Vulnerability Description
folly::secureRandom will re-use a buffer between parent and child processes when fork() is called. That will result in multiple forked children producing repeat (or similar) results. This affects HHVM 3.26 prior to 3.26.3 and the folly library between v2017.12.11.00 and v2018.08.09.00.
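The defect described above, illustrated with an added example that is neither folly's code nor the HHVM patch: a small buffered random generator whose internal buffer is copied into every forked child, beside a guard that notices the fork by comparing getpid() with the pid that filled the buffer and discards the inherited bytes. The class name BufferedRandom, the getpid() comparison and the entropy stand-in (std::random_device in place of a real secure source) are this example's own assumptions, not folly's implementation.

```cpp
// Added example, not folly's code: a buffered random generator that shows why
// buffered randomness leaks across fork() and one guard against it.
#include <algorithm>
#include <array>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <random>
#include <vector>
#include <sys/wait.h>
#include <unistd.h>

// Stand-in entropy source (an assumption of this example; a real generator
// would read /dev/urandom or getrandom(2)). It opens a fresh std::random_device
// per call, so it has no state of its own that fork() could duplicate.
static void fillEntropy(uint8_t* out, size_t n) {
  std::random_device rd;
  for (size_t i = 0; i < n; ++i) out[i] = static_cast<uint8_t>(rd());
}

class BufferedRandom {
 public:
  explicit BufferedRandom(bool forkSafe)
      : forkSafe_(forkSafe), ownerPid_(getpid()), pos_(kBufSize) {}

  // Copies n bytes out of the buffer, refilling it when it runs dry. The buffer
  // and pos_ are plain process memory, so fork() duplicates them into each child.
  void get(uint8_t* out, size_t n) {
    if (forkSafe_ && getpid() != ownerPid_) {
      // In a forked child: the buffered bytes are a copy of the parent's, so
      // discard them instead of handing out bytes the parent and siblings hold.
      pos_ = kBufSize;
      ownerPid_ = getpid();
    }
    while (n > 0) {
      if (pos_ == kBufSize) { fillEntropy(buf_.data(), kBufSize); pos_ = 0; }
      size_t take = std::min(n, kBufSize - pos_);
      std::memcpy(out, buf_.data() + pos_, take);
      pos_ += take; out += take; n -= take;
    }
  }

 private:
  static constexpr size_t kBufSize = 128;
  bool forkSafe_;
  pid_t ownerPid_;
  std::array<uint8_t, kBufSize> buf_{};
  size_t pos_;
};

// Forks nChildren children from a generator that already holds buffered bytes;
// each child draws 16 bytes and returns them over a pipe. True only if every
// child's sample differs from every other child's.
bool childrenProduceDistinctOutput(bool forkSafe, int nChildren) {
  constexpr size_t kSample = 16;
  BufferedRandom rng(forkSafe);
  uint8_t warmup[8];
  rng.get(warmup, sizeof warmup);  // fill the buffer, as a busy parent would have

  std::vector<std::array<uint8_t, kSample>> samples;
  for (int i = 0; i < nChildren; ++i) {
    int fds[2];
    if (pipe(fds) != 0) return false;
    pid_t pid = fork();
    if (pid < 0) return false;
    if (pid == 0) {  // child: draw from the inherited generator, report back, exit
      close(fds[0]);
      std::array<uint8_t, kSample> sample{};
      rng.get(sample.data(), kSample);
      for (size_t off = 0; off < kSample;) {
        ssize_t w = write(fds[1], sample.data() + off, kSample - off);
        if (w <= 0) _exit(1);
        off += static_cast<size_t>(w);
      }
      _exit(0);
    }
    close(fds[1]);
    std::array<uint8_t, kSample> got{};
    size_t off = 0;
    for (ssize_t r = 1; off < kSample && r > 0;) {
      r = read(fds[0], got.data() + off, kSample - off);
      if (r > 0) off += static_cast<size_t>(r);
    }
    close(fds[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    if (off != kSample) return false;
    samples.push_back(got);
  }
  for (size_t i = 0; i < samples.size(); ++i)
    for (size_t j = i + 1; j < samples.size(); ++j)
      if (samples[i] == samples[j]) return false;  // two children drew identical bytes
  return true;
}

int main() {
  std::printf("unguarded:  children distinct = %d\n", childrenProduceDistinctOutput(false, 3));  // 0
  std::printf("fork-aware: children distinct = %d\n", childrenProduceDistinctOutput(true, 3));   // 1
  return 0;
}
```

childrenProduceDistinctOutput() forks several children from a generator that already holds buffered bytes and compares what each child draws. Without the guard every child returns the same 16 bytes, which is the behaviour the description reports; with it each child detects that its pid differs from the one recorded when the buffer was filled and refills from the entropy source. Registering a pthread_atfork() child handler that invalidates the buffer is the other common defence; the getpid() comparison is used here only because it needs no extra handlers.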
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Facebook | Folly | >= 2017.12.11.00, <= 2018.08.09.00 |
| Facebook | HHVM | >= 3.26, < 3.26.3 |
Related Weaknesses (CWE)
References
- https://github.com/facebook/folly/commit/8e927ee48b114c8a2f90d0cbd5ac753795a6761 (Patch, Third Party Advisory)
- https://github.com/facebook/hhvm/commit/e2d10a1e32d01f71aaadd81169bcb9ae86c5d6b8 (Patch, Third Party Advisory)
- https://hhvm.com/blog/2018/05/24/hhvm-3.26.3.html (Release Notes, Vendor Advisory)
FAQ
What is CVE-2018-6337?
CVE-2018-6337 is a vulnerability with a CVSS score of 7.5 (HIGH). folly::secureRandom will re-use a buffer between parent and child processes when fork() is called. That will result in multiple forked children producing repeat (or similar) results. This affects HHVM 3.26 prior to 3.26.3 and the folly library between v2017.12.11.00 and v2018.08.09.00.
How severe is CVE-2018-6337?
CVE-2018-6337 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-6337?
Check the references section above for vendor advisories and patch information. Affected products include: Facebook Folly, Facebook HHVM.