What is CVE-2024-3094?

A malicious backdoor was inserted into XZ Utils 5.6.0 and 5.6.1 by a compromised maintainer, enabling unauthorized SSH access via systemd on affected systems.

How do I fix CVE-2024-3094?

Downgrade XZ Utils to 5.4.6 or upgrade to 5.6.2+ immediately. Verify installed version: xz --version Audit system for indicators of compromise (IoC): check sshd binary hash. Rotate all SSH keys on affected systems. Implement software supply chain checks (SBOM, Sigstore, Trivy). Review and harden your CI/CD pipeline dependency management.

Which versions are affected by CVE-2024-3094?

Affected: XZ Utils 5.6.0, 5.6.1. Fixed in: XZ Utils 5.4.6 (downgrade) or 5.6.2+.

criticalCVSS 10/10·Published: 2024-03-29·XZ Utils (liblzma)

How to fix CVE-2024-3094 – Step-by-Step Guide

CVE-2024-3094, the XZ Utils Backdoor, is a critical supply chain vulnerability (CVSS 10) affecting XZ Utils versions 5.6.0 and 5.6.1. This sophisticated attack inserted malicious code, posing a severe threat to system integrity and trust in open-source software.

CVE ID

CVE-2024-3094

Severity

CRITICAL

CVSS Score

10/10

Affected

XZ Utils (liblzma)

What is XZ Utils Backdoor – Supply Chain Attack?

A sophisticated supply chain attack inserted a backdoor into XZ Utils versions 5.6.0 and 5.6.1. This malicious code, disguised within liblzma, could allow an attacker to gain unauthorized remote SSH access. Specifically, it targets systems using systemd-linked sshd, exploiting the compromised library during authentication.

Affected Versions

XZ Utils 5.6.0, 5.6.1

Fixed In

XZ Utils 5.4.6 (downgrade) or 5.6.2+

Official References

Impact and Risks for your Infrastructure

The primary impact is unauthorized remote access to affected systems running XZ Utils 5.6.0/5.6.1 with systemd-linked sshd. Attackers could execute arbitrary code, leading to full system compromise and data exfiltration. While critical, its discovery before widespread deployment limited potential real-world impact.

xz-utilssupply-chaincriticallinuxbackdoor2024

Step-by-Step Mitigation Guide

Immediately identify and downgrade XZ Utils to a known safe version like 5.4.6, or upgrade to 5.6.2+ if available. Verify your system is not running affected versions 5.6.0 or 5.6.1 of XZ Utils/liblzma. Reboot systems after applying the fix and monitor for unusual activity.

1Downgrade XZ Utils to 5.4.6 or upgrade to 5.6.2+ immediately.
2Verify installed version: xz --version
3Audit system for indicators of compromise (IoC): check sshd binary hash.
4Rotate all SSH keys on affected systems.
5Implement software supply chain checks (SBOM, Sigstore, Trivy).
6Review and harden your CI/CD pipeline dependency management.

Frequently Asked Questions

What is the CVSS score for CVE-2024-3094?▼

CVE-2024-3094 has a CVSS score of 10/10 (critical severity). This reflects the most severe potential impact, requiring immediate remediation.

Which versions of XZ Utils (liblzma) are affected?▼

Affected: XZ Utils 5.6.0, 5.6.1. The vulnerability was fixed in: XZ Utils 5.4.6 (downgrade) or 5.6.2+.

How long does it take to fix CVE-2024-3094?▼

For most teams: 15–60 minutes to apply the patch, plus 15 minutes of post-patch verification. Complex multi-service environments may require 2–4 hours including staging validation.

Is CVE-2024-3094 being actively exploited?▼

Check the NVD entry and CISA KEV catalog for exploitation status. As a critical-severity vulnerability, treat it as a priority remediation regardless of known exploitation status.

Run Security Check →Browse Runbooks →← All CVE Solutions

This CVE fix guide is based on publicly available security advisories (NVD, vendor bulletins). Always test changes in a staging environment before applying to production. Verify against the official vendor advisory for the most up-to-date guidance.