CVE-2022-36937: 
HHVM vulnerability analysis and mitigation

HHVM 4.172.0 and all prior versions use TLS 1.0 for secure connections when handling tls:// URLs in the stream extension. TLS1.0 has numerous published vulnerabilities and is deprecated. This vulnerability affects applications that call streamsocketserver or streamsocketclient functions with a URL starting with tls:// (NVD).

The vulnerability exists in the stream extension's functions streamsocketserver and streamsocketclient which accept URLs. When a URL starts with tls://, these functions would allow TLS 1.0 connections, which is considered insecure. The issue has been assigned a CVSS v3.1 Base Score of 9.8 CRITICAL with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The use of TLS 1.0, which has numerous published vulnerabilities, could allow attackers to exploit known weaknesses in the protocol. This potentially impacts the confidentiality, integrity, and availability of data transmitted through these connections (NVD).

The issue has been fixed in HHVM versions 4.153.4, 4.168.2, 4.169.2, 4.170.2, 4.171.1, 4.172.1, and 4.173.0, which replace TLS 1.0 with TLS 1.3. Users should upgrade to one of these patched versions to resolve the vulnerability (HHVM Blog, GitHub Patch).