Appearance
MET-2024-001
XZ Utils (CVE-2024-3094)
Skip to content
| Bulletin ID | MET-2024-001 |
|---|---|
| Date (published) | 2024-04-02T00:00:00.000Z |
| Date (last updated) | 2024-04-02T00:00:00.000Z |
| Severity | Informational |
Description
On March 29th, 2024, malicious code was discovered in XZ Utils, a compression tool, versions 5.6.0 and 5.6.1. The vulnerability could have been used to target SSH and allow a malicious actor to gain access to vulnerable Linux hosts.
Affected Products/Services
Metaplay infrastructure and product are not affected by this vulnerability.
- Metaplay by default leverages automatically updating AWS Linux images for underlying compute hosts. AWS Linux is not impacted, as per AWS's Security Bulletin AWS-2024-002.
- Dockerfiles that are part of Metaplay are based on
mcr.microsoft.com/dotnet/aspnetimages (as of present tag8.0), which do not contain the tool or libraries.
Impact
None.
CVE and CVSS Information
References
- https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
- https://aws.amazon.com/security/security-bulletins/AWS-2024-002/
Contact Information
Security-related questions or concerns can be sent to security@metaplay.io.
Revision History
| Date | Description |
|---|---|
| 2024-04-02 | Security Bulletin released |