刘力源

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.10.0 TensorFlow versions 2.9.1 and earlier TensorFlow versions 2.8.1 and earlier TensorFlow versions 2.7.2 and earlier **Description** The implementation of SobolSampleOp is vulnerable to a denial of service via CHECK-failure (assertion failure) caused by assuming `input(0)`, `input(1)`, and `input(2)` to be scalar. This issue can be triggered by providing non-scalar inputs to the SobolSampleOp function. **Recommendations** For versions prior to 2.10.0, update to TensorFlow 2.10.0 or later. For versions 2.9.1 and earlier, update to TensorFlow 2.9.1 or later. For versions 2.8.1 and earlier, update to TensorFlow 2.8.1 or later. For versions 2.7.2 and earlier, update to TensorFlow 2.7.2 or later. As a temporary workaround, consider avoiding the use of the SobolSampleOp function with non-scalar inputs until a patch is available.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.10.0 TensorFlow versions 2.9.1 and earlier TensorFlow versions 2.8.1 and earlier TensorFlow versions 2.7.2 and earlier **Description** The `UnbatchGradOp` function in TensorFlow takes an argument `id` that is assumed to be a scalar. A nonscalar `id` can trigger a `CHECK` failure and crash the program. It also requires its argument `batch index` to contain three times the number of elements as indicated in its `batch index.dim size(0)`. An incorrect `batch index` can trigger a `CHECK` failure and crash the program. **Recommendations** For versions prior to 2.10.0, update to TensorFlow 2.10.0 or later. For versions 2.9.1 and earlier, update to TensorFlow 2.9.1 or later. For versions 2.8.1 and earlier, update to TensorFlow 2.8.1 or later. For versions 2.7.2 and earlier, update to TensorFlow 2.7.2 or later. As a temporary workaround, consider disabling the `UnbatchGradOp` function until a patch is available. Restrict access to the `batch index` and `id` parameters in the affected API endpoint until the issue is resolved. Avoid using the `id` parameter with nonscalar values in the affected API endpoint until the issue is resolved. Avoid using the `batch index` parameter with incorrect sizes in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.10.0 TensorFlow versions 2.9.1, 2.8.1, and 2.7.2 **Description** The issue arises when `FakeQuantWithMinMaxVars` is given `min` or `max` tensors of a nonzero rank, resulting in a `CHECK` fail that can be used to trigger a denial of service attack. There are no known workarounds for this issue. **Recommendations** For TensorFlow versions prior to 2.10.0, update to version 2.10.0 or later. For TensorFlow versions 2.9.1, 2.8.1, and 2.7.2, update to the respective patched versions. As a temporary workaround, consider avoiding the use of `FakeQuantWithMinMaxVars` with `min` or `max` tensors of a nonzero rank until a patch is available.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.10.0 TensorFlow versions 2.9.1 and earlier TensorFlow versions 2.8.1 and earlier TensorFlow versions 2.7.2 and earlier **Description** The issue occurs when `tf.quantization.fake quant with min max vars per channel gradient` receives input `min` or `max` of rank other than 1, resulting in a `CHECK` fail that can trigger a denial of service attack. **Recommendations** For versions prior to 2.10.0, update to TensorFlow 2.10.0 or later. For versions 2.9.1 and earlier, update to TensorFlow 2.9.1 or later. For versions 2.8.1 and earlier, update to TensorFlow 2.8.1 or later. For versions 2.7.2 and earlier, update to TensorFlow 2.7.2 or later. As a temporary workaround, consider avoiding the use of `tf.quantization.fake quant with min max vars per channel gradient` with input `min` or `max` of rank other than 1 until a patch is available.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.10.0 TensorFlow versions 2.9.1 and earlier TensorFlow versions 2.8.1 and earlier TensorFlow versions 2.7.2 and earlier **Description** TensorFlow is an open source platform for machine learning. When `TensorListScatter` and `TensorListScatterV2` receive an `element shape` of a rank greater than one, they give a `CHECK` fail that can trigger a denial of service attack. **Recommendations** For versions prior to 2.10.0, update to TensorFlow 2.10.0 or later. For versions 2.9.1 and earlier, update to TensorFlow 2.9.1 or later. For versions 2.8.1 and earlier, update to TensorFlow 2.8.1 or later. For versions 2.7.2 and earlier, update to TensorFlow 2.7.2 or later. As a temporary workaround, consider avoiding the use of `TensorListScatter` and `TensorListScatterV2` with an `element shape` of a rank greater than one until a patch is available.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.10.0 TensorFlow versions 2.9.1, 2.8.1, and 2.7.2 are also affected **Description** The issue occurs when `TensorListFromTensor` receives an `element shape` of a rank greater than one, resulting in a `CHECK` fail that can trigger a denial of service attack. There are no known workarounds for this issue. **Recommendations** For TensorFlow versions prior to 2.10.0, update to version 2.10.0 or later to resolve the issue. For TensorFlow versions 2.9.1, 2.8.1, and 2.7.2, update to the respective cherrypicked versions to resolve the issue. As a temporary workaround, consider avoiding the use of `TensorListFromTensor` with an `element shape` of a rank greater than one until a patch is available.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.10.0 TensorFlow versions 2.9.1 and earlier TensorFlow versions 2.8.1 and earlier TensorFlow versions 2.7.2 and earlier **Description** The issue occurs when the `SetSize` function receives an input `set shape` that is not a 1D tensor, resulting in a `CHECK` failure that can be used to trigger a denial of service attack. There are no known workarounds for this issue. **Recommendations** For versions prior to 2.10.0, update to TensorFlow 2.10.0 or later. For versions 2.9.1 and earlier, update to TensorFlow 2.9.1 or later. For versions 2.8.1 and earlier, update to TensorFlow 2.8.1 or later. For versions 2.7.2 and earlier, update to TensorFlow 2.7.2 or later. As a temporary workaround, consider avoiding the use of the `SetSize` function with non-1D tensor inputs until a patch is available.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.10.0 TensorFlow versions 2.9.1 and earlier TensorFlow versions 2.8.1 and earlier TensorFlow versions 2.7.2 and earlier **Description** The issue occurs when `CollectiveGather` receives a scalar input `input`, resulting in a `CHECK` failure that can be used to trigger a denial of service attack. There are no known workarounds for this issue. **Recommendations** For versions prior to 2.10.0, update to TensorFlow 2.10.0 or later. For versions 2.9.1 and earlier, update to TensorFlow 2.9.1 or later. For versions 2.8.1 and earlier, update to TensorFlow 2.8.1 or later. For versions 2.7.2 and earlier, update to TensorFlow 2.7.2 or later. As a temporary workaround, consider avoiding the use of `CollectiveGather` with scalar inputs until a patch is available.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.10.0 TensorFlow versions 2.9.1, 2.8.1, and 2.7.2 are also affected **Description** The issue occurs when `AudioSummaryV2` receives an input `sample rate` with more than one element, resulting in a `CHECK` failure that can be used to trigger a denial of service attack. There are no known workarounds for this issue. **Recommendations** For TensorFlow versions prior to 2.10.0, update to version 2.10.0 or later to resolve the issue. For TensorFlow versions 2.9.1, 2.8.1, and 2.7.2, update to the respective patched versions to resolve the issue. As a temporary workaround, consider avoiding the use of `AudioSummaryV2` with input `sample rate` having more than one element until a patch is available.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.10.0 TensorFlow versions 2.9.1 and earlier TensorFlow versions 2.8.1 and earlier TensorFlow versions 2.7.2 and earlier **Description** The issue arises when `mlir::tfg::ConvertGenericFunctionToFunctionDef` is given empty function attributes, resulting in a null dereference. Additionally, the `Eig` function can be fed an incorrect `Tout` input, leading to a `CHECK` fail that can trigger a denial of service attack. The `Eig` function is vulnerable when given specific inputs, such as `arg 0` with a shape of (2, 2) and `arg 1` set to `tf.complex128`. There are no known workarounds for this issue. **Recommendations** For TensorFlow versions prior to 2.10.0, update to TensorFlow 2.10.0 or later to resolve the issue. For TensorFlow versions 2.9.1 and earlier, update to TensorFlow 2.9.1 or later to resolve the issue. For TensorFlow versions 2.8.1 and earlier, update to TensorFlow 2.8.1 or later to resolve the issue. For TensorFlow versions 2.7.2 and earlier, update to TensorFlow 2.7.2 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the `Eig` function with incorrect `Tout` inputs until a patch is available.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.10.0 TensorFlow versions 2.9.1 and earlier TensorFlow versions 2.8.1 and earlier TensorFlow versions 2.7.2 and earlier **Description** The issue occurs when the `DrawBoundingBoxes` function receives an input `boxes` that is not of dtype `float`, resulting in a `CHECK` fail that can trigger a denial of service attack. This can happen when the input `boxes` has a different data type, such as `tf.half`. The estimated number of potentially affected devices is not provided. There are no known real-world incidents where this issue was exploited. **Recommendations** For TensorFlow versions prior to 2.10.0, update to version 2.10.0 or later. For TensorFlow versions 2.9.1 and earlier, update to version 2.9.1 or later. For TensorFlow versions 2.8.1 and earlier, update to version 2.8.1 or later. For TensorFlow versions 2.7.2 and earlier, update to version 2.7.2 or later. As a temporary workaround, consider validating the input data type for the `boxes` parameter in the `DrawBoundingBoxes` function to ensure it is of dtype `float` before passing it to the function.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.10.0 TensorFlow versions 2.9.1 and earlier TensorFlow versions 2.8.1 and earlier TensorFlow versions 2.7.2 and earlier **Description** The issue occurs when the `Unbatch` function receives a nonscalar input `id`, resulting in a `CHECK` fail that can trigger a denial of service attack. This can happen when the `Unbatch` function is called with specific arguments, such as `batched tensor`, `batch index`, and `id`. The estimated number of potentially affected devices worldwide is not available. There are no known real-world incidents where this issue was exploited. **Recommendations** For versions prior to 2.10.0, update to TensorFlow 2.10.0 or later. For versions 2.9.1 and earlier, update to TensorFlow 2.9.1 or later. For versions 2.8.1 and earlier, update to TensorFlow 2.8.1 or later. For versions 2.7.2 and earlier, update to TensorFlow 2.7.2 or later. As a temporary workaround, consider avoiding the use of the `Unbatch` function with nonscalar input `id` until a patch is available. Restrict access to the `Unbatch` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.10.0 TensorFlow versions 2.9.1 and earlier TensorFlow versions 2.8.1 and earlier TensorFlow versions 2.7.2 and earlier **Description** The issue occurs when `RandomPoissonV2` receives large input shape and rates, resulting in a `CHECK` fail that can trigger a denial of service attack. This can happen when the `shape` and `rate` parameters are set to large values. For example, when `arg 0` is set to a large shape and `arg 1` is set to a large rate, the `tf.raw ops.RandomPoissonV2` function can fail and cause a denial of service attack. **Recommendations** For TensorFlow versions prior to 2.10.0, update to TensorFlow 2.10.0 or later. For TensorFlow versions 2.9.1 and earlier, update to TensorFlow 2.9.1 or later. For TensorFlow versions 2.8.1 and earlier, update to TensorFlow 2.8.1 or later. For TensorFlow versions 2.7.2 and earlier, update to TensorFlow 2.7.2 or later. As a temporary workaround, consider restricting the input shape and rates to `RandomPoissonV2` to prevent large values from causing a denial of service attack.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.10.0 TensorFlow versions 2.9.1 and earlier TensorFlow versions 2.8.1 and earlier TensorFlow versions 2.7.2 and earlier **Description** The issue occurs when `tf.random.gamma` receives large input shape and rates, resulting in a `CHECK` fail that can trigger a denial of service attack. This can happen when the function is called with specific arguments, such as large shapes and rates. There are no known workarounds for this issue. **Recommendations** For TensorFlow versions prior to 2.10.0, update to version 2.10.0 or later to resolve the issue. For TensorFlow versions 2.9.1 and earlier, update to version 2.9.1 or later to resolve the issue. For TensorFlow versions 2.8.1 and earlier, update to version 2.8.1 or later to resolve the issue. For TensorFlow versions 2.7.2 and earlier, update to version 2.7.2 or later to resolve the issue. As a temporary workaround, consider avoiding the use of `tf.random.gamma` with large input shapes and rates until a patch is available.

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.10.0 TensorFlow versions 2.9.1 and earlier TensorFlow versions 2.8.1 and earlier TensorFlow versions 2.7.2 and earlier **Description** The issue occurs when `tf.quantization.fake quant with min max vars gradient` receives input `min` or `max` that is nonscalar, resulting in a `CHECK` fail that can trigger a denial of service attack. There are no known workarounds for this issue. **Recommendations** For versions prior to 2.10.0, update to TensorFlow 2.10.0 or later. For versions 2.9.1 and earlier, update to TensorFlow 2.9.1 or later. For versions 2.8.1 and earlier, update to TensorFlow 2.8.1 or later. For versions 2.7.2 and earlier, update to TensorFlow 2.7.2 or later. As a temporary workaround, consider avoiding the use of `tf.quantization.fake quant with min max vars gradient` with nonscalar `min` or `max` inputs until a patch is available.