https://community.appian.com/support/w/kb/3524/kb-2300-information-about-the-xz-utils-data-compression-library-vulnerability-cve-2024-3094en-USTelligent Community 12https://community.appian.com/support/w/kb/3524/kb-2300-information-about-the-xz-utils-data-compression-library-vulnerability-cve-2024-3094Fri, 05 Apr 2024 19:51:32 GMTd3a83456-d57b-489c-a84c-4e8267bb592a:a11c35b8-6ed5-4540-9869-3146e45b5200pauline.delacruzhttps://community.appian.com/support/w/kb/3524/kb-2300-information-about-the-xz-utils-data-compression-library-vulnerability-cve-2024-3094#commentsCurrent Revision posted to Appian Knowledge Base by pauline.delacruz on 4/5/2024 7:51:32 PM<br /> <p><span style="font-weight:400;">On 29-Mar-2024, a Microsoft security researcher </span><a href="https://www.openwall.com/lists/oss-security/2024/03/29/4"><span style="font-weight:400;">announced</span></a><span style="font-weight:400;"> that he had discovered malicious code in the upstream tarballs of xz, a lossless data compression library, starting with version 5.6.0. Shortly thereafter, NVD assigned the backdoor vulnerability a </span><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-3094"><span style="font-weight:400;">CVE</span></a><span style="font-weight:400;">, and </span><a href="https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094"><span style="font-weight:400;">CISA recommended</span></a><span style="font-weight:400;"> all affected users downgrade to an uncompromised version.</span></p> <p><span style="font-weight:400;">Upon assessing the Appian platform against all details of the CVE, we can confirm that the Appian platform is not impacted by this vulnerability as Appian does not utilize the impacted versions described in the above advisories. We will continue to monitor the situation and provide any updates as appropriate.</span></p> <h2><span style="font-weight:400;">Additional Notes:</span></h2> <p><span style="font-weight:400;">The following CVE was released with additional information on the scope of the vulnerability:</span></p> <ul> <li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-3094"><span style="font-weight:400;">CVE-2024-3094</span></a> <span style="font-weight:400;">(&ldquo;XZ: Malicious Code in Distributed Source&rdquo;)</span></li> </ul> <h2><span style="font-weight:400;">Supporting Documentation:</span></h2> <ul> <li style="font-weight:400;"><a href="https://www.openwall.com/lists/oss-security/2024/03/29/4"><span style="font-weight:400;">https://www.openwall.com/lists/oss-security/2024/03/29/4</span><span style="font-weight:400;"><br /></span></a></li> <li style="font-weight:400;"><a href="https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094"><span style="font-weight:400;">https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094</span><span style="font-weight:400;"><br /></span></a></li> </ul> <h2><span style="font-weight:400;">Affected Versions</span></h2> <p><span style="font-weight:400;">This article applies to all supported versions of Appian.</span></p> <p><span style="font-weight:400;">Last reviewed: </span><span style="font-weight:400;">April 5, 2024</span></p><div style="clear:both;"></div> <div style="font-size: 90%;">Tags: Security</div> https://community.appian.com/support/w/kb/3524/kb-2300-information-about-the-xz-utils-data-compression-library-vulnerability-cve-2024-3094/revision/2Fri, 05 Apr 2024 19:50:17 GMTd3a83456-d57b-489c-a84c-4e8267bb592a:a11c35b8-6ed5-4540-9869-3146e45b5200pauline.delacruzhttps://community.appian.com/support/w/kb/3524/kb-2300-information-about-the-xz-utils-data-compression-library-vulnerability-cve-2024-3094#commentsRevision 2 posted to Appian Knowledge Base by pauline.delacruz on 4/5/2024 7:50:17 PM<br /> <p><span style="font-weight:400;">On 29-Mar-2024, a Microsoft security researcher </span><a href="https://www.openwall.com/lists/oss-security/2024/03/29/4"><span style="font-weight:400;">announced</span></a><span style="font-weight:400;"> that he had discovered malicious code in the upstream tarballs of xz, a lossless data compression library, starting with version 5.6.0. Shortly thereafter, NVD assigned the backdoor vulnerability a </span><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-3094"><span style="font-weight:400;">CVE</span></a><span style="font-weight:400;">, and </span><a href="https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094"><span style="font-weight:400;">CISA recommended</span></a><span style="font-weight:400;"> all affected users downgrade to an uncompromised version.</span></p> <p><span style="font-weight:400;">Upon assessing the Appian platform against all details of the CVE, we can confirm that the Appian platform is not impacted by this vulnerability as Appian does not utilize the impacted versions described in the above advisories. We will continue to monitor the situation and provide any updates as appropriate.</span></p> <h2><span style="font-weight:400;">Additional Notes:</span></h2> <p><span style="font-weight:400;">The following CVE was released with additional information on the scope of the vulnerability:</span></p> <ul> <li><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-3094"><span style="font-weight:400;">CVE-2024-3094</span></a> <span style="font-weight:400;">(&ldquo;XZ: Malicious Code in Distributed Source&rdquo;)</span></li> </ul> <h2><span style="font-weight:400;">Supporting Documentation:</span></h2> <ul> <li style="font-weight:400;"><a href="https://www.openwall.com/lists/oss-security/2024/03/29/4"><span style="font-weight:400;">https://www.openwall.com/lists/oss-security/2024/03/29/4</span><span style="font-weight:400;"><br /></span></a></li> <li style="font-weight:400;"><a href="https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094"><span style="font-weight:400;">https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094</span><span style="font-weight:400;"><br /></span></a></li> </ul> <h2><span style="font-weight:400;">Affected Versions</span></h2> <p><span style="font-weight:400;">This article applies to all supported versions of Appian.</span></p> <p><span style="font-weight:400;">Last reviewed: </span><span style="font-weight:400;">April 2024</span></p><div style="clear:both;"></div> https://community.appian.com/support/w/kb/3524/kb-2300-information-about-the-xz-utils-data-compression-library-vulnerability-cve-2024-3094/revision/1Fri, 05 Apr 2024 19:48:23 GMTd3a83456-d57b-489c-a84c-4e8267bb592a:a11c35b8-6ed5-4540-9869-3146e45b5200pauline.delacruzhttps://community.appian.com/support/w/kb/3524/kb-2300-information-about-the-xz-utils-data-compression-library-vulnerability-cve-2024-3094#commentsRevision 1 posted to Appian Knowledge Base by pauline.delacruz on 4/5/2024 7:48:23 PM<br /> <p><span style="font-weight:400;">On 29-Mar-2024, a Microsoft security researcher </span><a href="https://www.openwall.com/lists/oss-security/2024/03/29/4"><span style="font-weight:400;">announced</span></a><span style="font-weight:400;"> that he had discovered malicious code in the upstream tarballs of xz, a lossless data compression library, starting with version 5.6.0. Shortly thereafter, NVD assigned the backdoor vulnerability a </span><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-3094"><span style="font-weight:400;">CVE</span></a><span style="font-weight:400;">, and </span><a href="https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094"><span style="font-weight:400;">CISA recommended</span></a><span style="font-weight:400;"> all affected users downgrade to an uncompromised version.</span></p> <p></p> <p><span style="font-weight:400;">Upon assessing the Appian platform against all details of the CVE, we can confirm that the Appian platform is not impacted by this vulnerability as Appian does not utilize the impacted versions described in the above advisories. We will continue to monitor the situation and provide any updates as appropriate.</span></p> <p></p> <h2><span style="font-weight:400;">Additional Notes:</span></h2> <p><span style="font-weight:400;">The following CVE was released with additional information on the scope of the vulnerability:</span></p> <p></p> <ul> <li style="font-weight:400;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-3094"><span style="font-weight:400;">CVE-2024-3094</span></a> <span style="font-weight:400;">(&ldquo;XZ: Malicious Code in Distributed Source&rdquo;)</span><span style="font-weight:400;"><br /></span><span style="font-weight:400;"><br /></span><span style="font-weight:400;">Supporting Documentation:</span></li> <li style="font-weight:400;"><a href="https://www.openwall.com/lists/oss-security/2024/03/29/4"><span style="font-weight:400;">https://www.openwall.com/lists/oss-security/2024/03/29/4</span><span style="font-weight:400;"><br /><br /></span></a></li> <li style="font-weight:400;"><a href="https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094"><span style="font-weight:400;">https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094</span><span style="font-weight:400;"><br /><br /></span></a></li> </ul> <p><br /><br /></p> <h2><span style="font-weight:400;">Affected Versions</span></h2> <p><span style="font-weight:400;">This article applies to all supported versions of Appian.</span></p> <p><span style="font-weight:400;">Last reviewed: </span><span style="font-weight:400;">April 2024</span></p><div style="clear:both;"></div>