Vulnerability in XZ Utils - thingsHub not affected

Is your thingsHub affected by the XZ vulnerability (CVE-2024-3094)?

Last week, a critical vulnerability (CVE-2024-3094, base score: 10.0 Critical) was discovered in XZ Utils. This vulnerability could potentially allow attackers to execute code on affected systems.

Our development team immediately investigated the impact on our systems. This has led to the following result:

In the system environment of the thingsHub products "Cloud" and "OnPremise", XZ Utils is not installed by default, so these products are not affected by the vulnerability.

Our relevant custom Dockerfiles explicitly exclude the installation of XZ. Additionally, Grafana, which is used within our system, uses the unaffected image alpine:3.19.1 and does not install XZ on it. Likewise, the CNCF-certified Kubernetes engine we use for the thingsHub cloud service (GKE) is not affected by this bug.

If you or your colleagues have any questions about this, you can contact us at any time by e-mail or telephone.

Your SmartMakers thingsHub development team

Published April 9, 2024
