Zizhuang Deng

Researcher fromIIE, UCAS
#21257of 53,633
11.6Total CVSS
Vulnerabilities · 2
Medium
2
PT-2022-26114
6.8
2022-11-18
Google · Tensorflow · CVE-2022-41883
**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.11 TensorFlow version 2.10.1 TensorFlow version 2.9.3 TensorFlow version 2.8.4 **Description** The issue occurs when ops with specified input sizes receive a differing number of inputs, causing the executor to crash. This is demonstrated in the `tf.raw ops.DynamicStitch` operation, which specifies input sizes when registered. When it receives a differing number of inputs, such as when called with an `indices` size 1 and a `data` size 2, it will crash. The estimated number of potentially affected devices is not provided. **Recommendations** For TensorFlow versions prior to 2.11, update to version 2.11 or later. For TensorFlow version 2.10.1, apply the patch from GitHub commit f5381e0e10b5a61344109c1b7c174c68110f7629 or update to a later version. For TensorFlow version 2.9.3, apply the patch from GitHub commit f5381e0e10b5a61344109c1b7c174c68110f7629 or update to a later version. For TensorFlow version 2.8.4, apply the patch from GitHub commit f5381e0e10b5a61344109c1b7c174c68110f7629 or update to a later version. As a temporary workaround, consider avoiding the use of the `tf.raw ops.DynamicStitch` operation with differing input sizes until a patch is applied or the version is updated.
PT-2022-26130
4.8
2022-11-18
Google · Tensorflow · CVE-2022-41899
**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.11 TensorFlow versions 2.10.1 and earlier TensorFlow versions 2.9.3 and earlier TensorFlow versions 2.8.4 and earlier **Description** TensorFlow is an open source platform for machine learning. Inputs `dense features` or `example state data` not of rank 2 will trigger a `CHECK` fail in `SdcaOptimizer`. **Recommendations** For versions prior to 2.11, update to TensorFlow 2.11 or later. For versions 2.10.1 and earlier, update to TensorFlow 2.10.1 or later. For versions 2.9.3 and earlier, update to TensorFlow 2.9.3 or later. For versions 2.8.4 and earlier, update to TensorFlow 2.8.4 or later. As a temporary workaround, consider disabling the `SdcaOptimizer` function until a patch is available. Restrict access to the `dense features` and `example state data` parameters to minimize the risk of exploitation.