Docker Hub still hosts dozens of Linux images with the XZ backdoor

What’s new: The XZ-Utils backdoor, tracked under CVE-2024-3094, is still present in at least 35 Linux images on Docker Hub. This backdoor allows attackers to bypass SSH authentication and execute commands as root. Despite being reported, Debian has opted not to remove these compromised images, citing low risk and the importance of archiving continuity.

Who’s affected

Users and organizations that pull Docker images from Docker Hub, particularly those using images based on the backdoored XZ-Utils library versions 5.6.0 and 5.6.1, are at risk. This includes CI/CD pipelines and production systems that may inadvertently use these compromised images.

What to do

  • Verify that the XZ-Utils library version is 5.6.2 or later in your Docker images.
  • Avoid using outdated images from Docker Hub that may contain the backdoor.
  • Implement scanning tools to detect the XZ-Utils backdoor in your environment.