At this time, we do not believe that ASF projects or ASF infrastructure are directly impacted by CVE-2024-3094. We have no indication that the person(s) responsible for the backdoor have contributed to any ASF projects. After our initial, risk-based triage, our security team is now working with each project’s oversight team (the PMC) to review their possible use of the xz library through dependency for a second level of scrutiny and review.
Project specific information
Situation as reported by each Project Management Committee (PMC).
Last updated 2024-04-02 12:00 UTC.
Project | Status | dylib[1]
---|---|---
Apache Activemq | Clear | No
Apache Arrow | Clear | Yes
Apache bRPC | Clear | No
Apache Celix | Clear | Yes
Apache Commons Compress | Clear[2] | No
Apache Cordova | Clear | Yes
Apache CouchDB | Clear | No[3]
Apache Guacamole | Clear | Yes
Apache IoTDB | Clear[2] | No
Apache Kudu | Clear | No
Apache Log4cxx | Clear | No
Apache Log4j | Clear[1] | No
Apache Log4net | Clear | No
Apache Lucene | Clear | No
Apache Mesos | Clear | Yes[1-bis]
Apache MyNewt | Clear | No
Apache OpenOffice | Clear | Yes[1-bis]
Apache Qpid | Clear | No
Apache Solr | Clear | No
Apache Serf | Clear | No
Apache Subversion | Clear | Yes
Apache Thrift | Clear | Yes[1]
Apache Trafficserver | Clear | Yes[4]
Apache Uima | Clear | No
Apache Uima CPP | Clear | No
Note 1: In certain deployments, executables may rely on a local/system-level dynamically-loaded library containing code from XZ (either directly or, for example, via language bindings). End users should follow the instructions and updates of their OS and package managers.
Note 1-bis: Binaries shipped by the ASF do not rely on the OS/system-level XZ library, but builds by third parties may. In these cases end users should follow the instructions and updates of their OS and package managers.
Note 2: This Java project relies on org.tukaani/xz version 1.9 (21 March 2021) or earlier; these releases predate the known actions of the bad actor(s) associated with CVE-2024-3094.
Note 3: The web interface has a Node.js build-time dependency but relies on the Node.js 18 runtime, a release that likely predates this issue. The Node project announced on March 27th a security release for April 3rd that we first suspected might be related, but that turned out to be unrelated after all.
Note 4: Optional runtime dependency on the (local) liblzma; the project does not ship a binary for the library, so any impact depends on how it is compiled locally and on whether a compromised version of liblzma is present. In these cases end users should follow the instructions and updates of their OS and package managers.
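For the case described in Notes 1 and 4 (an executable that picks up the system liblzma at run time), the following added example, not ASF tooling, shows how an operator can check a binary on a host: it reads the binary's `ldd` output for a liblzma linkage and compares the installed xz version against the two upstream releases (5.6.0 and 5.6.1) known to carry the CVE-2024-3094 backdoor. The sample `ldd` output embedded below is constructed, and `check_binary` assumes `ldd` and `xz` are on the PATH.

```shell
#!/bin/sh
# Added example (not ASF's own tooling). Checks whether a binary would load the
# system liblzma and whether that liblzma is a known backdoored release.

# Constructed sample ldd output, as a dynamically linked binary would show it.
SAMPLE_LDD='linux-vdso.so.1 (0x00007ffd1a2b3000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f3c10000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c0fe00000)'
SAMPLE_LDD_CLEAN='linux-vdso.so.1 (0x00007ffd1a2b3000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c0fe00000)'

# 0 if the ldd-style text names liblzma (binary loads the system XZ library), else 1.
links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# 0 if the version string is one of the two backdoored upstream releases
# (5.6.0, 5.6.1), accepting distro suffixes such as 5.6.1-1 or 5.6.0+dfsg; else 1.
is_backdoored_version() {
    case "$1" in
        5.6.0|5.6.0[-+.]*|5.6.1|5.6.1[-+.]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Installed xz version, taken from the first line of `xz --version`
# ("xz (XZ Utils) 5.4.5" -> "5.4.5"); empty if xz is not installed.
installed_xz_version() {
    xz --version 2>/dev/null | head -n1 | awk '{print $NF}'
}

# Check one binary on this host. Returns 1 only when it links liblzma AND the
# installed xz is a backdoored release; 2 if the path is not executable.
check_binary() {
    bin="$1"
    [ -x "$bin" ] || { echo "not executable: $bin"; return 2; }
    deps=$(ldd "$bin" 2>/dev/null)
    if ! links_liblzma "$deps"; then
        echo "$bin: does not link liblzma"; return 0
    fi
    ver=$(installed_xz_version)
    if is_backdoored_version "$ver"; then
        echo "$bin: links liblzma; installed xz $ver is a known backdoored release, update via the OS package manager"
        return 1
    fi
    echo "$bin: links liblzma; installed xz ${ver:-unknown} is not a known backdoored release"
    return 0
}
# usage: check_binary /usr/bin/xz
```

A "not a known backdoored release" result only rules out the two tainted upstream versions; it does not replace the distribution's own advisory for the package actually installed.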