Posted on 04-03-2024 10:15 AM
Curious how everybody is remediating that new supply chain vulnerability for XZ.
My security team sent me this link - xz-backdoor-attack
I'm guessing an EA to locate non-patched versions, but what about deploying/updating the version? I'm guessing a lot of them were done using brew.
04-03-2024 10:25 AM - edited 04-03-2024 10:26 AM
I ran a ‘which xz’ on all devices with brew installed and only a few had it installed. brew update downgrades it.
Not that it's an actual issue on macOS.
Posted on 04-03-2024 11:06 AM
I'm not a security expert, but according to this, it's only a vulnerability on Linux distros, not BSD like macOS.
https://lwn.net/Articles/968084/
Posted on 04-05-2024 12:45 AM
@ImAMacGuy afaik macOS is not really impacted.
But since xz 5.6.0 and 5.6.1 have been taken off homebrew as well, I decided to run a script that let brew update (well, actually downgrade in this case) xz to the latest recommended version.
If you are interested, have a look at this: https://github.com/adibue/brew-xz-patcher/
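As an added example (not code from this thread or from the linked brew-xz-patcher repository), here is the kind of Extension Attribute check asked about in the opening post: it reports the Homebrew-installed xz version and flags the 5.6.0/5.6.1 releases the replies mention, rather than just running `which xz`. The Homebrew prefixes (/opt/homebrew for Apple silicon, /usr/local for Intel) and the `xz --version` output format are assumptions.

```shell
#!/bin/bash
# Added example, not from the thread: Extension Attribute-style check that
# reports the Homebrew xz version on a Mac and flags the 5.6.0/5.6.1 releases.
# Assumptions: Homebrew lives in /opt/homebrew (Apple silicon) or /usr/local
# (Intel), and `xz --version` prints "xz (XZ Utils) <ver>" on its first line.

# Exit 0 when the version is one of the backdoored releases, 1 otherwise.
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the version number out of `xz --version` output (first line only).
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Turn a version string into the EA verdict: "AFFECTED <ver>" or "OK <ver>".
# An empty or unparseable version is reported as "UNKNOWN" so a binary whose
# version could not be read is never silently treated as safe.
classify_xz_version() {
    ver="$1"
    if [ -z "$ver" ]; then
        echo "UNKNOWN"
    elif is_affected_xz_version "$ver"; then
        echo "AFFECTED $ver"
    else
        echo "OK $ver"
    fi
}

# Inspect one Homebrew prefix and print the verdict for its xz binary.
check_brew_prefix() {
    xz_bin="$1/bin/xz"
    if [ ! -x "$xz_bin" ]; then
        echo "Not installed"
        return 0
    fi
    classify_xz_version "$(parse_xz_version "$("$xz_bin" --version 2>/dev/null)")"
}

# EA entry point: one line per prefix, wrapped in the <result> tags Jamf expects.
result=$(for prefix in /opt/homebrew /usr/local; do
    printf '%s: %s\n' "$prefix" "$(check_brew_prefix "$prefix")"
done)
printf '<result>%s</result>\n' "$result"
```

Scoping the EA to a smart group on "AFFECTED" gives the list of devices to point the downgrade script at.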