On Friday, 2024-03-29, a backdoor was discovered in the ubiquitous xz utils Linux package, commonly used for LZMA compression operations via the liblzma library. This supply-chain attack targets sshd, and can allow malicious actors to execute code with root privileges.
Monit is not affected by this vulnerability.
Our platform exists in a managed, hardened environment that has sshd disabled, with no ability to remote into the machines that run the applications and services that comprise the Monit platform. In addition, we do not use xz utils (or LZMA compression) anywhere in our CI/CD pipeline, and when checking other software dependencies, we confirmed that our Linux distro does not contain an infected version of the liblzma library.
We take our customers' and users' data security and privacy very seriously, and monitor the information security landscape for threats so we can take action when any are discovered. For more information, please see the Information Security Policy and Data Protection and Handling Policy as well as our SOC2 Type 2 report at security.monitapp.io. Our security portal also contains other artifacts that describe how we think about and operationalize information and data security.
Rian Stockbower
Chief Technology Officer