What is CVE-2024-3094?

A malicious backdoor was inserted into XZ Utils 5.6.0 and 5.6.1 by a compromised maintainer, enabling unauthorized SSH access via systemd on affected systems.

How do I fix CVE-2024-3094?

Downgrade XZ Utils to 5.4.6 or upgrade to 5.6.2+ immediately. Verify installed version: xz --version Audit system for indicators of compromise (IoC): check sshd binary hash. Rotate all SSH keys on affected systems. Implement software supply chain checks (SBOM, Sigstore, Trivy). Review and harden your CI/CD pipeline dependency management.

Which versions are affected by CVE-2024-3094?

Affected: XZ Utils 5.6.0, 5.6.1. Fixed in: XZ Utils 5.4.6 (downgrade) or 5.6.2+.

criticalCVSS 10/10·Published: 2024-03-29·XZ Utils (liblzma)

How to fix CVE-2024-3094 – Step-by-Step Guide

CVE-2024-3094, known as the XZ Utils Backdoor, is a critical supply chain vulnerability (CVSS 10) affecting XZ Utils versions 5.6.0 and 5.6.1. This sophisticated attack introduced a malicious backdoor enabling unauthorized remote access. It was discovered on March 29, 2024, preventing widespread exploitation.

CVE ID

CVE-2024-3094

Severity

CRITICAL

CVSS Score

10/10

Affected

XZ Utils (liblzma)

What is XZ Utils Backdoor – Supply Chain Attack?

This is a supply chain attack where malicious code was injected into XZ Utils 5.6.0 and 5.6.1 by a compromised maintainer. The backdoor specifically targets systems running systemd and linked sshd, allowing a threat actor to gain unauthorized remote SSH access. The malicious code manipulates liblzma, a component of XZ Utils, to interfere with sshd authentication.

Affected Versions

XZ Utils 5.6.0, 5.6.1

Fixed In

XZ Utils 5.4.6 (downgrade) or 5.6.2+

Official References

Impact and Risks for your Infrastructure

Systems running affected XZ Utils versions (5.6.0, 5.6.1) with systemd-linked sshd are vulnerable to complete system compromise via unauthorized remote SSH access. This could lead to data exfiltration, service disruption, and further network penetration. While discovered early, the potential impact on compromised infrastructure is severe.

xz-utilssupply-chaincriticallinuxbackdoor2024

Step-by-Step Mitigation Guide

Immediately identify and downgrade XZ Utils to a safe version like 5.4.6, or upgrade to 5.6.2+ if available from your distribution. Verify the installed XZ Utils version using your package manager (e.g., `apt show xz-utils` or `rpm -q xz-libs`). Ensure no malicious binaries or modified SSH configurations persist after remediation.

1Downgrade XZ Utils to 5.4.6 or upgrade to 5.6.2+ immediately.
2Verify installed version: xz --version
3Audit system for indicators of compromise (IoC): check sshd binary hash.
4Rotate all SSH keys on affected systems.
5Implement software supply chain checks (SBOM, Sigstore, Trivy).
6Review and harden your CI/CD pipeline dependency management.

Frequently Asked Questions

What is the CVSS score for CVE-2024-3094?▼

CVE-2024-3094 has a CVSS score of 10/10 (critical severity). This reflects the most severe potential impact, requiring immediate remediation.

Which versions of XZ Utils (liblzma) are affected?▼

Affected: XZ Utils 5.6.0, 5.6.1. The vulnerability was fixed in: XZ Utils 5.4.6 (downgrade) or 5.6.2+.

How long does it take to fix CVE-2024-3094?▼

For most teams: 15–60 minutes to apply the patch, plus 15 minutes of post-patch verification. Complex multi-service environments may require 2–4 hours including staging validation.

Is CVE-2024-3094 being actively exploited?▼

Check the NVD entry and CISA KEV catalog for exploitation status. As a critical-severity vulnerability, treat it as a priority remediation regardless of known exploitation status.

Run Security Check →Browse Runbooks →← All CVE Solutions

This CVE fix guide is based on publicly available security advisories (NVD, vendor bulletins). Always test changes in a staging environment before applying to production. Verify against the official vendor advisory for the most up-to-date guidance.