CVE-2021-29543

Name of the Vulnerable Software and Affected Versions TensorFlow versions prior to 2.5.0 TensorFlow version 2.4.2 TensorFlow version 2.3.3 TensorFlow version 2.2.3 TensorFlow version 2.1.4

Description An attacker can trigger a denial of service via a CHECK-fail in tf.raw ops.CTCGreedyDecoder. This is because the implementation has a CHECK LT inserted to validate some invariants. When this condition is false, the program aborts, instead of returning a valid error to the user. This abnormal termination can be weaponized in denial of service attacks.

Recommendations For TensorFlow versions prior to 2.5.0, update to version 2.5.0 or later. For TensorFlow version 2.4.2, apply the patch from GitHub commit ea3b43e98c32c97b35d52b4c66f9107452ca8fb2. For TensorFlow version 2.3.3, apply the patch from GitHub commit ea3b43e98c32c97b35d52b4c66f9107452ca8fb2. For TensorFlow version 2.2.3, apply the patch from GitHub commit ea3b43e98c32c97b35d52b4c66f9107452ca8fb2. For TensorFlow version 2.1.4, apply the patch from GitHub commit ea3b43e98c32c97b35d52b4c66f9107452ca8fb2. As a temporary workaround, consider avoiding the use of tf.raw ops.CTCGreedyDecoder until a patch is applied.