Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2024-3094

Published: 29 March 2024

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

Notes

AuthorNote
Priority reason:
Results in a backdoor in sshd
mdeslaur
The affected version of xz-utils was only in noble-proposed, and
was removed before migrating to noble itself. No released
versions of Ubuntu were affected by this issue.

Priority

Critical

Cvss 3 Severity Score

10.0

Score breakdown

Status

Package Release Status
xz-utils
Launchpad, Ubuntu, Debian
bionic Not vulnerable

focal Not vulnerable
(5.2.4-1ubuntu1.1)
jammy Not vulnerable
(5.2.5-2ubuntu1)
mantic Not vulnerable
(5.4.1-0.2)
trusty Not vulnerable

upstream Needs triage

xenial Not vulnerable

Severity score breakdown

Parameter Value
Base score 10.0
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Changed
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H