Facebook has now patched two high severity vulnerabilities in its server application that could allow the remote attackers to unauthorisedly obtain sensitive information or cause a denial of service just by uploading a maliciously constructed JPEG image file. The vulnerabilities reside in HHVM.Since the affected HHVM server application is open-source and free then the both issues may also impact other websites that use HHVM including Wikipedia, Box and especially those which allow their users to upload images on the server.
Both the vulnerabilities affect all supported HHVM versions prior to 3.30.9, all versions between HHVM 4.0.0 and 4.8.3, all versions between HHVM 4.9.0 and 4.15.2, and HHVM versions 4.16.0 to 4.16.3, 4.17.0 to 4.17.2, 4.18.0 to 4.18.1, 4.19.0, 4.20.0 to 4.20.1.
The HHVM team has addressed the vulnerabilities with the release of HHVM versions 4.21.0, 4.20.2, 4.19.1, 4.18.2, 4.17.3, 4.16.4, 4.15.3, 4.8.4, and 3.30.10.If your website or server is also using HHVM ,then you are highly recommended to update it to the latest version of the software.