CVE-2018-6337

Summary

folly::secureRandom will re-use a buffer between parent and child processes when fork() is called. That will result in multiple forked children producing repeat (or similar) results. This affects HHVM 3.26 prior to 3.26.3 and the folly library between v2017.12.11.00 and v2018.08.09.00.

Affected Software

VendorProductVersion RangeStatus
FacebookHHVM3.26.3affected
FacebookHHVM3.26.0 < unspecifiedaffected
FacebookHHVMunspecified < 3.26.0unaffected
Facebookfollyv2018.08.09.00affected
Facebookfollyv2017.12.11.00 < unspecifiedaffected
Facebookfollyunspecified < v2017.12.11.00unaffected

Weaknesses

  • CWE-212: Improper Cross-boundary Removal of Sensitive Data (CWE-212)

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References