xz-utils Backdoor: CVE-2024-3094
Priority: ● Critical (CVSS score: 10.0)
Status: In Progress
First Published: April 4, 2024
Advisory Version: 1.02
References: CVE-2024-3094
Summary
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
Affected Products
Vulnerable Products
Hitachi Vantara is currently investigating its product lines to determine if any are affected by this vulnerability. If any products or solutions are found to be impacted, they will be indicated in this section, in subsequent updates to this advisory, along with information regarding fixed release versions (if such information is available at the time.) Likewise, any products or solutions that have been confirmed not to be affected by the given vulnerability will be listed in the section below.
Products Confirmed Not Vulnerable
* As this is an ongoing investigation across all Hitachi Vantara product lines, please note that products may be reclassified as vulnerable as they continue to be evaluated for risk as additional information pertaining to CVE-2024-3094 is released.
| Product | Notes |
| Storage Products |
|
VSP 5000 Series VSP G1x00 and F1x00 VSP E Series VSP Gxx0 and Fxx0 VSP Gx00 and Fx00 VSP N Series Storage Navigator RAID Manager |
Not affected |
| Software Products |
|
Hitachi Ops Center Suite - Including OVA for Ops Center |
|
|
Adapters SVSS/SVMC/SVSA/SVOP/SOBD/SSCOMi/SNFC/SSPC/SVBR/SSPP/SRPC - Including OVA for SVSA (VASA provider) - Including OVA for SVMC (vCenter plugin) |
|
|
HSA Storage Administrator HAD Automation Director HCM Configuration Manager HIAA Infrastructure Analytics Advisor (including Detail View, Probe Server, Windows Probe) |
| Content Products |
| Hitachi Content Platform (HCP) | Not affected |
| Hitachi Data Ingestor (HDI) | Not affected |
| Network Attached Storage |
| HNAS 4000 Series | Not affected |
| HNAS 5000 Series | Not affected |
| VSP One File | Not affected |
Recommended Actions
Please continue to check this Security Advisory, as new information will be added to it as it becomes available.
If any of the information presented above remains unclear, please contact the Hitachi Vantara Global Support Center, or your Vantara-authorized service and support provider.
The information contained herein is for informational purposes only. It is not intended as a guaranty or warranty about Hitachi Vantara’s products, including any guaranty or warranty that any product cannot be exploited by third parties. All product warranties and obligations to a customer must be specified in a mutually acceptable and executed contract between the parties.