CVE-2022-36937

Name of the Vulnerable Software and Affected Versions HHVM versions 4.172.0 and all prior versions

Description The issue arises from HHVM using TLS 1.0 for secure connections when handling tls:// URLs in the stream extension. TLS 1.0 has numerous published vulnerabilities and is deprecated. Applications that call stream socket server or stream socket client functions with a URL starting with tls:// are affected.

Recommendations For HHVM versions 4.172.0 and all prior versions, update to a version that replaces TLS 1.0 with TLS 1.3, such as HHVM 4.153.4, 4.168.2, 4.169.2, 4.170.2, 4.171.1, 4.172.1, or 4.173.0. As a temporary workaround, consider avoiding the use of tls:// URLs in the stream extension until a patch is available. Restrict access to the stream socket server and stream socket client functions to minimize the risk of exploitation.