40

Moderator Note: This question relates to a rapidly evolving current event. It has been protected to prevent unrelated banter or answers that do not benefit the post.


In March 2024, a backdoor was discovered in libxz 5.6.0 and 5.6.1.

Does this vulnerability affect Ubuntu LTS or any other Ubuntu release?

Thomas Ward
  • 74,764
  • If you need to keep track of issues, bookmark https://ubuntu.com/security/cves; it will have all versions listed with a status specifically for Ubuntu. – Rinzwind Mar 30 '24 at 05:59

3 Answers

27

As a member of the Community Council and as an Ubuntu Developer myself, I reached out to Debian and Ubuntu security contacts.

LTS and currently stable releases of Ubuntu do not have versions of xz that are affected by this, so existing Ubuntu releases are unaffected.

The impacted xz versions were only in noble-proposed which impacts only the in-development release. No versions of xz in already-released versions of Ubuntu are affected.

The in-development release, Noble 24.04, is currently being deep-dived and scoured for whether there is any lasting effect, and both Debian and Ubuntu reverted the packaging to a known-good older xz release that does NOT contain revisions from the malicious actor.

The Ubuntu Security Team is still tracking this, though no impact exists on current stable releases (Noble is not yet released at the time of this post, so it is not considered 'stable'.)

Thomas Ward
  • 74,764
  • When I read https://launchpad.net/ubuntu/+source/xz-utils/+publishinghistory it looks like it did make it into the release pocket of noble, not merely the proposed pocket. – Peter Green Mar 31 '24 at 04:19
  • @PeterGreen I'm not sure exactly how to read that page, but the multiple entries under "release" for 5.6.0 don't seem to list any "published" dates. The CVE tracker page has a comment that "The affected version of xz-utils was only in noble-proposed, and was removed before migrating to noble itself." – IMSoP Mar 31 '24 at 19:18
  • The publishing history does look a bit odd, the "deleted" entries for noble indeed don't list a publish date. On the other hand there is a "deleted" entry for noble-proposed which lists the reason as "moved to noble", and why would it have been deleted from noble if it was never in there? – Peter Green Mar 31 '24 at 21:12
21

Answer: No.

Reasoning:

Edit: On the 30th of March, it got added to Ubuntu CVE

Recap of the results on that page:

trusty    Not vulnerable
xenial    Not vulnerable
bionic    Not vulnerable
focal     Not vulnerable (5.2.4-1ubuntu1.1)
jammy     Not vulnerable (5.2.5-2ubuntu1)
mantic    Not vulnerable (5.4.1-0.2)
upstream  Needs triage

Highest version we have is 5.4.5

noble (libs): XZ-format compression library
5.4.5-0.3: amd64 arm64 armhf i386 ppc64el riscv64 s390x

Publication Date: 2024/03/29 12:30 PM PST

CVE Identifier: CVE-2024-3094

AWS is aware of CVE-2024-3094, which affects versions 5.6.0 and 5.6.1 of the xz-utils package. This issue may attempt to introduce security issues in openssh through the use of liblzma within some operating system environments. Amazon Linux customers are not affected by this issue, and no action is required. AWS infrastructure and services do not utilize the affected software and are not impacted. Users of Bottlerocket are not affected.

Customers using other operating systems are advised to refer to information provided by the OS vendor to address any concerns originating from this reported issue.

cocomac
  • 3,394
Rinzwind
  • 299,756
  • The Ubuntu CVE tracker now lists it, and confirms the "not vulnerable" assessment: https://ubuntu.com/security/CVE-2024-3094 – IMSoP Mar 31 '24 at 19:09
  • 3
    It's worth pointing out that it was more luck than skill that the 'No' wasn't a 'Yes' - Jia Tan pushed hard for the (compromised) version to be included before the last beta freeze. See https://bugs.launchpad.net/ubuntu/+source/xz-utils/+bug/2059417 – James Snell Mar 31 '24 at 22:08
3

For a quick check, run the commands below to get an overview of the machine's information. Focus mainly on versions of the xz and liblzma libraries that must be less than or equal to 5.5.*.

uname -a

lsb_release -a

ldd --version

xz --version

apt list --installed | grep liblzma

lsof -p "$(ps aux | grep 'sshd' | grep 'listener' | awk '{print $2}')" | grep '.so' | grep 'liblzma'

This last command will show if there is an SSH server loading the liblzma library, where you can confirm which version is loaded into memory.

See the output of the above commands:

[screenshot: output of the above commands]

  • 5
    Simpler version of your last command: pgrep -f 'sshd.*listener' | sudo xargs lsof -p | grep -F lzma.so Also: (a) please don't post screenshots of text. Copy the text here and use code formatting instead. (b) I assume you meant 5.6 and not 5.9 in the first paragraph? – muru Mar 30 '24 at 19:07
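The manual checks in this answer (xz version, installed liblzma package, and whether the sshd listener actually maps liblzma) can be folded into one small script. The one below is an added example written for this page, not code from the answer's author or from Ubuntu; it uses only the facts stated above (5.6.0 and 5.6.1 are the backdoored releases, the Ubuntu package versions quoted are outside that set) and assumes a Debian-style package named liblzma5, procps `pgrep`, and readable /proc/<pid>/maps (root is needed to read another user's process). The parsing functions take their input as strings so they can be exercised on constructed output without a live sshd.

```shell
#!/bin/sh
# Added example for CVE-2024-3094, not part of the original answer.
# Pure functions take strings as input so they can run on constructed data;
# check_local_machine() applies them to the host, with every probe guarded.

# Returns 0 (true) when the upstream version is one of the two backdoored releases.
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Reduce a Debian/Ubuntu package version to its upstream part:
# "5.6.0-0.2" -> "5.6.0", "1:5.4.5-0.3" -> "5.4.5" (optional epoch handled).
upstream_of_debian_version() {
    v=${1#*:}                  # drop an optional epoch prefix
    printf '%s\n' "${v%%-*}"   # drop the Debian revision
}

# Pull the version out of the first line of `xz --version`,
# e.g. "xz (XZ Utils) 5.4.5" -> "5.4.5". Prints nothing on unexpected input.
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}

# One-word verdict for a version string from either source above.
verdict_for_version() {
    if [ -z "$1" ]; then
        echo "unknown"
    elif is_affected_xz_version "$1"; then
        echo "AFFECTED"
    else
        echo "not-affected"
    fi
}

# Paths of liblzma objects actually mapped into the sshd listener process,
# read from /proc/<pid>/maps. Returns 1 if no listener is running;
# prints nothing if sshd runs but does not map liblzma (or maps are unreadable).
sshd_loaded_liblzma() {
    pid=$(pgrep -f 'sshd.*listener' 2>/dev/null | head -n 1)
    [ -n "$pid" ] || return 1
    awk '$6 ~ /liblzma\.so/ {print $6}' "/proc/$pid/maps" 2>/dev/null | sort -u
}

# Apply the checks to this machine. Runs cleanly even where xz, dpkg or sshd
# are absent; run with sudo to be able to read the sshd listener's maps.
check_local_machine() {
    banner=$(xz --version 2>/dev/null || true)
    echo "xz binary:    $(verdict_for_version "$(xz_version_from_banner "$banner")")"

    if command -v dpkg-query >/dev/null 2>&1; then
        pkg=$(dpkg-query -W -f='${Version}' liblzma5 2>/dev/null || true)
        echo "liblzma5 pkg: $(verdict_for_version "$(upstream_of_debian_version "$pkg")")"
    fi

    if libs=$(sshd_loaded_liblzma); then
        echo "sshd maps:    ${libs:-no liblzma mapped}"
    else
        echo "sshd maps:    no sshd listener found (or its maps are not readable)"
    fi
}

check_local_machine
```

The version check is deliberately an exact match on the two backdoored upstream versions rather than a "less than 5.6" comparison, so a patched 5.6.x rebuild is not misreported; the maps check is the same question the answer's `lsof` pipeline asks, read directly from /proc so it does not depend on lsof being installed.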