Docker Hub still hosts dozens of Linux images with the XZ backdoor

The XZ-Utils backdoor, first discovered in March 2024, is still present in at least 35 Linux images on Docker Hub, potentially putting users, organizations, and their data at risk.

Docker Hub is the official public container image registry operated by Docker, allowing developers and organizations to upload or download prebuilt images and share them with the community.

Many CI/CD pipelines, developers, and production systems pull images directly from Docker Hub as base layers for their own containers, and if those images are compromised, the new build inherits the flaw or malicious code.

Binarly researchers have discovered numerous Docker images still impacted by the XZ-Utils backdoor.

"At first glance, this might not seem alarming: if the distribution packages were backdoored, then any Docker images based on them would be infected as well," reports Binarly.

"However, what we discovered is that some of these compromised images are still publicly available on Docker Hub. And even more troubling, other images have been built on top of these infected base images, making them transitively infected."

Binarly reported the images to Debian, one of the maintainers still offering backdoored images, which decided not to take them offline, citing the low risk and the importance of archival continuity.

The XZ-Utils backdoor, tracked under CVE-2024-3094, was malicious code hidden in the liblzma.so library of the xz-utils compression tool, versions 5.6.0 and 5.6.1.

It hooked the RSA_public_decrypt function in OpenSSH via glibc's IFUNC mechanism, so if an attacker with a special private key connected over SSH to an affected system, they could bypass authentication and remotely run commands as root.

The backdoor was stealthily injected by a long-time project contributor named "Jia Tan," and shipped in official Linux distro packages like Debian, Fedora, OpenSUSE, and Red Hat, making it one of the most severe software supply chain compromises last year.
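As an added defender-side check (not code from the article or from Binarly), the POSIX sh functions below flag the two backdoored xz-utils releases named above, either from a `xz --version` line or by walking an image filesystem that has been exported with `docker create` / `docker export` and unpacked into a directory. It assumes the distribution ships the shared object under its versioned filename (`liblzma.so.5.6.0` / `liblzma.so.5.6.1`, as Debian and Fedora packages do); the rootfs path and image name are placeholders.

```shell
#!/bin/sh
# Static check for CVE-2024-3094 (xz-utils 5.6.0 / 5.6.1) in an exported image.
#
# Assumed workflow (placeholders, adapt to your environment):
#   docker create --name xzcheck IMAGE:TAG
#   docker export xzcheck | tar -xf - -C /tmp/rootfs
#   scan_rootfs /tmp/rootfs
# Inspecting the exported tree avoids executing anything from the image.

xz_version_vulnerable() {
  # Accepts a bare version ("5.6.1") or the first line of `xz --version`
  # ("xz (XZ Utils) 5.6.1"); succeeds only for the two backdoored releases.
  ver="${1##* }"          # keep the last whitespace-separated token
  case "$ver" in
    5.6.0|5.6.1) return 0 ;;
    *)           return 1 ;;
  esac
}

scan_rootfs() {
  # Walk an unpacked root filesystem; print every liblzma shared object whose
  # versioned filename belongs to a backdoored release. Returns 0 when clean,
  # 1 when at least one hit was found, so it can gate a CI step.
  rootfs="$1"
  hits=$(find "$rootfs" -type f \
           \( -name 'liblzma.so.5.6.0' -o -name 'liblzma.so.5.6.1' \) \
           2>/dev/null)
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits" | sed 's/^/BACKDOORED (CVE-2024-3094): /'
  return 1
}
```

Images that only carry the unversioned `liblzma.so.5` symlink or a statically linked xz need the version-string check against `xz --version` output instead.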