#VU87830 Memory leak in openssl - CVE-2024-1394

Cybersecurity Help s.r.o.

Published: 2024-03-26

Vulnerability identifier: #VU87830

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-1394

CWE-ID: CWE-401

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
openssl
Universal components / Libraries / Programming Languages & Components

Vendor: golang-fips

Description
The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in the RSA encrypting/decrypting code when handling untrusted input. A remote attacker can pass specially crafted data to the application and perform denial of service attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

openssl: 2.0.0 - 2.0.1

External links
http://bugzilla.redhat.com/show_bug.cgi?id=2262921
http://github.com/golang-fips/openssl/security/advisories/GHSA-78hx-gp6g-7mj6

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cloud Pak System

Multiple vulnerabilities in Oracle Linux

IBM Watson CP4D Data Stores update for Golang golang-fips/openssl

Red Hat Enterprise Linux 8 update for osbuild-composer

Multiple vulnerabilities in Storage Protect Plus Server

Red Hat Enterprise Linux 8 update for the container-tools:rhel8 module

Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.14

Red Hat Enterprise Linux 9 update for podman

Red Hat Enterprise Linux 9 update for containernetworking-plugins

Multiple vulnerabilities in Red Hat OpenShift Data Foundation