Skip to content

brinhosa/CVE-2024-3094-One-Liner

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits

readme.md

readme.md

 
 

Repository files navigation

CVE-2024-3094 One Liner Vulnerability Checker

This repository provides simple yet powerful one-liner scripts designed to help you quickly determine if your server is vulnerable to CVE-2024-3094, a critical security vulnerability found in certain versions of the xz utility. Additionally, we offer a convenient way to scan your code repositories for references to the xz library, which might be indicative of potential indirect vulnerabilities.

Check Server Vulnerability

To ascertain whether your server is susceptible to CVE-2024-3094, execute the following command in your terminal:

(type dpkg &>/dev/null && dpkg -l xz 2>/dev/null | awk '/^ii/{print $3}' | grep -qE '^(5.6.0|5.6.1)$' && echo "Vulnerable: CVE-2024-3094" || echo "Not vulnerable or xz not installed") || (type rpm &>/dev/null && rpm -q --qf "%{VERSION}\n" xz 2>/dev/null | grep -qE '^(5.6.0|5.6.1)$' && echo "Vulnerable: CVE-2024-3094" || echo "Not vulnerable or xz not installed")

The above command will check for the packages in the Linux distro.

Or try this other option where the xz command will be executed, this is usually not recommended:

command -v xz &>/dev/null && { xz_version=$(xz --version | head -n 1 | awk '{print $4}'); [[ $xz_version == "5.6.0" || $xz_version == "5.6.1" ]] && echo "Vulnerable: CVE-2024-3094" || echo "Not vulnerable: CVE-2024-3094"; } || echo "xz not installed"

This script performs the following actions:

  • Checks if the xz utility is installed.
  • Determines the installed version of xz.
  • Compares the version against known vulnerable versions (5.6.0 and 5.6.1).
  • Outputs the vulnerability status of your server.

Advanced Vulnerability Check for Docker Images

For teams using Docker and concerned about vulnerabilities within their container images, we offer a sophisticated example using Trivy, an open-source vulnerability scanner by Aqua Security. This method scans Docker images for vulnerabilities, including CVE-2024-3094, and provides a clear output regarding the security status of the image.

Checking Docker Images with Trivy

The following command utilizes Trivy to scan a Docker image (debian:experimental-20240311) for vulnerabilities and filters the results for CVE-2024-3094 related to liblzma5:

docker run --rm -v $('pwd'):/project -w /project aquasec/trivy:latest image --format cyclonedx --scanners vuln --output /project/result.json debian:experimental-20240311@sha256:16cc2b09c44d991d36f63153f13a7c98fb7da6bd2ba9d7cc0f48baacb7484970 && jq -r '.components[] | .properties[] | select(.name == "aquasecurity:trivy:PkgID" and (.value | tostring | test("liblzma5@(5\\.6\\.0|5\\.6\\.1)"))) | .value' result.json | grep -qE '5\.6\.0|5\.6\.1' && echo "Vulnerable: CVE-2024-3094" || echo "Not vulnerable or liblzma5 not found"

How It Works:

  1. Docker Run Command: Initiates a Trivy container, mounting the current directory as a volume to the container. This setup allows Trivy to output the scan results directly to a file (result.json) in the host's current directory.

  2. Trivy Scan: Scans the specified Docker image for vulnerabilities, outputting the results in the CycloneDX format (a standardized format for software bill of materials).

  3. Processing with jq: Filters the scan results to identify the package liblzma5 and checks for the versions "5.6.0" or "5.6.1".

  4. Vulnerability Check: Uses grep to search for vulnerable versions of liblzma5. It prints "Vulnerable: CVE-2024-3094" if found; otherwise, it outputs "Not vulnerable or liblzma5 not found".

This method is highly effective for automated pipelines and can be adapted to check for various vulnerabilities across different Docker images, ensuring your deployments are secure.

Customizing the Scan for Your Docker Images

To use the provided command for scanning your own Docker images, follow these steps to customize the command according to your needs:

  1. Replace the Docker Image: Change debian:experimental-20240311@sha256:16cc2b09c44d991d36f63153f13a7c98fb7da6bd2ba9d7cc0f48baacb7484970 with the image you wish to scan. You can specify your image by name and tag (e.g., yourimage:yourtag) or by its digest.

  2. Adjust the Vulnerability Check: If you're scanning for vulnerabilities other than CVE-2024-3094, modify the jq and grep expressions to target the specific packages and versions relevant to the vulnerabilities of interest.

For example, to scan your image named yourimage:yourtag:

docker run --rm -v $('pwd'):/project -w /project aquasec/trivy:latest image --format cyclonedx --scanners vuln --output /project/result.json yourimage:yourtag && jq -r '.components[] | .properties[] | select(.name == "aquasecurity:trivy:PkgID" and (.value | tostring | test("liblzma5@(5\\.6\\.0|5\\.6\\.1)"))) | .value' result.json | grep -qE '5\.6\.0|5\.6\.1' && echo "Vulnerable: CVE-2024-3094" || echo "Not vulnerable or liblzma5 not found"

Tips for Customization:

  • For Different Vulnerabilities: Replace "liblzma5@(5\\.6\\.0|5\\.6\\.1)" in the jq command with the package and versions you are interested in. For example, to check for openssl version "1.1.1", you might use openssl@(1\\.1\\.1).

  • For Different Properties: Depending on the vulnerability or package, you might need to adjust .name == "aquasecurity:trivy:PkgID" to target different properties in the CycloneDX output.

Ensuring Accurate Scans

  • Regular Updates: Ensure that your instance of Trivy is regularly updated to have the latest vulnerability definitions. This can usually be achieved by pulling the latest aquasec/trivy image before running scans.

  • Understanding Output: Familiarize yourself with the output format of Trivy and jq processing to accurately interpret the results and understand the implications for your Docker images.

Scan Code Repositories for xz References

If you're maintaining code that potentially interacts with or depends on the xz library, it's crucial to identify any explicit references to vulnerable library versions. Use the following commands to scan your repositories:

Search for "tukaani" References

The tukaani project is the home of the xz utility. To find mentions within your code:

grep -rnH "tukaani" .

Search for Maven Dependency References

For Java projects using Maven, you might specify xz as a dependency in your pom.xml. To locate these references:

grep -rnH "org.tukaani:xz:" .

These commands will recursively search the current directory (and subdirectories) for the specified patterns, reporting the file name, line number, and the line containing the match.

Note: Ensure you have the necessary permissions to run these scripts on your server or to scan repositories. Always verify and test scripts in a safe environment before use in production systems.

Feel free to contribute or suggest improvements to this repository by submitting a pull request or opening an issue. Your feedback and contributions are highly appreciated!

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published