Synology Security Advisory SA-24:06 XZ Utils
None of firm's products are affected by CVE-2024-3094 as vulnerability only affect XZ Utils 5.6.0 and 5.6.1.
This is a Press Release edited by StorageNewsletter.com on April 3, 2024 at 2:01 pmSynology, Inc. had published a security advisory concerning XZ Utils.
Publish time: 2024-04-01 12:02:16 UTC+8
Last updated: 2024-04-01 12:02:16 UTC+8
Severity: Not affected
Status: Resolved
Abstract
None of firm’s products are affected by CVE-2024-3094 as this vulnerability only affect XZ Utils 5.6.0 and 5.6.1.
Affected products
Product |
Severity |
Fixed release availability |
---|---|---|
DSM 7.2 |
Not affected |
N/A |
DSM 7.1 |
Not affected |
N/A |
DSM 6.2 |
Not affected |
N/A |
DSMUC 3.1 |
Not affected |
N/A |
BSM 1.0 |
Not affected |
N/A |
SRM 1.3 |
Not affected |
N/A |
VS Firmware 1.0 |
Not affected |
N/A |
Camera Firmware 1.1 |
Not affected |
N/A |
Mitigation : None
Detail
- CVE-2024-3094
- Severity: Not affected
- CVSS3 Base Score: 0.0
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N
- Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
Reference
- Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094
- CVE-2024-3094
Revision
Revision |
Date |
Description |
---|---|---|
1 |
2024-04-01 |
Initial public release. |