On Friday, March 29, 2024, a backdoor was found embedded in the source of recently released versions of XZ Utils (5.6.0 and 5.6.1), whose liblzma library is used by many applications to handle LZMA compression. The vulnerability was assigned CVE-2024-3094. Because of the severity of this supply-chain style of attack, the CVE has received a CVSS score of 10.0 out of 10. Details and history of the incident are being covered by various news outlets.
We are writing to let you know that BrickStor SP does not contain the XZ library, has never included any version of it as a software component, and is therefore not affected by this vulnerability. We will continue to monitor ongoing research and findings concerning it.
Given the severity and nature of CVE-2024-3094, RackTop suggests that its customers scrutinize their wider infrastructure and follow their vendors' guidance for remediating any vulnerable software that may be present.