CVE-2019-3557
First published: Tue Jan 15 2019(Updated: )
The implementations of streams for bz2 and php://output improperly implemented their readImpl functions, returning -1 consistently. This behavior caused some stream functions, such as stream_get_line, to trigger an out-of-bounds read when operating on such malformed streams. The implementations were updated to return valid values consistently. This affects all supported versions of HHVM (3.30 and 3.27.4 and below).
Credit: cve-assign@fb.com cve-assign@fb.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Facebook HHVM | <=3.27.4 | |
| Facebook HHVM | >=3.28.0<=3.30.0 | |
| <=3.27.4 | ||
| >=3.28.0<=3.30.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this vulnerability?
The vulnerability ID for this vulnerability is CVE-2019-3557.
What is the severity of CVE-2019-3557?
The severity of CVE-2019-3557 is critical with a severity value of 9.8.
Which software is affected by CVE-2019-3557?
The software affected by CVE-2019-3557 is Facebook HHVM versions 3.27.4 to 3.30.0.
What is the impact of CVE-2019-3557?
CVE-2019-3557 allows for an out-of-bounds read and can cause a denial-of-service condition or potentially leak sensitive information.
How can I fix CVE-2019-3557?
To fix CVE-2019-3557, update your Facebook HHVM installation to version 3.30.2 or later.
- collector/nvd-index
- agent/references
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/remedy
- agent/weakness
- agent/description
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/author
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/event
- vendor/facebook
- canonical/facebook hhvm
- version/facebook hhvm/3.27.4
- version/facebook hhvm/3.28.0
- version/facebook hhvm/3.30.0