CVE-2024-1394
Golang-fips/openssl: memory leaks in code encrypting and decrypting rsa payloads
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them.
Se encontró una falla de pérdida de memoria en Golang en el código de cifrado/descifrado RSA, lo que podría conducir a una vulnerabilidad de agotamiento de recursos mediante entradas controladas por el atacante. La pérdida de memoria ocurre en github.com/golang-fips/openssl/openssl/rsa.go#L113. Los objetos filtrados son pkey? y ctx?. Esa función utiliza parámetros de retorno con nombre para liberar pkey? y ctx? si hay un error al inicializar el contexto o al configurar las diferentes propiedades. Todas las declaraciones de devolución relacionadas con casos de error siguen el patrón "return nil, nil, fail(...)", lo que significa que pkey? y ctx? serán nulos dentro de la función diferida que debería liberarlos.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-02-09 CVE Reserved
- 2024-03-21 CVE Published
- 2024-08-14 EPSS Updated
- 2025-01-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-401: Missing Release of Memory after Effective Lifetime
CAPEC
References (45)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Centos Search vendor "Centos" | Centos Search vendor "Centos" for product "Centos" | * | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Exadata Dbserver Search vendor "Oracle" for product "Exadata Dbserver" | * | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Linux Search vendor "Oracle" for product "Linux" | * | - |
Affected
| ||||||
| Red Hat Search vendor "Red Hat" | Enterprise Linux Search vendor "Red Hat" for product "Enterprise Linux" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Ansible Automation Platform Search vendor "Redhat" for product "Ansible Automation Platform" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Ansible Automation Platform Developer Search vendor "Redhat" for product "Ansible Automation Platform Developer" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Ansible Automation Platform Inside Search vendor "Redhat" for product "Ansible Automation Platform Inside" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Certification Search vendor "Redhat" for product "Certification" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Certifications Search vendor "Redhat" for product "Certifications" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Container Native Virtualization Search vendor "Redhat" for product "Container Native Virtualization" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Developer Tools Search vendor "Redhat" for product "Developer Tools" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Devtools Search vendor "Redhat" for product "Devtools" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Network Bound Disk Encryption Tang Search vendor "Redhat" for product "Network Bound Disk Encryption Tang" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Ocp Tools Search vendor "Redhat" for product "Ocp Tools" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openshift Search vendor "Redhat" for product "Openshift" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openshift Container Storage Search vendor "Redhat" for product "Openshift Container Storage" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openshift Data Foundation Search vendor "Redhat" for product "Openshift Data Foundation" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openshift Devspaces Search vendor "Redhat" for product "Openshift Devspaces" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openshift Gitops Search vendor "Redhat" for product "Openshift Gitops" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openshift Pipelines Search vendor "Redhat" for product "Openshift Pipelines" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openshift Service On Aws Search vendor "Redhat" for product "Openshift Service On Aws" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openstack Search vendor "Redhat" for product "Openstack" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Rhel E4s Search vendor "Redhat" for product "Rhel E4s" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Rhel Eus Search vendor "Redhat" for product "Rhel Eus" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Rhel Software Collections Search vendor "Redhat" for product "Rhel Software Collections" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Serverless Search vendor "Redhat" for product "Serverless" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Service Interconnect Search vendor "Redhat" for product "Service Interconnect" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Software Collections Search vendor "Redhat" for product "Software Collections" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Storage Search vendor "Redhat" for product "Storage" | * | - |
Affected
| ||||||
| Alma Search vendor "Alma" | Linux Search vendor "Alma" for product "Linux" | * | - |
Affected
| ||||||
| Centos Search vendor "Centos" | Centos Search vendor "Centos" for product "Centos" | * | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Linux Search vendor "Oracle" for product "Linux" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openshift Search vendor "Redhat" for product "Openshift" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Rhel E4s Search vendor "Redhat" for product "Rhel E4s" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Rhel Eus Search vendor "Redhat" for product "Rhel Eus" | * | - |
Affected
| ||||||
| Rocky Search vendor "Rocky" | Linux Search vendor "Rocky" for product "Linux" | * | - |
Affected
| ||||||