CVE-2024-9355: 
Grafana vulnerability analysis and mitigation

A vulnerability (CVE-2024-9355) was discovered in Golang FIPS OpenSSL that allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. The vulnerability was first reported on October 1, 2024, affecting Golang FIPS implementations (NVD).

The vulnerability occurs due to an uninitialized buffer length variable in the CGO bindings, specifically in the (*boringHMAC).Sum() function when operating in FIPS mode. The bug manifests randomly based on the stack layout at the time of the function call. While the underlying OpenSSL routine checks buffer bounds before writing, preventing buffer overflow attacks, the issue can still lead to security implications. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L (Red Hat).

The vulnerability can lead to two significant security impacts: 1) It may enable an attacker to force a false positive match between non-equal hashes when comparing a trusted computed HMAC sum to an untrusted input sum if they can send a zeroed buffer in place of a pre-computed sum, and 2) It can allow forcing a derived key to be all zeros instead of an unpredictable value, which may have implications for the Go TLS stack (NVD).

Red Hat has released security updates to address this vulnerability across multiple products including Red Hat Enterprise Linux versions 7, 8, and 9. Users are advised to update their systems with the latest security patches provided through various security advisories (RHSA-2024:7502, RHSA-2024:7550, RHSA-2024:8327, RHSA-2024:8678, RHSA-2024:8847, RHSA-2024:9551, RHSA-2024:10133) (Red Hat).