PT-2023-32975 · Unknown+1 · Torchserve+1

Published

2023-10-02

·

Updated

2023-10-02

CVSS v3.1

9.9

Critical

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: TorchServe versions 0.3.0 through 0.8.1
Description: The issue stems from the use of a vulnerable version of the SnakeYAML open source library, which potentially exposes users to unsafe deserialization of Java objects. This could allow third parties to execute arbitrary code on the target system.
Recommendations: For TorchServe versions 0.3.0 through 0.8.1, update to TorchServe release 0.8.2, which includes fixes for the issue. Users can use the following new image tags to pull DLCs that ship with the patched TorchServe version 0.8.2:
  • For x86 GPU: v1.9-pt-ec2-2.0.1-inf-gpu-py310 or v1.8-pt-sagemaker-2.0.1-inf-gpu-py310
  • For x86 CPU: v1.8-pt-ec2-2.0.1-inf-cpu-py310 or v1.7-pt-sagemaker-2.0.1-inf-cpu-py310
  • For Graviton: v1.7-pt-graviton-ec2-2.0.1-inf-cpu-py310 or v1.5-pt-graviton-sagemaker-2.0.1-inf-cpu-py310
  • For Neuron: 1.13.1-neuron-py310-sdk2.13.2-ubuntu20.04, 1.13.1-neuronx-py310-sdk2.13.2-ubuntu20.04, or 1.13.1-neuronx-py310-sdk2.13.2-ubuntu20.04

Fix


Weakness Enumeration

Related identifiers

GHSA-4MQG-H5JF-J9M7

Affected products

Snakeyaml
Torchserve