David Benoit

**Name of the Vulnerable Software and Affected Versions** Golang FIPS OpenSSL (affected versions not specified) **Description** A flaw in Golang FIPS OpenSSL allows a malicious user to cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. This may also lead to a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker sends a zeroed buffer in place of a pre-computed sum. Additionally, it is possible to force a derived key to be all zeros instead of an unpredictable value, which may have implications for the Go TLS stack. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Red Hat OpenShift Container Platform (affected versions not specified) **Description** A compliance issue was discovered in the Red Hat OpenShift Container Platform, where not all cryptographic modules in use were FIPS-validated when FIPS mode was enabled. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.