Dear dojo,
Recently a backdoor has been identified in upstream tarballs of the XZ open source library used by many Linux distributions and tools. This is tracked as CVE-2024-3094.
Reading the documentation, I don't think any of the native DataMiner SW products are affected by this vulnerability. I am also thinking about customers with Cassandra & OpenSearch database installations on RHEL, CentOS or Ubuntu. It seems these are not affected.
Can anybody confirm this?
Thanks,
Koen.
Hi Koen,
You are correct that this backdoor does not affect DataMiner. The backdoor specifically targets sshd for Linux. This does mean that customers with Cassandra & OpenSearch installations might be affected, depending on which distro they are running.
This is what I could find on some of the most common Linux distros:
- Ubuntu: not affected
- Debian: stable versions are not affected, but some testing, unstable and experimental are affected
- Red Hat: Fedora Rawhide and Fedora Linux 40 beta are affected, RHEL is not affected
- Arch: some Arch Linux versions are affected
More details can be found in this article.