Palo Alto Networks Security Advisories / CVE-2024-3094

CVE-2024-3094 Informational: Impact of Malicious Code in XZ Tools and Libraries (CVE-2024-3094)


Informational

Description

The Palo Alto Networks Product Security Assurance team has evaluated the supply chain compromise impacting versions 5.6.0 and 5.6.1 of XZ tools and libraries. These versions of the software may allow unauthorized access to affected systems.

Based on the information presently known, Palo Alto Networks products and cloud services do not contain affected XZ software packages and are not impacted by these issues.

Please refer to the Unit42 Threat Brief for the latest guidance and product offerings to protect customers from CVE-2024-3094 in their environments: https://unit42.paloaltonetworks.com/threat-brief-xz-utils-cve-2024-3094/

CVESummary
CVE-2024-3094Malicious code in distributed source tarballs of xz, starting with version 5.6.0

Product Status

VersionsAffectedUnaffected
Cloud NGFW NoneAll
Cortex XDR NoneAll
Cortex XDR Agent NoneAll
GlobalProtect App NoneAll
PAN-OS NoneAll
Prisma Access NoneAll
Prisma Cloud NoneAll
Prisma Cloud Compute NoneAll

Weakness Type

CWE-506: Embedded Malicious Code

Solution

No software updates are required at this time.

Timeline

Initial Publication
© 2024 Palo Alto Networks, Inc. All rights reserved.