SSH Reported Issue CVE-2024-3094 (xz)

Stephane MAUBIAN
  • Updated

Dear customers,

Regarding CVE-2024-3094 (SSH critical vulnerability), Dalet has investigated the issue and so far no Dalet product or installation has been proven vulnerable.

A video explanation can be found here: https://youtu.be/MllrK4XSJxc?list=PLEhx2mYG3crzuriiZ0kpSqPuTDC-3yu4e

 

This article will be updated as the situation evolves.

 

Linux

Distribution Affected Branches Affected Packages Remediation Comments
Fedora 40, 41, Rawhide (active development)

xz-5.6.0-*

xz-5.6.1-*

Fedora 40 – Update to latest version (5.4.x).

Fedora 41 & Rawhide – Stop using immediately.

  
Debian testing, unstable (sid), experimental

xz-utils 5.5.1alpha-0.1

(uploaded on 2024-02-01), up to and including 5.6.1-1

 Update to latest version (5.6.1+really5.4.5-1) No stable branches are affected
Alpine Edge (active development) xz 5.6.1-r0, 5.6.1-r1 Update to latest version (5.6.1-r2) No stable branches are affected
OpenSUSE Tumbleweed xz-5.6.0, xz-5.6.1 Update to latest version (5.6.1.revertto5.4)  

 

Sources:

https://ubuntu.com/security/CVE-2024-3094
https://security.alpinelinux.org/vuln/CVE-2024-3094
https://security-tracker.debian.org/tracker/CVE-2024-3094

Bitnami: https://twitter.com/bitnami/status/1774019566143775079

node.js has not published any CVE-2024-3094 warning (Google search)

Further info on the whole backstory: https://pentest-tools.com/blog/xz-utils-backdoor-cve-2024-3094

 

 

Flex 

alpine

java:17-alpine

ubuntu:20.04

    

No affected images

docker-base (1)

docker-spring-boot-base (3)

docker-fsp-base (4)

    

docker-nodejs-base (2)

        

docker-java (21)

        
         

webnews

eclipse-temurin:11.0.19_7-jre-alpine

node:16.16.0-alpine3.15

ubuntu:22.04

ubuntu:18.04

nginx:1.20.2-alpine

Not affected images

base-java (5)

base-nodejs (7)

base-cpp (8)

base-dmt (9)

base-nginx (10)

base-java-grpc (6)

  

<dbserver>

<dmt>

  
         

CubeNG

base-nodejs

ubuntu:20.04

ubuntu:22.04

    

no information about base-nodejs. Other images are without a malicious package

<nodejs apps> (11)

cube-baseimage-cpp (12)

cube-baseimage-release (13)

    
         

InStream

ubuntu:20.04 (14)

aspnet:3.1-focal (15)

node:12 (16)

node:18 (17)

  

Not affected images

<C++ services>

        
         

Amberfin

tomcat:9.0.73-jre17-temurin-focal (18)

ubuntu:20.04 (19)

amazonlinux:2.0-with-python3.9 (20)

Windows images (out of scope)

  

Not affected images

<workflow, execution>

<some transcode services>

<serverless images>

    
         

 

Was this article helpful?
0 out of 0 found this helpful
Return to top

Related articles

Comments

0 comments

Please sign in to leave a comment.

Powered by Zendesk