Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. Fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.

**HashiCorpVault does not correctly validate OCSP responses**

Moderate severity GitHub Reviewed Published Apr 4, 2024 to the GitHub Advisory Database • Updated Apr 4, 2024

GHSA-j2rp-gmqv-frhv: HashiCorpVault does not correctly validate OCSP responses

A vulnerability was found in the quarkus-core component. Quarkus captures the local environment variables from the Quarkus namespace during the application's build. Thus, running the resulting application inherits the values captured at build time. 

However, some local environment variables may have been set by the developer / CI environment for testing purposes, such as dropping the database during the application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application. It leads to dangerous behavior if the application does not override these values.

This behavior only happens for configuration properties from the `quarkus.*` namespace. So, application-specific properties are not captured.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-2700

**quarkus-core leaks local environment variables from Quarkus namespace during application's build**

High severity GitHub Reviewed Published Apr 4, 2024 to the GitHub Advisory Database • Updated Apr 4, 2024

**Package**

maven io.quarkus:quarkus-core (Maven)

**Affected versions**

<= 3.9.1

A vulnerability was found in the quarkus-core component. Quarkus captures the local environment variables from the Quarkus namespace during the application's build. Thus, running the resulting application inherits the values captured at build time.

However, some local environment variables may have been set by the developer / CI environment for testing purposes, such as dropping the database during the application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application. It leads to dangerous behavior if the application does not override these values.

This behavior only happens for configuration properties from the quarkus.* namespace. So, application-specific properties are not captured.

**References**

*   https://nvd.nist.gov/vuln/detail/CVE-2024-2700
*   https://access.redhat.com/security/cve/CVE-2024-2700
*   https://bugzilla.redhat.com/show\_bug.cgi?id=2273281

Published to the GitHub Advisory Database

Apr 4, 2024

GHSA-f8h5-v2vg-46rr: quarkus-core leaks local environment variables from Quarkus namespace during application's build

GnuTLS is a secure communications library implementing the SSL and TLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols, as well as APIs to parse and write X.509, PKCS #12, OpenPGP, and other required structures. It is intended to be portable and efficient with a focus on security and interoperability.

GNU Transport Layer Security Library 3.8.5

By Cyber Newswire
Center Identity, a pioneering cybersecurity company, is excited to unveil its patented secret location authentication, reshaping how businesses…
This is a post from HackRead.com Read the original post: Center Identity Launches Patented Passwordless Authentication for Businesses

Center Identity, a pioneering cybersecurity company, is excited to unveil its patented secret location authentication, reshaping how businesses manage workforce digital identity. This proprietary technology enables users to authenticate their identity using a secret location selected on a map.

The benefits of this novel approach to digital identity management include:

*   **Simplicity:** There is no need to remember a long list of complicated passwords or seed phrases.
*   **Security:** Secret locations are less likely to be shared and far less susceptible to brute-force hacking.
*   **Recovery:** The use of Artificial Intelligence ensures that hints for selected secret locations meet robust cybersecurity standards, offering users an easy recovery mechanism.

Compared with other passwordless authentication solutions which require the user to possess one or more hardware devices, secret locations are a cost-effective solution which does not require purchasing devices for your entire workforce. Center Identity is also launching the integration of secret location authentication with OpenID Connect, a widely adopted open standard, making integration a straightforward process.

> _“Traditional password management and account recovery methods fail to keep pace with the rising tide of security threats. Our secret location-based algorithm changes all that by authenticating based on geo-coordinates. Users only need to remember a place of personal significance, which is both intuitive and incredibly secure.”_
> 
> Matt Vogel – Founder and CTO of Center Identity.

Moreover, Center Identity addresses the security concerns of businesses with stringent endpoint security measures, taking advantage of firewalls and VPNs to enhance protection even further. “Our technology allows these organizations to block satellite map traffic based on which website the user is on, effectively neutralizing the threat of phishing by ensuring that only whitelisted websites can access map-based authentication services,” says Vogel.

This new protocol transforms access management in a way that mitigates the risks and reduces the hassles associated with traditional password-based systems. “We know that businesses lose around 30% of their time resetting passwords. Our solution not only plugs this productivity drain but also enhances security without compromising convenience,” adds Vogel.

Users and businesses can visit Center Identity’s passwordless solutions here.

****About Center Identity****

Center Identity is a pioneering cybersecurity company based in the United States with a patented approach to digital identity management. Leveraging cutting-edge solutions and blockchain technology, the expert team at Center Identity ensures unparalleled security for data and networks, empowering both individuals and businesses to navigate the digital landscape with confidence.

****About Matt Vogel****

Matt Vogel is a distinguished software engineer with a profound impact on digital security, holding key patents in digital identity, cybersecurity, and artificial intelligence. His contributions have significantly influenced technological standards and innovations. As a recognized author and advisor, Vogel’s expertise has been instrumental in shaping industry discourse and guiding the future of technology.

****Contact****

**Stoyan Bojinov**  
**\[email protected\]**

Center Identity Launches Patented Passwordless Authentication for Businesses

PRESS RELEASE

Austin, TX – April 3, 2024 – CyberRatings.org (CyberRatings), the non-profit entity dedicated to providing confidence in cybersecurity products and services through its research and testing programs, has completed an independent test of eleven market leading Cloud Network Firewall vendors. Six products were Recommended, one product received a Neutral rating, and four received a Caution rating.

Cloud network firewalls are considered to be the first line of defense when deployed in public cloud providers such as Amazon Web Services, Google Cloud Platform and Microsoft Azure. But implementing security in the cloud can be complex, with multiple factors influencing effectiveness. 

CyberRatings tested the cloud firewall products to determine how they handled TLS/SSL (authentication) 1.2 and 1.3 cipher suites (algorithms), how they defended against 984 exploits (attacks that take advantage of a software flaw or install malware), and whether any of 1,645 evasions could bypass protection. At all times the devices needed to remain stable under adverse conditions. To provide a more realistic rating based on modern network traffic, both clear text (HTTP) and encrypted traffic (HTTPS) were measured. Amazon Web Services (AWS) was the public cloud service chosen to run the test.

The combination of Security Effectiveness and Value dictated where products landed on the Security Value Map™ (SVM). Six out of the eleven products were Recommended for their Security Effectiveness with scores ranging from 99.70% to 100%. Recommended ratings are based on threat prevention (how many exploits and evasions were blocked?), TLS/SSL functionality, routing and policy enforcement, and stability and reliability to achieve a final Security Effectiveness score. These same products also demonstrated competitive pricing in the Total Cost per Protected Mbps (Value). The product rated Neutral received a 48.44% Security Effectiveness score. Four products rated Caution had Security Effectiveness scores ranging from 5.39% to 48.37%. 

“We have been testing firewalls for years, and more recently cloud network firewalls,” said Vikram Phatak, CEO of CyberRatings.org. “All of the products chosen were market leaders and the range of scores clearly shows that building a product for the cloud is different than building a product on an appliance where you control the environment,” said Phatak. “We recommend that enterprises check with their service providers or IT teams to see which cloud firewall products are currently deployed in their networks.”

As part of the cloud firewall test, CyberRatings also checked to see if products were secure by default. It was discovered that some firewall evasion defenses are not on by default, potentially leaving customers at significant risk. In response, CyberRatings is providing a policy and configuration guide to help enterprises ensure that their firewalls are configured properly.

Encryption matters: roughly 80% of web traffic is encrypted. The top four cipher suites account for over 95% of HTTPS traffic. In some products, decryption was not on by default. Firewalls will not see attacks delivered via HTTPS unless configured to do so. Performance is significantly different when TLS/SSL is turned on. With the exception of one vendor that failed to handle TLS 1.3 despite claiming support, all other vendors supported encryption. 

Enterprises should monitor security and performance capabilities, and update firewalls regularly. With the everchanging cloud platform and agile development, something can go wrong even when the security vendor does not make a change. 

The following products were evaluated:

Cloud Network Firewall

Rating

Security

Effectiveness

Rated Throughput

(Mbps)

Price per Protected Mbps

Amazon Web Services (AWS) Network Firewall

Caution

5.39%

1,000

$601.34

Barracuda CloudGen Firewall

Caution

11.38%

441

$287.86 

Check Point CloudGuard

Recommended

99.80%

1,180

$12.70 

Cisco Secure Firewall Threat Defense Virtual 

Caution

20.86%

373

$76.91 

Forcepoint NGFW

Recommended

99.80%

698

$8.45 

Fortinet FortiGate-VM

Recommended

100%

1,458

$10.56 

Juniper Networks vSRX

Recommended

99.70%

1,228

$5.72 

Palo Alto Networks VM-Series Next-Generation Firewall w/ Advanced Threat Prevention

Recommended

100%

1,036

$5.83 

Sophos Firewall

Caution

48.37%

135

$83.16 

Versa Networks NGFW

Recommended

99.90%

2,553

$7.58 

WatchGuard Firebox Cloud

Neutral

48.44%

291

$27.06 

Additional Resources:

Cloud Network Firewall Comparative Report and Test Reports

2024 Best Practices for Cloud Network Firewall Deployment

Exploring the Landscape of Cloud Network Firewalls Available on AWS

Why Firewalls Should be Secure by Default

About CyberRatings.org 

CyberRatings.org is a 501(c)6 non-profit organization dedicated to providing confidence in cybersecurity products and services through our research and testing programs. We provide enterprises with independent, objective ratings of security product efficacy to make informed decisions. To become a member, visit www.cyberratings.org and follow us on LinkedIn.

CyberRatings.org Announces Test Results for Cloud Network Firewall

PRESS RELEASE

MINNEAPOLIS, April 2, 2024 – Businesses are facing a critical gap when it comes to protecting endpoint data, according to a study released today by TAG Infosphere, Inc., a leading  cybersecurity research and advisory firm. The report, conducted in partnership with CrashPlan, identified the ever-growing potential for ransomware attacks, frequent misuse of cloud collaboration tools as a substitute for backup, and an over-reliance on manual policies as the break in the chain for current enterprise security configurations. 

For the study, TAG surveyed a group of CISOs and security practitioners, and the key findings were clear: The overwhelming majority (93%) of IT and cybersecurity teams aren’t confident in their policies to protect their enterprise data. Furthermore, survey respondents acknowledged the likelihood of a severe data breach through an employee’s endpoint.

“We were surprised to learn that a whopping 71% of those asked responded that they would not be surprised if they had a serious data breach on their PCs and laptops. If the question was extended to include that they might be surprised, the number grew to 86%,” said Dr. Edward Amoroso, Chief Executive Officer and founder of TAG Infosphere. “This is important because it implies that serious risk exists in this area. If that many CISOs would not be surprised if something bad happened, then that’s a problem.”

TAG introduces the MEAD framework (Malware, EDR, Analytics, and Data) for modernizing endpoint security. Central to MEAD is the adoption of endpoint backup solutions as a pivotal measure for enhancing cyber resilience. The report advocates for endpoint backup to reduce risks to data on endpoints, detailing how this strategy safeguards data against hardware malfunctions, user errors, and cyber threats. 

“New cybersecurity technologies are introduced every year, yet data breaches continue to happen,” said Todd Thorsen, Chief Information Security Officer for CrashPlan. “The reality is work habits have changed. Most companies now have a hybrid work model—and this has shined a light on just how ineffective manual policies are when it comes to protecting endpoint data. To improve resiliency, you simply can’t lose sight of the foundation. Despite new tools and technology designed to identify, detect and protect against bad actors and malicious activity, breaches will still happen. Which is why having strong data backup and resilience capabilities are critical for effective response and recovery.”

CrashPlan offers a cloud-native platform designed to address the aggregate risk associated with data stored on endpoints within organizations. It offers a comprehensive backup and data protection system that safeguards valuable business data from loss, theft, or accidental deletion. Businesses of all sizes, across all different business sectors, use CrashPlan today to ensure a more robust data protection and resilience approach.                                          

About CrashPlan  
CrashPlan® enables organizational resilience through secure, scalable, and straightforward endpoint data backup. With automatic backup and customizable file version retention, you can bounce back from any data calamity. What starts as endpoint backup and recovery becomes a solution for ransomware recovery, breaches, migrations, and legal holds. So, you can work fearlessly and grow confidently.

About Tag Infosphere

TAG is a trusted research and advisory company that provides insights and recommendations in cybersecurity, artificial intelligence, and climate science to thousands of commercial solution providers and Fortune 500 enterprises. Founded in 2016 and headquartered in New York City, TAG bucks the trend of pay-for-play research by offering unbiased and in-depth guidance, market analysis, project consulting, and personalized content—all from a practitioner perspective.

About Dr. Edward Amoroso

Dr. Ed Amoroso is currently Chief Executive Officer of TAG Infosphere Inc, a global research and advisory company that supports enterprise cyber security teams and commercial security vendors around the world. Ed recently retired from AT&T after thirty-one years of service, beginning in Unix security R&D at Bell Labs and culminating as Senior Vice President and Chief Security Officer of AT&T from 2004 to 2016.

Ed has served as Research Professor at the Tandon School of Engineering at NYU since 2017. He has also been Adjunct Professor of Computer Science at the Stevens Institute of Technology for the past thirty years, where he has introduced nearly two thousand graduate students to the topic of information security. Ed also serves the Applied Physics Laboratory at Johns Hopkins University as a senior advisor. He is author of six books on cyber security and dozens of major research and technical papers and articles in peer-reviewed and major publications.

TAG Report Reveals Endpoint Backup Is Essential to Improving Data Resiliency

PRESS RELEASE

PALO ALTO, Calif., April 2, 2024/PRNewswire-PRWeb/ -- TruCentive, a leader in incentive automation solutions, announced a significant enhancement to its platform: HIPAA-compliant personal information de-identification (PII) capabilities. This new feature is designed to strengthen privacy protections and ensure the security of sensitive information, marking a significant step forward in TruCentive's commitment to data protection for researchers worldwide.

With the healthcare industry's increasing reliance on digital platforms, the need for stringent data protection measures has never been more critical. TruCentive's latest update addresses this need by providing a robust solution for de-identifying personally identifiable information, ensuring that all data processed through its platform meets the rigorous standards set by the Health Insurance Portability and Accountability Act (HIPAA).

"This enhancement is a testament to TruCentive's dedication to privacy, security, and compliance," said Lori Laub, CEO of TruCentive. "By integrating HIPAA-compliant de-identification, we're safeguarding participants' personal information and providing our clients with the peace of mind that comes from knowing their incentive programs are fully compliant with federal regulations."

The de-identification process removes all identifiers that could potentially link back to an individual, such as email addresses, names, dates, and compensation selections directly related to an individual. This allows TruCentive's clients to utilize the platform for research compensation while ensuring the anonymity and privacy of individuals' data.

"We are excited to expand Shaip's expertise in data privacy to the Incentive Automation marketplace," said Hardik Parikh, co-founder and CRO of Shaip. "This marks a milestone in blending technological innovation with strict compliance to protect sensitive information and build client trust."

TruCentive's HIPAA compliant personal information de-identification feature is immediately available to Enterprise platform users, reaffirming the company's position at the forefront of secure and compliant incentive automation solutions.

Please visit https://trucentive.com/research-compensation/ for more information about TruCentive and its new HIPAA compliant de-identification capabilities.

About TruCentive

TruCentive helps organizations engage with employees, partners, and customers in personalized, innovative ways. By seamlessly integrating the delivery of merchandise, gift cards, and payments, companies increase the effectiveness of their existing incentive programs and improve relationships. With thousands of merchandise options, 3,000+ gift cards worldwide, 85,000+ local merchant options, Visa, AmEx, and MasterCard cards, payment options including Deposit-to-Debit-Card, PayPal, and Venmo, and integrations with popular marketing, sales, and HR tools, TruCentive is essential to successful HR, demand generation, account-based, and customer appreciation and incentive programs.

About Shaip

Headquartered in Louisville, Kentucky, Shaip is a fully managed data platform designed for companies looking to solve their most demanding AI challenges, enabling smarter, faster, and better results. Shaip supports all aspects of AI training data, from data collection to licensing, labeling, transcribing, and de-identifying, by seamlessly scaling our people, platform, and processes to help companies develop their AI and ML models. To learn how to make your data science team and leaders' lives easier, visit us at www.shaip.com.

TruCentive Enhances Privacy With HIPAA Compliant Personal Information De-identification

Google has issued patches for 28 security vulnerabilities, including a critical patch for Androids with Qualcomm chips.

In April’s update for the Android operating system (OS), Google has patched 28 vulnerabilities, one of which is rated critical for Android devices equipped with Qualcomm chips.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for updates.

If your Android phone is at patch level 2024-04-05 or later then the issues discussed below have been fixed. The updates have been made available for Android 12, 12L and 13. Android partners are notified of all issues at least a month before publication, however, this doesn’t always mean that the patches are available for devices from all vendors.

For most phones it works like this: Under **About phone** or **About device** you can tap on **Software updates** to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The Qualcomm CVE is listed as CVE-2023-28582. It has a CVSS score of 9.8 out of 20 and is described as a memory corruption in Data Modem while verifying hello-verify message during the Datagram Transport Layer Security (DTLS) handshake.

The cause of the memory corruption lies in a buffer copy without checking the size of the input. Practically, this means that a remote attacker can cause a buffer overflow during the verification of a DTLS handshake, allowing them to execute code on the affected device.

Another vulnerability highlighted by Google is CVE-2024-23704, an elevation of privilege (EoP) vulnerability in the System component that affects Android 13 and Android 14.

This vulnerability could lead to local escalation of privilege with no additional execution privileges needed. Local privilege escalation happens when one user acquires the system rights of another user. This could allow an attacker to access information they shouldn’t have access to, or perform actions at a higher level of permissions.

**Pixel users**

Google warns Pixel users that there are indications that two high severity vulnerabilities may be under limited, targeted exploitation. These vulnerabilities are:

*   CVE-2024-29745: An information disclosure vulnerability in the bootloader component. Bootloaders are one of the first programs to load and ensure that all relevant operating system data is loaded into the main memory when a device is started.
*   CVE-2024-29748: An elevation of privilege (EoP) vulnerability in the Pixel firmware. Firmware is device-specific software that provides basic machine instructions that allow the hardware to function and communicate with other software running on the device.

On Pixel devices, a security patch level of 2024-04-05 resolves all these security vulnerabilities.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Google patches critical vulnerability for Androids with Qualcomm chips 

Red Hat Security Advisory 2024-1662-03 - An update is now available for Red Hat build of Quarkus. Issues addressed include denial of service, information leakage, and memory leak vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1662.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat build of Quarkus 3.2.11 release and security update  
Advisory ID:        RHSA-2024:1662-03  
Product:            Red Hat build of Quarkus  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1662  
Issue date:         2024-04-03  
Revision:           03  
CVE Names:          CVE-2024-1023  
====================================================================

Summary: 

An update is now available for Red Hat build of Quarkus.

Red Hat Product Security has rated this update as having a security impact of  
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives  
a  
detailed severity rating, is available for each vulnerability. For more  
information, see the CVE links in the References section.

Description:

This release of Red Hat build of Quarkus 3.2.11 includes security updates,  
bug fixes, and enhancements. For more information, see the release notes page  
listed in the References section.

Security Fix(es):

* CVE-2024-1597 org.postgresql/postgresql: pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE [quarkus-3.2]

* CVE-2024-1979 io.quarkus/quarkus-kubernetes-deployment: quarkus: information leak in annotation [quarkus-3.2]

* CVE-2024-1726 io.quarkus.resteasy.reactive/resteasy-reactive: quarkus: security checks for some inherited endpoints performed after serialization in RESTEasy Reactive may trigger a denial of service [quarkus-3.2]

* CVE-2024-25710 org.apache.commons/commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file [quarkus-3.2]

* CVE-2024-26308 org.apache.commons/commons-compress: OutOfMemoryError unpacking broken Pack200 file [quarkus-3.2]

* CVE-2024-1300 io.vertx/vertx-core: io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support [quarkus-3.2]

* CVE-2024-1023 io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx [quarkus-3.2]

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-1023

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/3.2/  
https://access.redhat.com/articles/4966181  
https://bugzilla.redhat.com/show_bug.cgi?id=2260840  
https://bugzilla.redhat.com/show_bug.cgi?id=2263139  
https://bugzilla.redhat.com/show_bug.cgi?id=2264988  
https://bugzilla.redhat.com/show_bug.cgi?id=2264989  
https://bugzilla.redhat.com/show_bug.cgi?id=2265158  
https://bugzilla.redhat.com/show_bug.cgi?id=2266523  
https://bugzilla.redhat.com/show_bug.cgi?id=2266690  
https://issues.redhat.com/browse/QUARKUS-4022  
https://issues.redhat.com/browse/QUARKUS-4036  
https://issues.redhat.com/browse/QUARKUS-4097  
https://issues.redhat.com/browse/QUARKUS-4103  
https://issues.redhat.com/browse/QUARKUS-4104  
https://issues.redhat.com/browse/QUARKUS-4106

Red Hat Security Advisory 2024-1662-03

Red Hat Security Advisory 2024-1646-03 - An update for grafana is now available for Red Hat Enterprise Linux 8. Issues addressed include a memory leak vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1646.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: grafana security and bug fix update  
Advisory ID:        RHSA-2024:1646-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1646  
Issue date:         2024-04-03  
Revision:           03  
CVE Names:          CVE-2024-1394  
====================================================================

Summary: 

An update for grafana is now available for Red Hat Enterprise Linux 8.

'Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. 

Security Fix(es):

* golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads (CVE-2024-1394)

Bug Fix(es):

* TRIAGE CVE-2024-1394 grafana: golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads (JIRA:RHEL-30543)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-1394

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2262921

Tag

#ssl