Golang FIPS OpenSSL has a Use of Uninitialized Variable vulnerability
High severity
GitHub Reviewed
Published
Oct 1, 2024
to the GitHub Advisory Database
•
Updated Nov 15, 2024
Description
Published by the National Vulnerability Database
Oct 1, 2024
Published to the GitHub Advisory Database
Oct 1, 2024
Reviewed
Oct 1, 2024
Last updated
Nov 15, 2024
A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.
References