Description
A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed HMAC sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.
References (14)
Scores
CVSS v3: 6.5
EPSS: 0.0007
EPSS Percentile: 21.8%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-457
Status: published
Products (37)
golang-fips/openssl
0Go
Red Hat/NBDE Tang Server
Red Hat/OpenShift Developer Tools and Services
Red Hat/OpenShift Pipelines
Red Hat/OpenShift Serverless
Red Hat/Red Hat Ansible Automation Platform 1.2
Red Hat/Red Hat Ansible Automation Platform 2
Red Hat/Red Hat Enterprise Linux 10
Red Hat/Red Hat Enterprise Linux 7
Red Hat/Red Hat Enterprise Linux 7 Extended Lifecycle Support
0:0.10-2.el7_9
... and 27 more
Published: Oct 01, 2024
Tracked Since: Feb 18, 2026