PT-2022-17890 · Systemd · Systemd

Arnab Phani · Published 2022-06-27 · Updated 2022-10-29 · CVE-2022-26477

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: SystemDS versions prior to 2.2.1

Description: The termination condition of the for loop in the readExternal method is a controllable variable; if it is tampered with, the loop may run far longer than intended and exhaust CPU. SystemDS is a distributed system and must serialize and deserialize data, but on many code paths the byte stream is protected by additional CRC fingerprints. The number of decoders is upper-bounded by twice the number of columns, which means an attacker would need to modify two entries in the byte stream in a consistent manner.

Recommendations: For versions prior to 2.2.1, update to a version higher than 2.2.1 to apply the fix, which adds an upper bound and a termination condition to the read and write logic and improves robustness with almost zero overhead.
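The following is an added illustration of the weakness class described above, not code from SystemDS or from this advisory. It uses a hypothetical stream layout (number of columns, number of decoders, then one int per decoder) to contrast a read loop whose bound is taken directly from the stream with one that enforces the "at most twice the number of columns" invariant before allocating or looping. The method names, the layout and the tampered sample bytes are all constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInput;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.ByteBuffer;

public class BoundedDecoderRead {

    // Hypothetical layout: [numColumns:int][numDecoders:int][decoderType:int] * numDecoders
    static byte[] write(int numColumns, int[] decoderTypes) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeInt(numColumns);
        out.writeInt(decoderTypes.length);
        for (int t : decoderTypes) out.writeInt(t);
        out.flush();
        return bos.toByteArray();
    }

    // Vulnerable shape: the loop bound is whatever the stream says it is.
    // Both the allocation and the loop scale with a value the sender controls.
    static int[] readUnbounded(DataInput in) throws IOException {
        int numColumns = in.readInt();
        int numDecoders = in.readInt();
        int[] decoders = new int[numDecoders];
        for (int i = 0; i < numDecoders; i++) decoders[i] = in.readInt();
        return decoders;
    }

    // Hardened shape: reject the record before doing any work proportional to numDecoders.
    // The comparison is done in long arithmetic so 2 * numColumns cannot overflow.
    static int[] readBounded(DataInput in) throws IOException {
        int numColumns = in.readInt();
        int numDecoders = in.readInt();
        if (numColumns < 0 || numDecoders < 0 || numDecoders > 2L * numColumns) {
            throw new IOException("invalid decoder count " + numDecoders
                    + " for " + numColumns + " columns");
        }
        int[] decoders = new int[numDecoders];
        for (int i = 0; i < numDecoders; i++) decoders[i] = in.readInt();
        return decoders;
    }

    public static void main(String[] args) throws IOException {
        byte[] clean = write(3, new int[] {1, 2, 1});

        // Constructed tampering: overwrite the numDecoders field (bytes 4..7) with a huge value,
        // leaving numColumns untouched so the two fields are no longer consistent.
        byte[] tampered = clean.clone();
        ByteBuffer.wrap(tampered).putInt(4, Integer.MAX_VALUE);

        int[] ok = readBounded(new DataInputStream(new ByteArrayInputStream(clean)));
        System.out.println("clean stream accepted: " + ok.length + " decoders");

        try {
            readBounded(new DataInputStream(new ByteArrayInputStream(tampered)));
        } catch (IOException e) {
            System.out.println("tampered stream rejected: " + e.getMessage());
        }
    }
}
```

The check in readBounded is the cheap invariant the advisory's fix describes: it costs two comparisons per record, and it turns a tampered count into an immediate IOException rather than a long-running loop. A defender reviewing deserialization code can look for the unbounded pattern (a loop or array size taken straight from a readInt with no sanity check) wherever Externalizable or custom binary formats are read.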

Fix

Weakness Enumeration: Resource Exhaustion

Related Identifiers: CVE-2022-26477, GHSA-M43H-HFRQ-X8WX, PYSEC-2022-222

Affected Products: Systemd