XZ Vulnerability (CVE-2024-3094)

ImAMacGuy
Valued Contributor II

Curious how everybody is remediating that new supply chain vulnerability for XZ.  

My security team sent me this link - xz-backdoor-attack 

I'm guessing an EA to locate non-patched versions, but what about deploying/updating the version?  I'm guessing a lot of them were done using brew.  

 

3 REPLIES 3

jamf-42
Valued Contributor II

I ran a ‘which xz’ on all devices with brew installed and only a few had it installed.. brew update downgrades it.

not that it an actual issue on macOS 

talkingmoose
Moderator
Moderator

I'm not a security expert, but according to this, it's only a vulnerability on Linux distros not BSD like macOS.

https://lwn.net/Articles/968084/

https://www.reddit.com/r/cybersecurity/comments/1btz1w6/mac_os_running_homebrew_may_be_vulnerable_to...

 

abuehler
New Contributor III

@ImAMacGuy afaik macOS is not really impacted.
But since xt 5.6.0 and 5.6.1 have been taken off homebrew as well, I decided to run a script that let brew update (well, actually downgrade in this case) xz to the latest recommended version.

If you are interested, have look at this: https://github.com/adibue/brew-xz-patcher/