Critical remote code execution vulnerability in XZ Library (CVE-2024-3094)

Advisory No: TZCERT/SA/2024/04/02

Date of First Release: 2^nd April 2024

Source: Arch Linux, Red Hat

Software Affected: XZ Library versions 5.6.0 and 5.6.1

Overview:

Arch Linux and Red Hat have released security patches to address a critical vulnerability affecting the xz library. The vulnerability could allow an attacker to execute arbitrary code.

Description:

Xz is a general-purpose data compression format present in nearly every Linux distribution. This library is affected by a critical vulnerability tracked as CVE-2024-3094. The vulnerability is the result of the absence of M4 macro files that contain the instructions for building with automakes in the tarballs. This issue results in additional software modification thus leading to arbitrary code execution.

Impact:

Successful exploitation of this vulnerability may allow the attacker to take control of the affected system.

Solution:

Multiple Operating System vendors have released patches for this vulnerability. Users and administrators are encouraged to apply necessary updates.

References:

1. https://security.archlinux.org/ASA-202403-1
2. https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users