We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-9355

Golang-fips: golang fips zeroed buffer



Assignerredhat
Reserved2024-09-30
Published2024-10-01
Updated2024-10-10

Description

A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum.  It is also possible to force a derived key to be all zeros instead of an unpredictable value.  This may have follow-on implications for the Go TLS stack.



MEDIUM: 6.5CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

Problem types

Use of Uninitialized Variable

Product status

Default status
affected

8100020241001112709.a3795dee before *
unaffected

Default status
affected

0:1.21.13-4.el9_4 before *
unaffected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
unaffected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
unaffected

Default status
unaffected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Timeline

2024-09-30:Reported to Red Hat.
2024-09-30:Made public.

Credits

This issue was discovered by David Benoit (Red Hat).

References

https://access.redhat.com/errata/RHSA-2024:7502 (RHSA-2024:7502) vendor-advisory

https://access.redhat.com/errata/RHSA-2024:7550 (RHSA-2024:7550) vendor-advisory

https://access.redhat.com/security/cve/CVE-2024-9355 vdb-entry

https://bugzilla.redhat.com/show_bug.cgi?id=2315719 (RHBZ#2315719) issue-tracking

cve.org CVE-2024-9355

nvd.nist.gov CVE-2024-9355

Download JSON

Share this page
https://cve.threatint.com
Subscribe to our newsletter to learn more about our work.