CVE-2024-1394

Description

A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the “return nil, nil, fail(…)” pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

None

Impact Score:

Unknown

Exploitability Score:

Unknown

Vector:

Unknown

Attack Vector (AV):

Unknown

Attack Complexity (AC):

Unknown

Privileges Required (PR):

Unknown

User Interaction (UI):

Unknown

Scope (S):

Unknown

Confidentiality (C):

Unknown

Integrity (I):

Unknown

Availability (A):

Unknown

General Information

Offensive Application

Unknown

Utility Class

Unknown

Ports

Unknown

Vulnerable Versions

Red Hat Ansible Automation Platform 2.4 for RHEL 8 not down converted

Red Hat Ansible Automation Platform 2.4 for RHEL 9 not down converted

Red Hat Developer Tools not down converted

Red Hat Enterprise Linux 8 not down converted

Red Hat Enterprise Linux 9 not down converted

Red Hat OpenShift Container Platform 4.12 not down converted

Red Hat OpenShift Container Platform 4.13 not down converted

Red Hat OpenShift Container Platform 4.14 not down converted

Red Hat OpenShift Container Platform 4.15 not down converted

NBDE Tang Server not down converted

OpenShift Developer Tools and Services not down converted

OpenShift Pipelines not down converted

OpenShift Serverless not down converted

Red Hat Ansible Automation Platform 1.2 not down converted

Red Hat Ansible Automation Platform 2 not down converted

Red Hat Certification for Red Hat Enterprise Linux 8 not down converted

Red Hat Certification for Red Hat Enterprise Linux 9 not down converted

Red Hat Enterprise Linux 7 not down converted

Red Hat OpenShift Container Platform 4 not down converted

Red Hat Openshift Container Storage 4 not down converted

Red Hat Openshift Data Foundation 4 not down converted

Red Hat OpenShift Dev Spaces not down converted

Red Hat OpenShift GitOps not down converted

Red Hat OpenShift on AWS not down converted

Red Hat OpenShift Virtualization 4 not down converted

Red Hat OpenStack Platform 16.1 not down converted

Red Hat OpenStack Platform 16.2 not down converted

Red Hat OpenStack Platform 17.1 not down converted

Red Hat Service Interconnect 1 not down converted

Red Hat Software Collections not down converted

Red Hat Storage 3 not down converted

Prerequisites

Unknown

Discovered By

Unknown

PoC Author

Unknown

Metasploit Module

Unknown

Reporter

Unknown

Vendors

Red Hat

Products

Red Hat Ansible Automation Platform 2.4 for RHEL 8,
Red Hat Ansible Automation Platform 2.4 for RHEL 9,
Red Hat Developer Tools,
Red Hat Enterprise Linux 8,
Red Hat Enterprise Linux 9,
Red Hat OpenShift Container Platform 4.12,
Red Hat OpenShift Container Platform 4.13,
Red Hat OpenShift Container Platform 4.14,
Red Hat OpenShift Container Platform 4.15,
NBDE Tang Server,
OpenShift Developer Tools and Services,
OpenShift Pipelines,
OpenShift Serverless,
Red Hat Ansible Automation Platform 1.2,
Red Hat Ansible Automation Platform 2,
Red Hat Certification for Red Hat Enterprise Linux 8,
Red Hat Certification for Red Hat Enterprise Linux 9,
Red Hat Enterprise Linux 7,
Red Hat OpenShift Container Platform 4,
Red Hat Openshift Container Storage 4,
Red Hat Openshift Data Foundation 4,
Red Hat OpenShift Dev Spaces,
Red Hat OpenShift GitOps,
Red Hat OpenShift on AWS,
Red Hat OpenShift Virtualization 4,
Red Hat OpenStack Platform 16.1,
Red Hat OpenStack Platform 16.2,
Red Hat OpenStack Platform 17.1,
Red Hat Service Interconnect 1,
Red Hat Software Collections,
Red Hat Storage 3

References

Canonical

CVE-2024-1394 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1394)

Miscellaneous

https://access.redhat.com/errata/RHSA-2024:1462

https://access.redhat.com/errata/RHSA-2024:1468

https://access.redhat.com/errata/RHSA-2024:1472

https://access.redhat.com/errata/RHSA-2024:1501

https://access.redhat.com/errata/RHSA-2024:1502

https://access.redhat.com/security/cve/CVE-2024-1394

https://bugzilla.redhat.com/show_bug.cgi?id=2262921

https://github.com/golang-fips/openssl/security/advisories/GHSA-78hx-gp6g-7mj6

https://access.redhat.com/errata/RHSA-2024:1561

https://access.redhat.com/errata/RHSA-2024:1563

https://access.redhat.com/errata/RHSA-2024:1640

https://access.redhat.com/errata/RHSA-2024:1644

https://access.redhat.com/errata/RHSA-2024:1646

https://access.redhat.com/errata/RHSA-2024:1574

https://access.redhat.com/errata/RHSA-2024:1566

https://access.redhat.com/errata/RHSA-2024:1567

https://github.com/golang-fips/openssl/commit/85d31d0d257ce842c8a1e63c4d230ae850348136

https://github.com/microsoft/go-crypto-openssl/commit/104fe7f6912788d2ad44602f77a0a0a62f1f259f

https://pkg.go.dev/vuln/GO-2024-2660

https://vuln.go.dev/ID/GO-2024-2660.json

https://access.redhat.com/errata/RHSA-2024:1763

https://access.redhat.com/errata/RHSA-2024:1897

https://access.redhat.com/errata/RHSA-2024:2562

https://access.redhat.com/errata/RHSA-2024:2568

https://access.redhat.com/errata/RHSA-2024:2569

Rapid7

Unknown

Unknown

Unknown

Unknown

Unknown

Unknown

CVE-2024-1394

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Unknown

CVE-2024-1394

Unknown

Unknown

Unknown

Unknown

Unknown

CVE-2024-1394

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification