HomeDescription
A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.
PUBLISHED Reserved 2024-09-30 | Published 2024-10-01 | Updated 2025-11-11 | Assigner redhat
MEDIUM: 6.5CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
Problem types
Use of Uninitialized Variable
Product status
Default status
affected
Default status
affected
0:0.10-2.el7_9 (rpm) before *
unaffected
Default status
affected
8100020241001112709.a3795dee (rpm) before *
unaffected
Default status
affected
0:9.2.10-20.el8_10 (rpm) before *
unaffected
Default status
affected
0:5.1.1-9.el8_10 (rpm) before *
unaffected
Default status
affected
0:1.21.13-4.el9_4 (rpm) before *
unaffected
Default status
affected
0:9.2.10-19.el9_4 (rpm) before *
unaffected
Default status
affected
0:132-1.el9 (rpm) before *
unaffected
Default status
affected
0:3.6.1-1.el9 (rpm) before *
unaffected
Default status
affected
0:5.1.1-4.el9_4 (rpm) before *
unaffected
Default status
affected
0:0.3.1-1.el8sat (rpm) before *
unaffected
Default status
affected
0:0.3.1-1.el9sat (rpm) before *
unaffected
Default status
unaffected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
unaffected
Default status
affected
Default status
affected
Default status
affected
Default status
unaffected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
unaffected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
unaffected
Default status
affected
Default status
affected
Default status
unaffected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
unaffected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Default status
affected
Timeline
| 2024-09-30: | Reported to Red Hat. |
| 2024-09-30: | Made public. |
Credits
This issue was discovered by David Benoit (Red Hat).
References
access.redhat.com/errata/RHSA-2024:10133 (RHSA-2024:10133) vendor-advisory
access.redhat.com/errata/RHSA-2024:7502 (RHSA-2024:7502) vendor-advisory
access.redhat.com/errata/RHSA-2024:7550 (RHSA-2024:7550) vendor-advisory
access.redhat.com/errata/RHSA-2024:8327 (RHSA-2024:8327) vendor-advisory
access.redhat.com/errata/RHSA-2024:8678 (RHSA-2024:8678) vendor-advisory
access.redhat.com/errata/RHSA-2024:8847 (RHSA-2024:8847) vendor-advisory
access.redhat.com/errata/RHSA-2024:9551 (RHSA-2024:9551) vendor-advisory
access.redhat.com/errata/RHSA-2025:2416 (RHSA-2025:2416) vendor-advisory
access.redhat.com/errata/RHSA-2025:7118 (RHSA-2025:7118) vendor-advisory
access.redhat.com/errata/RHSA-2025:7256 (RHSA-2025:7256) vendor-advisory
access.redhat.com/errata/RHSA-2025:7624 (RHSA-2025:7624) vendor-advisory
access.redhat.com/security/cve/CVE-2024-9355 vdb-entry
bugzilla.redhat.com/show_bug.cgi?id=2315719 (RHBZ#2315719) issue-tracking
github.com/golang-fips/openssl/pull/198
cve.org
(CVE-2024-9355)
nvd.nist.gov
(CVE-2024-9355)
Download JSON
