Security
Elastic Security Statement for CVE-2024-3094, xz versions 5.6.0 and 5.6.1
On March 29th, 2024, Elastic became aware of the malicious code planted in the xz package.
Elastic has performed an investigation to identify any Elastic Products which may be impacted by this issue and we have concluded that no Elastic products use the versions of xz affected by this vulnerability. Therefore, Elastic Products are not affected by this issue.
Related:
- oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise
- 500ms to midnight: XZ / liblzma backdoor — Elastic Security Labs
- Urgent security alert for Fedora 41 and Fedora Rawhide users
- [SECURITY] [DSA 5649-1] xz-utils security update
- NVD - CVE-2024-3094