Vulnerabilidad en Golang (CVE-2024-1394)
Gravedad CVSS v3.1:
ALTA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
21/03/2024
Última modificación:
13/05/2025
Descripción
Se encontró una falla de pérdida de memoria en Golang en el código de cifrado/descifrado RSA, lo que podría conducir a una vulnerabilidad de agotamiento de recursos mediante entradas controladas por el atacante. La pérdida de memoria ocurre en github.com/golang-fips/openssl/openssl/rsa.go#L113. Los objetos filtrados son pkey? y ctx?. Esa función utiliza parámetros de retorno con nombre para liberar pkey? y ctx? si hay un error al inicializar el contexto o al configurar las diferentes propiedades. Todas las declaraciones de devolución relacionadas con casos de error siguen el patrón "return nil, nil, fail(...)", lo que significa que pkey? y ctx? serán nulos dentro de la función diferida que debería liberarlos.
Impacto
Puntuación base 3.x
7.50
Gravedad 3.x
ALTA
Referencias a soluciones, herramientas e información
- https://access.redhat.com/errata/RHSA-2024:1462
- https://access.redhat.com/errata/RHSA-2024:1468
- https://access.redhat.com/errata/RHSA-2024:1472
- https://access.redhat.com/errata/RHSA-2024:1501
- https://access.redhat.com/errata/RHSA-2024:1502
- https://access.redhat.com/errata/RHSA-2024:1561
- https://access.redhat.com/errata/RHSA-2024:1563
- https://access.redhat.com/errata/RHSA-2024:1566
- https://access.redhat.com/errata/RHSA-2024:1567
- https://access.redhat.com/errata/RHSA-2024:1574
- https://access.redhat.com/errata/RHSA-2024:1640
- https://access.redhat.com/errata/RHSA-2024:1644
- https://access.redhat.com/errata/RHSA-2024:1646
- https://access.redhat.com/errata/RHSA-2024:1763
- https://access.redhat.com/errata/RHSA-2024:1897
- https://access.redhat.com/errata/RHSA-2024:2562
- https://access.redhat.com/errata/RHSA-2024:2568
- https://access.redhat.com/errata/RHSA-2024:2569
- https://access.redhat.com/errata/RHSA-2024:2729
- https://access.redhat.com/errata/RHSA-2024:2730
- https://access.redhat.com/errata/RHSA-2024:2767
- https://access.redhat.com/errata/RHSA-2024:3265
- https://access.redhat.com/errata/RHSA-2024:3352
- https://access.redhat.com/errata/RHSA-2024:4146
- https://access.redhat.com/errata/RHSA-2024:4371
- https://access.redhat.com/errata/RHSA-2024:4378
- https://access.redhat.com/errata/RHSA-2024:4379
- https://access.redhat.com/errata/RHSA-2024:4502
- https://access.redhat.com/errata/RHSA-2024:4581
- https://access.redhat.com/errata/RHSA-2024:4591
- https://access.redhat.com/errata/RHSA-2024:4672
- https://access.redhat.com/errata/RHSA-2024:4699
- https://access.redhat.com/errata/RHSA-2024:4761
- https://access.redhat.com/errata/RHSA-2024:4762
- https://access.redhat.com/errata/RHSA-2024:4960
- https://access.redhat.com/errata/RHSA-2024:5258
- https://access.redhat.com/errata/RHSA-2024:5634
- https://access.redhat.com/errata/RHSA-2024:7262
- https://access.redhat.com/errata/RHSA-2025:7118
- https://access.redhat.com/security/cve/CVE-2024-1394
- https://bugzilla.redhat.com/show_bug.cgi?id=2262921
- https://github.com/golang-fips/openssl/commit/85d31d0d257ce842c8a1e63c4d230ae850348136
- https://github.com/golang-fips/openssl/security/advisories/GHSA-78hx-gp6g-7mj6
- https://github.com/microsoft/go-crypto-openssl/commit/104fe7f6912788d2ad44602f77a0a0a62f1f259f
- https://pkg.go.dev/vuln/GO-2024-2660
- https://vuln.go.dev/ID/GO-2024-2660.json
- https://access.redhat.com/errata/RHSA-2024:1462
- https://access.redhat.com/errata/RHSA-2024:1468
- https://access.redhat.com/errata/RHSA-2024:1472
- https://access.redhat.com/errata/RHSA-2024:1501
- https://access.redhat.com/errata/RHSA-2024:1502
- https://access.redhat.com/errata/RHSA-2024:1561
- https://access.redhat.com/errata/RHSA-2024:1563
- https://access.redhat.com/errata/RHSA-2024:1566
- https://access.redhat.com/errata/RHSA-2024:1567
- https://access.redhat.com/errata/RHSA-2024:1574
- https://access.redhat.com/errata/RHSA-2024:1640
- https://access.redhat.com/errata/RHSA-2024:1644
- https://access.redhat.com/errata/RHSA-2024:1646
- https://access.redhat.com/errata/RHSA-2024:1763
- https://access.redhat.com/errata/RHSA-2024:1897
- https://access.redhat.com/errata/RHSA-2024:2562
- https://access.redhat.com/errata/RHSA-2024:2568
- https://access.redhat.com/errata/RHSA-2024:2569
- https://access.redhat.com/errata/RHSA-2024:2729
- https://access.redhat.com/errata/RHSA-2024:2730
- https://access.redhat.com/errata/RHSA-2024:2767
- https://access.redhat.com/errata/RHSA-2024:3265
- https://access.redhat.com/errata/RHSA-2024:3352
- https://access.redhat.com/errata/RHSA-2024:4146
- https://access.redhat.com/errata/RHSA-2024:4371
- https://access.redhat.com/errata/RHSA-2024:4378
- https://access.redhat.com/errata/RHSA-2024:4379
- https://access.redhat.com/errata/RHSA-2024:4502
- https://access.redhat.com/errata/RHSA-2024:4581
- https://access.redhat.com/errata/RHSA-2024:4591
- https://access.redhat.com/errata/RHSA-2024:4672
- https://access.redhat.com/errata/RHSA-2024:4699
- https://access.redhat.com/errata/RHSA-2024:4761
- https://access.redhat.com/errata/RHSA-2024:4762
- https://access.redhat.com/security/cve/CVE-2024-1394
- https://bugzilla.redhat.com/show_bug.cgi?id=2262921
- https://github.com/golang-fips/openssl/commit/85d31d0d257ce842c8a1e63c4d230ae850348136
- https://github.com/golang-fips/openssl/security/advisories/GHSA-78hx-gp6g-7mj6
- https://github.com/microsoft/go-crypto-openssl/commit/104fe7f6912788d2ad44602f77a0a0a62f1f259f
- https://pkg.go.dev/vuln/GO-2024-2660
- https://vuln.go.dev/ID/GO-2024-2660.json