Buffer Re-use Vulnerability in HHVM and Folly Library
CVE-2018-6337
7.5 HIGH
What is CVE-2018-6337?
A vulnerability in HHVM and the Folly library arises when the secureRandom function re-uses a buffer between parent and child processes after a fork() call. As a result, multiple forked children may generate similar or identical outputs, compromising the randomness required for secure operations. HHVM versions earlier than 3.26.3 and Folly library versions between 2017.12.11.00 and 2018.08.09.00 are affected. Users should update to patched versions to mitigate this issue.
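The failure mode described above, as an added C illustration that is not HHVM or Folly code: a userspace buffer of random bytes is copied into the child by fork(), so parent and child hand out the same bytes unless the inherited buffer is discarded. The names `buffered_random` and `child_repeats_parent` are hypothetical, and the PID check is one possible mitigation assumed here, not the projects' actual patch.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

enum { BUF_LEN = 128, OUT_LEN = 16 };
static unsigned char buf[BUF_LEN];
static size_t pos = BUF_LEN;  /* BUF_LEN means "empty" */
static pid_t owner;           /* pid that filled buf */

static int refill(void) {
    int fd = open("/dev/urandom", O_RDONLY);
    ssize_t n = fd < 0 ? -1 : read(fd, buf, BUF_LEN);
    if (fd >= 0) close(fd);
    if (n == BUF_LEN) { pos = 0; owner = getpid(); }
    return n == BUF_LEN ? 0 : -1;
}

/* fork_safe=0 keeps the flaw; fork_safe=1 drops state inherited over fork(). */
static int buffered_random(unsigned char *out, size_t len, int fork_safe) {
    if (fork_safe && owner != getpid()) pos = BUF_LEN;
    if (pos + len > BUF_LEN && refill() != 0) return -1;
    memcpy(out, buf + pos, len);
    pos += len;
    return 0;
}

/* 1 = parent and child drew identical bytes, 0 = they differ, -1 = error. */
int child_repeats_parent(int fork_safe) {
    unsigned char mine[OUT_LEN], theirs[OUT_LEN];
    int p[2];
    if (buffered_random(mine, OUT_LEN, fork_safe) || pipe(p)) return -1;
    pid_t pid = fork();  /* buffer is warm, so both copies hold the same bytes */
    if (pid < 0) { close(p[0]); close(p[1]); return -1; }
    if (pid == 0)        /* child: draw once, report over the pipe */
        _exit(buffered_random(theirs, OUT_LEN, fork_safe) ||
              write(p[1], theirs, OUT_LEN) != OUT_LEN);
    close(p[1]);
    int bad = buffered_random(mine, OUT_LEN, fork_safe) ||
              read(p[0], theirs, OUT_LEN) != OUT_LEN;
    close(p[0]);
    waitpid(pid, NULL, 0);
    return bad ? -1 : memcmp(mine, theirs, OUT_LEN) == 0;
}

int main(void) {
    int flawed = child_repeats_parent(0);
    return printf("shared: %d, fork-safe: %d\n", flawed, child_repeats_parent(1)) < 0;
}
```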
Affected Version(s)
folly v2018.08.09.00
folly v2017.12.11.00
HHVM 3.26.3