Bug 2262921 (CVE-2024-1394)
| Summary: | CVE-2024-1394 golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Avinash Hanwate <ahanwate> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | abishop, adudiak, amctagga, anjoseph, ansmith, apevec, askrabec, bodavis, brking, chazlett, crizzo, danken, dbenoit, dfreiber, dhanak, dholler, dkenigsb, dperaza, drosa, drow, dshah, dsimansk, eglynn, emachado, epacific, fdeutsch, fgustavs, ganandan, gkamathe, haoli, hhorak, hkataria, jaharrin, jajackso, jburati, jburrell, jcammara, jchui, jeder, jhardy, jjoyce, jmitchel, jneedle, jobarker, joelsmith, jorton, jprabhak, jschluet, kegrant, kingland, koliveir, kshier, kverlaen, lchilton, lhh, link, lmauda, lsvaty, mabashia, manissin, matzew, mbocek, mburns, mcressma, mgarciac, mmagr, mnewsome, mnovotny, nbecker, nobody, odf-bz-bot, omaciel, opohorel, oramraz, owatkins, pbraun, peholase, pgrist, phoracek, pierdipi, pjindal, rgatica, rguimara, rhos-maint, rhuss, rolivier, saroy, sausingh, sdawley, security-response-team, sfeifer, shbose, shvarugh, sidakwo, simaishi, sipoyare, smcdonal, smullick, stcannon, stirabos, teagle, tfister, thason, thavo, tkral, tsweeney, vkumar, wtam, yguenane, zsadeh |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | github.com/golang-fips/openssl/v2 2.0.1, github.com/microsoft/go-crypto-openssl/openssl 0.2.9 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2262923, 2262924, 2262925, 2262926, 2262927, 2262928, 2262929, 2262930, 2262931, 2262932, 2262933, 2262934, 2262935, 2262936, 2262937, 2262949, 2262950, 2262951, 2262952, 2262953, 2262954, 2262955, 2262956, 2279584 | ||
| Bug Blocks: | 2262922 | ||
|
Description
Avinash Hanwate
2024-02-06 06:06:25 UTC
Any thoughts on a fixed in version yet? It would be helpful, for the moment, to know the module that's affected. populated fixed in field Thanks for the update. This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:1472 https://access.redhat.com/errata/RHSA-2024:1472 This issue has been addressed in the following products: Red Hat Ansible Automation Platform 2.4 for RHEL 9 Red Hat Ansible Automation Platform 2.4 for RHEL 8 Via RHSA-2024:1640 https://access.redhat.com/errata/RHSA-2024:1640 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:1644 https://access.redhat.com/errata/RHSA-2024:1644 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:1646 https://access.redhat.com/errata/RHSA-2024:1646 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.15 Via RHSA-2024:1563 https://access.redhat.com/errata/RHSA-2024:1563 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.15 Via RHSA-2024:1561 https://access.redhat.com/errata/RHSA-2024:1561 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2024:1574 https://access.redhat.com/errata/RHSA-2024:1574 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2024:1567 https://access.redhat.com/errata/RHSA-2024:1567 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2024:1566 https://access.redhat.com/errata/RHSA-2024:1566 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2024:1763 https://access.redhat.com/errata/RHSA-2024:1763 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2024:1897 https://access.redhat.com/errata/RHSA-2024:1897 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2562 https://access.redhat.com/errata/RHSA-2024:2562 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2568 https://access.redhat.com/errata/RHSA-2024:2568 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2569 https://access.redhat.com/errata/RHSA-2024:2569 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:3265 https://access.redhat.com/errata/RHSA-2024:3265 This issue has been addressed in the following products: Red Hat OpenStack Platform 17.1 for RHEL 8 Via RHSA-2024:2767 https://access.redhat.com/errata/RHSA-2024:2767 This issue has been addressed in the following products: Red Hat OpenStack Platform 17.1 for RHEL 9 Via RHSA-2024:2729 https://access.redhat.com/errata/RHSA-2024:2729 This issue has been addressed in the following products: Red Hat OpenStack Platform 17.1 for RHEL 9 Via RHSA-2024:2730 https://access.redhat.com/errata/RHSA-2024:2730 filed rhel-9 z-stream trackers per https://issues.redhat.com/browse/RHEL-24310?focusedId=24906983&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-24906983 wrong component, refiling for rhel-9 containernetworking-plugins This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:4146 https://access.redhat.com/errata/RHSA-2024:4146 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.16 Via RHSA-2024:0045 https://access.redhat.com/errata/RHSA-2024:0045 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:4371 https://access.redhat.com/errata/RHSA-2024:4371 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:4378 https://access.redhat.com/errata/RHSA-2024:4378 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:4379 https://access.redhat.com/errata/RHSA-2024:4379 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:4502 https://access.redhat.com/errata/RHSA-2024:4502 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2024:4581 https://access.redhat.com/errata/RHSA-2024:4581 This issue has been addressed in the following products: RHODF-4.16-RHEL-9 Via RHSA-2024:4591 https://access.redhat.com/errata/RHSA-2024:4591 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2024:4672 https://access.redhat.com/errata/RHSA-2024:4672 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:4761 https://access.redhat.com/errata/RHSA-2024:4761 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:4762 https://access.redhat.com/errata/RHSA-2024:4762 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.15 Via RHSA-2024:4699 https://access.redhat.com/errata/RHSA-2024:4699 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2024:4960 https://access.redhat.com/errata/RHSA-2024:4960 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:5258 https://access.redhat.com/errata/RHSA-2024:5258 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:5634 https://access.redhat.com/errata/RHSA-2024:5634 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:7262 https://access.redhat.com/errata/RHSA-2024:7262 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2025:7118 https://access.redhat.com/errata/RHSA-2025:7118 |