What is the severity of REDHAT-BUG-2315719?

REDHAT-BUG-2315719 is considered a moderate severity vulnerability as it can lead to insecure handling of cryptographic operations.

How do I fix REDHAT-BUG-2315719?

To address REDHAT-BUG-2315719, you should update to the latest version of golang that includes the appropriate patches.

What are the potential impacts of REDHAT-BUG-2315719?

The impact of REDHAT-BUG-2315719 includes the risk of returning a zeroed buffer from cryptographic functions, potentially compromising data integrity.

Is REDHAT-BUG-2315719 specific to particular configurations?

Yes, REDHAT-BUG-2315719 occurs intermittently based on the stack layout at the time, particularly in FIPS mode.

Vulnerability/
REDHAT-BUG-2315719

medium

CWE

119

30/9/2024

18/4/2025

REDHAT-BUG-2315719: Buffer Overflow

First published: Mon Sep 30 2024(Updated: )

Binaries built with golang-1.21.13-3.el9_4 and golang-1.21.13-2.module+el8.10.0+22329+6cd5c9c6 may intermittently return a zeroed buffer from (*boringHMAC).Sum() in FIPS mode due to an uninitialized buffer length variable in the CGO bindings. This bug occurs randomly based on the stack layout at the time of the function call. It is not vulnerable to eg. buffer overflow attack because the underlying openssl routine checks the bounds of the buffer before writing to it. However, it may be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker is able to send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.

Affected Software	Affected Version	How to fix
Go (Golang) language by Google

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of REDHAT-BUG-2315719?
REDHAT-BUG-2315719 is considered a moderate severity vulnerability as it can lead to insecure handling of cryptographic operations.
How do I fix REDHAT-BUG-2315719?
To address REDHAT-BUG-2315719, you should update to the latest version of golang that includes the appropriate patches.
What are the potential impacts of REDHAT-BUG-2315719?
The impact of REDHAT-BUG-2315719 includes the risk of returning a zeroed buffer from cryptographic functions, potentially compromising data integrity.
Which software versions are affected by REDHAT-BUG-2315719?
REDHAT-BUG-2315719 affects binaries built with golang-1.21.13-3.el9_4 and golang-1.21.13-2.module+el8.10.0+22329+6cd5c9c6.
Is REDHAT-BUG-2315719 specific to particular configurations?
Yes, REDHAT-BUG-2315719 occurs intermittently based on the stack layout at the time, particularly in FIPS mode.

agent/severity
agent/weakness
agent/first-publish-date
agent/description
agent/event
agent/type
agent/references
agent/last-modified-date
agent/source
agent/guess-ai
agent/software-canonical-lookup
agent/software-canonical-lookup-request
agent/softwarecombine
agent/tags
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2024-9355
vendor/go
canonical/go (golang) language by google

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.