CVE-2022-21731

Name of the Vulnerable Software and Affected Versions TensorFlow versions prior to 2.8.0 TensorFlow versions 2.7.1 and earlier TensorFlow versions 2.6.3 and earlier TensorFlow versions 2.5.3 and earlier

Description The implementation of shape inference for ConcatV2 can be used to trigger a denial of service attack via a segfault caused by a type confusion. The axis argument is translated into concat dim in the ConcatShapeHelper helper function. Then, a value for min rank is computed based on concat dim. This is then used to validate that the values tensor has at least the required rank. However, WithRankAtLeast receives the lower bound as a 64-bits value and then compares it against the maximum 32-bits integer value that could be represented. Due to the fact that min rank is a 32-bits value and the value of axis, the rank argument is a negative value, so the error check is bypassed.

Recommendations For TensorFlow versions prior to 2.8.0, update to version 2.8.0 or later to resolve the issue. For TensorFlow versions 2.7.1 and earlier, update to version 2.7.1 or later to resolve the issue. For TensorFlow versions 2.6.3 and earlier, update to version 2.6.3 or later to resolve the issue. For TensorFlow versions 2.5.3 and earlier, update to version 2.5.3 or later to resolve the issue. As a temporary workaround, consider restricting the use of the ConcatV2 function until a patch is available.