Memory Leak Vulnerability in Golang RSA Code Could Lead to Resource Exhaustion
CVE-2024-1394

7.5HIGH

Key Information:

Vendor: Red Hat
Status: Red Hat Ansible Automation Platform 2.4 For Rhel 8; Red Hat Ansible Automation Platform 2.4 For Rhel 9; Red Hat Developer Tools; Red Hat Enterprise Linux 8
Vendor: CVE Published:; 21 March 2024

Summary

A memory leak flaw has been identified in the RSA encrypting and decrypting code of the Golang FIPS OpenSSL library. This issue arises from improper handling of named return parameters, specifically within the RSA library's context initialization process. When errors occur during context initialization or property settings, the related pointers, namely 'pkey' and 'ctx', are left unfreed, leading to a potential resource exhaustion vulnerability. Attackers can exploit this flaw through crafted inputs, causing the application to exhaust memory resources.

Affected Version(s)

Red Hat Ansible Automation Platform 2.4 for RHEL 8 0:1.4.5-1.el8ap

Red Hat Ansible Automation Platform 2.4 for RHEL 9 0:1.4.5-1.el9ap

Red Hat Developer Tools 0:1.19.13-6.el7_9

References

https://access.redhat.com/errata/RHSA-2024:1462

vendor-advisoryx_refsource_REDHAT

https://access.redhat.com/errata/RHSA-2024:1468

vendor-advisoryx_refsource_REDHAT

https://access.redhat.com/errata/RHSA-2024:1472

vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 21, 2024
Vulnerability Reserved
Feb 9, 2024

Collectors

NVD DatabaseMitre Database

Credit

Red Hat would like to thank @qmuntal and @r3kumar for reporting this issue.