CVE-2021-24036: Security Update
Passing an attacker-controlled size when creating an IOBuf could cause an integer overflow, leading to an out-of-bounds write on the heap with the possibility of remote code execution. This issue affects versions of folly prior to v2021.07.22.00. This issue affects HHVM versions prior to 4.80.5, all versions between 4.81.0 and 4.102.1, all versions between 4.103.0 and 4.113.0, and versions 4.114.0, 4.115.0, 4.116.0, 4.117.0, 4.118.0 and 4.118.1.
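The pattern behind this bug class, as an added illustration that is not folly's or HHVM's code: an allocation size computed as a fixed header plus an untrusted capacity wraps around to a small value, and the checked form that refuses such a request. The header size and the header-plus-payload layout are assumptions for the example.

```cpp
#include <cstddef>
#include <cstdio>
#include <limits>
#include <memory>
#include <optional>

// Assumed layout: a fixed-size bookkeeping header lives in the same heap
// block as the payload (illustrative, not folly's actual IOBuf layout).
constexpr std::size_t kHeaderSize = 64;

// Unchecked arithmetic: for a capacity close to SIZE_MAX the sum wraps
// around to a small number, so the heap block is far smaller than the
// capacity the object later believes it owns; writes up to that capacity
// land past the end of the block.
std::size_t uncheckedAllocSize(std::size_t capacity) {
  return kHeaderSize + capacity;  // wraps modulo 2^(bits of size_t)
}

// Checked arithmetic: reject any capacity for which header + capacity does
// not fit in size_t. This is the defensive pattern for this bug class.
std::optional<std::size_t> checkedAllocSize(std::size_t capacity) {
  if (capacity > std::numeric_limits<std::size_t>::max() - kHeaderSize) {
    return std::nullopt;
  }
  return kHeaderSize + capacity;
}

struct Buffer {
  std::size_t capacity;                    // payload bytes a caller may write
  std::unique_ptr<unsigned char[]> block;  // header followed by payload
  unsigned char* data() { return block.get() + kHeaderSize; }
};

// Build a buffer from an untrusted size, failing closed on overflow instead
// of allocating an undersized block.
std::unique_ptr<Buffer> createBuffer(std::size_t capacity) {
  auto total = checkedAllocSize(capacity);
  if (!total) return nullptr;
  auto buf = std::make_unique<Buffer>();
  buf->capacity = capacity;
  buf->block = std::make_unique<unsigned char[]>(*total);
  return buf;
}

int main() {
  const std::size_t huge = std::numeric_limits<std::size_t>::max() - 10;
  std::printf("unchecked block size for SIZE_MAX-10: %zu bytes\n",
              uncheckedAllocSize(huge));
  std::printf("checked create rejected: %s\n", createBuffer(huge) ? "no" : "yes");
  return 0;
}
```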
A security update has been released for all supported HHVM versions. Please update to one of the following versions to get the update:
- 4.80.5
- 4.102.2
- 4.113.1
- 4.114.1
- 4.115.1
- 4.116.1
- 4.117.1
- 4.118.2
4.80.6 and 4.102.3 are also released for Debian 10 Buster and Ubuntu 18.04 Bionic, updating build system compatibility with those platforms.
This security update addresses:
- CVE-2021-24036, a remote code execution vulnerability in Folly’s IOBuf class
- an issue in HHVM that could lead to specially crafted XBox request parameter data being interpreted as other RPCServer commands.