
Facebook Patches "Memory Disclosure Using JPEG Images" Flaws in HHVM Servers

Facebook has patched 2 high-severity vulnerabilities in its server application that might have allowed remote attackers to obtain sensitive information without authorisation or cause a denial of service simply by uploading a maliciously crafted JPEG image file.

The vulnerabilities reside in HHVM (HipHop Virtual Machine), a high-performance, open-source virtual machine developed by Facebook for executing programs written in the PHP and Hack programming languages. HHVM uses a just-in-time (JIT) compilation approach to achieve high performance for Hack and PHP code while maintaining the development flexibility that the PHP language provides.

Since the affected HHVM server application is open source and free, both issues may impact other websites that use HHVM, including Wikipedia and Box, and particularly those that allow their users to upload images to the server.

Both vulnerabilities, listed below, exist because of a possible memory overflow in the GD extension of HHVM when a specially crafted invalid JPEG input is passed in, leading to an out-of-bounds read: a flaw that allows a program to read data from outside the bounds of its allocated memory.

  • CVE-2019-11925: Insufficient boundary checks when processing the JPEG APP12 block marker in the GD extension allow potential attackers to access out-of-bounds memory via a maliciously crafted invalid JPEG input.
  • CVE-2019-11926: Insufficient boundary checks when processing M_SOFx markers from JPEG headers in the GD extension allow potential attackers to access out-of-bounds memory via a maliciously crafted invalid JPEG input.
Both vulnerabilities affect all supported HHVM versions before 3.30.9, all versions between HHVM 4.0.0 and 4.8.3, all versions between HHVM 4.9.0 and 4.15.2, and HHVM versions 4.16.0 to 4.16.3, 4.17.0 to 4.17.2, 4.18.0 to 4.18.1, 4.19.0, and 4.20.0 to 4.20.1.

The HHVM team has addressed the vulnerabilities with the release of HHVM versions 4.21.0, 4.20.2, 4.19.1, 4.18.2, 4.17.3, 4.16.4, 4.15.3, 4.8.4, and 3.30.10. If your website or server also uses HHVM, you are strongly advised to update it to the latest version of the software.
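As an added illustration (not HHVM's or the GD extension's own code), the following C program walks the marker segments of a JPEG file and applies the kind of boundary check whose absence the two advisories describe: every segment's declared length is validated against the bytes actually remaining in the buffer before any APP12 payload or SOFx frame-header field is read, and an SOFx segment is rejected if it is too short for the component count it declares. The three JPEG byte strings are constructed for this example: one is well-formed, one carries an APP12 segment that claims more bytes than exist, and one carries an SOF0 segment that is too short for its component count.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative JPEG header walker with explicit bounds checks.
 * Added example, not HHVM/GD code. */

#define JPEG_SOI   0xD8
#define JPEG_EOI   0xD9
#define JPEG_SOS   0xDA
#define JPEG_APP12 0xEC   /* the APP12 marker named in CVE-2019-11925 */

enum jpeg_result { JPEG_OK = 0, JPEG_TRUNCATED = -1, JPEG_MALFORMED = -2 };

struct jpeg_info {
    int width, height, components;
    int app12_segments;   /* how many APP12 segments were seen */
    int sof_marker;       /* which SOFx marker defined the frame, 0 if none */
};

/* SOF0..SOF15 occupy 0xC0..0xCF, except DHT (0xC4), JPG (0xC8), DAC (0xCC). */
static int is_sof_marker(uint8_t m) {
    return m >= 0xC0 && m <= 0xCF && m != 0xC4 && m != 0xC8 && m != 0xCC;
}

/* Parses header segments up to SOS or EOI. Returns JPEG_OK, JPEG_TRUNCATED if
 * a segment claims more bytes than the buffer holds, or JPEG_MALFORMED. */
int jpeg_parse_headers(const uint8_t *buf, size_t len, struct jpeg_info *info)
{
    memset(info, 0, sizeof *info);
    if (len < 2 || buf[0] != 0xFF || buf[1] != JPEG_SOI)
        return JPEG_MALFORMED;
    size_t pos = 2;
    for (;;) {
        /* A marker is 0xFF followed by the marker byte: need two bytes. */
        if (pos + 2 > len) return JPEG_TRUNCATED;
        if (buf[pos] != 0xFF) return JPEG_MALFORMED;
        uint8_t marker = buf[pos + 1];
        pos += 2;
        if (marker == 0xFF) { pos--; continue; }           /* 0xFF fill byte */
        if (marker == JPEG_EOI || marker == JPEG_SOS) return JPEG_OK;
        if ((marker >= 0xD0 && marker <= 0xD7) || marker == 0x01)
            continue;                                       /* RSTn/TEM: no length */
        /* Every other marker carries a 2-byte big-endian length that counts itself. */
        if (pos + 2 > len) return JPEG_TRUNCATED;
        size_t seglen = ((size_t)buf[pos] << 8) | buf[pos + 1];
        if (seglen < 2) return JPEG_MALFORMED;
        /* The decisive check: the declared length must fit in what remains.
         * Without it, reads of the payload below would run past the buffer. */
        if (seglen > len - pos) return JPEG_TRUNCATED;
        const uint8_t *seg = buf + pos + 2;   /* payload start */
        size_t payload = seglen - 2;
        if (marker == JPEG_APP12) {
            /* Payload bytes may only be touched within [seg, seg + payload). */
            info->app12_segments++;
        } else if (is_sof_marker(marker)) {
            /* SOFx: precision(1) height(2) width(2) ncomp(1), then 3 bytes per component. */
            if (payload < 6) return JPEG_MALFORMED;
            int ncomp = seg[5];
            if (payload < 6 + (size_t)ncomp * 3) return JPEG_MALFORMED;
            info->sof_marker = marker;
            info->height = (seg[1] << 8) | seg[2];
            info->width = (seg[3] << 8) | seg[4];
            info->components = ncomp;
        }
        pos += seglen;
    }
}

/* Constructed samples (not real files). */
const uint8_t SAMPLE_GOOD[] = {
    0xFF, 0xD8,                         /* SOI */
    0xFF, 0xEC, 0x00, 0x04, 'A', 'B',   /* APP12, length 4, 2 payload bytes */
    0xFF, 0xC0, 0x00, 0x0B, 0x08,       /* SOF0, length 11, 8-bit precision */
    0x00, 0x10, 0x00, 0x20, 0x01,       /* height 16, width 32, 1 component */
    0x01, 0x11, 0x00,                   /* component 1: sampling 1x1, qtable 0 */
    0xFF, 0xDA                          /* SOS: stop here */
};
const uint8_t SAMPLE_APP12_TRUNC[] = {
    0xFF, 0xD8, 0xFF, 0xEC, 0x00, 0x40, 'A', 'B'   /* APP12 claims 64 bytes, 2 present */
};
const uint8_t SAMPLE_SOF_SHORT[] = {
    0xFF, 0xD8, 0xFF, 0xC0, 0x00, 0x08, 0x08,
    0x00, 0x10, 0x00, 0x20, 0x03,       /* declares 3 components, no component data */
    0xFF, 0xDA
};

int main(void)
{
    struct jpeg_info info;
    printf("good:        %d (%dx%d)\n",
           jpeg_parse_headers(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &info), info.width, info.height);
    printf("app12 trunc: %d\n", jpeg_parse_headers(SAMPLE_APP12_TRUNC, sizeof SAMPLE_APP12_TRUNC, &info));
    printf("sof short:   %d\n", jpeg_parse_headers(SAMPLE_SOF_SHORT, sizeof SAMPLE_SOF_SHORT, &info));
    return 0;
}
```

The design point is that the length field of a JPEG segment is attacker-controlled data like any other byte of the upload, so it is compared against the remaining buffer before it is used, and the SOFx component count is checked against the segment's own payload size before the per-component fields are read. A parser that trusts either value reads past its allocation on a crafted file, which is the failure mode the two CVEs describe.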

