Open-source library XZ Utils Vulnerability (CVE-2024-3094)
Incident Report for Linode
Resolved
Akamai is aware of the reported supply chain compromise in the XZ Utils data compression library (CVE-2024-3094), which affects versions 5.6.0 and 5.6.1 of the xz-utils package. The compromise attempts to give an attacker the ability to remotely execute commands in OpenSSH through the liblzma library in some operating system environments.

Akamai has assessed the vulnerability and determined that the Akamai Platform is not affected and that the Linux images currently offered by Linode are also not affected. However, customers who installed Kali Linux Linodes between March 26 and March 29, or who on their own switched or upgraded their Linodes to, for example, the “unstable” or “testing” streams of certain Linux versions, may be affected. We strongly recommend that those customers follow the guidance of the OS provider to either patch or downgrade the affected packages as needed.

To determine whether your system might be affected:
Check the version of xz-utils and liblzma:
xz --version
In the output, make sure that the versions displayed are not 5.6.0 or 5.6.1.

Verify that /usr/sbin/sshd is not linked against liblzma:
ldd /usr/sbin/sshd | grep liblzma
If the output of this command is empty, then the system is not affected. If the output contains the pathname of the liblzma library, then the system may be affected depending on the version of liblzma/xz-utils as noted above.
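The two checks above can be combined into a single verdict. The script below is an added example, not part of Akamai's advisory; the function names, verdict strings and sample outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: the advisory's two checks combined into one verdict.

# True if `xz --version` output ($1) reports 5.6.0 or 5.6.1 for xz or liblzma.
# The pattern rejects look-alikes such as 5.6.10 or 15.6.1.
has_affected_version() {
    printf '%s\n' "$1" | grep -Eq '(^|[^0-9.])5\.6\.[01]([^0-9]|$)'
}

# True if `ldd /usr/sbin/sshd` output ($1) lists liblzma.
links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma'
}

# Print a verdict from the two command outputs.
classify() {
    if ! has_affected_version "$1"; then
        echo "version-ok"
    elif links_liblzma "$2"; then
        echo "may-be-affected"
    else
        echo "affected-version-sshd-not-linked"
    fi
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_BAD_XZ='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_GOOD_XZ='xz (XZ Utils) 5.4.5
liblzma 5.4.5'
SAMPLE_LDD='	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000000000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000100000)'

echo "sample (5.6.1, sshd linked): $(classify "$SAMPLE_BAD_XZ" "$SAMPLE_LDD")"
echo "sample (5.4.5, sshd linked): $(classify "$SAMPLE_GOOD_XZ" "$SAMPLE_LDD")"

# Live check on this host, when xz and sshd are both present.
if command -v xz >/dev/null 2>&1 && [ -e /usr/sbin/sshd ]; then
    echo "this host: $(classify "$(xz --version)" "$(ldd /usr/sbin/sshd 2>/dev/null)")"
fi
```

A host that reports an affected version but whose sshd is not linked against liblzma still carries the compromised package, which should be patched or downgraded per the OS provider's guidance.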

In addition, customers of Akamai Guardicore can use Akamai Guardicore Segmentation Insight to identify affected systems; see our detailed blog post for more information.

For more information about this vulnerability, please see:
https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
https://www.openwall.com/lists/oss-security/2024/03/29/4
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
https://lists.debian.org/debian-security-announce/2024/msg00057.html
https://news.opensuse.org/2024/03/29/xz-backdoor/
https://www.kali.org/blog/about-the-xz-backdoor/

Thank you for your continued support.
Posted Apr 01, 2024 - 21:37 UTC
This incident affected: Regions (US-East (Newark), US-Central (Dallas), US-West (Fremont), US-Southeast (Atlanta), US-IAD (Washington), US-ORD (Chicago), CA-Central (Toronto), EU-West (London), EU-Central (Frankfurt), FR-PAR (Paris), AP-South (Singapore), AP-Northeast-2 (Tokyo 2), AP-West (Mumbai), AP-Southeast (Sydney), SE-STO (Stockholm), US-SEA (Seattle), IT-MIL (Milan), JP-OSA (Osaka), IN-MAA (Chennai), ID-CGK (Jakarta), BR-GRU (Sao Paulo), NL-AMS (Amsterdam), US-MIA (Miami), US-LAX (Los Angeles), ES-MAD (Madrid)), Linode.com, Linode Manager and API, Hosted DNS Service, Longview, Managed Databases, Block Storage (US-East (Newark) Block Storage, US-Central (Dallas) Block Storage, US-West (Fremont) Block Storage, US-Southeast (Atlanta) Block Storage, US-IAD (Washington) Block Storage, US-ORD (Chicago) Block Storage, CA-Central (Toronto) Block Storage, EU-West (London) Block Storage, EU-Central (Frankfurt) Block Storage, FR-PAR (Paris) Block Storage, AP-South (Singapore) Block Storage, AP-Northeast-2 (Tokyo 2) Block Storage, AP-West (Mumbai) Block Storage, AP-Southeast (Sydney) Block Storage, SE-STO (Stockholm) Block Storage, US-SEA (Seattle) Block Storage, JP-OSA (Osaka) Block Storage, IN-MAA (Chennai) Block Storage), NodeBalancers (US-East (Newark) NodeBalancers, US-Central (Dallas) NodeBalancers, US-West (Fremont) NodeBalancers, US-Southeast (Atlanta) NodeBalancers, US-IAD (Washington) NodeBalancers, US-ORD (Chicago) NodeBalancers, CA-Central (Toronto) NodeBalancers, EU-West (London) NodeBalancers, EU-Central (Frankfurt) NodeBalancers, FR-PAR (Paris) NodeBalancers, AP-South (Singapore) NodeBalancers, AP-Northeast-2 (Tokyo 2) NodeBalancers, AP-West (Mumbai) NodeBalancers, AP-Southeast (Sydney) NodeBalancers, SE-STO (Stockholm) NodeBalancers, US-SEA (Seattle) NodeBalancers, JP-OSA (Osaka) NodeBalancers, IN-MAA (Chennai) NodeBalancers), Backups (US-East (Newark) Backups, US-Central (Dallas) Backups, US-West (Fremont) Backups, US-Southeast (Atlanta) Backups, US-IAD 
(Washington) Backups, US-ORD (Chicago) Backups, CA-Central (Toronto) Backups, EU-West (London) Backups, EU-Central (Frankfurt) Backups, FR-PAR (Paris) Backups, AP-South (Singapore) Backups, AP-Northeast-2 (Tokyo 2) Backups, AP-West (Mumbai) Backups, AP-Southeast (Sydney) Backups, SE-STO (Stockholm) Backups, US-SEA (Seattle) Backups, JP-OSA (Osaka) Backups, IN-MAA (Chennai) Backups), Object Storage (US-East (Newark) Object Storage, US-Southeast (Atlanta) Object Storage, US-IAD (Washington) Object Storage, US-ORD (Chicago) Object Storage, EU-Central (Frankfurt) Object Storage, AP-South (Singapore) Object Storage, FR-PAR (Paris) Object Storage, SE-STO (Stockholm) Object Storage, US-SEA (Seattle) Object Storage, JP-OSA (Osaka) Object Storage, IN-MAA (Chennai) Object Storage, ID-CGK (Jakarta)), and Linode Kubernetes Engine (US-East (Newark) Linode Kubernetes Engine, US-Central (Dallas) Linode Kubernetes Engine, US-West (Fremont) Linode Kubernetes Engine, US-Southeast (Atlanta) Linode Kubernetes Engine, US-IAD (Washington) Linode Kubernetes Engine, US-ORD (Chicago) Linode Kubernetes Engine, CA-Central (Toronto) Linode Kubernetes Engine, EU-West (London) Linode Kubernetes Engine, EU-Central (Frankfurt) Linode Kubernetes Engine, FR-PAR (Paris) Linode Kubernetes Engine, AP-South (Singapore) Linode Kubernetes Engine, AP-Northeast-2 (Tokyo 2) Linode Kubernetes Engine, AP-West (Mumbai) Linode Kubernetes Engine, AP-Southeast (Sydney) Linode Kubernetes Engine, SE-STO (Stockholm) Linode Kubernetes Engine, US-SEA (Seattle) Linode Kubernetes Engine, JP-OSA (Osaka) Linode Kubernetes Engine, IN-MAA (Chennai) Linode Kubernetes Engine, ID-CGK (Jakarta)).