Ansible Task for Checking CVE-2024-3094

For anyone who wants to run a vulnerability check across all machines at once: an Ansible task that checks for CVE-2024-3094 (the xz backdoor) by looking for the backdoored function signature in the liblzma loaded by sshd and by checking the installed xz version, then prints the result for each host.

- hosts: all
  tasks:
  - name: Run CVE-2024-3094 vulnerability check script
    # The shell module runs /bin/sh by default, so the script below is kept POSIX
    # (no bash-only [[ ... ]] tests).
    shell: |
      set -eu

      echo "Checking system for CVE-2024-3094 Vulnerability..."
      echo "https://nvd.nist.gov/vuln/detail/CVE-2024-3094"

      # find path to liblzma used by sshd
      # adapted from https://www.openwall.com/lists/oss-security/2024/03/29/4
      sshd_path=$(whereis -b sshd | awk '{print $2}')
      path=$(ldd "$sshd_path" 2>/dev/null | grep -o '/.*liblzma[^ ]*' | head -1)

      if [ -z "$path" ]; then
          echo
          echo "Probably not vulnerable (liblzma not found)"
          exit
      fi

      # check for function signature (byte pattern of the backdoored function prologue)
      # adapted from https://www.openwall.com/lists/oss-security/2024/03/29/4
      echo
      echo "Checking for function signature in liblzma..."
      if hexdump -ve '1/1 "%.2x"' "$path" | grep -q 'f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410'; then
          echo "Function signature in liblzma: VULNERABLE"
      else
          echo "Function signature in liblzma: OK"
      fi

      # check xz version (first line of `xz --version` looks like "xz (XZ Utils) 5.6.1")
      echo
      echo "Checking xz version..."
      if ! command -v xz >/dev/null 2>&1; then
          echo "xz binary not found, skipping version check"
          exit
      fi
      xz_version=$(xz --version | head -n1 | awk '{print $4}')
      case "$xz_version" in
          5.6.0|5.6.1) echo "xz version $xz_version: VULNERABLE" ;;
          *)           echo "xz version $xz_version: OK" ;;
      esac
    register: script_output
    # a read-only check should never report a change
    changed_when: false

  - debug:
      var: script_output.stdout_lines
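The same two checks the task performs, reimplemented as an added Python example (not part of the original post) so the detection logic can be unit-tested on constructed inputs and reused outside Ansible. The hex signature and the 5.6.0/5.6.1 version match come from the task above; the `ldd` and `xz --version` sample strings are constructed, and `assess_local()` assumes `sshd`, `ldd` and `xz` are on the PATH of the host it runs on.

```python
import re
import shutil
import subprocess
from typing import Optional

# Byte pattern of the backdoored function prologue, copied from the task's hexdump check.
BACKDOOR_SIGNATURE = bytes.fromhex(
    "f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410")
VULNERABLE_XZ_VERSIONS = {"5.6.0", "5.6.1"}


def liblzma_path_from_ldd(ldd_output: str) -> Optional[str]:
    """Return the first liblzma path listed in `ldd sshd` output, or None if absent."""
    m = re.search(r"(/\S*liblzma\S*)", ldd_output)
    return m.group(1) if m else None


def xz_version_from_output(xz_output: str) -> Optional[str]:
    """Parse 'xz (XZ Utils) 5.6.1' (first line of `xz --version`) into '5.6.1'."""
    first = xz_output.splitlines()[0] if xz_output.strip() else ""
    m = re.search(r"\b(\d+\.\d+\.\d+)\b", first)
    return m.group(1) if m else None


def assess(ldd_output: str, liblzma_bytes: Optional[bytes], xz_output: str) -> dict:
    """Combine both indicators; either one alone marks the host as vulnerable."""
    path = liblzma_path_from_ldd(ldd_output)
    version = xz_version_from_output(xz_output)
    sig = path is not None and liblzma_bytes is not None and BACKDOOR_SIGNATURE in liblzma_bytes
    return {
        "liblzma_path": path,
        "signature_found": sig,
        "xz_version": version,
        "version_vulnerable": version in VULNERABLE_XZ_VERSIONS,
        "vulnerable": sig or version in VULNERABLE_XZ_VERSIONS,
    }


def assess_local() -> dict:
    """Run the same logic against this host (assumes sshd, ldd and xz are installed)."""
    sshd = shutil.which("sshd") or "/usr/sbin/sshd"
    ldd = subprocess.run(["ldd", sshd], capture_output=True, text=True).stdout
    path = liblzma_path_from_ldd(ldd)
    lib = open(path, "rb").read() if path else None
    xz = subprocess.run(["xz", "--version"], capture_output=True, text=True).stdout if shutil.which("xz") else ""
    return assess(ldd, lib, xz)


# Constructed sample inputs (not captured from a real host).
SAMPLE_LDD = "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f3a)\n"
SAMPLE_XZ = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_LIB_CLEAN = b"\x7fELF" + bytes(64)
SAMPLE_LIB_BAD = b"\x7fELF" + b"\x90" * 16 + BACKDOOR_SIGNATURE + b"\xc3"

if __name__ == "__main__":
    print(assess(SAMPLE_LDD, SAMPLE_LIB_BAD, SAMPLE_XZ))
```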

System Specialist, Linux Pilgrim, El-Kernel