Broadcom API Gateway Appliance - Impact of XZ Utils vulnerability ( CVE-2024-3094 )
Article ID: 281653
Updated On:
Products
Issue/Introduction
Reported supply chain compromise found in the XZ Utils library.
Reference: CVE-2024-3094
"Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library."
Cause
Layer7 Appliances running API Gateway 10.x (CentOS) and API Gateway 11.x (Debian) do come packaged with XZ Utils 5.2.x, which does not contain the malicious code.
Resolution
Product is not affected.
Feedback
