#VU87830 Memory leak in openssl


Published: 2024-03-26

Vulnerability identifier: #VU87830

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-1394

CWE-ID: CWE-401

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
openssl
Universal components / Libraries / Programming Languages & Components

Vendor: golang-fips

Description
The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in the RSA encrypting/decrypting code when handling untrusted input. A remote attacker can pass specially crafted data to the application and perform denial of service attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

openssl: 2.0.0 - 2.0.1

External links
http://bugzilla.redhat.com/show_bug.cgi?id=2262921
http://github.com/golang-fips/openssl/security/advisories/GHSA-78hx-gp6g-7mj6

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM MQ Operator and Queue manager container images
Red Hat Enterprise Linux 9 update for golang
Red Hat Enterprise Linux 9 update for grafana
Red Hat Enterprise Linux 9 update for grafana
Multiple vulnerabilities in Red Hat build of Cryostat 2 on RHEL 8
Multiple vulnerabilities in Red Hat OpenShift Container Platform release 4.14
Multiple vulnerabilities in Red Hat OpenShift Service Mesh Containers 2.5
Denial of service in OpenShift Container Platform 4.13
Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.14
Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.15