Replicated’s Response to CVE-2024-3094, aka the backdoor in xz library

Andrew Storms
 | 
Apr 4, 2024

On March 29th, 2024, a security compromise impacting SSH was unveiled, originating from a vulnerability within the upstream xz/liblzma package. A backdoor had been inserted into the upstream XZ Utils Data Compression Library project, capable of manipulating the behavior of sshd through a complex chain of events.

Due to the significant CVE associated with these vulnerabilities, Replicated initiated a risk assessment process on March 29th, 2024. Initially, our image scanning tools and software composition analysis indicated that none of our products were affected by the vulnerability.

Our KOTS and SDK products are constructed on Wolfi images and undergo frequent rebuilding to minimize the number of CVEs. However, as the week progressed and new information came to light, we engaged with several of our customers to discuss the unfolding events. Despite our image scanners providing clear reports, upon reviewing the Chainguard blog post, we deemed it prudent to release a new version incorporating the latest Wolfi packages to ensure that the vulnerable xz library was not utilized.

On April 3rd 2024, we released KOTS v1.108.4, ensuring that our software does not use or reference the vulnerable xz library. We will continue to monitor developments and respond accordingly.

Should customers have any questions or concerns, they are encouraged to reach out to us directly.