
CVE-2024-1394: Missing Release of Memory after Effective Lifetime in Red Hat Red Hat Ansible Automation Platform 2.4 for RHEL 8

Severity: High
Published: Thu Mar 21 2024 (03/21/2024, 12:16:38 UTC)
Source: CVE
Vendor/Project: Red Hat
Product: Red Hat Ansible Automation Platform 2.4 for RHEL 8

Description

A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them.

AI-Powered Analysis

AI analysis last updated: 02/05/2026, 08:19:26 UTC

Technical Analysis

CVE-2024-1394 identifies a memory leak vulnerability in the RSA encryption/decryption code within the Golang FIPS OpenSSL wrapper used by Red Hat Ansible Automation Platform 2.4 on Red Hat Enterprise Linux 8. The vulnerability arises from improper handling of memory objects 'pkey' and 'ctx' during error conditions in the function located at github.com/golang-fips/openssl/openssl/rsa.go#L113. Specifically, the function uses named return parameters and deferred cleanup logic intended to free these objects on error, but all error return paths use the pattern 'return nil, nil, fail(...)', causing the deferred function to receive nil pointers and skip freeing the allocated memory. This results in a memory leak that can be triggered by attacker-controlled inputs during RSA operations. The leak can accumulate over time, leading to resource exhaustion and denial of service. The CVSS 3.1 base score is 7.5 (high), reflecting network attack vector, no required privileges or user interaction, and a significant impact on availability. No known exploits are currently reported. The vulnerability affects Red Hat Ansible Automation Platform 2.4 running on RHEL 8, a widely used automation tool in enterprise environments. The flaw does not impact confidentiality or integrity but can disrupt operations by exhausting system memory resources.
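The Description and the Technical Analysis above both describe the same Go pitfall: a deferred cleanup reads the function's named return values, but the error paths return explicit nils, so the deferred function never sees the handles that were actually allocated. The following is an added illustration of that pattern and its fix; it is not code from golang-fips/openssl or from Red Hat. The `handle` type, the `live` counter, and the `leakyInit`/`fixedInit` functions are constructed stand-ins for the native OpenSSL key and context objects, so the leak can be observed as a counter that never returns to zero.

```go
package main

import (
	"errors"
	"fmt"
)

// live counts handles that have been allocated and not yet freed. It stands
// in for the native OpenSSL objects (EVP_PKEY, EVP_PKEY_CTX) that the real
// wrapper must release with C calls; this counter is a constructed stand-in.
var live int

type handle struct{ freed bool }

func newHandle() *handle {
	live++
	return &handle{}
}

// free is safe on a nil receiver, mirroring C free functions that accept NULL.
func (h *handle) free() {
	if h != nil && !h.freed {
		h.freed = true
		live--
	}
}

func fail(msg string) error { return errors.New("rsa: " + msg) }

// leakyInit reproduces the flawed pattern from the advisory: cleanup is
// deferred on the named returns pkey and ctx, but every error path returns
// explicit nils, so the deferred function frees nothing and the handles leak.
func leakyInit(failAt int) (pkey *handle, ctx *handle, err error) {
	defer func() {
		if err != nil {
			pkey.free() // pkey is nil here: the handle allocated below is orphaned
			ctx.free()  // likewise ctx
		}
	}()
	pk := newHandle() // local variable, never bound to the named return
	if failAt == 1 {
		return nil, nil, fail("setting key failed")
	}
	c := newHandle()
	if failAt == 2 {
		return nil, nil, fail("context init failed")
	}
	return pk, c, nil
}

// fixedInit assigns straight into the named returns and uses bare returns on
// error, so the deferred function sees the live handles and releases them.
func fixedInit(failAt int) (pkey *handle, ctx *handle, err error) {
	defer func() {
		if err != nil {
			pkey.free()
			ctx.free()
			pkey, ctx = nil, nil // callers never receive a freed handle
		}
	}()
	pkey = newHandle()
	if failAt == 1 {
		err = fail("setting key failed")
		return
	}
	ctx = newHandle()
	if failAt == 2 {
		err = fail("context init failed")
		return
	}
	return pkey, ctx, nil
}

// LiveHandles reports how many handles are still allocated.
func LiveHandles() int { return live }

// ResetLive clears the counter between scenarios.
func ResetLive() { live = 0 }

func main() {
	for _, step := range []int{1, 2} {
		ResetLive()
		_, _, _ = leakyInit(step)
		leaked := LiveHandles()
		ResetLive()
		_, _, _ = fixedInit(step)
		fmt.Printf("failure at step %d: leaky=%d live, fixed=%d live\n", step, leaked, LiveHandles())
	}
}
```

Running it shows the leaky variant leaving one or two handles allocated after each failed call, while the fixed variant returns to zero. The same discipline applies to any Go function that pairs named returns with a deferred cleanup: either write through the named results and use bare `return`, or have the deferred function close over the local variables instead of the named results.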

Potential Impact

For European organizations, the primary impact of CVE-2024-1394 is on availability. Red Hat Ansible Automation Platform is commonly used for automating IT infrastructure, application deployment, and configuration management. A successful exploitation causing memory leaks can degrade system performance or cause crashes, interrupting automated workflows and potentially delaying critical business operations. This can be particularly damaging in sectors relying heavily on automation such as finance, telecommunications, manufacturing, and public services. While the vulnerability does not expose sensitive data or allow unauthorized access, the denial of service effect can lead to operational downtime and increased incident response costs. Organizations with large-scale Ansible deployments or those running automation in production environments are at higher risk. The lack of required authentication or user interaction means attackers can remotely trigger the vulnerability, increasing exposure. The absence of known exploits provides some time for mitigation, but proactive patching and monitoring are essential to prevent service disruption.

Mitigation Recommendations

1. Apply official patches or updates from Red Hat as soon as they become available to address the memory leak in the Golang FIPS OpenSSL RSA code.
2. Until patches are deployed, implement resource monitoring on systems running Ansible Automation Platform to detect abnormal memory usage trends that may indicate exploitation attempts.
3. Restrict network access to Ansible Automation Platform interfaces to trusted IPs and networks to reduce exposure to remote attackers.
4. Employ input validation and sanitization where possible to limit attacker-controlled inputs triggering RSA operations.
5. Consider deploying rate limiting or throttling mechanisms on automation API endpoints to mitigate resource exhaustion attempts.
6. Regularly audit and review automation workflows to identify and isolate critical systems to minimize impact in case of disruption.
7. Maintain up-to-date incident response plans that include scenarios involving denial of service due to resource exhaustion vulnerabilities.


Technical Details

Data Version: 5.1
Assigner Short Name: redhat
Date Reserved: 2024-02-09T06:02:35.056Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9816c4522896dcbd66f4

Added to database: 5/21/2025, 9:08:38 AM

Last enriched: 2/5/2026, 8:19:26 AM

Last updated: 2/7/2026, 9:33:11 AM

