Aptible incident

Update on CVE-2024-3094: XZ Utils Vulnerability


Aptible experienced a notice incident on April 1, 2024, lasting —. The incident has been resolved; the full update timeline is below.

Started: Apr 01, 2024, 08:18 PM UTC
Resolved: Apr 01, 2024, 08:18 PM UTC
Duration
Detected by Pingoru: Apr 01, 2024, 08:18 PM UTC

Update timeline

  1. resolved Apr 01, 2024, 08:18 PM UTC

    Aptible is aware of CVE-2024-3094, a critical vulnerability in XZ Utils that specifically affects versions 5.6.0 and 5.6.1. It has a CVSS score of 10, indicating a severe level of risk. The vulnerability results from a supply chain compromise and is present in data compression software widely used across major Linux distributions. The malicious code discovered in the affected versions allows unauthorized system access, posing a significant security threat. The Aptible platform and services do not use the affected software versions and are not impacted. Aptible customers are urged to evaluate dependencies in their Docker images and other systems and to patch urgently as needed to mitigate the risk associated with this vulnerability. Given the scope and severity of the CVE, our security team continues to actively monitor the situation. If you have any concerns or questions, please contact the Aptible Support team.
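
One way to run the dependency check the notice asks for, as an added example that is not Aptible's code: it flags xz/liblzma packages at the two versions named above (5.6.0 and 5.6.1) in a package listing taken from a host or a Docker image. The function names and the sample listing are constructed, and `scan_image` assumes a dpkg- or rpm-based image that contains `sh`.

```shell
# Added example: flag XZ Utils / liblzma packages at the versions named in
# the notice (5.6.0, 5.6.1). Function names and sample data are constructed.

# Print "affected" or "ok" for one package version string.
xz_version_status() {
    local v="$1"
    v="${v#*:}"                    # drop a package epoch such as "1:"
    case "$v" in                   # Debian-style "X+reallyY": contents are Y
        *+really*) v="${v#*+really}" ;;
    esac
    v="${v%%[-+~]*}"               # drop the distro revision or suffix
    case "$v" in
        5.6.0|5.6.1) echo affected ;;
        *)           echo ok ;;
    esac
}

# Read "package version" lines on stdin and print the xz-related
# packages whose upstream version is one of the affected releases.
scan_pkg_list() {
    local name ver
    while read -r name ver _; do
        case "$name" in
            xz|xz-utils|xz-libs|liblzma*) ;;
            *) continue ;;
        esac
        [ "$(xz_version_status "$ver")" = affected ] && echo "$name $ver"
    done
    return 0
}

# List packages inside an image (dpkg first, then rpm) and scan them.
scan_image() {
    docker run --rm --entrypoint sh "$1" -c \
        "dpkg-query -W 2>/dev/null || rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'" \
        | scan_pkg_list
}

# Constructed sample listing, in "package version" form.
SAMPLE_PKGS='bash 5.2.21-2
liblzma5 5.6.1-1
xz-utils 5.6.1+really5.4.5-1
xz-libs 5.6.0-1.fc40
zlib1g 1:1.3.dfsg-3'

printf '%s\n' "$SAMPLE_PKGS" | scan_pkg_list
```

A package version only shows what the package manager installed; copies of liblzma that are statically linked or vendored into an application need a separate check.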