Memory Leak in Go RSA (golang-fips/openssl) Leads to Resource Exhaustion
CVE-2024-1394 Published on March 21, 2024

Golang-fips/openssl: memory leaks in code encrypting and decrypting rsa payloads
A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them.

Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2024-1394 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

NONE

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

NONE

Integrity Impact:

NONE

Availability Impact:

HIGH

Timeline

2024-02-06

Reported to Red Hat.

2024-03-20

Made public. 43 days later.

Weakness Type

What is a Memory Leak Vulnerability?

The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory. This is often triggered by improper handling of malformed data or unexpectedly interrupted sessions. In some languages, developers are responsible for tracking memory allocation and releasing the memory. If there are no more pointers or references to the memory, then it can no longer be tracked and identified for release.

CVE-2024-1394 has been classified to as a Memory Leak vulnerability or weakness.

Products Associated with CVE-2024-1394

Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.

Red Hat Ansible Automation Platform Inside

Red Hat Ansible Automation Platform

Red Hat Ansible Automation Platform Developer

Red Hat Devtools

Red Hat Enterprise Linux (RHEL)

Red Hat Rhel E4s

Red Hat Rhel Eus

Red Hat Openshift

Red Hat Openstack

Red Hat Openshift Data Foundation

Red Hat Network Bound Disk Encryption Tang

Red Hat Ocp Tools

Red Hat Openshift Pipelines

Red Hat Serverless

Red Hat Certifications

Red Hat Openshift Container Storage

Red Hat Openshift Devspaces

Red Hat Openshift Gitops

Red Hat Openshift Service On Aws

Red Hat Container Native Virtualization

Red Hat Service Interconnect

Red Hat Rhel Software Collections

Red Hat Storage

Affected Versions

Red Hat Ansible Automation Platform 2.4 for RHEL 8:

Version 0:1.4.5-1.el8ap and below * is unaffected.

Red Hat Ansible Automation Platform 2.4 for RHEL 9:

Version 0:1.4.5-1.el9ap and below * is unaffected.

Red Hat Developer Tools:

Version 0:1.19.13-6.el7_9 and below * is unaffected.

Red Hat Enterprise Linux 8:

Version 8090020240313170136.26eb71ac and below * is unaffected.

Red Hat Enterprise Linux 8:

Version 0:5.1.1-2.el8_9 and below * is unaffected.

Red Hat Enterprise Linux 8:

Version 0:9.2.10-8.el8_9 and below * is unaffected.

Red Hat Enterprise Linux 8:

Version 0:9.2.10-16.el8_10 and below * is unaffected.

Red Hat Enterprise Linux 8:

Version 8100020240808093819.afee755d and below * is unaffected.

Red Hat Enterprise Linux 8:

Version 0:101-2.el8_10 and below * is unaffected.

Red Hat Enterprise Linux 9:

Version 0:1.20.12-2.el9_3 and below * is unaffected.

Red Hat Enterprise Linux 9:

Version 0:9.2.10-8.el9_3 and below * is unaffected.

Red Hat Enterprise Linux 9:

Version 0:5.1.1-2.el9_3 and below * is unaffected.

Red Hat Enterprise Linux 9:

Version 0:1.21.9-2.el9_4 and below * is unaffected.

Red Hat Enterprise Linux 9:

Version 0:9.2.10-16.el9_4 and below * is unaffected.

Red Hat Enterprise Linux 9:

Version 0:5.1.1-2.el9_4 and below * is unaffected.

Red Hat Enterprise Linux 9:

Version 2:1.33.7-3.el9_4 and below * is unaffected.

Red Hat Enterprise Linux 9:

Version 4:4.9.4-5.el9_4 and below * is unaffected.

Red Hat Enterprise Linux 9:

Version 6:0.7.3-4.el9_4 and below * is unaffected.

Red Hat Enterprise Linux 9:

Version 2:1.14.3-3.el9_4 and below * is unaffected.

Red Hat Enterprise Linux 9:

Version 1:1.4.0-4.el9_4 and below * is unaffected.

Red Hat Enterprise Linux 9:

Version 4:1.1.12-3.el9_4 and below * is unaffected.

Red Hat Enterprise Linux 9:

Version 0:132-1.el9 and below * is unaffected.

Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions:

Version 2:4.2.0-4.el9_0 and below * is unaffected.

Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions:

Version 1:1.0.1-6.el9_0 and below * is unaffected.

Red Hat Enterprise Linux 9.2 Extended Update Support:

Version 0:1.19.13-7.el9_2 and below * is unaffected.

Red Hat Enterprise Linux 9.2 Extended Update Support:

Version 2:4.4.1-20.el9_2 and below * is unaffected.

Red Hat OpenShift Container Platform 4.12:

Version 1:1.23.4-5.2.rhaos4.12.el9 and below * is unaffected.

Red Hat OpenShift Container Platform 4.12:

Version 0:0.16.0-2.2.rhaos4.12.el8 and below * is unaffected.

Red Hat OpenShift Container Platform 4.12:

Version 1:1.4.0-1.1.rhaos4.12.el8 and below * is unaffected.

Red Hat OpenShift Container Platform 4.12:

Version 0:1.25.3-5.2.rhaos4.12.git44a2cb2.el9 and below * is unaffected.

Red Hat OpenShift Container Platform 4.12:

Version 0:1.25.0-2.2.el8 and below * is unaffected.

Red Hat OpenShift Container Platform 4.12:

Version 0:2.14.0-7.1.rhaos4.12.el8 and below * is unaffected.

Red Hat OpenShift Container Platform 4.12:

Version 0:4.12.0-202403251017.p0.gd4c9e3c.assembly.stream.el8 and below * is unaffected.

Red Hat OpenShift Container Platform 4.12:

Version 3:4.2.0-7.2.rhaos4.12.el9 and below * is unaffected.

Red Hat OpenShift Container Platform 4.12:

Version 3:1.1.6-5.2.rhaos4.12.el8 and below * is unaffected.

Red Hat OpenShift Container Platform 4.12:

Version 2:1.9.4-3.2.rhaos4.12.el8 and below * is unaffected.

Red Hat OpenShift Container Platform 4.13:

Version 1:1.29.1-2.2.rhaos4.13.el8 and below * is unaffected.

Red Hat OpenShift Container Platform 4.13:

Version 1:1.4.0-1.1.rhaos4.13.el8 and below * is unaffected.

Red Hat OpenShift Container Platform 4.13:

Version 0:1.26.5-11.1.rhaos4.13.git919cc6e.el8 and below * is unaffected.

Red Hat OpenShift Container Platform 4.13:

Version 0:1.26.0-4.2.el9 and below * is unaffected.

Red Hat OpenShift Container Platform 4.13:

Version 0:2.15.0-7.1.rhaos4.13.el9 and below * is unaffected.

Red Hat OpenShift Container Platform 4.13:

Version 0:4.13.0-202404020737.p0.gd192e90.assembly.stream.el9 and below * is unaffected.

Red Hat OpenShift Container Platform 4.13:

Version 3:4.4.1-5.2.rhaos4.13.el8 and below * is unaffected.

Red Hat OpenShift Container Platform 4.13:

Version 4:1.1.12-1.1.rhaos4.13.el9 and below * is unaffected.

Red Hat OpenShift Container Platform 4.13:

Version 2:1.11.2-2.2.rhaos4.13.el9 and below * is unaffected.