Main Vulnerability Database Vulnerabilities #VU98022

Use of Uninitialized Variable in golang (Red Hat package) - CVE-2024-9355

Published: October 3, 2024

Vulnerability identifier: #VU98022

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2024-9355

CWE-ID: CWE-457

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Red Hat Inc.

Affected software:
golang (Red Hat package)

Detailed vulnerability description

The vulnerability allows a remote attacker to weaken TLS encryption.

The vulnerability exists due to an uninitialized buffer length variable in the CGO bindings that intermittently return a zeroed buffer from (*boringHMAC).Sum() in FIPS mode. A remote attacker can randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode and weaken TLS security.

How to mitigate CVE-2024-9355

Install updates from vendor's website.

Sources

https://bugzilla.redhat.com/show_bug.cgi?id=2315719

Use of Uninitialized Variable in golang (Red Hat package) - CVE-2024-9355

Detailed vulnerability description

How to mitigate CVE-2024-9355

Sources

Please verify you're human