x/vulndb: potential Go vuln in github.com/golang-fips/openssl/v2: GHSA-3h3x-2hwv-hr52

[GoVulnBot]

Advisory GHSA-3h3x-2hwv-hr52 references a vulnerability in the following Go modules:

Module
github.com/golang-fips/openssl
github.com/golang-fips/openssl/v2

Description: A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum.  It is also possible to force a derived key to be all zeros instead of an unpredictable value.  This may have follow-on implications for the Go TLS stack.

References:

• ADVISORY: https://github.com/advisories/GHSA-3h3x-2hwv-hr52
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-9355
• WEB: https://access.redhat.com/security/cve/CVE-2024-9355
• WEB: https://bugzilla.redhat.com/show_bug.cgi?id=2315719

Cross references:

• github.com/golang-fips/openssl/v2 appears in 1 other report(s):
  • data/reports/GO-2024-2660.yaml (https://github.com/golang/vulndb/issues/2660)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/golang-fips/openssl
      vulnerable_at: 0.0.0-20230605154532-724e32b0f4b8
    - module: github.com/golang-fips/openssl/v2
      vulnerable_at: 2.0.3
summary: Golang FIPS OpenSSL has a Use of Uninitialized Variable vulnerability in github.com/golang-fips/openssl
cves:
    - CVE-2024-9355
ghsas:
    - GHSA-3h3x-2hwv-hr52
references:
    - advisory: https://github.com/advisories/GHSA-3h3x-2hwv-hr52
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-9355
    - web: https://access.redhat.com/security/cve/CVE-2024-9355
    - web: https://bugzilla.redhat.com/show_bug.cgi?id=2315719
source:
    id: GHSA-3h3x-2hwv-hr52
    created: 2024-10-01T23:01:14.720185962Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/619135 mentions this issue: data/reports: add 15 reports

[gopherbot]

Change https://go.dev/cl/623935 mentions this issue: data/reports: update GO-2024-3167