What’s new: The XZ-Utils backdoor, tracked under CVE-2024-3094, is still present in at least 35 Linux images on Docker Hub. This backdoor allows attackers to bypass SSH authentication and execute commands as root. Debian has opted not to remove these compromised images, citing low risk, despite concerns from researchers about the potential for accidental use in automated builds.
Who’s affected
Organizations and developers using Docker images that ship the affected xz-utils versions (5.6.0 and 5.6.1) may be at risk. The backdoor was included in official packages for major Linux distributions, including Debian, Fedora, openSUSE, and Red Hat.
What to do
- Verify that your Docker images do not use xz-utils versions 5.6.0 or 5.6.1. Ensure the library is updated to version 5.6.2 or later.
- Manually check for the presence of the backdoor in any dependent open-source software.
- Avoid using outdated images from Docker Hub that may contain the backdoored library.
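One way to carry out the first check against a local image, as an added example that is not part of the original brief: the script maps the package version an image reports to its upstream xz release (including Debian "+really" rebuilds, whose version string looks newer than the source they actually contain) and flags 5.6.0 and 5.6.1. It assumes Docker is installed locally and uses Debian's liblzma5 and Fedora's xz-libs package names; the image names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not part of the original brief): map an xz-utils / liblzma
# package version to its upstream release, flag the two backdoored releases,
# and apply that check to a local Docker image. Image names are placeholders.

# Reduce a package version string to the upstream xz release, e.g.
#   "5.6.1-1"              -> 5.6.1  (Debian revision stripped)
#   "5.6.0-2.fc40"         -> 5.6.0  (RPM release stripped)
#   "5.6.1+really5.4.5-1"  -> 5.4.5  (Debian "+really" rebuild: the real source is 5.4.5)
#   "xz (XZ Utils) 5.6.1"  -> 5.6.1  (first line of `xz --version`)
upstream_xz_version() {
  v=$1
  v=${v#*:}                                             # drop a Debian epoch ("1:")
  case "$v" in *'+really'*) v=${v##*+really} ;; esac    # keep the part after "+really"
  v=${v##* }                                            # drop any "xz (XZ Utils) " prefix
  v=${v%%-*}                                            # drop the distro revision
  v=${v%%[!0-9.]*}                                      # drop any trailing tag such as "~rc1"
  printf '%s\n' "$v"
}

# Exit 0 when the upstream release is one of the two CVE-2024-3094 versions.
is_backdoored_xz() {
  case "$(upstream_xz_version "$1")" in
    5.6.0|5.6.1) return 0 ;;
    *)           return 1 ;;
  esac
}

# Read the liblzma version out of an image's package database (dpkg, then rpm),
# falling back to `xz --version`; only the package tools and xz itself run.
# Prints "IMAGE: VERSION: BACKDOORED|clean" or "IMAGE: unknown"; exit 1 = backdoored.
scan_image() {
  img=$1
  raw=$(docker run --rm --entrypoint sh "$img" -c '
    if command -v dpkg-query >/dev/null; then dpkg-query -W -f="\${Version}" liblzma5
    elif command -v rpm >/dev/null; then rpm -q --qf "%{VERSION}-%{RELEASE}" xz-libs
    else xz --version 2>/dev/null | head -n 1; fi' 2>/dev/null)
  ver=$(upstream_xz_version "$raw")
  if [ -z "$ver" ]; then echo "$img: unknown (no sh or no xz-utils package)"; return 2; fi
  if is_backdoored_xz "$ver"; then echo "$img: $ver: BACKDOORED (CVE-2024-3094)"; return 1; fi
  echo "$img: $ver: clean"
}

# Usage (placeholder image names): sh xzcheck.sh debian:bookworm-slim fedora:40 myorg/app:latest
for img in "$@"; do scan_image "$img" || true; done
```

Images without a shell (distroless) report "unknown" and need their filesystem inspected another way, for example by exporting the image and reading the dpkg or rpm database directly.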