The vulnerability CVE-2024-9355 involves the use of an uninitialized variable in Golang FIPS OpenSSL, which can cause a zeroed buffer length to be returned in FIPS mode. This may allow an attacker to cause false positive matches between non-equal HMAC sums if a zeroed buffer is sent instead of a pre-computed sum. Additionally, it can cause a derived cryptographic key to be all zeros rather than an unpredictable value, potentially affecting the Go TLS stack's security. The issue has been assigned a CVSS 3.1 score of 6.5 (medium severity) with attack vector local, high attack complexity, low privileges required, no user interaction, unchanged scope, and high impact on confidentiality and integrity with low impact on availability. Red Hat has released security advisories with patches for affected versions of their Enterprise Linux distributions.

The vulnerability can lead to incorrect cryptographic operations such as false positive HMAC comparisons and predictable derived keys, which compromises the integrity and confidentiality of cryptographic processes in affected Golang FIPS OpenSSL implementations. This may have downstream effects on the Go TLS stack, potentially weakening TLS security. The CVSS score of 6.5 reflects a moderate risk due to the local attack vector and high complexity required for exploitation. There are no known exploits in the wild at this time.

Red Hat has released official security updates addressing CVE-2024-9355 for Red Hat Enterprise Linux 7 Extended Lifecycle Support and Red Hat Enterprise Linux 8 (including various architectures and extended lifecycle versions). Users should apply these updates promptly following Red Hat's guidance at https://access.redhat.com/articles/11258. The advisories confirm that patches are available and remediation is provided by the vendor. No additional mitigation steps are indicated beyond applying the official fixes.