CVE-2024-3094: a backdoor in XZ Utils

Apr 3, 2024
Sergey Chernyshev
On March 29th, 2024, malicious code was discovered in xz-utils, a popular open-source library for lossless data compression that ships with most Linux distributions.

Alpaquita Linux is unaffected by this backdoor, but as a precaution we downgraded the xz package and included a patch. We recommend updating your Alpaquita image immediately, as it is currently unknown whether this vulnerability is associated with other backdoors. Details on the CVE and on how to update the library follow below.

Table of Contents

  1. Description
  2. Risk scope
  3. Mitigation

Description

The backdoor is injected into the xz package at build time. Versions 5.6.0 and 5.6.1 are affected. The payload is activated when the running process is named /usr/sbin/sshd (other possible activation scenarios are currently under investigation). It hooks into the program through the IFUNC mechanism and reads a message sent by an attacker; if that message is signed with a specific private key, the payload executes its contents on the vulnerable system.

liblzma ends up inside sshd on Linux distributions that use systemd, because sshd there is linked against libsystemd, which is itself linked against liblzma.

The person who injected the malicious code into xz-utils had been preparing the attack for several years, building a reputation in the OSS community, gaining trust and eventually access to the xz project as an additional maintainer. The attacker, or group of attackers, also pushed for linking sshd with libsystemd in several Linux distributions so that sshd would load liblzma (this did not make it into stable builds, though).

Luckily, the vulnerability was quickly discovered by the OSS community. The repository was banned and the attacker's account was suspended. Other projects the attacker took part in are currently being analyzed as well.

Risk scope

The backdoor targets sshd binaries linked with libsystemd and glibc, so your system is definitely affected when all of the following apply:

  • A glibc-based Linux distribution with systemd is used (it is currently unknown whether musl-based distros are affected),
  • The installed version of xz is 5.6.0 or 5.6.1 (these versions are used in rolling releases; no stable versions are affected),
  • A publicly accessible OpenSSH server process is running.

The vulnerability is considered critical because it allows remote root access to an authenticated attacker.

Note that this is the only scenario definitely known for now, but the investigation is ongoing, so other backdoors may be discovered later.

Neither the glibc- nor the musl-based Alpaquita uses systemd (which depends on xz/liblzma), so sshd is not linked to xz/liblzma via systemd and Alpaquita is therefore not affected by this CVE.

Mitigation

Alpaquita Linux is not affected by this backdoor. However, because it is unknown whether other backdoors are associated with this vulnerability, we downgraded the xz version to 5.2.5 (prior to any commits from the attacker) as a precaution and also included the CVE-2022-1271 fix in this version. To make sure the installed xz packages are the latest build without any commits from the attacker, run:

apk update && apk upgrade xz* && apk version xz*

Verify that the version is 5.6.1_p525 (Alpaquita Stream) or 5.2.9_p525 (Alpaquita 23-LTS). Here, p525 means that the actual version of the package is 5.2.5.
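The two checks this post relies on, whether a running sshd has liblzma mapped into it and whether an installed xz version string is one of the backdoored releases rather than the _p525 rebuild, as an added POSIX shell example that is not part of the original post or of any BellSoft tooling. It assumes sshd runs as /usr/sbin/sshd and that the _p525 suffix means the package body is 5.2.5, as stated above; the maps samples are constructed.

```shell
#!/bin/sh
# Added triage helpers for CVE-2024-3094 (not part of the BellSoft post).
# Assumptions: the Alpaquita "_p525" suffix means the package body is 5.2.5
# (as the post states), and the OpenSSH daemon runs as /usr/sbin/sshd.

# Exit 0 if VERSION is one of the backdoored upstream releases (5.6.0/5.6.1)
# and not the Alpaquita rebuild whose contents are really 5.2.5.
xz_is_backdoored_version() {
    case "$1" in
        *_p525*)                                     return 1 ;;  # repackaged 5.2.5
        5.6.0|5.6.0-*|5.6.0_*|5.6.1|5.6.1-*|5.6.1_*) return 0 ;;
        *)                                           return 1 ;;
    esac
}

# Exit 0 if a /proc/<pid>/maps listing (read from stdin) shows liblzma mapped
# into the process, i.e. the precondition for the payload being reachable.
sshd_loads_liblzma() {
    grep -q '/liblzma\.so'
}

# Constructed sample maps output (addresses invented): one sshd that pulled in
# liblzma via libsystemd, and one that did not.
SAMPLE_MAPS_LINKED='7f1a2c000000-7f1a2c02a000 r--p 00000000 08:01 1234 /usr/lib/libsystemd.so.0
7f1a2c100000-7f1a2c12a000 r--p 00000000 08:01 5678 /usr/lib/liblzma.so.5.6.1'
SAMPLE_MAPS_CLEAN='7f1a2c000000-7f1a2c02a000 r--p 00000000 08:01 1234 /usr/lib/libcrypto.so.3'

# Live check for a real host: report every sshd process that has liblzma mapped.
check_live_sshd() {
    hit=1
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        exe=$(tr '\000' '\n' < "/proc/$pid/cmdline" 2>/dev/null | head -n 1)
        [ "$exe" = "/usr/sbin/sshd" ] || continue
        if sshd_loads_liblzma < "$maps"; then
            echo "sshd pid $pid has liblzma mapped: check the installed xz version"
            hit=0
        fi
    done
    return $hit
}

# Run the live scan only when asked: ./xz-triage.sh --live
[ "${1:-}" = "--live" ] && check_live_sshd
```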

If you use alpaquita-linux-python or alpaquita-linux-gcc, update the image immediately to receive the patch. Other BellSoft public container images based on Alpaquita Stream do not contain the library; however, if you use the xz library inside those containers, we recommend rebuilding the image to include the updated version of the library.
