CVE-2024-9355
Golang-fips: golang fips zeroed buffer
A vulnerability was found in Golang FIPS OpenSSL (github.com/golang-fips/openssl). In FIPS mode, a malicious user can non-deterministically cause the library to return an uninitialized buffer-length variable together with a zeroed buffer in place of a computed result. If an attacker can send a zeroed buffer in place of a pre-computed sum, this can force a false-positive match between non-equal hashes when a trusted computed HMAC sum is compared with untrusted input. It can also force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack. Because golang-fips/openssl is compiled into the Go binaries that use it, fixing this requires rebuilding those binaries against a corrected library, which is why the affected-product list below spans many Red Hat products rather than a single library package.
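As an added illustration of the failure mode described above (not code from golang-fips/openssl or from Red Hat), the Go program below simulates a MAC backend that returns a zeroed buffer and shows how a verifier that trusts the backend accepts an attacker's all-zero tag, while a guard that rejects empty or all-zero outputs before the comparison does not. The `MACFunc` abstraction, `brokenMAC`, and the sample key and message are constructed for this example; `brokenMAC` stands in for the behaviour the advisory describes rather than reproducing the actual golang-fips bug.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// MACFunc abstracts the HMAC backend so the advisory's failure mode can be
// simulated. In a golang-fips build this role is played by the OpenSSL-backed
// crypto/hmac; the abstraction is an assumption of this example.
type MACFunc func(key, msg []byte) []byte

// goodMAC is a correct HMAC-SHA256 from the Go standard library.
func goodMAC(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// brokenMAC stands in for a backend that returns a zeroed buffer instead of
// the computed tag. It is a constructed stand-in for the behaviour the
// advisory describes, not a reproduction of the golang-fips bug itself.
func brokenMAC(key, msg []byte) []byte {
	return make([]byte, sha256.Size)
}

// naiveVerify trusts whatever the backend returns. With brokenMAC an
// all-zero tag from the attacker compares equal and the forgery is accepted.
func naiveVerify(mac MACFunc, key, msg, tag []byte) bool {
	return hmac.Equal(mac(key, msg), tag)
}

var (
	errBadLength = errors.New("output has unexpected length")
	errAllZero   = errors.New("output is all zeros: backend returned a zeroed buffer")
)

// isAllZero reports whether every byte of b is zero (true for an empty slice).
func isAllZero(b []byte) bool {
	for _, c := range b {
		if c != 0 {
			return false
		}
	}
	return true
}

// checkOutput guards any fixed-length secret the backend produces (an HMAC
// tag or a derived key). A correct backend yields an all-zero output with
// probability 2^-(8*wantLen), so rejecting it costs nothing in practice.
func checkOutput(out []byte, wantLen int) error {
	if len(out) != wantLen {
		return errBadLength
	}
	if isAllZero(out) {
		return errAllZero
	}
	return nil
}

// hardenedVerify refuses to compare when the locally computed tag fails the
// guard, so an attacker-supplied zeroed buffer can never match it. The
// untrusted tag's length is checked before the constant-time comparison too.
func hardenedVerify(mac MACFunc, key, msg, tag []byte) (bool, error) {
	computed := mac(key, msg)
	if err := checkOutput(computed, sha256.Size); err != nil {
		return false, fmt.Errorf("computing mac: %w", err)
	}
	if len(tag) != sha256.Size {
		return false, errBadLength
	}
	return hmac.Equal(computed, tag), nil
}

func main() {
	key := []byte("constructed-example-key") // constructed sample input
	msg := []byte("transfer 100 to bob")     // constructed sample input
	forgedTag := make([]byte, sha256.Size)   // the attacker's zeroed buffer

	fmt.Println("naive, correct backend:  ", naiveVerify(goodMAC, key, msg, forgedTag))
	fmt.Println("naive, zeroed backend:   ", naiveVerify(brokenMAC, key, msg, forgedTag))
	ok, err := hardenedVerify(brokenMAC, key, msg, forgedTag)
	fmt.Println("hardened, zeroed backend:", ok, err)
	ok, err = hardenedVerify(goodMAC, key, msg, goodMAC(key, msg))
	fmt.Println("hardened, genuine tag:   ", ok, err)

	// The same guard applied to a derived key, the advisory's other case.
	zeroKey := make([]byte, 32)
	fmt.Println("derived key check:", checkOutput(zeroKey, 32))
}
```

The guard is defence in depth, not a substitute for updating the library: it turns a silent false-positive match or an all-zero key into a hard error that shows up in logs, which is the behaviour a practitioner wants while affected binaries are being rebuilt.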
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L (base score 6.5). The vector reflects local, low-privileged access with high attack complexity, since the zeroed buffer is returned non-deterministically rather than on demand.
Affected products
github.com/golang-fips/openssl
Red Hat · NBDE Tang Server
Red Hat · OpenShift Developer Tools and Services
Red Hat · OpenShift Pipelines
Red Hat · OpenShift Serverless
Red Hat · Red Hat Ansible Automation Platform 1.2
Red Hat · Red Hat Ansible Automation Platform 2
Red Hat · Red Hat Enterprise Linux 10
Red Hat · Red Hat Enterprise Linux 7
Red Hat · Red Hat Enterprise Linux 7 Extended Lifecycle Support
Red Hat · Red Hat Enterprise Linux 8
Red Hat · Red Hat Enterprise Linux 9
Red Hat · Red Hat Enterprise Linux 9.4 Extended Update Support
Red Hat · Red Hat OpenShift Container Platform 4
Red Hat · Red Hat Openshift Container Storage 4
Red Hat · Red Hat Openshift Data Foundation 4
Red Hat · Red Hat OpenShift Dev Spaces
Red Hat · Red Hat OpenShift GitOps
Red Hat · Red Hat OpenShift on AWS
Red Hat · Red Hat OpenShift Virtualization 4
Red Hat · Red Hat OpenStack Platform 16.2
Red Hat · Red Hat OpenStack Platform 17.1
Red Hat · Red Hat Satellite 6
Red Hat · Red Hat Service Interconnect 1
Red Hat · Red Hat Storage 3
Red Hat · Red Hat Trusted Artifact Signer
Red Hat · Satellite Client 6 for RHEL 10
Red Hat · Satellite Client 6 for RHEL 8
Red Hat · Satellite Client 6 for RHEL 9
Red Hat · Streams for Apache Kafka 2.9.0
References
https://access.redhat.com/errata/RHSA-2024:10133
https://access.redhat.com/errata/RHSA-2024:7502
https://access.redhat.com/errata/RHSA-2024:7550
https://access.redhat.com/errata/RHSA-2024:8327
https://access.redhat.com/errata/RHSA-2024:8678
https://access.redhat.com/errata/RHSA-2024:8847
https://access.redhat.com/errata/RHSA-2024:9551
https://access.redhat.com/errata/RHSA-2025:2416
https://access.redhat.com/errata/RHSA-2025:7118
https://access.redhat.com/errata/RHSA-2025:7256
https://access.redhat.com/errata/RHSA-2025:7624
https://access.redhat.com/security/cve/CVE-2024-9355