CVE-2024-1394

Golang-fips/openssl: memory leaks in code encrypting and decrypting rsa payloads

Description

A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them.

Remediation

Workaround:

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Category

7.5

CVSS

Severity: High

CVSS 3.1 •

EPSS 0.80% Top 30%

Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com

Affected: Red Hat Red Hat Ansible Automation Platform 2.4 for RHEL 8

Affected: Red Hat Red Hat Ansible Automation Platform 2.4 for RHEL 9

Affected: Red Hat Red Hat Developer Tools

Affected: Red Hat Red Hat Enterprise Linux 8

Affected: Red Hat Red Hat Enterprise Linux 9

Affected: Red Hat Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Affected: Red Hat Red Hat Enterprise Linux 9.2 Extended Update Support

Affected: Red Hat Red Hat OpenShift Container Platform 4.12

Affected: Red Hat Red Hat OpenShift Container Platform 4.13

Affected: Red Hat Red Hat OpenShift Container Platform 4.14

Affected: Red Hat Red Hat OpenShift Container Platform 4.15

Affected: Red Hat Red Hat OpenStack Platform 16.2

Affected: Red Hat Red Hat OpenStack Platform 17.1 for RHEL 8

Affected: Red Hat Red Hat OpenStack Platform 17.1 for RHEL 9

Affected: Red Hat RHODF-4.16-RHEL-9

Affected: Red Hat NBDE Tang Server

Affected: Red Hat OpenShift Developer Tools and Services

Affected: Red Hat OpenShift Pipelines

Affected: Red Hat OpenShift Serverless

Affected: Red Hat Red Hat Ansible Automation Platform 1.2

Affected: Red Hat Red Hat Ansible Automation Platform 2

Affected: Red Hat Red Hat Certification for Red Hat Enterprise Linux 8

Affected: Red Hat Red Hat Certification for Red Hat Enterprise Linux 9

Affected: Red Hat Red Hat Enterprise Linux 7

Affected: Red Hat Red Hat Enterprise Linux 8

Affected: Red Hat Red Hat Enterprise Linux 9

Affected: Red Hat Red Hat OpenShift Container Platform 4

Affected: Red Hat Red Hat Openshift Container Storage 4

Affected: Red Hat Red Hat OpenShift Dev Spaces

Affected: Red Hat Red Hat OpenShift GitOps

Affected: Red Hat Red Hat OpenShift on AWS

Affected: Red Hat Red Hat OpenShift Virtualization 4

Affected: Red Hat Red Hat OpenStack Platform 16.1

Affected: Red Hat Red Hat OpenStack Platform 16.2

Affected: Red Hat Red Hat OpenStack Platform 17.1

Affected: Red Hat Red Hat OpenStack Platform 18.0

Affected: Red Hat Red Hat Service Interconnect 1

Affected: Red Hat Red Hat Software Collections

Affected: Red Hat Red Hat Storage 3

References

Link	Tags
https://access.redhat.com/errata/RHSA-2024:1462	vendor advisory
https://access.redhat.com/errata/RHSA-2024:1468	vendor advisory
https://access.redhat.com/errata/RHSA-2024:1472	vendor advisory
https://access.redhat.com/errata/RHSA-2024:1501	vendor advisory
https://access.redhat.com/errata/RHSA-2024:1502	vendor advisory
https://access.redhat.com/errata/RHSA-2024:1561	vendor advisory
https://access.redhat.com/errata/RHSA-2024:1563	vendor advisory
https://access.redhat.com/errata/RHSA-2024:1566	vendor advisory
https://access.redhat.com/errata/RHSA-2024:1567	vendor advisory
https://access.redhat.com/errata/RHSA-2024:1574	vendor advisory
https://access.redhat.com/errata/RHSA-2024:1640	vendor advisory
https://access.redhat.com/errata/RHSA-2024:1644	vendor advisory
https://access.redhat.com/errata/RHSA-2024:1646	vendor advisory
https://access.redhat.com/errata/RHSA-2024:1763	vendor advisory
https://access.redhat.com/errata/RHSA-2024:1897	vendor advisory
https://access.redhat.com/errata/RHSA-2024:2562	vendor advisory
https://access.redhat.com/errata/RHSA-2024:2568	vendor advisory
https://access.redhat.com/errata/RHSA-2024:2569	vendor advisory
https://access.redhat.com/errata/RHSA-2024:2729	vendor advisory
https://access.redhat.com/errata/RHSA-2024:2730	vendor advisory
https://access.redhat.com/errata/RHSA-2024:2767	vendor advisory
https://access.redhat.com/errata/RHSA-2024:3265	vendor advisory
https://access.redhat.com/errata/RHSA-2024:3352	vendor advisory
https://access.redhat.com/errata/RHSA-2024:4146	vendor advisory
https://access.redhat.com/errata/RHSA-2024:4371	vendor advisory
https://access.redhat.com/errata/RHSA-2024:4378	vendor advisory
https://access.redhat.com/errata/RHSA-2024:4379	vendor advisory
https://access.redhat.com/errata/RHSA-2024:4502	vendor advisory
https://access.redhat.com/errata/RHSA-2024:4581	vendor advisory
https://access.redhat.com/errata/RHSA-2024:4591	vendor advisory
https://access.redhat.com/errata/RHSA-2024:4672	vendor advisory
https://access.redhat.com/errata/RHSA-2024:4699	vendor advisory
https://access.redhat.com/errata/RHSA-2024:4761	vendor advisory
https://access.redhat.com/errata/RHSA-2024:4762	vendor advisory
https://access.redhat.com/errata/RHSA-2024:4960	vendor advisory
https://access.redhat.com/errata/RHSA-2024:5258	vendor advisory
https://access.redhat.com/errata/RHSA-2024:5634	vendor advisory
https://access.redhat.com/errata/RHSA-2024:7262	vendor advisory
https://access.redhat.com/errata/RHSA-2025:7118	vendor advisory
https://access.redhat.com/security/cve/CVE-2024-1394	vdb entry
https://bugzilla.redhat.com/show_bug.cgi?id=2262921	issue tracking
https://github.com/golang-fips/openssl/commit/85d31d0d257ce842c8a1e63c4d230ae850348136
https://github.com/golang-fips/openssl/security/advisories/GHSA-78hx-gp6g-7mj6
https://github.com/microsoft/go-crypto-openssl/commit/104fe7f6912788d2ad44602f77a0a0a62f1f259f
https://pkg.go.dev/vuln/GO-2024-2660
https://vuln.go.dev/ID/GO-2024-2660.json

Frequently Asked Questions

What is the severity of CVE-2024-1394?: CVE-2024-1394 has been scored as a high severity vulnerability.
How to fix CVE-2024-1394?: As a workaround for remediating CVE-2024-1394: Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Is CVE-2024-1394 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2024-1394 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-1394?: CVE-2024-1394 affects Red Hat Red Hat Ansible Automation Platform 2.4 for RHEL 8, Red Hat Red Hat Ansible Automation Platform 2.4 for RHEL 9, Red Hat Red Hat Developer Tools, Red Hat Red Hat Enterprise Linux 8, Red Hat Red Hat Enterprise Linux 8, Red Hat Red Hat Enterprise Linux 8, Red Hat Red Hat Enterprise Linux 8, Red Hat Red Hat Enterprise Linux 8, Red Hat Red Hat Enterprise Linux 8, Red Hat Red Hat Enterprise Linux 9, Red Hat Red Hat Enterprise Linux 9, Red Hat Red Hat Enterprise Linux 9, Red Hat Red Hat Enterprise Linux 9, Red Hat Red Hat Enterprise Linux 9, Red Hat Red Hat Enterprise Linux 9, Red Hat Red Hat Enterprise Linux 9, Red Hat Red Hat Enterprise Linux 9, Red Hat Red Hat Enterprise Linux 9, Red Hat Red Hat Enterprise Linux 9, Red Hat Red Hat Enterprise Linux 9, Red Hat Red Hat Enterprise Linux 9, Red Hat Red Hat Enterprise Linux 9, Red Hat Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions, Red Hat Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions, Red Hat Red Hat Enterprise Linux 9.2 Extended Update Support, Red Hat Red Hat Enterprise Linux 9.2 Extended Update Support, Red Hat Red Hat OpenShift Container Platform 4.12, Red Hat Red Hat OpenShift Container Platform 4.12, Red Hat Red Hat OpenShift Container Platform 4.12, Red Hat Red Hat OpenShift Container Platform 4.12, Red Hat Red Hat OpenShift Container Platform 4.12, Red Hat Red Hat OpenShift Container Platform 4.12, Red Hat Red Hat OpenShift Container Platform 4.12, Red Hat Red Hat OpenShift Container Platform 4.12, Red Hat Red Hat OpenShift Container Platform 4.12, Red Hat Red Hat OpenShift Container Platform 4.12, Red Hat Red Hat OpenShift Container Platform 4.13, Red Hat Red Hat OpenShift Container Platform 4.13, Red Hat Red Hat OpenShift Container Platform 4.13, Red Hat Red Hat OpenShift Container Platform 4.13, Red Hat Red Hat OpenShift Container Platform 4.13, Red Hat Red Hat OpenShift Container Platform 4.13, Red Hat Red Hat OpenShift Container Platform 4.13, Red Hat Red Hat OpenShift Container Platform 4.13, Red Hat Red Hat OpenShift Container Platform 4.13, Red Hat Red Hat OpenShift Container Platform 4.14, Red Hat Red Hat OpenShift Container Platform 4.14, Red Hat Red Hat OpenShift Container Platform 4.14, Red Hat Red Hat OpenShift Container Platform 4.14, Red Hat Red Hat OpenShift Container Platform 4.14, Red Hat Red Hat OpenShift Container Platform 4.14, Red Hat Red Hat OpenShift Container Platform 4.14, Red Hat Red Hat OpenShift Container Platform 4.14, Red Hat Red Hat OpenShift Container Platform 4.14, Red Hat Red Hat OpenShift Container Platform 4.14, Red Hat Red Hat OpenShift Container Platform 4.14, Red Hat Red Hat OpenShift Container Platform 4.14, Red Hat Red Hat OpenShift Container Platform 4.14, Red Hat Red Hat OpenShift Container Platform 4.14, Red Hat Red Hat OpenShift Container Platform 4.14, Red Hat Red Hat OpenShift Container Platform 4.14, Red Hat Red Hat OpenShift Container Platform 4.14, Red Hat Red Hat OpenShift Container Platform 4.14, Red Hat Red Hat OpenShift Container Platform 4.14, Red Hat Red Hat OpenShift Container Platform 4.14, Red Hat Red Hat OpenShift Container Platform 4.14, Red Hat Red Hat OpenShift Container Platform 4.14, Red Hat Red Hat OpenShift Container Platform 4.14, Red Hat Red Hat OpenShift Container Platform 4.14, Red Hat Red Hat OpenShift Container Platform 4.14, Red Hat Red Hat OpenShift Container Platform 4.14, Red Hat Red Hat OpenShift Container Platform 4.14, Red Hat Red Hat OpenShift Container Platform 4.15, Red Hat Red Hat OpenShift Container Platform 4.15, Red Hat Red Hat OpenShift Container Platform 4.15, Red Hat Red Hat OpenShift Container Platform 4.15, Red Hat Red Hat OpenShift Container Platform 4.15, Red Hat Red Hat OpenShift Container Platform 4.15, Red Hat Red Hat OpenShift Container Platform 4.15, Red Hat Red Hat OpenShift Container Platform 4.15, Red Hat Red Hat OpenShift Container Platform 4.15, Red Hat Red Hat OpenShift Container Platform 4.15, Red Hat Red Hat OpenShift Container Platform 4.15, Red Hat Red Hat OpenShift Container Platform 4.15, Red Hat Red Hat OpenShift Container Platform 4.15, Red Hat Red Hat OpenStack Platform 16.2, Red Hat Red Hat OpenStack Platform 17.1 for RHEL 8, Red Hat Red Hat OpenStack Platform 17.1 for RHEL 9, Red Hat Red Hat OpenStack Platform 17.1 for RHEL 9, Red Hat RHODF-4.16-RHEL-9, Red Hat RHODF-4.16-RHEL-9, Red Hat NBDE Tang Server, Red Hat OpenShift Developer Tools and Services, Red Hat OpenShift Developer Tools and Services, Red Hat OpenShift Pipelines, Red Hat OpenShift Serverless, Red Hat Red Hat Ansible Automation Platform 1.2, Red Hat Red Hat Ansible Automation Platform 1.2, Red Hat Red Hat Ansible Automation Platform 2, Red Hat Red Hat Certification for Red Hat Enterprise Linux 8, Red Hat Red Hat Certification for Red Hat Enterprise Linux 9, Red Hat Red Hat Enterprise Linux 7, Red Hat Red Hat Enterprise Linux 7, Red Hat Red Hat Enterprise Linux 7, Red Hat Red Hat Enterprise Linux 7, Red Hat Red Hat Enterprise Linux 7, Red Hat Red Hat Enterprise Linux 7, Red Hat Red Hat Enterprise Linux 8, Red Hat Red Hat Enterprise Linux 8, Red Hat Red Hat Enterprise Linux 8, Red Hat Red Hat Enterprise Linux 8, Red Hat Red Hat Enterprise Linux 8, Red Hat Red Hat Enterprise Linux 8, Red Hat Red Hat Enterprise Linux 8, Red Hat Red Hat Enterprise Linux 8, Red Hat Red Hat Enterprise Linux 8, Red Hat Red Hat Enterprise Linux 8, Red Hat Red Hat Enterprise Linux 9, Red Hat Red Hat Enterprise Linux 9, Red Hat Red Hat Enterprise Linux 9, Red Hat Red Hat Enterprise Linux 9, Red Hat Red Hat Enterprise Linux 9, Red Hat Red Hat Enterprise Linux 9, Red Hat Red Hat OpenShift Container Platform 4, Red Hat Red Hat OpenShift Container Platform 4, Red Hat Red Hat OpenShift Container Platform 4, Red Hat Red Hat OpenShift Container Platform 4, Red Hat Red Hat OpenShift Container Platform 4, Red Hat Red Hat OpenShift Container Platform 4, Red Hat Red Hat OpenShift Container Platform 4, Red Hat Red Hat Openshift Container Storage 4, Red Hat Red Hat OpenShift Dev Spaces, Red Hat Red Hat OpenShift GitOps, Red Hat Red Hat OpenShift on AWS, Red Hat Red Hat OpenShift Virtualization 4, Red Hat Red Hat OpenStack Platform 16.1, Red Hat Red Hat OpenStack Platform 16.1, Red Hat Red Hat OpenStack Platform 16.1, Red Hat Red Hat OpenStack Platform 16.2, Red Hat Red Hat OpenStack Platform 16.2, Red Hat Red Hat OpenStack Platform 16.2, Red Hat Red Hat OpenStack Platform 17.1, Red Hat Red Hat OpenStack Platform 17.1, Red Hat Red Hat OpenStack Platform 17.1, Red Hat Red Hat OpenStack Platform 18.0, Red Hat Red Hat Service Interconnect 1, Red Hat Red Hat Service Interconnect 1, Red Hat Red Hat Service Interconnect 1, Red Hat Red Hat Software Collections, Red Hat Red Hat Storage 3.

Description

Remediation

Category

CWE-401 – Missing Release of Memory after Effective Lifetime

References

Frequently Asked Questions