Last updated on April 3, 2024 at 02:40 pm

We’re aware of a critical vulnerability impacting XZ Utils, where malicious code was inserted into a library that could allow for remote code execution via Secure Shell Protocol (SSH). 

XZ is a general-purpose data compression format present in nearly every Linux distribution software. Successful exploitation of this vulnerability could allow inadvertent remote code execution by the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The affected XZ Utils versions are: 

  • 5.6.0
  • 5.6.1

Schools using these versions should roll back XZ Utils to a version prior to 5.6.x. You can find more information about this vulnerability on the National Cyber Security Centre Advisory here.