CVE-2018-6337 vulnerability in Facebook Products
Published on December 31, 2018
folly::secureRandom will re-use a buffer between parent and child processes when fork() is called. That will result in multiple forked children producing repeat (or similar) results. This affects HHVM 3.26 prior to 3.26.3 and the folly library between v2017.12.11.00 and v2018.08.09.00.
Vulnerability Analysis
CVE-2018-6337 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.
Weakness Type
Improper Removal of Sensitive Information Before Storage or Transfer
The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.
Products Associated with CVE-2018-6337
stack.watch emails you whenever new vulnerabilities are published in Facebook Folly or Facebook Hhvm. Just hit a watch button to start following.
Affected Versions
Facebook HHVM:- Version 3.26.3 is affected.
- Version 3.26.0 and below unspecified is affected.
- Version unspecified and below 3.26.0 is unaffected.
- Version v2018.08.09.00 is affected.
- Version v2017.12.11.00 and below unspecified is affected.
- Version unspecified and below v2017.12.11.00 is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.