How to Use to Check If You Are Affected by the XZ Backdoor

Michael Lubas, 2024-03-30

TL;DR? Upgrade your Paraxial agent to 2.7.3 in mix. When you start your Elixir app, will record the version of xz you are running in production, to be viewed in the site’s App Audit. 5.6.0 and 5.6.1 have the backdoor, other versions are safe.

XZ is a package used in most Linux distributions, meaning if you are running an Elixir/Phoenix web application on a Linux web server, you probably have it installed. A high severity backdoor was recently discovered in xz versions 5.6.0 and 5.6.1.

To determine if you are affected, run the following:

% xz --version
xz (XZ Utils) 5.4.4
liblzma 5.4.4

If you see 5.6.0 or 5.6.1, you are vulnerable and you need to downgrade.

The target audience of this blog is Elixir developers, and is a security product that can check if an Elixir application is vulnerable. If you are not using Elixir/Phoenix in your work, then the rest of this blog post is not relevant for you. It is about how automates and records this work.

Note that without you will have to ssh into the web server running your Elixir application to determine if it is vulnerable. If you are currently using, App Audit can be used to determine exactly what version of xz you are currently running in production, and store a record for compliance purposes.

Upgrade your agent to 2.7.3 in mix.exs. Earlier versions will not work. Start your Elixir app with:

mix phx.server

Then go to your site’s App Audit page and search for xz:

If you see 5.6.0 or 5.6.1, you are vulnerable. If you do not see xz in App Audit, check your agent version, it must be version 2.7.3. Also check to make sure a scan was recently run (it happens when the application is started with mix phx.server). If you have questions, email for help. I am personally monitoring the inbox to ensure prompt response times due to the developing nature of this backdoor.

Further Reading

Check if you’re vulnerable to CVE-2024-3094, Latio Tech

Everything I Know About the Xz Backdoor

FAQ on the xz-utils backdoor stops data breaches by securing your Elixir and Phoenix apps. Detect and fix critical security issues today. Attending ElixirConf EU (April 17th) in Lisbon? founder Michael Lubas is giving the training Elixir Application Security and will be speaking at the conference. Hope to see you there!

Subscribe to stay up to date on new posts.