PT-2021-18268 · Google · Tensorflow
Yakun Zhang (+1) · Published 2021-05-14 · Updated 2024-03-06 · CVE-2021-29517
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions:
TensorFlow versions prior to 2.5.0
TensorFlow version 2.4.2
TensorFlow version 2.3.3
TensorFlow version 2.2.3
TensorFlow version 2.1.4
Description:
A malicious user could trigger a division by 0 in the Conv3D implementation. The implementation does a modulo operation based on user-controlled input, and when the filter has a 0 as the fifth element, this results in a division by 0. Additionally, if the shape of the two tensors is not valid, an Eigen assertion can be triggered, resulting in a program crash.
Recommendations:
For TensorFlow versions prior to 2.5.0, update to version 2.5.0 or later.
For TensorFlow version 2.4.2, apply the cherrypicked commit.
For TensorFlow version 2.3.3, apply the cherrypicked commit.
For TensorFlow version 2.2.3, apply the cherrypicked commit.
For TensorFlow version 2.1.4, apply the cherrypicked commit.
As a temporary workaround, consider disabling the Conv3D function until a patch is available.
Avoid using the filter tensor with a 0 as the fifth element in the affected Conv3D implementation until the issue is resolved.
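A pre-flight shape check in the spirit of the workaround above, as an added example; it is not TensorFlow's code and not the upstream patch. It assumes the documented `tf.nn.conv3d` layout (filter = [depth, height, width, in_channels, out_channels]); `check_conv3d_shapes`, `screen_requests` and the sample shapes are constructed for illustration.

```python
# Assumed layout, per the tf.nn.conv3d documentation:
#   input  = [batch, depth, height, width, in_channels]
#   filter = [depth, height, width, in_channels, out_channels]
RANK = 5


class Conv3DShapeError(ValueError):
    """Shapes that must not be handed to the Conv3D kernel."""


def check_conv3d_shapes(input_shape, filter_shape):
    """Validate caller-supplied shapes; return out_channels if they are safe."""
    for name, shape in (("input", input_shape), ("filter", filter_shape)):
        if len(shape) != RANK:
            raise Conv3DShapeError(f"{name} must be rank {RANK}, got {len(shape)}")
        if not all(type(d) is int and d >= 0 for d in shape):
            raise Conv3DShapeError(f"{name} has a non-integer or negative dimension")
    # Reject every zero filter dimension BEFORE any arithmetic uses one as a
    # divisor; this covers the zero fifth element named in the description.
    zero_axes = [i for i, d in enumerate(filter_shape) if d == 0]
    if zero_axes:
        raise Conv3DShapeError(f"filter has zero-sized axes {zero_axes}")
    # Assumption: channel compatibility is a divisibility test, standing in
    # for the modulo the description mentions. Safe now: divisor is non-zero.
    if input_shape[4] % filter_shape[3] != 0:
        raise Conv3DShapeError("input channels not divisible by filter in_channels")
    return filter_shape[4]


def screen_requests(requests):
    """Split {name: (input_shape, filter_shape)} into accepted and rejected names."""
    accepted, rejected = [], {}
    for name, (input_shape, filter_shape) in requests.items():
        try:
            check_conv3d_shapes(input_shape, filter_shape)
            accepted.append(name)
        except Conv3DShapeError as err:
            rejected[name] = str(err)
    return accepted, rejected


# Constructed sample shapes, not taken from the advisory.
SAMPLES = {
    "valid": ([1, 8, 8, 8, 3], [2, 2, 2, 3, 4]),
    "zero_fifth": ([1, 8, 8, 8, 3], [2, 2, 2, 3, 0]),
    "bad_rank": ([1, 8, 8, 3], [2, 2, 2, 3, 4]),
    "channel_mismatch": ([1, 8, 8, 8, 3], [2, 2, 2, 2, 4]),
}
```

Running the guard in the serving layer turns malformed shapes into a rejected request instead of a process crash.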
Weakness Enumeration: Divide By Zero
Affected Products: Tensorflow