CVE-2024-9355
mediumCVSS v3 Base Score
6.5
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
EPSS Score
0.3%
Exploitation probability in 30 days
Top 79% most likely to be exploited
Attack Characteristics
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Confidentiality
High
Integrity
High
Availability
Low
Vulnerability Report
Generated by CyberWatcher
Description
A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.
CWE
CWE-457Affected Products
Red Hat Red Hat Enterprise Linux 7 Extended Lifecycle SupportRed Hat Red Hat Enterprise Linux 8Red Hat Red Hat Enterprise Linux 9Red Hat Red Hat Enterprise Linux 9.4 Extended Update SupportRed Hat Satellite Client 6 for RHEL 10Red Hat Satellite Client 6 for RHEL 8Red Hat Satellite Client 6 for RHEL 9Red Hat Streams for Apache Kafka 2.9.0Red Hat NBDE Tang ServerRed Hat OpenShift Developer Tools and Services