CVE-2024-1394

high

Description

A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs​. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey​ and ctx​. That function uses named return parameters to free pkey​ and ctx​ if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey​ and ctx​ will be nil inside the deferred function that should free them.

References

https://vuln.go.dev/ID/GO-2024-2660.json

https://pkg.go.dev/vuln/GO-2024-2660

https://github.com/microsoft/go-crypto-openssl/commit/104fe7f6912788d2ad44602f77a0a0a62f1f259f

https://github.com/golang-fips/openssl/security/advisories/GHSA-78hx-gp6g-7mj6

https://github.com/golang-fips/openssl/commit/85d31d0d257ce842c8a1e63c4d230ae850348136

https://bugzilla.redhat.com/show_bug.cgi?id=2262921

https://access.redhat.com/security/cve/CVE-2024-1394

https://access.redhat.com/errata/RHSA-2024:7262

https://access.redhat.com/errata/RHSA-2024:5634

https://access.redhat.com/errata/RHSA-2024:5258

https://access.redhat.com/errata/RHSA-2024:4960

https://access.redhat.com/errata/RHSA-2024:4762

https://access.redhat.com/errata/RHSA-2024:4761

https://access.redhat.com/errata/RHSA-2024:4699

https://access.redhat.com/errata/RHSA-2024:4672

https://access.redhat.com/errata/RHSA-2024:4591

https://access.redhat.com/errata/RHSA-2024:4581

https://access.redhat.com/errata/RHSA-2024:4502

https://access.redhat.com/errata/RHSA-2024:4379

https://access.redhat.com/errata/RHSA-2024:4378

https://access.redhat.com/errata/RHSA-2024:4371

https://access.redhat.com/errata/RHSA-2024:4146

https://access.redhat.com/errata/RHSA-2024:3352

https://access.redhat.com/errata/RHSA-2024:3265

https://access.redhat.com/errata/RHSA-2024:2767

https://access.redhat.com/errata/RHSA-2024:2730

https://access.redhat.com/errata/RHSA-2024:2729

https://access.redhat.com/errata/RHSA-2024:2569

https://access.redhat.com/errata/RHSA-2024:2568

https://access.redhat.com/errata/RHSA-2024:2562

https://access.redhat.com/errata/RHSA-2024:1897

https://access.redhat.com/errata/RHSA-2024:1763

https://access.redhat.com/errata/RHSA-2024:1646

https://access.redhat.com/errata/RHSA-2024:1644

https://access.redhat.com/errata/RHSA-2024:1640

https://access.redhat.com/errata/RHSA-2024:1574

https://access.redhat.com/errata/RHSA-2024:1567

https://access.redhat.com/errata/RHSA-2024:1566

https://access.redhat.com/errata/RHSA-2024:1563

https://access.redhat.com/errata/RHSA-2024:1561

https://access.redhat.com/errata/RHSA-2024:1502

https://access.redhat.com/errata/RHSA-2024:1501

https://access.redhat.com/errata/RHSA-2024:1472

https://access.redhat.com/errata/RHSA-2024:1468

https://access.redhat.com/errata/RHSA-2024:1462

Details

Source: Mitre, NVD

Published: 2024-03-21

Updated: 2024-09-26

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Severity: High

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: High