Critical Vulnerability Found in Latest Versions of “xz” Compression Tools: CentOS Users Beware
In a major security alert, the Information Risk and Security and Product Security teams at Red Hat have discovered a critical vulnerability in the newest versions of the popular “xz” compression tools and libraries. This malicious code, found in versions 5.6.0 and 5.6.1, has the potential to grant unauthorized access to systems, making it imperative for CentOS users to take immediate action.
The vulnerability, designated CVE-2024-3094, affects systems on which users have updated to the compromised versions of the xz libraries. As a precautionary measure, Red Hat is advising all Fedora developers to temporarily halt the usage of Fedora Rawhide, the development distribution for future Fedora builds, until the issue is resolved. The plan is to revert to the safer xz-5.4.x version and only then redeploy Fedora Rawhide instances.
While no confirmed cases have been reported in CentOS’s Fedora Linux 40 builds, Red Hat advises users to downgrade to version 5.4 as an added safeguard. An update to revert xz back to 5.4.x has already been released and is being rolled out to all Fedora Linux 40 users through the regular update system. Detailed instructions on how to expedite this update can be found on Red Hat’s website.
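As an added example (not part of Red Hat's advisory or of the xz project), the following POSIX shell script checks whether the xz installed on a host is one of the two compromised releases named above and, if so, points to the 5.4.x downgrade; the `XZ_OUTPUT` variable and the function names are assumptions introduced here so the check can also be run against constructed `xz --version` output offline.

```shell
#!/bin/sh
# Added example: flag an installed xz whose version matches the compromised
# releases (5.6.0 and 5.6.1). Exact matching is deliberate: 5.4.x and later
# 5.6.x releases are not the versions the advisory names.

# Extract the version number from the first line of `xz --version` output,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Prints nothing if unrecognised.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 (true) if the version string is a compromised release, 1 otherwise.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Check the host's xz, or constructed output supplied in XZ_OUTPUT (assumed
# variable, used for offline testing). Exit status: 0 ok, 1 affected,
# 2 version could not be determined.
check_host_xz() {
    out="${XZ_OUTPUT:-$(xz --version 2>/dev/null)}"
    ver=$(xz_version_from_output "$out")
    if [ -z "$ver" ]; then
        echo "xz not found or version line not recognised"
        return 2
    fi
    if xz_version_affected "$ver"; then
        echo "AFFECTED: xz $ver is a compromised release; downgrade to 5.4.x"
        return 1
    fi
    echo "ok: xz $ver is not one of the compromised releases"
    return 0
}
```

Run `check_host_xz` directly on a Fedora or Debian host, or set `XZ_OUTPUT` to a captured `xz --version` line to evaluate output collected from another machine.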
The malicious code discovered in the compromised versions of the xz libraries specifically targets the authentication process in sshd via systemd. This could allow an attacker to bypass sshd authentication and gain unauthorized remote access to the system. It must be noted that the malicious code is only present in the download package and does not affect the Git distribution, which lacks the M4 macro that triggers the malicious code during builds.
Upon further investigation, it has been found that the corrupted packages are only present in Fedora 41 and Fedora Rawhide within the Red Hat community ecosystem. No versions of Red Hat Enterprise Linux (RHEL) have been affected by this vulnerability. However, successful injections have been found in xz 5.6.x versions for Debian Unstable (Sid), and other distributions may also be at risk of being compromised.
If you are a user of the affected distributions, it is strongly recommended to immediately stop using Fedora 41 or Fedora Rawhide and consult with your information security team for further guidance. Red Hat is working diligently to resolve this issue and ensure the utmost security for all its users.