A memory leak flaw was found in the RSA encrypting/decrypting code which might lead to a resource exhaustion vulnerability, as it is theoretically exploitable using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. Unfortunately, notice that all the return statements related to error cases follow the "return nil, nil, fail(...)" pattern, which means that pkey and ctx will be nil inside the deferred function that should free them.
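The pattern described in the report above, reduced to a runnable Go sketch (an added example, not code from golang-fips/openssl). `handle`, `alloc`, `free` and the `live` map are constructed stand-ins for the C allocations, and `setupFixed` shows one possible correction, not necessarily the upstream fix.

```go
package main

import "fmt"

// handle is a constructed stand-in for a C object such as pkey or ctx.
type handle struct{ name string }
var live = map[*handle]bool{} // handles allocated and not yet freed

func alloc(name string) *handle { h := &handle{name}; live[h] = true; return h }
func free(h *handle)            { delete(live, h) } // no-op when h is nil

// setupLeaky: "return nil, nil, err" nils the named results before the defer runs.
func setupLeaky(fail bool) (pkey, ctx *handle, err error) {
	defer func() {
		if err != nil {
			free(pkey) // already nil on every error return
			free(ctx)
		}
	}()
	pkey, ctx = alloc("pkey"), alloc("ctx")
	if fail {
		return nil, nil, fmt.Errorf("context init failed")
	}
	return pkey, ctx, nil
}

// setupFixed: the cleanup closes over locals that no return rewrites.
func setupFixed(fail bool) (_, _ *handle, err error) {
	pkey, ctx := alloc("pkey"), alloc("ctx")
	defer func() {
		if err != nil {
			free(pkey)
			free(ctx)
		}
	}()
	if fail {
		return nil, nil, fmt.Errorf("context init failed")
	}
	return pkey, ctx, nil
}

func leaked(f func(bool) (*handle, *handle, error), n int) int {
	live = map[*handle]bool{}
	for i := 0; i < n; i++ {
		f(true)
	}
	return len(live) // handles still live after n failing calls
}

func main() { fmt.Println(leaked(setupLeaky, 100), leaked(setupFixed, 100)) }
```

Every failing call to `setupLeaky` strands two handles, so the leak grows linearly with the number of error-path invocations an input can trigger.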
Any thoughts on a fixed in version yet? It would be helpful, for the moment, to know the module that's affected.
populated fixed in field
Thanks for the update.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:1472 https://access.redhat.com/errata/RHSA-2024:1472
This issue has been addressed in the following products: Red Hat Ansible Automation Platform 2.4 for RHEL 9, Red Hat Ansible Automation Platform 2.4 for RHEL 8 Via RHSA-2024:1640 https://access.redhat.com/errata/RHSA-2024:1640
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:1644 https://access.redhat.com/errata/RHSA-2024:1644
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:1646 https://access.redhat.com/errata/RHSA-2024:1646
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.15 Via RHSA-2024:1563 https://access.redhat.com/errata/RHSA-2024:1563
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.15 Via RHSA-2024:1561 https://access.redhat.com/errata/RHSA-2024:1561
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2024:1574 https://access.redhat.com/errata/RHSA-2024:1574
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2024:1567 https://access.redhat.com/errata/RHSA-2024:1567
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2024:1566 https://access.redhat.com/errata/RHSA-2024:1566
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2024:1763 https://access.redhat.com/errata/RHSA-2024:1763
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2024:1897 https://access.redhat.com/errata/RHSA-2024:1897