CVE-2022-36937

moderate-risk

Published 2023-05-10

HHVM 4.172.0 and all prior versions use TLS 1.0 for secure connections when handling tls:// URLs in the stream extension. TLS1.0 has numerous published vulnerabilities and is deprecated. HHVM 4.153.4, 4.168.2, 4.169.2, 4.170.2, 4.171.1, 4.172.1, 4.173.0 replaces TLS1.0 with TLS1.3. Applications that call stream_socket_server or stream_socket_client functions with a URL starting with tls:// are affected.

Do I need to act?

0.49% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Fix available

Upgrade to: 96eb858013228b977f7ecb0d9516a138f07d0caa, 268f75e53fe151332273129ea5a42221481a1f39, 083f5ffdee661f61512909d16f9a5b98cff3cf0b

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (3)

Hhvm

Affected Vendors

Facebook

References (4)

Patch https://github.com/facebook/hhvm/commit/083f5ffdee661f61512909d16f9a5b98cff3cf0b

Vendor Advisory https://hhvm.com/blog/2023/01/20/security-update.html

Patch https://github.com/facebook/hhvm/commit/083f5ffdee661f61512909d16f9a5b98cff3cf0b

Vendor Advisory https://hhvm.com/blog/2023/01/20/security-update.html

/ 100

moderate-risk

Severity 32/34 · Critical

Exploitability 2/34 · Minimal

Exposure 9/34 · Low