Tags: java, maven, sbt, xz

Clarification on Impact of XZ Utility Vulnerability on Code Dependencies (Scala/Akka)


I’ve heard about a critical vulnerability found in SSH servers, particularly affecting XZ utility versions 5.6.0 and 5.6.1, as well as the liblzma library. This vulnerability is tracked under CVE-2024-3094 with a severity score of 10.0, indicating it’s critical.

I’m a bit confused here. Will this vulnerability only impact the operating system level? For instance, I’m currently working with Scala (scala-2.12.18) and Akka. When I searched through my code, I found the following dependency:

<dependency>
  <groupId>org.tukaani</groupId>
  <artifactId>xz</artifactId>
  <scope>test</scope>
</dependency>

It was located at this path:

.sbt\boot\scala-2.12.18\org.scala-sbt\sbt\1.9.6\log4j-core-2.17.1.jar!\META-INF\maven\org.apache.logging.log4j\log4j-core\pom.xml

Additionally, I found this:

<dependency>
  <groupId>org.tukaani</groupId>
  <artifactId>xz</artifactId>
  <version>1.8</version>
  <optional>true</optional>
</dependency>

At this path:

AppData\Local\Coursier\cache\v1\https\repo1.maven.org\maven2\org\apache\commons\commons-compress\1.18\commons-compress-1.18.jar!\META-INF\maven\org.apache.commons\commons-compress\pom.xml

When I checked on https://mvnrepository.com/artifact/org.tukaani/xz, it showed the latest version as 1.9, whereas the affected versions are 5.6.0 and 5.6.1 of XZ Utility.

Can anyone help me understand if I’m missing something here? Is this vulnerability only at the OS level, affecting Linux distributions? When I ran the below command on my server:

strings $(which xz) | egrep "(XZ Utils)"

I got the following response:

xz (XZ Utils) 5.2.2

This confirms that we’re safe. However, I’m still puzzled as to why there’s a difference between the version on Maven Repository and the OS level.

Apologies if I’m missing something basic here.


Solution

  • The CVE affects the XZ utils binaries on your OS, not the Java library.

    There's nothing to do if you rely on the Java library as it's a pure Java library that doesn't rely on the OS binary.

    More information on https://tukaani.org/.
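A triage check that applies the distinction the answer draws, added here as an example that is not from the question or the answer: it flags a host whose `xz --version` output names one of the backdoored native releases and, separately, lists any `org.tukaani:xz` coordinates declared in a POM, which belong to the separate pure-Java project and are outside the CVE's scope. The host names, version output and POM fragment are constructed samples.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Native XZ Utils / liblzma releases carrying the backdoor (CVE-2024-3094).
AFFECTED_NATIVE_VERSIONS = {"5.6.0", "5.6.1"}

# Constructed sample: `xz --version` output collected from two hosts.
SAMPLE_XZ_VERSION_OUTPUT = {
    "build-server": "xz (XZ Utils) 5.2.2\nliblzma 5.2.2",
    "dev-laptop": "xz (XZ Utils) 5.6.1\nliblzma 5.6.1",
}

# Constructed sample: POM fragment declaring the pure-Java xz artifact.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.tukaani</groupId>
      <artifactId>xz</artifactId>
      <version>1.8</version>
      <optional>true</optional>
    </dependency>
  </dependencies>
</project>"""

def native_xz_version(version_output: str) -> Optional[str]:
    """Extract the XZ Utils version from `xz --version` output, or None."""
    m = re.search(r"xz \(XZ Utils\) (\d+\.\d+\.\d+)", version_output)
    return m.group(1) if m else None

def native_xz_affected(version_output: str) -> bool:
    """True when the host's xz binary is one of the backdoored releases."""
    return native_xz_version(version_output) in AFFECTED_NATIVE_VERSIONS

def java_xz_dependencies(pom_xml: str) -> list:
    """Return 'org.tukaani:xz:<version>' coordinates declared in a POM.

    The Java artifact is a separate pure-Java project (1.x version line) that
    neither bundles nor calls the native liblzma, so it is out of CVE scope.
    """
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    found = []
    for dep in ET.fromstring(pom_xml).findall(".//m:dependency", ns):
        group = dep.findtext("m:groupId", default="", namespaces=ns)
        artifact = dep.findtext("m:artifactId", default="", namespaces=ns)
        if (group, artifact) == ("org.tukaani", "xz"):
            version = dep.findtext("m:version", default="unspecified", namespaces=ns)
            found.append(f"{group}:{artifact}:{version}")
    return found

if __name__ == "__main__":
    for host, out in SAMPLE_XZ_VERSION_OUTPUT.items():
        print(host, native_xz_version(out), "AFFECTED" if native_xz_affected(out) else "ok")
    print("Java deps (outside CVE scope):", java_xz_dependencies(SAMPLE_POM))
```

A dependency with no `<version>` element, as in the log4j-core POM quoted in the question, is reported as `unspecified`; resolve it through the parent or dependency management before recording it.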