Elastic Security Statement for CVE-2024-3094, xz versions 5.6.0 and 5.6.1

Elastic Products are not affected by this issue.

On March 29th, 2024, Elastic became aware of the malicious code planted in the xz package.

Elastic has performed an investigation to identify any Elastic Products which may be impacted by this issue and we have concluded that no Elastic products use the versions of xz affected by this vulnerability. Therefore, Elastic Products are not affected by this issue.

Reference Links:

• oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise
• 500ms to midnight: XZ / liblzma backdoor — Elastic Security Labs
• Urgent security alert for Fedora 41 and Fedora Rawhide users
• [SECURITY] [DSA 5649-1] xz-utils security update
• NVD - CVE-2024-3094