CVE-2024-9355

Golang-fips: golang fips zeroed buffer

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.

An update for rhc-worker-script is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support. Issues addressed include a denial of service vulnerability.

*Credits: This issue was discovered by David Benoit (Red Hat).

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

Attack Vector

Local

Attack Complexity

High

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-09-30 CVE Reserved
2024-10-01 CVE Published
2025-04-03 CVE Updated
2025-04-15 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-457: Use of Uninitialized Variable

CAPEC

References (10)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-9355	2024-10-01
https://bugzilla.redhat.com/show_bug.cgi?id=2315719	2024-10-01
https://access.redhat.com/errata/RHSA-2024:10133	2025-04-03
https://access.redhat.com/errata/RHSA-2024:7502	2025-04-03
https://access.redhat.com/errata/RHSA-2024:7550	2025-04-03
https://access.redhat.com/errata/RHSA-2024:8327	2025-04-03
https://access.redhat.com/errata/RHSA-2024:8678	2025-04-03
https://access.redhat.com/errata/RHSA-2024:8847	2025-04-03
https://access.redhat.com/errata/RHSA-2024:9551	2025-04-03
https://access.redhat.com/errata/RHSA-2025:2416	2025-04-03

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Oracle Search vendor "Oracle"		Linux Search vendor "Oracle" for product "Linux"				*		-		Affected
Red Hat Search vendor "Red Hat"		Enterprise Linux Search vendor "Red Hat" for product "Enterprise Linux"				*		-		Affected
Redhat Search vendor "Redhat"		Amq Streams Search vendor "Redhat" for product "Amq Streams"				*		-		Affected
Redhat Search vendor "Redhat"		Ansible Automation Platform Search vendor "Redhat" for product "Ansible Automation Platform"				*		-		Affected
Redhat Search vendor "Redhat"		Container Native Virtualization Search vendor "Redhat" for product "Container Native Virtualization"				*		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				*		-		Affected
Redhat Search vendor "Redhat"		Network Bound Disk Encryption Tang Search vendor "Redhat" for product "Network Bound Disk Encryption Tang"				*		-		Affected
Redhat Search vendor "Redhat"		Ocp Tools Search vendor "Redhat" for product "Ocp Tools"				*		-		Affected
Redhat Search vendor "Redhat"		Openshift Search vendor "Redhat" for product "Openshift"				*		-		Affected
Redhat Search vendor "Redhat"		Openshift Container Storage Search vendor "Redhat" for product "Openshift Container Storage"				*		-		Affected
Redhat Search vendor "Redhat"		Openshift Data Foundation Search vendor "Redhat" for product "Openshift Data Foundation"				*		-		Affected
Redhat Search vendor "Redhat"		Openshift Devspaces Search vendor "Redhat" for product "Openshift Devspaces"				*		-		Affected
Redhat Search vendor "Redhat"		Openshift Gitops Search vendor "Redhat" for product "Openshift Gitops"				*		-		Affected
Redhat Search vendor "Redhat"		Openshift Pipelines Search vendor "Redhat" for product "Openshift Pipelines"				*		-		Affected
Redhat Search vendor "Redhat"		Openshift Service On Aws Search vendor "Redhat" for product "Openshift Service On Aws"				*		-		Affected
Redhat Search vendor "Redhat"		Openstack Search vendor "Redhat" for product "Openstack"				*		-		Affected
Redhat Search vendor "Redhat"		Satellite Search vendor "Redhat" for product "Satellite"				*		-		Affected
Redhat Search vendor "Redhat"		Serverless Search vendor "Redhat" for product "Serverless"				*		-		Affected
Redhat Search vendor "Redhat"		Service Interconnect Search vendor "Redhat" for product "Service Interconnect"				*		-		Affected
Redhat Search vendor "Redhat"		Storage Search vendor "Redhat" for product "Storage"				*		-		Affected
Redhat Search vendor "Redhat"		Trusted Artifact Signer Search vendor "Redhat" for product "Trusted Artifact Signer"				*		-		Affected
Alma Search vendor "Alma"		Linux Search vendor "Alma" for product "Linux"				*		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				*		-		Affected
Oracle Search vendor "Oracle"		Linux Search vendor "Oracle" for product "Linux"				*		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				*		-		Affected
Redhat Search vendor "Redhat"		Openshift Search vendor "Redhat" for product "Openshift"				*		-		Affected
Redhat Search vendor "Redhat"		Rhel Eus Search vendor "Redhat" for product "Rhel Eus"				*		-		Affected
Redhat Search vendor "Redhat"		Satellite Search vendor "Redhat" for product "Satellite"				*		-		Affected
Rocky Search vendor "Rocky"		Linux Search vendor "Rocky" for product "Linux"				*		-		Affected
Suse Search vendor "Suse"		Packagehub Search vendor "Suse" for product "Packagehub"				*		-		Affected