HCSEC-2024-06 - HashiCorp Response to XZ Utils Supply Chain Attack (CVE-2024-3094)

Bulletin ID: HCSEC-2024-06
Affected Products / Versions: None known at this time.
Publication Date: April 2, 2024

Summary
HashiCorp products and services have no known exposure to the XZ Utils (xz/liblzma) supply chain attack and associated vulnerability, CVE-2024-3094, at this time. This bulletin will be updated if this situation changes.

Background
A supply chain attack that introduced malicious code into the XZ Utils project was disclosed publicly on March 29, 2024.

There are many sources of information about this, including the original disclosure, the CVE record, and a CISA advisory.

Details
Generally, HashiCorp products and services utilize a combination of proprietary and open source dependencies for build and operation. Our investigation continues, but HashiCorp products and services have no known exposure to this attack at this point in time.

More broadly, beyond HashiCorp’s core products and services, HashiCorp uses software products and cloud services from a range of vendors across our business. We are tracking developments and will continue to systematically evaluate our exposure and take remediation action as appropriate.

Remediation
None necessary at this time. This bulletin will be updated if this situation changes.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.