PT-2021-21793 · Google · Tensorflow
Yakun Zhang
·
Published
2021-08-12
·
Updated
2024-03-06
·
CVE-2021-37675
CVSS v4.0
6.8
Medium
| Vector | AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
TensorFlow versions prior to 2.6.0
TensorFlow version 2.5.1
TensorFlow version 2.4.3
TensorFlow version 2.3.4
Description
The issue is related to a division by 0 vulnerability in most implementations of convolution operators in TensorFlow, where an attacker can trigger a denial of service via a crash. The shape inference implementation is missing several validations before doing divisions and modulo operations.
Recommendations
For TensorFlow versions prior to 2.6.0, update to version 2.6.0 or later.
For TensorFlow version 2.5.1, apply the patch from GitHub commit 8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4.
For TensorFlow version 2.4.3, apply the patch from GitHub commit 8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4.
For TensorFlow version 2.3.4, apply the patch from GitHub commit 8a793b5d7f59e37ac7f3cd0954a750a2fe76bad4.
Fix
Divide By Zero
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Tensorflow