On March 29, 2024, a backdoor was identified in XZ Utils, a commonly used software package in Linux operating systems.
This development led the U.S. Cybersecurity and Infrastructure Agency (CISA) to release a warning, advising users to revert XZ Utils to a secure version, such as XZ Utils 5.4.6 Stable and can be referenced in CVE-2024-3094 which explains that malicious code is present in the XZ Utils package versions 5.6.0/5.6.1 and can result in the bypass of SSH authentication.
As this package is in such common use, interacts with other software packages, and can be exploited by someone with malicious intent means that its discovery represents a call to action for many organizations as has been done in the past for similar widespread industry event like Log4j.
Does this CVE impact OPSWAT operations?
After a comprehensive review of OPSWAT’s use of Linux operating systems and the packages installed on them, OPSWAT can confirm that no OPSWAT systems contain version 5.6.0 or 5.6.1 of the XZ Utils package.
Does this CVE impact OPSWAT products & services?
OPSWAT has also conducted a thorough review of our developed products and their software dependencies. As a result, OPSWAT can confirm that it does not include XZ Utils 5.6.0 or 5.6.1 into its products or service offerings.
Given our commitment to security, we wanted to ensure we effectively communicated an update upon reaching our earliest assessment.
Should you have any questions or concerns, please don’t hesitate to directly reach out through any of our support channels.
