TLS 1.0 Vulnerability in HHVM by Facebook
CVE-2022-36937

9.8CRITICAL

Key Information:

Vendor

Facebook

Status
Hhvm
Vendor
CVE Published:
10 May 2023

What is CVE-2022-36937?

HHVM versions prior to 4.173.0 use TLS 1.0 for secure connections when processing tls:// URLs, a protocol with known vulnerabilities and now deprecated. This exposes applications that utilize stream_socket_server or stream_socket_client functions to potential security risks. To mitigate these vulnerabilities, users are strongly advised to upgrade to HHVM versions that implement TLS 1.3, which offers enhanced security when handling secure connections.

Affected Version(s)

HHVM 4.172.0 < 4.172.1

HHVM 4.171.0 < 4.171.1

HHVM 4.170.0 < 4.170.2

References

https://hhvm.com/blog/2023/01/20/security-update.html
x_refsource_CONFIRM
https://github.com/facebook/hhvm/commit/083f5ffdee661f615...
x_refsource_MISC

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.