Red Hat recently issued an urgent security alert warning of a supply chain attack affecting two versions of the XZ Utils data compression library. The compromise, tracked as CVE-2024-3094, carries a severity score of 10.0 and affects versions 5.6.0 and 5.6.1.
The malicious code inserted into the library can interfere with the sshd daemon, potentially allowing unauthorized remote access to affected systems. The issue was discovered by Microsoft security researcher Andres Freund, who identified heavily obfuscated code that had been introduced into the library through GitHub commits.
As a precaution, users of affected Linux distributions like Fedora have been advised to downgrade to a safe version of XZ Utils. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also recommended taking similar steps to safeguard systems.
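One way to check a host for the two releases named in the advisory, as an added example (not code from the article, from Red Hat, or from the XZ Utils project): a POSIX shell script that parses the first line of `xz --version` output and flags 5.6.0 or 5.6.1. The function names, the `AFFECTED_XZ_VERSIONS` list and the embedded sample output are this example's own constructions; it only reads the installed version and changes nothing on the system.

```shell
#!/bin/sh
# Added example (not part of the original article): flag the xz releases the
# advisory names, 5.6.0 and 5.6.1, on a host. Version check only.

# Releases listed as affected in the CVE-2024-3094 advisory.
AFFECTED_XZ_VERSIONS="5.6.0 5.6.1"

# xz_is_affected VERSION -> returns 0 if VERSION is one of the affected releases.
xz_is_affected() {
    for v in $AFFECTED_XZ_VERSIONS; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# xz_version_from_output "<text of xz --version>" -> prints the version number.
# The first line of `xz --version` has the form "xz (XZ Utils) 5.6.1".
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}

# check_installed_xz -> 0 if an affected xz is installed, 1 if the installed
# version is not affected, 2 if no xz binary is on PATH.
check_installed_xz() {
    command -v xz >/dev/null 2>&1 || { echo "xz not found on PATH"; return 2; }
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    if xz_is_affected "$ver"; then
        echo "xz $ver is an affected release (CVE-2024-3094): downgrade or update per your distribution's guidance"
        return 0
    fi
    echo "xz ${ver:-unknown} is not one of the affected releases"
    return 1
}

# Constructed sample output, so the parser can be exercised offline.
SAMPLE_OUTPUT="xz (XZ Utils) 5.6.1
liblzma 5.6.1"

sample_ver=$(xz_version_from_output "$SAMPLE_OUTPUT")
if xz_is_affected "$sample_ver"; then
    echo "sample: version $sample_ver would be flagged"
else
    echo "sample: version $sample_ver would not be flagged"
fi

# Check the real host; the trailing `|| true` keeps a non-zero status from
# aborting scripts that run with `set -e`.
check_installed_xz || true
```

The version list is deliberately an exact-match allowlist of the two affected releases rather than a range comparison, so a distribution build such as a patched 5.6.1 package that reports a different version string is not misclassified; adjust the list if your distribution's advisory names other package versions.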
This incident highlights the importance of vigilance in software supply chain security to prevent such attacks and underscores the need for thorough code reviews and monitoring for any suspicious changes.