Assigner | redhat |
Reserved | 2024-09-30 |
Published | 2024-10-01 |
Updated | 2024-10-10 |
Description
A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.
MEDIUM: 6.5 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L |
Problem types
Use of Uninitialized Variable
Product status
Default status
affected
8100020241001112709.a3795dee before *
unaffected
Default status
affected
0:1.21.13-4.el9_4 before *
unaffected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
unaffected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
unaffected
Default status
unaffected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Timeline
2024-09-30: | Reported to Red Hat. |
2024-09-30: | Made public. |
Credits
This issue was discovered by David Benoit (Red Hat).
References
https://access.redhat.com/errata/RHSA-2024:7502 (RHSA-2024:7502) vendor-advisory
https://access.redhat.com/errata/RHSA-2024:7550 (RHSA-2024:7550) vendor-advisory
https://access.redhat.com/security/cve/CVE-2024-9355 vdb-entry
https://bugzilla.redhat.com/show_bug.cgi?id=2315719 (RHBZ#2315719) issue-tracking
cve.org CVE-2024-9355
nvd.nist.gov CVE-2024-9355
Download JSON
Share this page
https://cve.threatint.com
Subscribe to our newsletter to learn more about our work.