CVE-2021-29567

Name of the Vulnerable Software and Affected Versions TensorFlow versions prior to 2.5.0 TensorFlow versions 2.4.2 and earlier TensorFlow versions 2.3.3 and earlier TensorFlow versions 2.2.3 and earlier TensorFlow versions 2.1.4 and earlier

Description The issue is due to a lack of validation in tf.raw ops.SparseDenseCwiseMul, allowing an attacker to trigger denial of service via CHECK-fails or accesses to outside the bounds of heap allocated data. This can be achieved by abusing the lack of constraints between dimensions in the input arguments, which can trigger internal CHECK assertions or write to memory outside of bounds of heap allocated tensor buffers.

Recommendations For versions prior to 2.5.0, update to TensorFlow 2.5.0 or later. For versions 2.4.2 and earlier, update to TensorFlow 2.4.2 or later. For versions 2.3.3 and earlier, update to TensorFlow 2.3.3 or later. For versions 2.2.3 and earlier, update to TensorFlow 2.2.3 or later. For versions 2.1.4 and earlier, update to TensorFlow 2.1.4 or later. As a temporary workaround, consider restricting the use of tf.raw ops.SparseDenseCwiseMul until a patch is available.