A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs​. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey​ and ctx​. That function uses named return parameters to free pkey​ and ctx​ if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey​ and ctx​ will be nil inside the deferred function that should free them.
References
Link Providers
https://access.redhat.com/errata/RHSA-2024:1462 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:1468 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:1472 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:1501 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:1502 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:1561 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:1563 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:1566 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:1567 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:1574 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:1640 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:1644 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:1646 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:1763 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:1897 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:2562 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:2568 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:2569 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:2729 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:2730 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:2767 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:3265 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:3352 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:4146 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:4371 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:4378 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:4379 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:4502 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:4581 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:4591 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:4672 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:4699 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:4761 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:4762 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:4960 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:5258 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:5634 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:7262 cve-icon cve-icon
https://access.redhat.com/security/cve/CVE-2024-1394 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=2262921 cve-icon cve-icon
https://github.com/golang-fips/openssl/commit/85d31d0d257ce842c8a1e63c4d230ae850348136 cve-icon cve-icon cve-icon
https://github.com/golang-fips/openssl/security/advisories/GHSA-78hx-gp6g-7mj6 cve-icon cve-icon cve-icon
https://github.com/microsoft/go-crypto-openssl/commit/104fe7f6912788d2ad44602f77a0a0a62f1f259f cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2024-1394 cve-icon
https://pkg.go.dev/vuln/GO-2024-2660 cve-icon cve-icon cve-icon
https://vuln.go.dev/ID/GO-2024-2660.json cve-icon cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2024-1394 cve-icon
History

Tue, 10 Dec 2024 16:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift_devspaces:3:: cpe:/a:redhat:openshift_devspaces:3:

Mon, 09 Dec 2024 10:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift_devspaces:3::el8 cpe:/a:redhat:openshift_devspaces:3::

Thu, 26 Sep 2024 23:15:00 +0000

Type Values Removed Values Added
References

Mon, 23 Sep 2024 05:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 21 Aug 2024 04:00:00 +0000

Type Values Removed Values Added
References

Tue, 13 Aug 2024 16:30:00 +0000

Type Values Removed Values Added
References

Wed, 07 Aug 2024 16:45:00 +0000

Type Values Removed Values Added
References

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-03-21T12:16:38.790Z

Updated: 2024-12-23T06:24:59.424Z

Reserved: 2024-02-09T06:02:35.056Z

Link: CVE-2024-1394

cve-icon Vulnrichment

Updated: 2024-08-01T18:40:20.583Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-03-21T13:00:08.037

Modified: 2024-11-21T08:50:29.120

Link: CVE-2024-1394

cve-icon Redhat

Severity : Important

Publid Date: 2024-03-20T00:00:00Z

Links: CVE-2024-1394 - Bugzilla