CVE-2019-3556

Name of the Vulnerable Software and Affected Versions HHVM versions prior to 4.56.2 HHVM versions 4.57.0 through 4.78.0 HHVM versions 4.79.0, 4.80.0, 4.81.0, 4.82.0, 4.83.0

Description HHVM supports the use of an "admin" server which accepts administrative requests over HTTP. One of those request handlers, dump-pcre-cache, can be used to output cached regular expressions from the current execution context into a file. The handler takes a parameter which specifies where on the filesystem to write this data. The parameter is not validated, allowing a malicious user to overwrite arbitrary files where the user running HHVM has write access.

Recommendations For HHVM versions prior to 4.56.2, update to version 4.56.2 or later. For HHVM versions 4.57.0 through 4.78.0, update to version 4.78.1 or later. For HHVM versions 4.79.0, 4.80.0, 4.81.0, 4.82.0, and 4.83.0, update to a version that is not affected by this issue. As a temporary workaround, consider disabling the dump-pcre-cache request handler until a patch is available.