Supply chain vulnerability: liblzma / XZ


The open source project liblzma, used to compress and decompress data and files in the XZ format, has been deliberately compromised by one of the project's authors. The known affected versions, which contain a remote code execution backdoor, are 5.6.0 and 5.6.1.
Older versions might also be affected, since the author who wrote the backdoor had been a member of the team for 2 years. The backdoor appears to be designed to compromise OpenSSH on operating systems that use systemd. JCloud does not use systemd and never deployed 5.6.0 or 5.6.1. Coincidentally, the latest version deployed by JCloud is older than 2 years.

liblzma is used in many other software projects, including web software. In OpenSSH, the backdoor can be triggered through an unauthenticated SSH connection, allowing remote code execution.
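The following triage script is an added example, not part of this advisory or of the xz project; it checks a host against the two affected versions named above and whether the local sshd links liblzma at all (the condition under which the OpenSSH/systemd vector matters). The function names and the /usr/sbin/sshd fallback path are this example's own assumptions.

```shell
#!/bin/sh
# Added example: host triage for the liblzma/xz backdoor.
# Affected versions come from the advisory; function names are assumptions.

# Return 0 if the given liblzma/xz version is one of the backdoored
# releases named in the advisory (5.6.0, 5.6.1), 1 otherwise.
xz_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the library version from `xz --version` output. Prefer the
# "liblzma X.Y.Z" line (the backdoor lives in the library); fall back to
# the last field of the first line, e.g. "xz (XZ Utils) 5.6.1".
xz_version_from_output() {
    printf '%s\n' "$1" | awk '
        NR == 1      { first = $NF }
        /^liblzma /  { print $2; found = 1; exit }
        END          { if (!found) print first }'
}

# Return 0 if the `ldd` output given as $1 shows liblzma mapped into the
# binary (on systemd hosts sshd typically pulls it in via libsystemd).
links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Live check of this host: prints a verdict, returns 0 only when an affected
# liblzma is installed AND sshd links it. Only runs when invoked with --run.
host_check() {
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)  # assumed fallback path
    libs=$(ldd "$sshd_bin" 2>/dev/null)
    if xz_affected "$ver" && links_liblzma "$libs"; then
        echo "AFFECTED: liblzma $ver installed and $sshd_bin links liblzma"
        return 0
    fi
    echo "not affected: liblzma ${ver:-unknown}; sshd links liblzma: $(links_liblzma "$libs" && echo yes || echo no)"
    return 1
}

if [ "${1:-}" = "--run" ]; then
    host_check
fi
```

A "not affected" verdict only covers the two versions named in the advisory; a version-based check cannot rule out other tampering by the same author.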


2024-03-29