PT-2022-23102 · Google · Tensorflow

刘力源 · Published 2022-09-16 · Updated 2024-03-06 · CVE-2022-36003

CVSS v3.1: 5.9 Medium
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

TensorFlow versions prior to 2.10.0
TensorFlow versions 2.9.1 and earlier
TensorFlow versions 2.8.1 and earlier
TensorFlow versions 2.7.2 and earlier

Description

The issue occurs when RandomPoissonV2 receives a large input shape and large rates, resulting in a CHECK failure that can be used to trigger a denial of service attack. For example, when arg 0 is set to a large shape and arg 1 is set to a large rate, the tf.raw_ops.RandomPoissonV2 function can fail and cause a denial of service.

Recommendations

For TensorFlow versions prior to 2.10.0, update to TensorFlow 2.10.0 or later.
For TensorFlow versions 2.9.1 and earlier, update to TensorFlow 2.9.1 or later.
For TensorFlow versions 2.8.1 and earlier, update to TensorFlow 2.8.1 or later.
For TensorFlow versions 2.7.2 and earlier, update to TensorFlow 2.7.2 or later.

As a temporary workaround, consider restricting the input shape and rates to RandomPoissonV2 to prevent large values from causing a denial of service attack.
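
One way to apply the temporary workaround above, as an added example (not code from this advisory or from TensorFlow): a guard that bounds the shape and rates before they reach tf.raw_ops.RandomPoissonV2. The limits MAX_ELEMENTS, MAX_RATE and MAX_RANK and all helper names are assumptions; the advisory gives no thresholds, so tune them to the service's memory budget.

```python
import math

# Assumed limits and illustrative helper names (none come from the advisory).
MAX_ELEMENTS = 10_000_000   # upper bound on samples produced by one call
MAX_RATE = 1e9              # upper bound on any single Poisson rate
MAX_RANK = 8                # upper bound on the number of shape dimensions


def _flatten(value):
    """Yield the scalar leaves of a nested list/tuple (or a lone scalar)."""
    if isinstance(value, (list, tuple)):
        for item in value:
            yield from _flatten(item)
    else:
        yield value


def validate_poisson_args(shape, rate):
    """Return the output element count, or raise ValueError if out of bounds.

    The op's output has shape `shape + rate.shape`, so the element count is
    prod(shape) * number_of_rates. Python ints are arbitrary precision, so
    the product cannot wrap the way a fixed-width product can.
    """
    dims = list(shape)
    if len(dims) > MAX_RANK:
        raise ValueError(f"shape rank {len(dims)} exceeds {MAX_RANK}")
    for d in dims:
        if isinstance(d, bool) or not isinstance(d, int) or d < 0:
            raise ValueError(f"shape dimension {d!r} is not a non-negative int")
    rates = list(_flatten(rate))
    for r in rates:
        if isinstance(r, bool) or not isinstance(r, (int, float)):
            raise ValueError(f"rate {r!r} is not a real number")
        if r < 0 or r > MAX_RATE or not math.isfinite(r):
            raise ValueError(f"rate {r!r} outside [0, {MAX_RATE}]")
    total = math.prod(dims) * len(rates)
    if total > MAX_ELEMENTS:
        raise ValueError(f"{total} output elements exceeds {MAX_ELEMENTS}")
    return total


def guarded_random_poisson(shape, rate, seed=0, seed2=0):
    """Validate first, then call the raw op (TensorFlow imported lazily)."""
    validate_poisson_args(shape, rate)
    import tensorflow as tf
    return tf.raw_ops.RandomPoissonV2(shape=shape, rate=rate, seed=seed, seed2=seed2)
```

Run the guard at the trust boundary where shape and rate arrive from callers; it complements upgrading and does not replace it.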

Exploit

Fix

Assertion Failure

Weakness Enumeration

Related Identifiers

BIT-TENSORFLOW-2022-36003
CVE-2022-36003
GHSA-CV2P-32V3-VHWQ
OPENSUSE-SU-2024:12355-1

Affected Products

Tensorflow