CVE-2024-1394

EUVD-2024-0854
A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113, the OpenSSL-backed RSA implementation used by Go toolchains built in FIPS mode. The objects leaked are pkey and ctx. That function uses named return parameters and a deferred function to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern. Go assigns the returned values to the named result parameters before deferred functions run, so pkey and ctx are already nil inside the deferred function that should free them; the OpenSSL objects allocated before the failure are never released, and every failing call leaks them.
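The defect pattern described above, as an added example that is not the golang-fips/openssl code: the OpenSSL objects are replaced with a constructed, counted stand-in type so the program runs offline, and the buggy setup is placed beside the corrected one. The names handle, setupBuggy, setupFixed and leakedAfter, and the two failure points "ctx" and "padding", are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// handle is a constructed stand-in for the OpenSSL objects (EVP_PKEY and
// EVP_PKEY_CTX) that rsa.go allocates; nothing here calls OpenSSL.
type handle struct {
	freed bool
}

// live counts handles allocated but not yet freed: the leak we measure.
var live int

func newHandle() *handle {
	live++
	return &handle{}
}

// free is nil-safe, like the C-side free it stands in for.
func (h *handle) free() {
	if h != nil && !h.freed {
		h.freed = true
		live--
	}
}

// setupBuggy mirrors the pattern in the advisory: the deferred closure is
// meant to free the named results pkey and ctx on error, but every error
// path returns "nil, nil, err". Go assigns the named results before running
// deferred functions, so the closure sees nil pointers and frees nothing.
func setupBuggy(failAt string) (pkey, ctx *handle, err error) {
	defer func() {
		if err != nil {
			pkey.free() // pkey is already nil here
			ctx.free()  // ctx is already nil here
		}
	}()
	pkey = newHandle()
	if failAt == "ctx" {
		return nil, nil, errors.New("context initialisation failed")
	}
	ctx = newHandle()
	if failAt == "padding" {
		return nil, nil, errors.New("setting padding failed")
	}
	return pkey, ctx, nil
}

// setupFixed keeps the deferred cleanup but sets err and returns through
// the named results, so the closure still holds the live pointers and can
// free them; it then nils them so the caller never sees freed handles.
func setupFixed(failAt string) (pkey, ctx *handle, err error) {
	defer func() {
		if err != nil {
			pkey.free()
			ctx.free()
			pkey, ctx = nil, nil
		}
	}()
	pkey = newHandle()
	if failAt == "ctx" {
		err = errors.New("context initialisation failed")
		return
	}
	ctx = newHandle()
	if failAt == "padding" {
		err = errors.New("setting padding failed")
		return
	}
	return pkey, ctx, nil
}

// leakedAfter calls setup n times with the given failure point ("" for
// success) and returns how many handles are still live afterwards. On
// success the caller frees both handles, as the real caller would.
func leakedAfter(setup func(string) (*handle, *handle, error), failAt string, n int) int {
	live = 0
	for i := 0; i < n; i++ {
		pkey, ctx, err := setup(failAt)
		if err == nil {
			ctx.free()
			pkey.free()
		}
	}
	return live
}

func main() {
	for _, failAt := range []string{"", "ctx", "padding"} {
		fmt.Printf("failAt=%q: buggy leaks %d, fixed leaks %d (1000 calls)\n",
			failAt, leakedAfter(setupBuggy, failAt, 1000), leakedAfter(setupFixed, failAt, 1000))
	}
}
```

With the buggy setup, a failure after both allocations leaks two objects per call and a failure after the first leaks one, so a client that can repeatedly force the error path drives memory use up without bound; the fixed variant leaks nothing on any path. The general lesson is that a deferred cleanup over named results only works if every error return leaves those results pointing at the live objects.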
Provider  Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  7.5 HIGH    NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

The vector decodes to a network-reachable flaw that needs no privileges or user interaction, with unchanged scope and no confidentiality or integrity impact; the only impact is availability (A:H), consistent with a resource-exhaustion leak.

Status: awaiting analysis (this vulnerability is currently awaiting analysis).
EPSS score percentile: 80%
Red Hat Enterprise Linux Releases

Red Hat Product              Release  Version             State
buildah                      RHEL 9   2:1.33.7-3.el9_4    fixed
buildah-tests                RHEL 9   2:1.33.7-3.el9_4    fixed
containernetworking-plugins  RHEL 9   1:1.4.0-4.el9_4     fixed
go-toolset                   RHEL 9   0:1.21.9-2.el9_4    fixed
golang                       RHEL 9   0:1.21.9-2.el9_4    fixed
golang-bin                   RHEL 9   0:1.21.9-2.el9_4    fixed
golang-docs                  RHEL 9   0:1.21.9-2.el9_4    fixed
golang-misc                  RHEL 9   0:1.21.9-2.el9_4    fixed
golang-src                   RHEL 9   0:1.21.9-2.el9_4    fixed
golang-tests                 RHEL 9   0:1.21.9-2.el9_4    fixed
grafana                      RHEL 8   0:9.2.10-16.el8_10  fixed
grafana                      RHEL 9   0:9.2.10-16.el9_4   fixed
grafana-pcp                  RHEL 9   0:5.1.1-2.el9_4     fixed
grafana-selinux              RHEL 8   0:9.2.10-16.el8_10  fixed
grafana-selinux              RHEL 9   0:9.2.10-16.el9_4   fixed
gvisor-tap-vsock             RHEL 9   6:0.7.3-4.el9_4     fixed
osbuild-composer             RHEL 8   0:101-2.el8_10      fixed
osbuild-composer             RHEL 9   0:132-1.el9         fixed
osbuild-composer-core        RHEL 8   0:101-2.el8_10      fixed
osbuild-composer-core        RHEL 9   0:132-1.el9         fixed
osbuild-composer-worker      RHEL 8   0:101-2.el8_10      fixed
osbuild-composer-worker      RHEL 9   0:132-1.el9         fixed
podman                       RHEL 9   4:4.9.4-5.el9_4     fixed
podman-docker                RHEL 9   4:4.9.4-5.el9_4     fixed
podman-plugins               RHEL 9   4:4.9.4-5.el9_4     fixed
podman-remote                RHEL 9   4:4.9.4-5.el9_4     fixed
podman-tests                 RHEL 9   4:4.9.4-5.el9_4     fixed
runc                         RHEL 9   4:1.1.12-3.el9_4    fixed
skopeo                       RHEL 9   2:1.14.3-3.el9_4    fixed
skopeo-tests                 RHEL 9   2:1.14.3-3.el9_4    fixed
References