Fb has patched two significant-severity vulnerabilities in its server application that could have permitted distant attackers to unauthorisedly attain sensitive info or lead to a denial of assistance just by uploading a maliciously built JPEG graphic file.
The vulnerabilities reside in HHVM (HipHop Virtual Equipment)—a superior-efficiency, open supply virtual device designed by Fb for executing applications prepared in PHP and Hack programming languages.
HHVM utilizes a just-in-time (JIT) compilation tactic to realize outstanding effectiveness of your Hack and PHP code even though protecting the advancement versatility that the PHP language provides.
Considering the fact that the afflicted HHVM server software is open-source and cost-free, both problems might also impact other web sites that use HHVM, such as Wikipedia, Box and specially these which allow for their buyers to add photos on the server.
Both equally the vulnerabilities, as listed down below, reside due to a doable memory overflow in the GD extension of HHVM when a specifically made invalid JPEG enter is passed in, major to out-of-bounds read—a flaw that will allow a malformed software to go through facts from exterior the bounds of allocated memory.
- CVE-2019-11925: Insufficient boundary test challenges occur when processing the JPEG App12 block marker in the GD extension, permitting possible attackers to accessibility out-of-bounds memory through a maliciously crafted invalid JPEG enter.
- CVE-2019-11926: Inadequate boundary examine difficulties happen when processing M_SOFx markers from JPEG headers in the GD extension, letting likely attackers to accessibility out-of-bounds memory through a maliciously crafted invalid JPEG enter.
Each the vulnerabilities impact all supported HHVM variations prior to 3.30.9, all variations amongst HHVM 4.. and 4.8.3, all versions involving HHVM 4.9. and 4.15.2, and HHVM versions 4.16. to 4.16.3, 4.17. to 4.17.2, 4.18. to 4.18.1, 4.19., 4.20. to 4.20.1.
The HHVM staff has resolved the vulnerabilities with the launch of HHVM versions 4.21., 4.20.2, 4.19.1, 4.18.2, 4.17.3, 4.16.4, 4.15.3, 4.8.4, and 3.30.10.
If your internet site or server is also making use of HHVM, you are highly encouraged to update it to the most recent version of the program.