CVE-2022-36937

Summary

HHVM 4.172.0 and all prior versions use TLS 1.0 for secure connections when handling tls:// URLs in the stream extension. TLS1.0 has numerous published vulnerabilities and is deprecated. HHVM 4.153.4, 4.168.2, 4.169.2, 4.170.2, 4.171.1, 4.172.1, 4.173.0 replaces TLS1.0 with TLS1.3.

Applications that call stream_socket_server or stream_socket_client functions with a URL starting with tls:// are affected.

Affected Software

VendorProductVersion RangeStatus
FacebookHHVM4.172.0 < 4.172.1affected
FacebookHHVM4.171.0 < 4.171.1affected
FacebookHHVM4.170.0 < 4.170.2affected
FacebookHHVM4.169.0 < 4.169.2affected
FacebookHHVM4.154.0 < 1.168.2affected
FacebookHHVM0 < 4.153.4affected

Weaknesses

  • CWE-1104: Use of Unmaintained Third Party Components

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References