The details
Red Hat assigned CVE-2024-3094.
We investigate issues like this one – so you don’t have to
Looking through the details of the attack reveals a few prerequisites that a system must meet to be affected:
✅ Use a recent version of liblzma (5.6.0+): Chainguard Images were shipping version 5.6.1. Out of an abundance of caution we have rolled back to version 5.4.6 and removed 5.6.0 and 5.6.1 from our distribution; however, we were not affected, and customers and users remain safe from this attack. These Images are available now for our free tier users and customers.
❌ Build liblzma on a Debian- or RPM-based x86_64 distribution. Our packaging of liblzma takes place on our “undistro” Wolfi, which was not specifically targeted by this malware.
❌ Configure the build of OpenSSH to link to liblzma. Our packaging of OpenSSH is part of our open source Wolfi repo, and does not link to liblzma.
Recommendations for Chainguard Images customers
While Chainguard Images are not impacted by this vulnerability, the affected liblzma versions 5.6.0 and 5.6.1, which could have been used to attack other Linux distributions, might still be present in previous Image versions that users and customers have pulled. We recommend Chainguard Images customers and users update to the most recent versions of Chainguard Images, which removed the affected versions of liblzma (5.6.0 and 5.6.1) and rolled back to version 5.4.6.
Chainguard Images customers and users can also leverage each Chainguard Image SBOM and our Chainguard Events API to surface where the affected versions of liblzma are present.
To enable customers to track what Images have been pulled by their users, we've published a demo application that listens to Image pull events and records them in Google BigQuery. You can deploy this example directly, or fork it and make whatever modifications you want.
After recording pull events, you can join the table with SBOM data to determine when Images containing certain packages (such as xz 5.6.x) are pulled, by whom, and from where.
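The SBOM check described above, as an added example that is not part of the original post or of Chainguard's tooling: it scans an SPDX JSON SBOM for xz/liblzma packages at the affected upstream versions 5.6.0 and 5.6.1. The SBOM content, the set of package names, and the apk-style `-rN` revision suffix handling are assumptions for illustration.

```python
import json
import sys
from typing import Dict, List

# Affected upstream xz/liblzma releases named in the post.
AFFECTED_VERSIONS = {"5.6.0", "5.6.1"}

# Package names the xz tarball commonly ships under (assumption; extend as needed).
XZ_PACKAGE_NAMES = {"xz", "xz-utils", "xz-libs", "xz-dev", "liblzma"}

# Constructed minimal SPDX 2.3 JSON SBOM for illustration; not a real Chainguard SBOM.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "example-image",
    "packages": [
        {"name": "openssh-server", "versionInfo": "9.7_p1-r0"},
        {"name": "xz", "versionInfo": "5.6.1-r0"},
        {"name": "glibc", "versionInfo": "2.39-r0"},
    ],
})


def upstream_version(version_info: str) -> str:
    """Strip an apk-style '-rN' package revision so only the upstream version remains."""
    return version_info.split("-r", 1)[0]


def find_affected_packages(sbom_json: str) -> List[Dict[str, str]]:
    """Return the xz/liblzma packages in an SPDX JSON SBOM whose upstream version is affected."""
    sbom = json.loads(sbom_json)
    hits: List[Dict[str, str]] = []
    for pkg in sbom.get("packages", []):
        name = str(pkg.get("name", "")).lower()
        if name not in XZ_PACKAGE_NAMES:
            continue
        version_info = str(pkg.get("versionInfo", ""))
        if upstream_version(version_info) in AFFECTED_VERSIONS:
            hits.append({"name": pkg["name"], "version": version_info})
    return hits


if __name__ == "__main__":
    # Pass an SBOM path to scan a real file; with no argument the constructed sample is used.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SBOM
    for hit in find_affected_packages(data):
        print(f"affected package: {hit['name']} {hit['version']}")
```

The sample reports `xz 5.6.1-r0`; an SBOM from a rolled-back Image (xz 5.4.6) produces no hits.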
For customers that need additional support surfacing this information, please contact Chainguard Support.
What’s next?
This attack is a long game on the part of the author. The malicious code appears to have been added by a core contributor of the upstream xz project among a large number of other changes. We expect this incident to raise significant attention on the xz project which may uncover additional findings. Chainguard will closely monitor any potential new findings and continue to keep our users safe.
Get started with Chainguard Images
Software supply chain security concerns will only continue to be heightened as new threats that have widespread impact on users emerge—like this one. If you are looking to strengthen your software supply chain security defenses, Chainguard is here to help. You can get started with Chainguard Images for free today to see for yourself how we're working to improve the container image landscape with a secure-by-default design. Our Images inventory is always expanding. If you need something you don’t see listed in our Directory, reach out to our team.
Editor's note: This blog post was updated on April 3, 2024 to include additional recommendations for Chainguard Images customers.