xz/liblzma/libarchive compromise

At this time we have no reason to believe Apache projects are directly impacted by this compromise, also known as CVE-2024-3094.

At this time, we do not believe that ASF projects or ASF infrastructure are directly impacted by CVE-2024-3094. We have no indication that the person(s) responsible for the backdoor have contributed to any ASF projects. After an initial, risk-based triage, our security team is now working with each project's oversight team (the PMC) to review whether the project uses the xz library, directly or as a transitive dependency, as a second level of scrutiny and review.

Project specific information

Situation as reported by each Project Management Committee (PMC).

Last updated 2024-04-02 12:00 UTC.

Project                   Status     dylib[1]
------------------------  ---------  ----------
Apache ActiveMQ           Clear      No
Apache Arrow              Clear      Yes
Apache bRPC               Clear      No
Apache Celix              Clear      Yes
Apache Commons Compress   Clear[2]   No
Apache Cordova            Clear      Yes
Apache CouchDB            Clear      No[3]
Apache Guacamole          Clear      Yes
Apache IoTDB              Clear[2]   No
Apache Kudu               Clear      No
Apache Log4cxx            Clear      No
Apache Log4j              Clear[1]   No
Apache Log4net            Clear      No
Apache Lucene             Clear      No
Apache Mesos              Clear      Yes[1-bis]
Apache Mynewt             Clear      No
Apache OpenOffice         Clear      Yes[1-bis]
Apache Qpid               Clear      No
Apache Solr               Clear      No
Apache Serf               Clear      No
Apache Subversion         Clear      Yes
Apache Thrift             Clear      Yes[1]
Apache Traffic Server     Clear      Yes[4]
Apache UIMA               Clear      No
Apache UIMA CPP           Clear      No

The "dylib" column records whether the project's executables may dynamically load a system-level XZ/liblzma library (see Note 1); "Clear" means the PMC found no use of the compromised xz releases.

Note 1: In certain deployments, executables may rely on a local, system-level dynamically loaded library containing code from XZ (either directly or, for example, via language bindings). End users should follow the instructions and updates issued by their OS vendor and package managers.

Note 1-bis: Binaries shipped by the ASF do not rely on an OS/system-level XZ library, but builds by third parties may. In these cases, end users should follow the instructions and updates issued by their OS vendor and package managers.

Note 2: This Java project relies on org.tukaani/xz version 1.9 (21 March 2021) or earlier; these releases predate the known actions of the bad actor(s) associated with CVE-2024-3094.

Note 3: The web interface uses Node.js at build time but relies on the Node.js 18 runtime, a release that likely predates this issue. The Node.js project announced on March 27th a security release for April 3rd that we first suspected might be related, but it turned out to be unrelated.

Note 4: Optional runtime dependency on the (local) liblzma; the project does not ship a binary for the library, so any impact depends on how the project is compiled locally and on whether a compromised version of liblzma is present on the system. In these cases, end users should follow the instructions and updates issued by their OS vendor and package managers.
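Notes 1, 1-bis and 4 all describe the same end-user situation: a third-party or distribution build of an ASF project may load whatever liblzma the system provides. The following POSIX sh helper is an added example, not part of the ASF advisory or of any ASF project, showing the two checks a practitioner would run on such a host: whether a binary dynamically links liblzma at all, and whether the installed XZ Utils is one of the two releases that carried the CVE-2024-3094 backdoor (5.6.0 and 5.6.1). The `ldd` and `xz --version` text embedded below is constructed sample data; the binary paths in live mode are assumptions about a typical Linux layout.

```shell
#!/bin/sh
# Added example (not from the ASF page): check a binary for a system liblzma
# dependency and judge the installed XZ Utils release against CVE-2024-3094.
# Sample ldd/banner text below is constructed; run with --live to inspect the host.

# 0 (true) if the version string is one of the releases carrying the backdoor.
xz_version_is_backdoored() {
  case "$1" in
    5.6.0|5.6.1) return 0 ;;
    *)           return 1 ;;
  esac
}

# Pull "5.6.1" out of an `xz --version` banner such as "xz (XZ Utils) 5.6.1".
xz_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Print the resolved liblzma path from `ldd` output, or nothing if not linked.
liblzma_from_ldd() {
  printf '%s\n' "$1" | awk '$1 ~ /^liblzma\.so/ { print $3; exit }'
}

# Classify one binary from its ldd output ($1) and the installed xz version ($2).
# Prints: not-linked | linked-clean | linked-backdoored | linked-unknown
classify_binary() {
  lib=$(liblzma_from_ldd "$1")
  if [ -z "$lib" ]; then
    echo not-linked
  elif [ -z "$2" ]; then
    echo linked-unknown      # liblzma is loaded but there is no xz version to judge it by
  elif xz_version_is_backdoored "$2"; then
    echo linked-backdoored
  else
    echo linked-clean
  fi
}

# Constructed sample data; library paths and load addresses are illustrative.
SAMPLE_LDD_SSHD='    linux-vdso.so.1 (0x00007ffc3c5d1000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1b8e800000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1b8e7c0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1b8e400000)'
SAMPLE_LDD_STATIC='    statically linked'
SAMPLE_BANNER_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_BANNER_OK='xz (XZ Utils) 5.4.6
liblzma 5.4.6'

# Live mode: inspect a few binaries that commonly pull in liblzma (assumed paths).
if [ "${1:-}" = "--live" ]; then
  host_ver=$(xz_version_from_banner "$(xz --version 2>/dev/null)")
  for bin in /usr/sbin/sshd /usr/bin/xz /usr/bin/svn; do
    [ -x "$bin" ] || continue
    echo "$bin: $(classify_binary "$(ldd "$bin" 2>/dev/null)" "$host_ver")"
  done
fi
```

The version match is a proxy, not proof of compromise: the backdoor was only inserted into builds made from the 5.6.0/5.6.1 release tarballs for x86-64 Linux, so a "linked-backdoored" result is a reason to apply the distribution's downgrade or patched package, while "linked-clean" only says the xz command-line tool reports a release outside that range; on a host where liblzma and the xz binary come from different packages, check the library's package version as well.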
