Dear customers,
Regarding CVE-2024-3094 (SSH critical vulnerability), Dalet has investigated the issue and so far no Dalet product or installation has been proven vulnerable.
A video explanation can be found here: https://youtu.be/MllrK4XSJxc?list=PLEhx2mYG3crzuriiZ0kpSqPuTDC-3yu4e
This article will be updated as the situation evolves.
Linux
Distribution | Affected Branches | Affected Packages | Remediation | Comments |
Fedora | 40, 41, Rawhide (active development) | xz-5.6.0-*, xz-5.6.1-* | Fedora 40 – Update to latest version (5.4.x). Fedora 41 & Rawhide – Stop using immediately. | |
Debian | testing, unstable (sid), experimental | xz-utils 5.5.1alpha-0.1 (uploaded on 2024-02-01), up to and including 5.6.1-1 | Update to latest version (5.6.1+really5.4.5-1) | No stable branches are affected |
Alpine | Edge (active development) | xz 5.6.1-r0, 5.6.1-r1 | Update to latest version (5.6.1-r2) | No stable branches are affected |
OpenSUSE | Tumbleweed | xz-5.6.0, xz-5.6.1 | Update to latest version (5.6.1.revertto5.4) | |
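
A version check built from the table above, as an added example (not Dalet's own tooling): `classify_xz` is a hypothetical helper and the sample inventory is constructed. "fixed" for Fedora means the 5.4.x line named under Remediation, and "not-listed" only means no row of the table matched.

```sh
#!/bin/sh
# classify_xz DISTRO VERSION -> prints affected | fixed | not-listed
# (hypothetical helper; version patterns are taken from the table above).
# Repackaged fixes keep "5.6.1" in their version string, so they are matched
# before the affected patterns; a plain "contains 5.6.1" test would misreport them.
classify_xz() {
    case "$1" in
        fedora)
            case "$2" in
                5.6.0-*|5.6.1-*) echo affected ;;
                5.4.*)           echo fixed ;;
                *)               echo not-listed ;;
            esac ;;
        debian)
            case "$2" in
                *+really5.4.*)             echo fixed ;;     # 5.6.1+really5.4.5-1
                5.5.[1-9]*|5.6.0*|5.6.1-*) echo affected ;;  # 5.5.1alpha-0.1 .. 5.6.1-1
                *)                         echo not-listed ;;
            esac ;;
        alpine)
            case "$2" in
                5.6.1-r0|5.6.1-r1) echo affected ;;
                5.6.1-r2)          echo fixed ;;
                *)                 echo not-listed ;;
            esac ;;
        opensuse)
            case "$2" in
                5.6.1.revertto5.4*) echo fixed ;;
                5.6.0*|5.6.1*)      echo affected ;;
                *)                  echo not-listed ;;
            esac ;;
        *) echo not-listed ;;
    esac
}

# Constructed sample inventory (distro, package version), e.g. collected with
# dpkg-query -W -f='${Version}' xz-utils or rpm -q --qf '%{VERSION}-%{RELEASE}' xz
while read -r distro version; do
    printf '%-9s %-22s %s\n' "$distro" "$version" "$(classify_xz "$distro" "$version")"
done <<'EOF'
debian 5.6.1-1
debian 5.6.1+really5.4.5-1
debian 5.4.1-0.2
alpine 5.6.1-r1
alpine 5.6.1-r2
opensuse 5.6.1.revertto5.4-3.2
fedora 5.6.0-2.fc40
EOF
```
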
Sources:
https://ubuntu.com/security/CVE-2024-3094
https://security.alpinelinux.org/vuln/CVE-2024-3094
https://security-tracker.debian.org/tracker/CVE-2024-3094
Bitnami: https://twitter.com/bitnami/status/1774019566143775079
Node.js has not published any CVE-2024-3094 warning (Google search)
Further info on the whole backstory: https://pentest-tools.com/blog/xz-utils-backdoor-cve-2024-3094
Flex |
alpine, java:17-alpine, ubuntu:20.04 | No affected images |
docker-base (1), docker-spring-boot-base (3), docker-fsp-base (4) |
docker-nodejs-base (2) |
docker-java (21) |
webnews |
eclipse-temurin:11.0.19_7-jre-alpine, node:16.16.0-alpine3.15, ubuntu:22.04, ubuntu:18.04, nginx:1.20.2-alpine | Not affected images |
base-java (5), base-nodejs (7), base-cpp (8), base-dmt (9), base-nginx (10) |
base-java-grpc (6), <dbserver>, <dmt> |

CubeNG |
base-nodejs, ubuntu:20.04, ubuntu:22.04 | No information about base-nodejs. Other images are without a malicious package |
<nodejs apps> (11), cube-baseimage-cpp (12), cube-baseimage-release (13) |

InStream |
ubuntu:20.04 (14), aspnet:3.1-focal (15), node:12 (16), node:18 (17) | Not affected images |
<C++ services> |

Amberfin |
tomcat:9.0.73-jre17-temurin-focal (18), ubuntu:20.04 (19), amazonlinux:2.0-with-python3.9 (20), Windows images (out of scope) | Not affected images |
<workflow, execution>, <some transcode services>, <serverless images> |