A vulnerability was found in Golang FIPS OpenSSL (golang-fips). This flaw allows a malicious user to randomly cause an uninitialized buffer length variable, together with a zeroed buffer, to be returned in FIPS mode. It may also be possible to force a false-positive match between non-equal hashes when a trusted computed HMAC sum is compared to an untrusted input sum, if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.
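The two failure modes named above (a zeroed HMAC sum matching a zeroed attacker-supplied tag, and an all-zero derived key) are easiest to see side by side. The following is an added example written for this page, not code from golang-fips or Red Hat: `macFunc`, `brokenMAC`, `naiveVerify`, `hardenedVerify` and `checkDerivedKey` are names chosen here, `brokenMAC` is a stand-in that models a backend returning a zero-filled buffer rather than a real sum, and the key and message are constructed sample input. The hardened verifier fails closed on an empty, wrong-length or all-zero sum before any comparison takes place, which is the check a practitioner would want around any FIPS-backed HMAC or KDF call.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// macFunc abstracts the HMAC backend so the same verifier can be run
// against a healthy backend and against one that models the failure
// described in the advisory. The type name is this example's own.
type macFunc func(key, msg []byte) []byte

// goodMAC computes HMAC-SHA256 with the standard library.
func goodMAC(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// brokenMAC models the failure mode: a zero-filled buffer of the expected
// length is returned instead of a real sum. Constructed for this example;
// it is not golang-fips code.
func brokenMAC(key, msg []byte) []byte {
	return make([]byte, sha256.Size)
}

var (
	errBadLength = errors.New("hmac: unexpected length")
	errZeroSum   = errors.New("hmac: buffer is all zeros")
)

// isAllZero reports whether every byte of b is zero, without returning
// early at the first non-zero byte.
func isAllZero(b []byte) bool {
	var acc byte
	for _, x := range b {
		acc |= x
	}
	return acc == 0
}

// naiveVerify is the comparison most code performs: compute the sum and
// compare it to the untrusted tag. If the backend hands back zeros, an
// attacker-supplied all-zero tag is accepted.
func naiveVerify(mac macFunc, key, msg, tag []byte) bool {
	return hmac.Equal(mac(key, msg), tag)
}

// hardenedVerify rejects a computed sum that has the wrong length or is
// all zeros before it reaches the comparison, so a zeroed buffer from the
// backend fails closed instead of matching a zeroed tag.
func hardenedVerify(mac macFunc, key, msg, tag []byte) (bool, error) {
	sum := mac(key, msg)
	if len(sum) != sha256.Size {
		return false, errBadLength
	}
	if isAllZero(sum) {
		return false, errZeroSum
	}
	if len(tag) != sha256.Size {
		return false, nil // a wrong-length tag is an ordinary mismatch
	}
	return hmac.Equal(sum, tag), nil
}

// checkDerivedKey applies the same fail-closed rule to key material: a
// derived key of the wrong length, or consisting entirely of zeros, is
// never used.
func checkDerivedKey(k []byte, wantLen int) error {
	if len(k) != wantLen {
		return errBadLength
	}
	if isAllZero(k) {
		return errZeroSum
	}
	return nil
}

func main() {
	key := []byte("example-key-not-for-real-use") // constructed sample input
	msg := []byte("GET /resource")                // constructed sample input
	zeroTag := make([]byte, sha256.Size)          // what an attacker would send

	fmt.Println("naive, zeroed backend, zero tag:    ", naiveVerify(brokenMAC, key, msg, zeroTag))
	ok, err := hardenedVerify(brokenMAC, key, msg, zeroTag)
	fmt.Println("hardened, zeroed backend, zero tag: ", ok, err)
	ok, err = hardenedVerify(goodMAC, key, msg, goodMAC(key, msg))
	fmt.Println("hardened, good backend, real tag:   ", ok, err)
	fmt.Println("all-zero derived key rejected:      ", checkDerivedKey(make([]byte, 32), 32))
}
```

The length check matters as much as the zero check: the advisory also describes an uninitialized length being returned, and a verifier that compares whatever it is given will happily compare two empty slices as equal.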
History

Thu, 21 Nov 2024 20:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Redhat rhel Els
CPEs                                  cpe:/o:redhat:rhel_els:7
Vendors & Products                    Redhat rhel Els
References

Sat, 16 Nov 2024 02:45:00 +0000

Type                 Values Removed   Values Added
CPEs                                  cpe:/a:redhat:rhel_eus:9.4

Fri, 15 Nov 2024 20:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Redhat rhel Eus
CPEs                                  cpe:/a:redhat:rhel_eus:9.4::appstream
Vendors & Products                    Redhat rhel Eus
References

Tue, 05 Nov 2024 08:15:00 +0000

Type                 Values Removed   Values Added
References

Wed, 30 Oct 2024 23:00:00 +0000

Type                 Values Removed   Values Added
References

Tue, 22 Oct 2024 17:15:00 +0000

Type                 Values Removed   Values Added
References

Thu, 03 Oct 2024 18:45:00 +0000

Type                 Values Removed   Values Added
CPEs                                  cpe:/a:redhat:enterprise_linux:9

Thu, 03 Oct 2024 02:15:00 +0000

Type                 Values Removed   Values Added
CPEs                                  cpe:/a:redhat:enterprise_linux:8

Thu, 03 Oct 2024 00:45:00 +0000

Type                 Values Removed   Values Added
CPEs                                  cpe:/a:redhat:enterprise_linux:9::appstream
References

Wed, 02 Oct 2024 17:30:00 +0000

Type                 Values Removed   Values Added
CPEs                                  cpe:/a:redhat:enterprise_linux:8::appstream
References

Tue, 01 Oct 2024 19:30:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 01 Oct 2024 18:30:00 +0000

Type                 Values Removed                             Values Added
Description          No description is available for this CVE.  A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed HMAC sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.
Title                golang-fips: Golang FIPS zeroed buffer     Golang-fips: golang fips zeroed buffer
First Time appeared                                             Redhat
                                                                Redhat amq Streams
                                                                Redhat ansible Automation Platform
                                                                Redhat container Native Virtualization
                                                                Redhat enterprise Linux
                                                                Redhat network Bound Disk Encryption Tang
                                                                Redhat ocp Tools
                                                                Redhat openshift
                                                                Redhat openshift Container Storage
                                                                Redhat openshift Data Foundation
                                                                Redhat openshift Devspaces
                                                                Redhat openshift Gitops
                                                                Redhat openshift Pipelines
                                                                Redhat openshift Service On Aws
                                                                Redhat openstack
                                                                Redhat satellite
                                                                Redhat serverless
                                                                Redhat service Interconnect
                                                                Redhat storage
                                                                Redhat trusted Artifact Signer
CPEs                                                            cpe:/a:redhat:amq_streams:1
                                                                cpe:/a:redhat:ansible_automation_platform
                                                                cpe:/a:redhat:ansible_automation_platform:2
                                                                cpe:/a:redhat:container_native_virtualization:4
                                                                cpe:/a:redhat:network_bound_disk_encryption_tang:1
                                                                cpe:/a:redhat:ocp_tools
                                                                cpe:/a:redhat:openshift:4
                                                                cpe:/a:redhat:openshift_container_storage:4
                                                                cpe:/a:redhat:openshift_data_foundation:4
                                                                cpe:/a:redhat:openshift_devspaces:3::el8
                                                                cpe:/a:redhat:openshift_gitops:1
                                                                cpe:/a:redhat:openshift_pipelines:1
                                                                cpe:/a:redhat:openshift_service_on_aws:1
                                                                cpe:/a:redhat:openstack:16.2
                                                                cpe:/a:redhat:openstack:17.1
                                                                cpe:/a:redhat:satellite:6
                                                                cpe:/a:redhat:serverless:1
                                                                cpe:/a:redhat:service_interconnect:1
                                                                cpe:/a:redhat:storage:3
                                                                cpe:/a:redhat:trusted_artifact_signer:1
                                                                cpe:/o:redhat:enterprise_linux:7
                                                                cpe:/o:redhat:enterprise_linux:8
                                                                cpe:/o:redhat:enterprise_linux:9
Vendors & Products                                              Redhat
                                                                Redhat amq Streams
                                                                Redhat ansible Automation Platform
                                                                Redhat container Native Virtualization
                                                                Redhat enterprise Linux
                                                                Redhat network Bound Disk Encryption Tang
                                                                Redhat ocp Tools
                                                                Redhat openshift
                                                                Redhat openshift Container Storage
                                                                Redhat openshift Data Foundation
                                                                Redhat openshift Devspaces
                                                                Redhat openshift Gitops
                                                                Redhat openshift Pipelines
                                                                Redhat openshift Service On Aws
                                                                Redhat openstack
                                                                Redhat satellite
                                                                Redhat serverless
                                                                Redhat service Interconnect
                                                                Redhat storage
                                                                Redhat trusted Artifact Signer
References

Tue, 01 Oct 2024 01:15:00 +0000

Type                 Values Removed         Values Added
Description                                 No description is available for this CVE.
Title                                       golang-fips: Golang FIPS zeroed buffer
Weaknesses                                  CWE-457
References
Metrics              threat_severity: None  cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L'}
                                            threat_severity: Moderate


MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-10-01T18:17:29.420Z

Updated: 2024-12-02T14:25:53.286Z

Reserved: 2024-09-30T17:07:30.833Z

Link: CVE-2024-9355

Vulnrichment

Updated: 2024-10-01T18:37:43.886Z

NVD

Status: Undergoing Analysis

Published: 2024-10-01T19:15:09.793

Modified: 2024-11-21T20:15:45.247

Link: CVE-2024-9355

Redhat

Severity: Moderate

Public Date: 2024-09-30T20:53:42Z

Links: CVE-2024-9355 - Bugzilla