中危 Golang-fips/openssl:加密和解密 rsa 有效负载的代码中存在内存泄漏 (CVE-2024-1394)

CVE编号

CVE-2024-1394

利用情况

暂无

补丁情况

官方补丁

披露时间

2024-03-21
漏洞描述
在Golang中发现了一种内存泄漏漏洞,位于RSA加密/解密代码中,可能导致使用攻击者控制的输入造成资源耗尽漏洞。内存泄漏发生在github.com/golang-fips/openssl/openssl/rsa.go#L113。泄漏的对象是pkey和ctx。该函数使用命名返回参数来释放pkey和ctx,如果在初始化上下文或设置不同属性时出现错误。所有与错误情况有关的返回语句都遵循"return nil, nil, fail(...)"模式,这意味着pkey和ctx将在应该释放它们的延迟函数内部为nil。
解决建议
建议您更新当前系统或软件至最新版,完成漏洞的修复。
参考链接
https://access.redhat.com/errata/RHSA-2024:1462
https://access.redhat.com/errata/RHSA-2024:1468
https://access.redhat.com/errata/RHSA-2024:1472
https://access.redhat.com/errata/RHSA-2024:1501
https://access.redhat.com/errata/RHSA-2024:1502
https://access.redhat.com/errata/RHSA-2024:1561
https://access.redhat.com/errata/RHSA-2024:1563
https://access.redhat.com/errata/RHSA-2024:1566
https://access.redhat.com/errata/RHSA-2024:1567
https://access.redhat.com/errata/RHSA-2024:1574
https://access.redhat.com/errata/RHSA-2024:1640
https://access.redhat.com/errata/RHSA-2024:1644
https://access.redhat.com/errata/RHSA-2024:1646
https://access.redhat.com/errata/RHSA-2024:1763
https://access.redhat.com/errata/RHSA-2024:1897
https://access.redhat.com/errata/RHSA-2024:2562
https://access.redhat.com/errata/RHSA-2024:2568
https://access.redhat.com/errata/RHSA-2024:2569
https://access.redhat.com/errata/RHSA-2024:2729
https://access.redhat.com/errata/RHSA-2024:2730
https://access.redhat.com/errata/RHSA-2024:2767
https://access.redhat.com/errata/RHSA-2024:3265
https://access.redhat.com/errata/RHSA-2024:3352
https://access.redhat.com/errata/RHSA-2024:4146
https://access.redhat.com/errata/RHSA-2024:4371
https://access.redhat.com/errata/RHSA-2024:4378
https://access.redhat.com/errata/RHSA-2024:4379
https://access.redhat.com/errata/RHSA-2024:4502
https://access.redhat.com/errata/RHSA-2024:4581
https://access.redhat.com/errata/RHSA-2024:4591
https://access.redhat.com/errata/RHSA-2024:4672
https://access.redhat.com/errata/RHSA-2024:4699
https://access.redhat.com/errata/RHSA-2024:4761
https://access.redhat.com/errata/RHSA-2024:4762
https://access.redhat.com/errata/RHSA-2024:4960
https://access.redhat.com/errata/RHSA-2024:5258
https://access.redhat.com/errata/RHSA-2024:5634
https://access.redhat.com/errata/RHSA-2024:7262
https://access.redhat.com/security/cve/CVE-2024-1394
https://bugzilla.redhat.com/show_bug.cgi?id=2262921
https://github.com/golang-fips/openssl/commit/85d31d0d257ce842c8a1e63c4d230ae...
https://github.com/golang-fips/openssl/security/advisories/GHSA-78hx-gp6g-7mj6
https://github.com/microsoft/go-crypto-openssl/commit/104fe7f6912788d2ad44602...
https://pkg.go.dev/vuln/GO-2024-2660
https://vuln.go.dev/ID/GO-2024-2660.json
受影响软件情况
# 类型 厂商 产品 版本 影响面
1
运行在以下环境
系统 alma_linux_9 golang * Up to
(excluding)
1.20.12-2.el9_3
运行在以下环境
系统 oracle_9 golang * Up to
(excluding)
1.20.12-2.el9_3
运行在以下环境
系统 redhat_9 golang * Up to
(excluding)
1.20.12-2.el9_3
阿里云评分
6.2
  • 攻击路径
    本地
  • 攻击复杂度
    复杂
  • 权限要求
    普通权限
  • 影响范围
    越权影响
  • EXP成熟度
    未验证
  • 补丁情况
    官方补丁
  • 数据保密性
    无影响
  • 数据完整性
    无影响
  • 服务器危害
    无影响
  • 全网数量
    N/A
CWE-ID 漏洞类型
CWE-401 在移除最后引用时对内存的释放不恰当(内存泄露)
阿里云安全产品覆盖情况