PT-2019-16618 · Facebook · Hhvm

Published

2019-07-18

·

Updated

2020-10-16

·

CVE-2019-3570

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

HHVM versions 3.30.5 and below
HHVM versions 4.0 through 4.2
HHVM versions 4.3.0 through 4.8.0

Description

A call to the scrypt_enc() function in HHVM can lead to heap corruption when it is invoked with specially crafted cost parameters (N, r, and p). The precondition is that an attacker can choose these parameters, for instance by supplying a stored scrypt_enc() output that Hack/PHP code later "verifies" by re-running scrypt_enc() with the N, r and p parsed from that output. Exploitation can result in information disclosure, memory being overwritten, or a crash of the HHVM process.

Recommendations

For HHVM versions 3.30.5 and below, update to a version above 3.30.5. For HHVM versions 4.0 through 4.2, update to a version above 4.2. For HHVM versions 4.3.0 through 4.8.0, update to a version above 4.8.0. Until the upgrade is deployed, restrict scrypt_enc() to calls whose N, r and p come from the application's own configuration, never from stored records or user-supplied data.
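The verify-by-re-running pattern described above, shown as an added example (not code from HHVM or Facebook, and not the fix itself): a naive verifier that feeds N, r and p from a stored record straight into scrypt_enc(), next to a hardened verifier that bounds-checks them first. The record layout "N:r:p:salt:digest" is a hypothetical application choice, as are the APP_* and MAX_* constants; scrypt_enc(string $password, string $salt, int $N, int $r, int $p): string is assumed to be HHVM's extension signature.

```php
<?php
// Added example (not HHVM or Facebook code): the "verify by re-running
// scrypt_enc()" pattern from the advisory, naive and hardened.
// Assumptions: scrypt_enc(string $password, string $salt, int $N, int $r,
// int $p): string is HHVM's extension function; the record layout
// "N:r:p:salt:digest" is hypothetical (an application's own choice) and
// its digest field is whatever scrypt_enc() returned when the password was set.

const APP_N = 16384; // 2^14
const APP_R = 8;
const APP_P = 1;
// Upper bounds on what this application is ever willing to compute.
const MAX_N = 1 << 20;
const MAX_R = 32;
const MAX_P = 16;

function make_record(string $password): string {
  $salt = bin2hex(random_bytes(16));
  $digest = scrypt_enc($password, $salt, APP_N, APP_R, APP_P);
  return implode(':', [APP_N, APP_R, APP_P, $salt, $digest]);
}

// Vulnerable pattern: N, r and p come out of the stored record and go
// straight into scrypt_enc(). Whoever can write the record (shared database,
// import file, user-editable profile) chooses the parameters.
function verify_naive(string $password, string $record): bool {
  list($N, $r, $p, $salt, $digest) = explode(':', $record, 5);
  $again = scrypt_enc($password, $salt, (int)$N, (int)$r, (int)$p);
  return hash_equals($digest, $again);
}

// Parameter checks: the RFC 7914 constraints (N a power of two greater than 1,
// r*p < 2^30, N < 2^(128*r/8)) plus application caps, so a tampered record is
// refused before scrypt_enc() allocates anything.
function scrypt_params_ok(int $N, int $r, int $p): bool {
  if ($N < 2 || ($N & ($N - 1)) !== 0) return false;   // power of two, > 1
  if ($r < 1 || $p < 1) return false;
  if ($N > MAX_N || $r > MAX_R || $p > MAX_P) return false;
  if ($r * $p >= (1 << 30)) return false;               // RFC 7914
  // N < 2^(128*r/8); for r >= 4 any 64-bit N satisfies it.
  if ($r < 4 && $N >= (1 << (16 * $r))) return false;
  return true;
}

// Hardened pattern: refuse the record unless every numeric field is an
// unsigned decimal and the parameters pass scrypt_params_ok().
function verify_checked(string $password, string $record): bool {
  $parts = explode(':', $record, 5);
  if (count($parts) !== 5) return false;
  list($N, $r, $p, $salt, $digest) = $parts;
  if (!ctype_digit($N) || !ctype_digit($r) || !ctype_digit($p)) return false;
  if (!scrypt_params_ok((int)$N, (int)$r, (int)$p)) return false;
  $again = scrypt_enc($password, $salt, (int)$N, (int)$r, (int)$p);
  return hash_equals($digest, $again);
}

// Constructed tampered record: N raised to 2^40 on an otherwise valid entry.
$tampered = (1 << 40) . ':8:1:' . bin2hex(random_bytes(16)) . ':x';
var_dump(verify_checked('hunter2', $tampered)); // bool(false), scrypt_enc() never called
```

The checks are a mitigation for the calling code, not a replacement for the upgrade: they keep attacker-chosen N, r and p out of scrypt_enc(), but the heap corruption itself is only removed by running a fixed HHVM release.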

Fix

Heap Based Buffer Overflow

Memory Corruption


Weakness Enumeration

Related Identifiers

CVE-2019-3570

Affected Products

Hhvm