Use of Uninitialized Variable in golang (Red Hat package)

#VU98022 Use of Uninitialized Variable in golang (Red Hat package)

Cybersecurity Help s.r.o.

Published: 2024-10-03

Vulnerability identifier: #VU98022

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-9355

CWE-ID: CWE-457

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
golang (Red Hat package)
Operating systems & Components / Operating system package or component

Vendor:

Description

The vulnerability allows a remote attacker to weaken TLS encryption.

The vulnerability exists due to an uninitialized buffer length variable in the CGO bindings that intermittently return a zeroed buffer from (*boringHMAC).Sum() in FIPS mode. A remote attacker can randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode and weaken TLS security.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

External links
http://bugzilla.redhat.com/show_bug.cgi?id=2315719

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Red Hat Enterprise Linux 8 update for grafana-pcp

Red Hat Enterprise Linux 9 update for grafana

Red Hat Enterprise Linux 8 update for grafana

Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.17

Multiple vulnerabilities in Oracle Linux

Red Hat Enterprise Linux 9 update for golang

Red Hat Enterprise Linux 8 update for the go-toolset:rhel8 module