Golang OpenSSL Vulnerability Affects FIPS Mode

CVE-2024-9355

6.5MEDIUM

Key Information

Vendor: Red Hat
Status: Red Hat Enterprise Linux 8; Red Hat Enterprise Linux 9; Nbde Tang Server; Openshift Developer Tools And Services
Vendor: CVE Published:; 1 October 2024

Summary

A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.

Affected Version(s)

Red Hat Enterprise Linux 8 <= 8100020241001112709.a3795dee

Red Hat Enterprise Linux 8 <= 0:9.2.10-20.el8_10

Red Hat Enterprise Linux 8 <= 0:5.1.1-9.el8_10

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

Low

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Risk change from: null to: 6.5 - (MEDIUM)
Oct 1, 2024
Vulnerability published.
Oct 1, 2024
Reported to Red Hat.
Sep 30, 2024
Vulnerability Reserved.
Sep 30, 2024

Collectors

NVD DatabaseMitre Database

Credit

This issue was discovered by David Benoit (Red Hat).