Updated 05 April 2024 - 12:00 CET
EVS is actively responding to the reported vulnerability in XZ utils, an open-source data compression utility available on almost all installations of Linux. We are currently conducting a product-by-product analysis to determine if any are potentially impacted by the vulnerability. This is an ongoing investigation, so please check this bulletin page frequently for updates.
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file in the source code and uses it to modify specific functions in the liblzma code. The result is a modified liblzma library that can be used by any software linked against it, intercepting and modifying that software's data interaction with the library.
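As an added example (not EVS code, and not part of the original bulletin), the script below lists versioned liblzma shared objects in the given directories and flags those at or above the 5.6.0 threshold stated above. The function names and the `review`/`older`/`unknown` labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not EVS code): flag liblzma builds versioned 5.6.0 or later.
# Threshold follows the bulletin text "starting with version 5.6.0".
# "review" means "check against the vendor or distribution advisory";
# the version number alone does not prove the malicious object was built in.

# classify_xz_version VERSION -> prints review | older | unknown
classify_xz_version() {
    ver=${1%%[!0-9.]*}                 # strip suffixes such as "beta" or "-r1"
    case $ver in
        *..*) echo unknown; return 0 ;;    # empty component
        [0-9]*.[0-9]*.[0-9]*) ;;           # need major.minor.patch
        *) echo unknown; return 0 ;;
    esac
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}
    # 5.6.0 is the first 5.6 release, so "minor >= 6" equals ">= 5.6.0".
    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 6 ]; }; then
        echo review
    else
        echo older
    fi
}

# scan_liblzma DIR... -> prints "STATUS VERSION PATH" for each versioned library
scan_liblzma() {
    for dir in "$@"; do
        for lib in "$dir"/liblzma.so.*.*.*; do
            [ -f "$lib" ] || continue      # unmatched glob or not a regular file
            v=${lib##*/liblzma.so.}
            echo "$(classify_xz_version "$v") $v $lib"
        done
    done
}

# Run as: sh check_liblzma.sh /usr/lib /usr/lib64 /lib
if [ "$#" -gt 0 ]; then
    scan_liblzma "$@"
fi
```

Library directories differ between distributions, so pass the ones used on the host being checked.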
Product | Version | Status | Comment |
---|---|---|---|
CCast | All | Not affected | |
Cerebrum | All | Not affected | |
Dyvi | All | Under analysis | |
Ingest Funnel | All | Under analysis | |
IPDirector | All | Not affected | |
IPD-VIA | All | Under analysis | |
IPLink for Adobe | All | Not affected | |
IPLink for Avid | All | Under analysis | |
IPWeb | All | Under analysis | |
LSM Connect | All | Not affected | |
LSM-VIA | All | Not affected | |
MAD | All | Under analysis | |
Mediahub | All | Under analysis | |
Multicam (XT) | All | Not affected | |
MultiReview | All | Not affected | |
Neuron | All | Not affected | |
PMZ | All | Under analysis | |
Synapse | All | Not affected | |
Teradici Cloud Access | All | Not affected | |
Truck Manager | All | Not affected | |
XFile | All | Not affected | |
XnetMonitor | All | Not affected | |
XSNeo / X-One / Xeebra | All | Not affected | |
XNetWebMonitor | All | Not affected | |
Xplore | All | Not affected | |
Xsquare | All | Not affected | |
Xstore | All | Under analysis | |
Xedio | All | Not affected | |
This list is under investigation and will be regularly updated.
Product | Version | Status | Workaround | Patch |
---|---|---|---|---|
None |
More information and detailed explanations of how this vulnerability works can be found via the links below:
XZ Outbreak (CVE-2024-3094): details and mitigations: https://nvd.nist.gov/vuln/detail/CVE-2024-3094
What we know about the xz Utils backdoor that almost infected the world: https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/