Zimbra not affected by XZ backdoor vulnerability CVE-2024-3094

XZ Utils is nearly ubiquitous in Linux. It provides lossless data compression on virtually all Unix-like operating systems, including Linux, and critical functions for compressing and decompressing data during all kinds of operations. XZ Utils also supports the legacy .lzma format, making this component even more crucial.

Zimbra-supported operating systems are not affected, and Zimbra does not package the XZ software. Zimbra is not affected by CVE-2024-3094. This article is provided for your reference.

What does the backdoor do?

The xz software is used in many Linux distributions and in macOS for tasks such as compressing release tarballs, kernel images, etc. But the backdoor was caught early: the malicious code only made it into a few bleeding-edge Linux distributions, such as the upcoming Fedora Linux 40, the Fedora Rawhide developer distribution, Debian Unstable, and Kali Linux. Vulnerable distributions require glibc (for IFUNC, a way to make indirect function calls into OpenSSH authentication) and xz-5.6.0 or xz-5.6.1.

Red Hat has confirmed that Fedora Rawhide (the current development version of Fedora Linux) and Fedora Linux 40 beta contained affected versions (5.6.0, 5.6.1) of the xz libraries, and that no versions of Red Hat Enterprise Linux (RHEL) are affected.

OpenSUSE maintainers say that openSUSE Tumbleweed and openSUSE MicroOS included an affected xz version between March 7th and March 28th, and have provided advice on what users of those should do. It has been established that the malicious file introduced into Tumbleweed is not present in SUSE Linux Enterprise and/or Leap.

Debian maintainers announced that no Debian stable versions are known to be affected, but that compromised packages were part of the Debian testing, unstable and experimental distributions, and users of those are urged to update the xz-utils packages.

Users of Kali Linux who updated their installation between March 26th and March 29th are affected, OffSec confirmed.

Some Arch Linux virtual machine and container images and an installation medium contained the affected XZ versions.

Ubuntu says that no released versions of Ubuntu were affected by this issue.

Linux Mint is not affected. Gentoo Linux is not affected. Amazon Linux customers are not affected. Alpine Linux is not affected.

Zimbra-supported operating systems remain unaffected

To check whether a system uses a backdoored version of the liblzma library, we can use the script provided here: https://github.com/cyclone-github/scripts/blob/main/xz_cve-2024-3094-detect.sh

Alternatively, we can quickly assess if we are running a vulnerable version by employing the official detect.sh script from Openwall, accessible here: https://www.openwall.com/lists/oss-security/2024/03/29/4/3

Download the script onto the system you wish to examine and execute the following commands:

chmod +x detect.sh
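
As a quick triage alongside the scripts linked above, the following added example (not Zimbra's, cyclone-github's or Openwall's code) classifies a version string against the affected releases 5.6.0 and 5.6.1 and finds which liblzma sshd loads. The function names, the --local switch and the sample ldd output are assumptions constructed for this example; a version match only indicates exposure and does not replace the detect.sh check.

```shell
#!/bin/sh
# Added example: version triage for CVE-2024-3094 (not the Openwall detect.sh).
# Affected releases named in the article: xz / liblzma 5.6.0 and 5.6.1.

# Constructed sample of ldd output, for exercising the parser offline.
SAMPLE_LDD='	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000000000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000100000)'

# First X.Y.Z found in a string such as "xz (XZ Utils) 5.6.1",
# "5.6.0-3.fc40" or "/usr/lib/liblzma.so.5.6.1"; empty if none.
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Print AFFECTED, OK or UNKNOWN for a version-bearing string.
classify() {
    v=$(extract_version "$1")
    case "$v" in
        5.6.0|5.6.1) echo "AFFECTED" ;;
        "")          echo "UNKNOWN" ;;
        *)           echo "OK" ;;
    esac
}

# Path of the liblzma that a binary loads, taken from ldd output text.
liblzma_path_from_ldd() {
    printf '%s\n' "$1" | awk '/liblzma/ && $2 == "=>" { print $3; exit }'
}

# Live check: the xz binary, and the liblzma that sshd links (if any).
check_local() {
    if command -v xz >/dev/null 2>&1; then
        echo "xz binary: $(classify "$(xz --version | head -n 1)")"
    else
        echo "xz binary: not installed"
    fi
    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    lib=$(liblzma_path_from_ldd "$(ldd "$sshd_bin" 2>/dev/null)")
    if [ -n "$lib" ]; then
        # ldd reports the soname symlink; resolve it to the versioned file.
        echo "sshd liblzma: $(classify "$(readlink -f "$lib")")"
    else
        echo "sshd liblzma: not linked"
    fi
}

# Run the live check only when invoked with "--local".
if [ "${1:-}" = "--local" ]; then check_local; fi
```

Run it with --local on the host being examined; without that argument it only defines the functions.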