Vulnerability Details CVE-2018-6337
folly::secureRandom will re-use a buffer between parent and child processes when fork() is called. That will result in multiple forked children producing repeat (or similar) results. This affects HHVM 3.26 prior to 3.26.3 and the folly library between v2017.12.11.00 and v2018.08.09.00.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 52.0%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- https://github.com/facebook/folly/commit/8e927ee48b114c8a2f90d0cbd5ac753795a6761f
- https://github.com/facebook/hhvm/commit/e2d10a1e32d01f71aaadd81169bcb9ae86c5d6b8
- https://hhvm.com/blog/2018/05/24/hhvm-3.26.3.html
- https://github.com/facebook/folly/commit/8e927ee48b114c8a2f90d0cbd5ac753795a6761f
- https://github.com/facebook/hhvm/commit/e2d10a1e32d01f71aaadd81169bcb9ae86c5d6b8
- https://hhvm.com/blog/2018/05/24/hhvm-3.26.3.html
Products affected by CVE-2018-6337
-
cpe:2.3:a:facebook:folly:2017.12.11.00
-
cpe:2.3:a:facebook:folly:2017.12.18.00
-
cpe:2.3:a:facebook:folly:2017.12.25.00
-
cpe:2.3:a:facebook:folly:2018.01.01.00
-
cpe:2.3:a:facebook:folly:2018.01.08.00
-
cpe:2.3:a:facebook:folly:2018.01.15.00
-
cpe:2.3:a:facebook:folly:2018.01.22.00
-
cpe:2.3:a:facebook:folly:2018.01.29.00
-
cpe:2.3:a:facebook:folly:2018.02.05.00
-
cpe:2.3:a:facebook:folly:2018.02.12.00
-
cpe:2.3:a:facebook:folly:2018.02.19.00
-
cpe:2.3:a:facebook:folly:2018.02.26.00
-
cpe:2.3:a:facebook:folly:2018.03.05.00
-
cpe:2.3:a:facebook:folly:2018.03.12.00
-
cpe:2.3:a:facebook:folly:2018.03.19.00
-
cpe:2.3:a:facebook:folly:2018.03.26.00
-
cpe:2.3:a:facebook:folly:2018.04.02.00
-
cpe:2.3:a:facebook:folly:2018.04.09.00
-
cpe:2.3:a:facebook:folly:2018.04.16.00
-
cpe:2.3:a:facebook:folly:2018.04.23.00
-
cpe:2.3:a:facebook:folly:2018.04.30.00
-
cpe:2.3:a:facebook:folly:2018.05.07.00
-
cpe:2.3:a:facebook:folly:2018.05.14.00
-
cpe:2.3:a:facebook:folly:2018.05.21.00
-
cpe:2.3:a:facebook:folly:2018.05.28.00
-
cpe:2.3:a:facebook:folly:2018.06.04.00
-
cpe:2.3:a:facebook:folly:2018.06.11.00
-
cpe:2.3:a:facebook:folly:2018.06.18.00
-
cpe:2.3:a:facebook:folly:2018.06.25.00
-
cpe:2.3:a:facebook:folly:2018.07.02.00
-
cpe:2.3:a:facebook:folly:2018.07.09.00
-
cpe:2.3:a:facebook:folly:2018.07.16.00
-
cpe:2.3:a:facebook:folly:2018.07.23.00
-
cpe:2.3:a:facebook:folly:2018.07.30.00
-
cpe:2.3:a:facebook:folly:2018.08.06.00
-
cpe:2.3:a:facebook:folly:2018.08.09.00
-
cpe:2.3:a:facebook:hhvm:3.26.0
-
cpe:2.3:a:facebook:hhvm:3.26.1
-
cpe:2.3:a:facebook:hhvm:3.26.2