Introduction

EVS is actively responding to the reported vulnerability in XZ utils, an open-source data compression utility available on almost all installations of Linux. We are currently conducting a product-by-product analysis to determine if any are potentially impacted by the vulnerability. This is an ongoing investigation, so please check this bulletin page frequently for updates. 

Description

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file in the source code and uses it to modify specific functions in the liblzma code. The resulting modified liblzma library can be used by any software linked against it, and it intercepts and modifies the data that software exchanges with the library.
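
A host triage check for the condition described above, as an added example that is not EVS code or part of the original bulletin: it reads the liblzma version reported by `xz --version`, marks anything at or after the 5.6.0 starting version named here as needing review against your distribution's advisory, and reports whether binaries passed as arguments link liblzma. The function names, the `review` / `before-reported-range` labels and the sample input are assumptions made for this example.

```shell
# Added triage example, not EVS code. Threshold from the bulletin: malicious
# code is reported in upstream xz tarballs starting with version 5.6.0.
FIRST_REPORTED="5.6.0"

# Pull the liblzma version out of `xz --version` output read on stdin.
liblzma_version() {
    sed -n 's/^liblzma \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Print the resolved liblzma path from `ldd` output read on stdin, if any.
linked_liblzma() {
    sed -n 's/^[[:space:]]*liblzma\.so[^ ]* => \([^ ]*\).*/\1/p' | head -n 1
}

# Return 0 when dotted version $1 >= $2, comparing field by field as numbers.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Classify a liblzma version against the bulletin's starting version.
classify() {
    if [ -z "$1" ]; then echo "unknown"
    elif version_ge "$1" "$FIRST_REPORTED"; then echo "review"
    else echo "before-reported-range"
    fi
}

# Constructed sample of `xz --version` output (not captured from a real host).
SAMPLE_XZ='xz (XZ Utils) 5.6.0
liblzma 5.6.0'
echo "sample: $(classify "$(printf '%s\n' "$SAMPLE_XZ" | liblzma_version)")"

# Live check: the local xz, then any binaries passed as arguments.
if command -v xz >/dev/null 2>&1; then
    v=$(xz --version | liblzma_version)
    echo "local liblzma ${v:-?}: $(classify "$v")"
fi
for bin in "$@"; do
    p=$(ldd "$bin" 2>/dev/null | linked_liblzma)
    echo "$bin: ${p:-does not link liblzma}"
done
```

Run `ldd` only against binaries you already trust, since some implementations invoke the target's loader to resolve dependencies.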

 

Products under investigation or not impacted

| Product | Version | Status | Comment |
| --- | --- | --- | --- |
| CCast | All | Not affected | |
| Cerebrum | All | Not affected | |
| Dyvi | All | Under analysis | |
| Ingest Funnel | All | Under analysis | |
| IPDirector | All | Not affected | |
| IPD-VIA | All | Under analysis | |
| IPLink for Adobe | All | Not affected | |
| IPLink for Avid | All | Under analysis | |
| IPWeb | All | Under analysis | |
| LSM Connect | All | Not affected | |
| LSM-VIA | All | Not affected | |
| MAD | All | Under analysis | |
| Mediahub | All | Under analysis | |
| Multicam (XT) | All | Not affected | |
| MultiReview | All | Not affected | |
| Neuron | All | Not affected | |
| PMZ | All | Under analysis | |
| Synapse | All | Not affected | |
| Teradici Cloud Access | All | Not affected | |
| Truck Manager | All | Not affected | |
| XFile | All | Not affected | |
| XnetMonitor | All | Not affected | |
| XSNeo / X-One / Xeebra | All | Not affected | |
| XNetWebMonitor | All | Not affected | |
| Xplore | All | Not affected | |
| Xsquare | All | Not affected | |
| Xstore | All | Under analysis | |
| Xedio | All | Not affected | |

 

Known EVS impacted products & resolution

This list is under investigation and will be regularly updated.

| Product | Version | Status | Workaround | Patch |
| --- | --- | --- | --- | --- |
| None | | | | |

More information

More information and detailed explanations of how this vulnerability works can be found via the links below: