PT-2022-15077 · Google · Tensorflow

Faysal Hossain Shezan · Published 2022-02-03 · Updated 2024-03-06 · CVE-2022-21737

CVSS v4.0

7.1

High

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: TensorFlow 2.7.0 (fixed in 2.7.1); TensorFlow 2.6.0 through 2.6.2 (fixed in 2.6.3); TensorFlow 2.5.2 and all earlier releases (fixed in 2.5.3). Every affected release predates 2.8.0, the first mainline release that contains the fix.
Description: The implementation of the *Bincount operations in TensorFlow (Bincount, DenseBincount, SparseBincount and RaggedBincount) allows a user who can run these ops to cause a denial of service by passing arguments that trigger a CHECK failure. The input arguments must satisfy several shape and value conditions; some of them are not enforced during shape inference and others are not enforced in the kernel implementation, so malformed arguments reach the point where the output tensors are allocated and fail a CHECK there. A CHECK failure aborts the whole process rather than returning an error status to the caller, so a single malformed request takes down the serving or training process hosting the graph. Because a model file is effectively code, the ops can also be reached by loading an untrusted model that embeds the malformed constants.
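The "conditions" the description refers to are constraints on the ranks, shapes and values of the op's arguments. The following example is added here as an illustration and is not TensorFlow's code; the list of conditions it enforces (rank-1 or rank-2 input, scalar non-negative size, weights empty or shaped like the input, non-negative values) is an assumption drawn from the documented semantics of tf.math.bincount, not copied from the fix commit. It shows the difference that matters for this advisory: validating every argument up front and raising an error the caller can catch, versus letting malformed arguments reach allocation where a CHECK aborts the process.

```python
"""Reference DenseBincount with up-front argument validation.

Added illustration, not TensorFlow code. The validation conditions are an
assumption based on the documented semantics of tf.math.bincount.
"""
import numpy as np


class BincountArgError(ValueError):
    """Malformed *Bincount arguments. Raising a catchable error keeps the
    process alive; a CHECK failure inside a kernel aborts it (SIGABRT)."""


def validate_dense_bincount(arr, size, weights=None):
    """Reject malformed arguments before any output tensor is allocated.

    Assumed conditions:
      * input is rank 1 or rank 2
      * size is a scalar, non-negative integer
      * weights is empty or has exactly the input's shape
      * input values are non-negative (values >= size are dropped, not an error)
    """
    arr = np.asarray(arr)
    size = np.asarray(size)
    if arr.ndim not in (1, 2):
        raise BincountArgError(f"input must be rank 1 or 2, got rank {arr.ndim}")
    if size.ndim != 0:
        raise BincountArgError(f"size must be a scalar, got rank {size.ndim}")
    size_val = int(size)
    if size_val < 0:
        raise BincountArgError(f"size must be non-negative, got {size_val}")
    if weights is not None:
        weights = np.asarray(weights)
        if weights.size != 0 and weights.shape != arr.shape:
            raise BincountArgError(
                f"weights shape {weights.shape} must match input shape {arr.shape}")
    if arr.size and arr.min() < 0:
        raise BincountArgError("input values must be non-negative")
    return arr, size_val, weights


def dense_bincount(arr, size, weights=None, binary_output=False):
    """Per-row histogram of `arr` with `size` bins, optionally weighted."""
    arr, size, weights = validate_dense_bincount(arr, size, weights)
    rows = arr.reshape(1, -1) if arr.ndim == 1 else arr
    w = None
    if weights is not None and weights.size != 0:
        w = weights.reshape(rows.shape)
    out = np.zeros((rows.shape[0], size),
                   dtype=np.float64 if w is not None else np.int64)
    for i, row in enumerate(rows):
        for j, v in enumerate(row):
            if v >= size:          # out-of-range values are dropped
                continue
            if binary_output:
                out[i, v] = 1
            else:
                out[i, v] += w[i, j] if w is not None else 1
    return out[0] if arr.ndim == 1 else out


def is_rejected(arr, size, weights=None):
    """True if validation stops the arguments before they reach allocation."""
    try:
        validate_dense_bincount(arr, size, weights)
    except BincountArgError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs, well-formed:
    print(dense_bincount([1, 1, 3], 5))
    print(dense_bincount([[0, 2], [2, 2]], 3, weights=[[1.0, 0.5], [2.0, 2.0]]))
    # Constructed malformed argument sets of the kind the advisory describes:
    # shapes that shape inference did not reject and the kernel did not check.
    print(is_rejected([1, 2], size=[5]))                # size is not a scalar
    print(is_rejected([1, 2], size=-1))                 # negative size
    print(is_rejected([1, 2], size=4, weights=[1.0]))   # weights shape mismatch
    print(is_rejected([[[1]]], size=4))                 # rank-3 input
```

In a TensorFlow kernel the equivalent of `validate_dense_bincount` is a set of OP_REQUIRES checks that return an InvalidArgument status instead of hitting a CHECK; that is the shape of the upstream fix, whatever its exact condition list. Validating in the Python caller is not a substitute for the patched kernel, because a graph or SavedModel can feed the op directly.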
Recommendations: Update to TensorFlow 2.8.0 or later. If you must stay on a maintenance branch, update to 2.7.1, 2.6.3 or 2.5.3, which carry the cherry-picked fix; the 2.7.0, 2.6.0 to 2.6.2 and pre-2.5.3 releases remain vulnerable. Where upgrading is not immediately possible, do not let attacker-controlled tensors or untrusted model files reach the *Bincount operations. This is a stopgap only, since the fix is already published and the ops can be invoked from any loaded graph.

Weakness Enumeration

Improper Check for Exceptional Conditions

Assertion Failure

Related Identifiers

BIT-TENSORFLOW-2022-21737
CVE-2022-21737
GHSA-F2VV-V9CG-QHH7
OPENSUSE-SU-2024:12116-1
PYSEC-2022-116
PYSEC-2022-61

Affected Products

Tensorflow