PT-2023-32975 · Unknown+1 · Torchserve+1
Published
2023-10-02
·
Updated
2023-10-02
CVSS v3.1
9.9
Critical
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
TorchServe versions 0.3.0 through 0.8.1
Description
The issue is related to the use of a vulnerable version of the SnakeYAML open source library, which potentially exposes users to unsafe deserialization of Java objects. This could allow third parties to execute arbitrary code on the target system.
Recommendations
For TorchServe versions 0.3.0 through 0.8.1, update to TorchServe release 0.8.2, which includes fixes to address the issue. Users can use the following new image tags to pull DLCs that ship with the patched TorchServe version 0.8.2:
- For x86 GPU: v1.9-pt-ec2-2.0.1-inf-gpu-py310 or v1.8-pt-sagemaker-2.0.1-inf-gpu-py310
- For x86 CPU: v1.8-pt-ec2-2.0.1-inf-cpu-py310 or v1.7-pt-sagemaker-2.0.1-inf-cpu-py310
- For Graviton: v1.7-pt-graviton-ec2-2.0.1-inf-cpu-py310 or v1.5-pt-graviton-sagemaker-2.0.1-inf-cpu-py310
- For Neuron: 1.13.1-neuron-py310-sdk2.13.2-ubuntu20.04, 1.13.1-neuronx-py310-sdk2.13.2-ubuntu20.04, or 1.13.1-neuronx-py310-sdk2.13.2-ubuntu20.04
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Snakeyaml
Torchserve