This repository provides simple one-liner scripts to help you quickly determine whether your server is running a version of the `xz` utility affected by CVE-2024-3094, the backdoor inserted into the liblzma library shipped in xz 5.6.0 and 5.6.1. It also offers a convenient way to scan your code repositories for references to the `xz` library, which might indicate an indirect exposure.
To check whether your server is affected by CVE-2024-3094, run the following command in your terminal:

```bash
{ command -v dpkg-query >/dev/null 2>&1 && dpkg-query -W -f='${Package} ${Version}\n' xz-utils liblzma5 2>/dev/null; command -v rpm >/dev/null 2>&1 && rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' xz xz-libs 2>/dev/null; } | grep -qE ' ([0-9]+:)?5\.6\.[01](-|$)' && echo "Vulnerable: CVE-2024-3094" || echo "Not vulnerable or xz not installed"
```

The command above asks the distribution's package database for the installed versions of xz and its library (`xz-utils`/`liblzma5` on Debian and Ubuntu, `xz`/`xz-libs` on Fedora and RHEL) without executing the `xz` binary. Package versions carry distribution suffixes (for example `5.6.1-1` or `5.6.0-0.2`) and sometimes an epoch, so the match is on the upstream version `5.6.0`/`5.6.1` followed by the revision separator; Debian's rollback version `5.6.1+really5.4.5-1` is deliberately not matched, because it carries 5.4.5 code. Treat a version match as a screening result: the malicious code was only built into the release tarballs of 5.6.0 and 5.6.1 on x86-64 Linux deb/rpm builds, and the known payload targets `sshd` through liblzma.
Alternatively, you can ask the `xz` binary itself. This is less advisable on a host you suspect is compromised, because it executes the potentially backdoored code (liblzma is linked into `xz`):

```bash
command -v xz &>/dev/null && { xz_version=$(xz --version | head -n 1 | awk '{print $4}'); [[ $xz_version == "5.6.0" || $xz_version == "5.6.1" ]] && echo "Vulnerable: CVE-2024-3094" || echo "Not vulnerable: CVE-2024-3094"; } || echo "xz not installed"
```
This command performs the following actions:

- Checks whether the `xz` utility is installed.
- Determines the installed version of `xz` from the first line of `xz --version` (e.g. `xz (XZ Utils) 5.6.1`).
- Compares the version against the known vulnerable versions (5.6.0 and 5.6.1).
- Outputs the vulnerability status of your server.
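The following script is an added example, not one of the repository's one-liners. It combines the two checks above into one POSIX sh script that asks the package database rather than the binary, and it handles the version decorations a plain string comparison misses: epochs, Debian revisions such as `5.6.0-0.2`, RPM releases such as `5.6.0-1.fc40`, and Debian's rollback version `5.6.1+really5.4.5-1`, which carries 5.4.5 code and must not be flagged. It goes one step beyond the page's version check by also reporting whether the local `sshd` links liblzma, the path through which the known payload is reached. The package names (`xz-utils`/`liblzma5` on Debian and Ubuntu, `xz`/`xz-libs` on Fedora and RHEL) and the `/usr/sbin/sshd` fallback path are assumptions about the hosts you run it on.

```shell
#!/bin/sh
# Added example (not part of this repository's one-liners): classify xz/liblzma
# version strings and query the package manager without running the xz binary.
# Assumed package names: Debian/Ubuntu xz-utils + liblzma5, Fedora/RHEL xz + xz-libs.

# Return 0 if VERSION denotes upstream xz 5.6.0 or 5.6.1.
# Accepts the decorated forms package managers report: an epoch ("1:5.6.1"),
# a Debian revision ("5.6.1-1", "5.6.0-0.2") and an RPM release ("5.6.0-1.fc40").
# Debian's rollback "5.6.1+really5.4.5-1" is NOT matched: it is 5.4.5 code.
xz_version_is_vulnerable() {
  v=${1#*:}          # drop the epoch, if any
  v=${v%%-*}         # drop everything from the first '-' (revision/release)
  case "$v" in
    5.6.0|5.6.1) return 0 ;;
    *) return 1 ;;
  esac
}

# Extract the version from `xz --version` output, whose first line is
# "xz (XZ Utils) 5.6.1" (fourth whitespace-separated field).
parse_xz_version_output() {
  printf '%s\n' "$1" | awk 'NR==1 {print $4}'
}

# Print "package version" lines for the installed xz packages, using the
# package database only. Prints nothing if neither dpkg nor rpm is present
# or the packages are absent.
installed_xz_versions() {
  if command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f='${Package} ${Version}\n' xz-utils liblzma5 2>/dev/null
  elif command -v rpm >/dev/null 2>&1; then
    # rpm reports missing packages on stdout; drop those lines
    rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' xz xz-libs 2>/dev/null \
      | grep -v ' is not installed$'
  fi
  return 0
}

# Classify every installed xz package: return 0 if any is a vulnerable
# version, 1 if none is, 2 if nothing could be determined.
check_host() {
  versions=$(installed_xz_versions)
  if [ -z "$versions" ]; then
    echo "Undetermined: xz packages not found via dpkg/rpm"
    return 2
  fi
  status=1
  while read -r pkg ver; do
    [ -n "$ver" ] || continue
    if xz_version_is_vulnerable "$ver"; then
      echo "Vulnerable: $pkg $ver (CVE-2024-3094)"
      status=0
    else
      echo "Not affected: $pkg $ver"
    fi
  done <<EOF
$versions
EOF
  return $status
}

# Beyond the version check: the known payload is reached through sshd, which
# on affected distributions links liblzma (via libsystemd). Return 0 if the
# local sshd links liblzma, 1 if not, 2 if no sshd binary was found.
sshd_links_liblzma() {
  sshd=$(command -v sshd 2>/dev/null) || sshd=/usr/sbin/sshd   # assumed path
  [ -x "$sshd" ] || return 2
  ldd "$sshd" 2>/dev/null | grep -q 'liblzma'
}

# Run the host check only when invoked as `sh script.sh --check`, so the
# functions above can also be sourced from other scripts.
if [ "${1:-}" = "--check" ]; then
  check_host
  rc=$?
  if sshd_links_liblzma; then echo "Note: sshd links liblzma"; fi
  exit $rc
fi
```

The exit status distinguishes "vulnerable" (0), "not affected" (1) and "could not determine" (2), so a fleet-wide run can separate hosts that need attention from hosts where the check simply did not apply.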
For teams using Docker and concerned about vulnerabilities within their container images, here is a more thorough example using Trivy, the open-source vulnerability scanner by Aqua Security. It scans a Docker image, writes a CycloneDX SBOM, and reports whether the image ships an affected `liblzma5` package.

The following command uses Trivy to scan a Docker image (`debian:experimental-20240311`, pinned by digest so the result refers to exactly one image) and filters the results for the `liblzma5` versions affected by CVE-2024-3094:

```bash
docker run --rm -v "$PWD":/project -w /project aquasec/trivy:latest image --format cyclonedx --scanners vuln --output /project/result.json debian:experimental-20240311@sha256:16cc2b09c44d991d36f63153f13a7c98fb7da6bd2ba9d7cc0f48baacb7484970 && jq -r '.components[] | .properties[]? | select(.name == "aquasecurity:trivy:PkgID" and (.value | tostring | test("liblzma5@(5\\.6\\.0|5\\.6\\.1)"))) | .value' result.json | grep -qE '5\.6\.0|5\.6\.1' && echo "Vulnerable: CVE-2024-3094" || echo "Not vulnerable or liblzma5 not found"
```
How It Works:

- Docker Run Command: Starts a Trivy container with the current directory mounted as `/project`, so Trivy can write the scan results to `result.json` in the host's current directory.
- Trivy Scan: Scans the specified Docker image for vulnerabilities and outputs the results in CycloneDX format (a standardized format for software bills of materials).
- Processing with `jq`: Walks the `properties` of every component, keeps the `aquasecurity:trivy:PkgID` values (Trivy's `name@version` package identifiers) and selects those for `liblzma5` at version 5.6.0 or 5.6.1. The `[]?` tolerates components that carry no properties array.
- Vulnerability Check: Uses `grep -q` to turn the match into an exit status. It prints "Vulnerable: CVE-2024-3094" if a match was found; otherwise it outputs "Not vulnerable or liblzma5 not found".

Note that the chain is joined with `&&`/`||`, so a failed `docker run` (image not found, no network, Docker daemon not running) also falls through to the "Not vulnerable" message. In a pipeline, check that `result.json` was written, or test the scan's exit status separately.
This method is highly effective for automated pipelines and can be adapted to check for various vulnerabilities across different Docker images, ensuring your deployments are secure.
To use the provided command for scanning your own Docker images, customize it as follows:

- Replace the Docker Image: Change `debian:experimental-20240311@sha256:16cc2b09c44d991d36f63153f13a7c98fb7da6bd2ba9d7cc0f48baacb7484970` to the image you wish to scan. You can specify your image by name and tag (e.g., `yourimage:yourtag`) or by its digest.
- Adjust the Vulnerability Check: If you're scanning for vulnerabilities other than CVE-2024-3094, modify the `jq` and `grep` expressions to target the packages and versions relevant to the vulnerability of interest.

For example, to scan your image named `yourimage:yourtag`:

```bash
docker run --rm -v "$PWD":/project -w /project aquasec/trivy:latest image --format cyclonedx --scanners vuln --output /project/result.json yourimage:yourtag && jq -r '.components[] | .properties[]? | select(.name == "aquasecurity:trivy:PkgID" and (.value | tostring | test("liblzma5@(5\\.6\\.0|5\\.6\\.1)"))) | .value' result.json | grep -qE '5\.6\.0|5\.6\.1' && echo "Vulnerable: CVE-2024-3094" || echo "Not vulnerable or liblzma5 not found"
```
Tips for Customization:

- For Different Vulnerabilities: Replace `"liblzma5@(5\\.6\\.0|5\\.6\\.1)"` in the `jq` command with the package and versions you are interested in. For example, to check for `openssl` version 1.1.1 you might use `openssl@(1\\.1\\.1)`. Use the distribution's package name as Trivy reports it, and remember that the `PkgID` value carries the full distribution version (e.g. `liblzma5@5.6.1-1`), so match on the upstream version prefix rather than anchoring the end of the string.
- For Different Properties: Depending on the vulnerability or package, you might need to adjust `.name == "aquasecurity:trivy:PkgID"` to target different properties in the CycloneDX output. The component's own `name`, `version` and `purl` fields are standard CycloneDX and do not depend on Trivy-specific properties.
- Regular Updates: Ensure that your instance of Trivy is regularly updated so it has the latest vulnerability definitions. Pull the latest `aquasec/trivy` image before running scans.
- Understanding Output: Familiarize yourself with the output format of Trivy and the `jq` processing so you can accurately interpret the results and understand their implications for your Docker images.
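As an added example that is not part of the repository, the script below generalizes the `jq` step from the Trivy section and the customization tips above into one reusable function: it matches on the component's standard CycloneDX `name` and `version` fields, takes the package and version patterns as arguments, and anchors the version pattern so that distribution revisions (`5.6.1-1`, `5.6.0-1.fc40`) match while Debian's rollback `5.6.1+really5.4.5-1` does not. `SAMPLE_SBOM` is a constructed document modelled on Trivy's Debian output (not a real scan result) so the filter can be exercised offline; the `scan_image_for_xz` wrapper shows the same Trivy invocation as above with a distinct exit code for a failed scan. It requires `jq`.

```shell
#!/bin/sh
# Added example (not from the original repository): a reusable filter over a
# CycloneDX SBOM such as the one Trivy writes with `--format cyclonedx`.
# Requires jq. SAMPLE_SBOM is a constructed document modelled on Trivy's
# Debian output; it is not a real scan result.

SAMPLE_SBOM='{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    { "type": "operating-system", "name": "debian", "version": "experimental" },
    { "type": "library", "name": "liblzma5", "version": "5.6.1-1",
      "purl": "pkg:deb/debian/liblzma5@5.6.1-1",
      "properties": [
        { "name": "aquasecurity:trivy:PkgID",   "value": "liblzma5@5.6.1-1" },
        { "name": "aquasecurity:trivy:PkgType", "value": "debian" } ] },
    { "type": "library", "name": "xz-utils", "version": "5.6.1+really5.4.5-1",
      "purl": "pkg:deb/debian/xz-utils@5.6.1%2Breally5.4.5-1",
      "properties": [
        { "name": "aquasecurity:trivy:PkgID",   "value": "xz-utils@5.6.1+really5.4.5-1" } ] },
    { "type": "library", "name": "openssl", "version": "3.1.5-1",
      "properties": [
        { "name": "aquasecurity:trivy:PkgID",   "value": "openssl@3.1.5-1" } ] }
  ]
}'

# Usage: sbom_affected_packages FILE NAME_REGEX VERSION_REGEX
# Prints "name@version" for each component whose name matches NAME_REGEX and
# whose upstream version matches VERSION_REGEX. The version regex is anchored
# to the start of the string and to the revision separator ("-") or end of
# string, so "5\.6\.[01]" matches "5.6.1-1" and "5.6.0-1.fc40" but not
# "5.6.1+really5.4.5-1". Exit status 0 if at least one line was printed.
sbom_affected_packages() {
  jq -r --arg pkg "$2" --arg ver "$3" '
    .components[]?
    | select(.name != null and .version != null)
    | select((.name | test($pkg)) and (.version | test("^(" + $ver + ")(-|$)")))
    | "\(.name)@\(.version)"
  ' "$1" | grep .
}

# Same workflow as the README: scan IMAGE with Trivy into result.json, then
# filter. Returns 2 if the scan itself failed, so a failed scan is never
# reported as "not vulnerable".
scan_image_for_xz() {
  docker run --rm -v "$PWD":/project -w /project aquasec/trivy:latest image \
    --format cyclonedx --scanners vuln --output /project/result.json "$1" \
    || return 2
  sbom_affected_packages result.json '^(liblzma5|xz-utils|xz-libs|xz)$' '5\.6\.[01]'
}

# Run the filter over the constructed sample (offline) with the given regexes.
sample_affected() {
  tmp=$(mktemp) || return 2
  printf '%s\n' "$SAMPLE_SBOM" >"$tmp"
  sbom_affected_packages "$tmp" "$1" "$2" && rc=0 || rc=1
  rm -f "$tmp"
  return $rc
}

# `sh script.sh --demo` prints the verdict on the sample document.
if [ "${1:-}" = "--demo" ]; then
  if sample_affected '^(liblzma5|xz-utils|xz-libs|xz)$' '5\.6\.[01]'; then
    echo "Vulnerable: CVE-2024-3094"
  else
    echo "Not vulnerable or liblzma5 not found"
  fi
fi
```

On a real Trivy SBOM, call `sbom_affected_packages result.json '^(liblzma5|xz-utils|xz-libs|xz)$' '5\.6\.[01]'`; for another advisory, swap in the package-name and upstream-version patterns, as the customization tips describe. Because the filter reads the component's `name` and `version` rather than a Trivy-specific property, it also works on CycloneDX files produced by other SBOM tools.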
If you maintain code that may interact with or depend on the `xz` library, it's important to find any explicit references to it, including vendored copies and build scripts that fetch release tarballs. Use the following commands to scan your repositories.

The `tukaani` project is the home of the `xz` utility. To find mentions within your code (download URLs, vendored sources, Java coordinates):

```bash
grep -rnH "tukaani" .
```

For Java projects, the XZ for Java library is published under the Maven coordinates `org.tukaani:xz`. The colon-separated form below appears in Gradle build files and in `mvn dependency:tree` output; in a Maven `pom.xml` the dependency is written as separate `<groupId>org.tukaani</groupId>` and `<artifactId>xz</artifactId>` elements, so search for the group ID there instead. To locate the colon form:

```bash
grep -rnH "org.tukaani:xz:" .
```

Note that `org.tukaani:xz` is a separate pure-Java implementation with its own version numbering (1.x); it does not contain the liblzma code affected by CVE-2024-3094. A hit shows a dependency on the same project, not on a backdoored build.

These commands recursively search the current directory (and subdirectories) for the specified patterns, reporting the file name, line number, and the matching line.
Note: Ensure you have the necessary permissions to run these scripts on your server or to scan repositories. Always verify and test scripts in a safe environment before use in production systems.
Feel free to contribute or suggest improvements to this repository by submitting a pull request or opening an issue. Your feedback and contributions are highly appreciated!