docs: xz-utils security advisory (#2557)

* CVE - XZ utils * xz-utils security advisory - update impact statement - add ubuntu security advisory * xz-utils security advisory - list all OS * xz-utils security advisory - change uses to supports * xz-utils security advisory - change images to distributions * xz-utils security advisory - address review comments * docs: language tocuh-up * chore: fixed utlity term --------- Co-authored-by: alagujeeva <alagujeeva22@gmail.com> Co-authored-by: Karl Cardenas <karl@spectrocloud.com>
spectrocloud · Apr 2, 2024 · 1c3d353 · 1c3d353
1 parent 67ae52c
commit 1c3d353
Showing 1 changed file with 35 additions and 0 deletions.
diff --git a/docs/docs-content/security-bulletins/cve-reports.md b/docs/docs-content/security-bulletins/cve-reports.md
@@ -32,6 +32,41 @@ _Are there any links users can visit to find out more?_
 
 -->
 
+## April 2, 2024 - CVE-2024-3094 Malicious Code in XZ Utility - 10 CVSS
+
+Malicious code was discovered in the upstream tarballs of the XZ utility, starting with version 5.6.0, contain malicious
+code. This code is hidden within a test file in the source code and is extracted by the liblzma build process. The code
+then modifies specific functions in the liblzma library, resulting in a modified version of the library. Any software
+that links against this modified library may have its data interaction intercepted and modified. You can learn more
+about the vulnerability in the [CVE-2024-3094](https://nvd.nist.gov/vuln/detail/CVE-2024-3094) reference page.
+
+#### Impact
+
+No impact. None of the OS distributions supported by Palette use the impacted versions of the XZ utils package. Below
+are the links to the security advisories for all the Palette supported OS distributions:
+
+- [Ubuntu 20.04, 22.04, 23.10](https://ubuntu.com/security/CVE-2024-3094)
+- [RHEL 8](https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users)
+- [OpenSUSE Leap](https://www.suse.com/c/suse-addresses-supply-chain-attack-against-xz-compression-library/)
+- [SLE Micro](https://www.suse.com/c/suse-addresses-supply-chain-attack-against-xz-compression-library/)
+
+#### Patches
+
+Not Applicable
+
+### Workarounds
+
+Not Applicable
+
+#### References
+
+- [CVE-2024-3094](https://nvd.nist.gov/vuln/detail/CVE-2024-3094)
+- [Ubuntu CVE Disclosure](https://ubuntu.com/security/CVE-2024-3094)
+- [RedHat CVE Disclosure](https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users)
+- [SUSE CVE Disclosure](https://www.suse.com/c/suse-addresses-supply-chain-attack-against-xz-compression-library/)
+
+<br />
+
 ## January 10, 2024 - CVE-2023-39323 Bypass CGO Restrictions - 8.1 CVSS
 
 Line directives `//line` can be used to bypass the restrictions on `//go:cgo_` directives, allowing blocked linker and