CVE-2024-1394: Missing Release of Memory after Effective Lifetime in Red Hat Red Hat Ansible Automation Platform 2.4 for RHEL 8
A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them.
AI Analysis
Technical Summary
CVE-2024-1394 identifies a memory leak vulnerability in the RSA encrypting/decrypting code within the Golang FIPS OpenSSL wrapper used by Red Hat Ansible Automation Platform 2.4 on RHEL 8. The root cause is a coding flaw in github.com/golang-fips/openssl/openssl/rsa.go at line 113, where memory objects 'pkey' and 'ctx' are not properly freed after their effective lifetime during error handling. Specifically, the function uses named return parameters to free these objects if an error occurs during context initialization or property setting. However, all error return statements follow a pattern that returns nil for these objects, causing the deferred cleanup function to receive nil pointers and thus skip freeing the allocated memory. This leads to a memory leak that can be triggered by attacker-controlled inputs, potentially exhausting system resources. The vulnerability has a CVSS 3.1 base score of 7.5, reflecting network attack vector, low attack complexity, no privileges or user interaction required, and high impact on availability. No known exploits are currently reported, but the flaw poses a significant risk of denial-of-service attacks against systems running the affected platform.
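The named-return pitfall described above, reproduced in plain Go as an added example (not code from golang-fips/openssl). The `handle` type, `alloc`, `live` counter and the two `newCtx*` functions are constructed stand-ins for the OpenSSL objects and the RSA context setup; `newCtxFixed` shows one way to keep the deferred cleanup effective, not the project's actual patch.

```go
package main

import "errors"

// handle is a constructed stand-in for an OpenSSL EVP_PKEY/EVP_PKEY_CTX; it
// only records whether it has been freed, and free is nil-safe like EVP_*_free.
type handle struct{ freed bool }
var live int // allocated handles not yet freed
func alloc() *handle { live++; return &handle{} }
func (h *handle) free() {
	if h != nil && !h.freed { h.freed, live = true, live-1 }
}

// newCtxLeaky reproduces the defective pattern: cleanup is deferred on the
// named results, but "return nil, nil, err" overwrites pkey and ctx with nil
// before the deferred closure runs, so nothing is freed on the error path.
func newCtxLeaky(failSet bool) (pkey, ctx *handle, err error) {
	defer func() { if err != nil { ctx.free(); pkey.free() } }()
	pkey, ctx = alloc(), alloc()
	if failSet {
		return nil, nil, errors.New("setting RSA property failed")
	}
	return pkey, ctx, nil
}

// newCtxFixed sets err and uses a bare return, so the deferred closure still
// sees the live objects; it frees them and clears the results for the caller.
func newCtxFixed(failSet bool) (pkey, ctx *handle, err error) {
	defer func() {
		if err != nil {
			ctx.free()
			pkey.free()
			pkey, ctx = nil, nil
		}
	}()
	pkey, ctx = alloc(), alloc()
	if failSet {
		err = errors.New("setting RSA property failed")
		return
	}
	return pkey, ctx, nil
}

// LeakAfter drives fn down its error path n times and returns how many
// handles are still allocated afterwards, i.e. the leaked count.
func LeakAfter(fn func(bool) (*handle, *handle, error), n int) int {
	live = 0
	for i := 0; i < n; i++ { fn(true) }
	return live
}
```

Driving `newCtxLeaky` down its error path 1000 times leaves 2000 handles allocated, while `newCtxFixed` leaves none; the same counter approach (or a C-side allocation tracker) is a cheap regression test for any wrapper that pairs named returns with deferred cleanup.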
Potential Impact
The primary impact of CVE-2024-1394 is resource exhaustion due to memory leaks, which can lead to denial of service (DoS) conditions on systems running Red Hat Ansible Automation Platform 2.4 on RHEL 8. This can disrupt automated IT operations, configuration management, and orchestration tasks critical to enterprise environments. Since the vulnerability can be exploited remotely without authentication or user interaction, attackers can cause service outages or degrade performance, impacting availability. Organizations relying heavily on Ansible Automation for infrastructure management may face operational disruptions, increased incident response costs, and potential cascading failures in dependent systems. While confidentiality and integrity are not directly impacted, the availability degradation can have severe business consequences, especially in environments requiring high uptime and reliability.
Mitigation Recommendations
Organizations should prioritize applying official patches or updates from Red Hat addressing CVE-2024-1394 once they become available. Until patches are deployed, administrators should monitor memory usage of Ansible Automation Platform instances closely to detect abnormal resource consumption. Limiting network exposure of affected Ansible services by implementing strict firewall rules and network segmentation can reduce attack surface. Employing runtime memory monitoring and automated alerts can help identify exploitation attempts early. Additionally, consider deploying rate limiting or input validation mechanisms to reduce the risk of triggering the memory leak via malformed inputs. Engaging with Red Hat support for guidance and applying any recommended workarounds or configuration changes is advised. Regularly updating Golang dependencies and verifying secure coding practices in custom Ansible modules can further mitigate risks.
Affected Countries
United States, Germany, Japan, United Kingdom, Canada, Australia, France, South Korea, India, Brazil
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2024-02-09T06:02:35.056Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9816c4522896dcbd66f4
Added to database: 5/21/2025, 9:08:38 AM
Last enriched: 3/18/2026, 6:17:38 PM
Last updated: 3/24/2026, 4:27:59 PM