Asustor Security Advisory AS-2024-002: XZ Utils
None of company's products affected by CVE-2024-3094, vulnerability only affecting XZ Utils 5.6.0 and 5.6.1
This is a Press Release edited by StorageNewsletter.com on April 9, 2024 at 2:01 pmAsustor, Inc. had published a security advisory concerning XZ Utils versions 5.6.0 and 5.6.1.
Date: 2024-04-03
Severity: Not affected
Status: Resolved
Statement
A critical security vulnerability has been discovered in XZ Utils versions 5.6.0 and 5.6.1.
None of the company’s products are affected by CVE-2024-3094 as this vulnerability only affect XZ Utils 5.6.0 and 5.6.1.
Affected products
|
Product |
Severity |
Fixed release availability |
|---|---|---|
|
ADM 4.2 and 4.1 |
Not affected |
N/A |
|
ADM 4.0 |
Not affected |
N/A |
Detail
- CVE-2024-3094
- Severity: Not affected
- Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
Reference
- CVE-2024-3094
- Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094
Revision
|
Revision |
Date |
Description |
|---|---|---|
|
1 |
2024-04-03 |
Initial public release. |
Share this news :
Subscribe to our free daily newsletter
