Facebook has patched two high-severity vulnerabilities in its server application that could have allowed remote attackers to unauthorisedly obtain sensitive information or cause a denial of service just by uploading a maliciously constructed JPEG image file.
The vulnerabilities reside in HHVM (HipHop Virtual Machine)—a high-performance, open source virtual machine developed by Facebook for executing programs written in PHP and Hack programming languages.
HHVM uses a just-in-time (JIT) compilation approach to achieve superior performance of your Hack and PHP code while maintaining the development flexibility that the PHP language provides.
Since the affected HHVM server application is open-source and free, both issues may also impact other websites that use HHVM, including Wikipedia, Box and especially those which allow their users to upload images on the server.
Both the vulnerabilities, as listed below, reside due to a possible memory overflow in the GD extension of HHVM when a specially constructed invalid JPEG input is passed in, leading to out-of-bounds read—a flaw that allows a malformed program to read data from outside the bounds of allocated memory.
- CVE-2019-11925: Insufficient boundary check issues occur when processing the JPEG APP12 block marker in the GD extension, allowing potential attackers to access out-of-bounds memory via a maliciously crafted invalid JPEG input.
- CVE-2019-11926: Insufficient boundary check issues occur when processing M_SOFx markers from JPEG headers in the GD extension, allowing potential attackers to access out-of-bounds memory via a maliciously crafted invalid JPEG input.
Both the vulnerabilities affect all supported HHVM versions prior to 3.30.9, all versions between HHVM 4.0.0 and 4.8.3, all versions between HHVM 4.9.0 and 4.15.2, and HHVM versions 4.16.0 to 4.16.3, 4.17.0 to 4.17.2, 4.18.0 to 4.18.1, 4.19.0, 4.20.0 to 4.20.1.
The HHVM team has addressed the vulnerabilities with the release of HHVM versions 4.21.0, 4.20.2, 4.19.1, 4.18.2, 4.17.3, 4.16.4, 4.15.3, 4.8.4, and 3.30.10.
If your website or server is also using HHVM, you are highly recommended to update it to the latest version of the software.