What We Do
How We Do
Get Started
Security advisories

XZ Utils Supply Chain Compromise

April 1, 2024 | 4 MINS READ

Speak With A Security Expert Now



On March 29th, the Cybersecurity and Infrastructure Security Agency (CISA), alongside the open-source community, reported on a critical vulnerability impacting XZ Utils, a general-purpose data-compression library included in many Linux distributions. Tracked as CVE-2024-3094 (CVSS: 10), the vulnerability stems from a supply chain compromise which resulted in malicious code being included in versions 5.6.0 and 5.6.1 of the XZ libraries.

The malicious code modifies the build process of liblzma, a component of XZ Utils, resulting in a compromised liblzma library. The malicious build interferes with authentication in sshd via systemd. The Secure Shell (SSH) protocol is a common method for securely connecting to remote systems; sshd is the service that allows access. In an attack scenario, a threat actor could use this interference to break the sshd authentication, enabling them to execute code on the system remotely.

This topic is actively developing, and additional details are expected to emerge. Organizations are strongly recommended to immediately perform the recommended mitigation actions to prevent abuse.

What we’re doing about it

What you should do about it

Organizations, developers, and users are recommended to:

See Additional Information for a full list of known impacted products.

Additional information

On March 29th, Andres Freund (Principal Software Engineer at Microsoft) emailed Open Source Security (OSS) warning the community of a backdoor discovered in xz/liblzma. While performing system benchmarking on a Debian system, Andres observed sshd processes utilizing an abnormal amount of CPU time, which led to the finding that liblzma, part of the XZ package, was responsible for the CPU usage. Further investigation led to the discovery of the backdoored XZ tarballs (TAR archives).

The attack began with the creation of the GitHub account JiaT75 (Jia Tan) in 2021, which initially contributed to related projects before targeting XZ Utils. In January 2023, Jia Tan merged their first commit to the XZ project and would continue to make commits throughout 2023. In February and March 2024, JiaT75 issued commits for versions 5.6.0 and 5.6.1 of XZ Utils that introduced the backdoor. In the following weeks, Tan and others made requests to the developers of Ubuntu, Red Hat, and Debian to merge the updates into their operating systems.

In an attempt to avoid detection, “the malicious injection present in the XZ versions 5.6.0 and 5.6.1 libraries is obfuscated and only included in full in the download package - the Git distribution lacks the M4 macro that triggers the build of the malicious code. The second-stage artifacts are present in the Git repository for the injection during the build time, in case the malicious M4 macro is present” states Red Hat.

On April 1st, Anthony Weems (Cloud Vulnerability Researcher at Google) published Proof-of-Concept (PoC) exploit code for CVE-2024-3094. However, the payloads are signed with an ED448 (an elliptic curve signing algorithm) key, so Anthony had to use his own key for testing. This means to exploit CVE-2024-3094 in real-world attacks, the threat actor would need to have knowledge of the ED448 private key used to sign the payloads.

At this time, CVE-2024-3094 is confirmed to impact:

Unaffected distros

macOS users utilizing homebrew are potentially impacted


[1] https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-3094
[3] https://www.openwall.com/lists/oss-security/2024/03/29/4
[4] https://mastodon.social/@AndresFreundTec/112180406142695845
[5] https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
[6] https://twitter.com/amlweems/status/1774819428208689241
[7] https://github.com/amlweems/xzbot
[8] https://boehs.org/node/everything-i-know-about-the-xz-backdoor
[9] https://twitter.com/fr0gger_/status/1774342248437813525
[10] https://unit42.paloaltonetworks.com/threat-brief-xz-utils-cve-2024-3094/
[11] https://www.kaspersky.com/blog/cve-2024-3094-vulnerability-backdoor/50873/

View Most Recent Advisories