You are here

Vulnerability Awareness – Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library

Vulnerability Awareness – Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library

Created: Tuesday, April 2, 2024 - 13:40
Categories:
Cybersecurity, Federal & State Resources, Security Preparedness

Reports of malicious code being embedded in XZ Utils versions 5.6.0 and 5.6.1 have caused CISA and the open source community to respond. XZ Utils is data compression software and may be present in Linux distributions. The malicious code may allow unauthorized access to affected systems.

CISA recommends developers and users to downgrade XZ Utils to an uncompromised version—such as XZ Utils 5.4.6 Stable—hunt for any malicious activity and report any positive findings to CISA. CISA also suggests following this Red Hat advisory for more information.

Analyst Comment (Jennifer Lyn Walker): According to current reporting (referenced from the resources below), community analysis of the backdoor is ongoing. Fortunately, thanks to the original discovery, the backdoored version of the utility did not affect stable branches of most major Linux distributions and is unlikely to have made it into any production systems. The most at-risk category of users is likely developers, many of whom tend to run bleeding-edge versions of Linux. While it was discovered before it made its way into most Linux distributions and its real-world impact is believed to be limited, experts suggest that it did present a very real and present danger.

Linux systems administrators are encouraged to maintain awareness of ongoing analysis for impacted distributions and recommended remediations.

Additional Resources