Published on April 2, 2024
CVE-2024-3094. A backdoor was deliberately planted in versions 5.6.0 and 5.6.1 of the xz-utils library. Caught on March 29, 2024 by a curious Postgres developer investigating unusual SSH connection times, the attack was stopped before it reached stable distributions. But it could have made it — and that is the real story.
What happened
Over the course of two years, a contributor under the pseudonym Jia Tan earned the trust of the xz-utils community, eventually becoming co-maintainer. With that role, they progressively injected, across several scattered commits, an obfuscated payload into the liblzma library.
At build time, the payload:
- Detects that it is being compiled in a context that will later be loaded by sshd via systemd (distributions that patch sshd to depend on libsystemd, which itself depends on liblzma).
- Hooks specific internal sshd functions at startup.
- Lets anyone in possession of a specific key bypass SSH authentication as any user, with no log trace.
In other words: universal root access on tens of millions of servers, through a backdoor that classical security tooling would not have flagged.
Why this did not become a global disaster
Andres Freund, a Postgres maintainer at Microsoft, was debugging suspicious 500ms SSH connection times. Following the trail, he eventually surfaced the payload — and reported to oss-security on March 29, 2024.
At that point, versions 5.6.0 and 5.6.1 only shipped in:
- Fedora 41 and Rawhide
- Debian testing/unstable/experimental
- openSUSE Tumbleweed, openSUSE MicroOS
- Arch Linux
- A few bleeding edge macOS channels via Homebrew
No stable production distribution shipped those versions. The actual compromise perimeter was tiny.
Are you affected?
Check your installed xz version:
# Debian/Ubuntu
dpkg -l xz-utils liblzma5
# Fedora/RHEL/AlmaLinux/Rocky
rpm -qa | grep -i xz
# Arch
pacman -Q xz
If the output shows 5.6.0 or 5.6.1, you are potentially exposed.
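An added check script, not from the original post, that automates the version test above: it normalises a packaged version string (epoch, distro release suffix, Debian's "+really" revert naming) before comparing it against the two backdoored releases, then reports on the local host. The package names liblzma5, xz-libs and xz are assumed distribution names.

```shell
#!/bin/sh
# Added example (not from the original post): flag xz/liblzma 5.6.0 and 5.6.1
# (CVE-2024-3094). Package names liblzma5 / xz-libs / xz are assumptions.

# Returns 0 (true) when the upstream version is 5.6.0 or 5.6.1. Accepts bare
# ("5.6.1") and packaged ("1:5.6.1-1", "5.6.0-1.fc40") versions. Debian's
# emergency revert was named "5.6.1+really5.4.5": the real upstream version
# follows "+really", so that package is clean.
is_backdoored_xz() {
    v="$1"
    case "$v" in
        *+really*) v="${v#*+really}" ;;
    esac
    v="${v#*:}"     # drop epoch ("1:")
    v="${v%%-*}"    # drop distro release suffix ("-1", "-1.fc40")
    case "$v" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Prints the installed version using the first package manager found, falling
# back to the xz binary itself. Prints nothing if it cannot be determined.
installed_xz_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}\n' liblzma5 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' xz-libs 2>/dev/null
    elif command -v pacman >/dev/null 2>&1; then
        pacman -Q xz 2>/dev/null | awk '{ print $2 }'
    elif command -v xz >/dev/null 2>&1; then
        xz --version 2>/dev/null | awk 'NR == 1 { print $NF }'
    fi
}

# Check this host; never fatal, so the script is safe to source.
report_xz_status() {
    installed=$(installed_xz_version || true)
    if [ -z "$installed" ]; then
        echo "xz: version not determined (no package manager or binary found)"
    elif is_backdoored_xz "$installed"; then
        echo "xz $installed: BACKDOORED release (CVE-2024-3094), downgrade now"
    else
        echo "xz $installed: not one of the backdoored releases"
    fi
}
report_xz_status
```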
What to do
If you are on a 5.6.x version
Downgrade to 5.4.x (the last clean release) immediately. Every affected distribution has shipped fixed packages by now. On Arch:
sudo pacman -Syyuu # full upgrade
On Debian unstable/testing:
sudo apt update && sudo apt install --reinstall xz-utils liblzma5
If you are on a stable distribution
You are not affected. 5.6.0/5.6.1 never reached Debian stable, Ubuntu LTS, RHEL stable, etc.
Either way
Use the episode to ask the broader question: which packages do you build from source or install from unofficial repos? The xz-utils attack exposed how fragile a model can be where a single maintainer of a critical library can compromise the planet. That calls for:
- Strict reduction of internally-built dependencies.
- Use of signed, auditable mirrors.
- Tighter review of critical transitive dependencies (crypto libs, compression libs, drivers, etc.).
Takeaways
xz-utils is not a classical “vulnerability”: it is a supply-chain attack on open-source software, with long-running social engineering (two years of work) and a sophisticated technical payload. Practical lesson: update to a clean version. Strategic lesson: trust in open-source code is not just “it’s public”. Audit what you ship.
For questions, open a ticket from your OnetSolutions client area.