CVE-2022-23569: `CHECK`-fails when building invalid tensor shapes in Tensorflow
First published: Thu Feb 03 2022(Updated: )
### Impact Multiple operations in TensorFlow can be used to trigger a denial of service via `CHECK`-fails (i.e., assertion failures). This is similar to [TFSA-2021-198](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-198.md) (CVE-2021-41197) and has similar fixes. ### Patches We have patched the reported issues in multiple GitHub commits. It is possible that other similar instances exist in TensorFlow, we will issue fixes as these are discovered. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range. ### For more information Please consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. ### Attribution This vulnerability has been reported by Faysal Hossain Shezan from University of Virginia.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/tensorflow-gpu | =2.7.0 | 2.7.1 |
| pip/tensorflow-gpu | >=2.6.0<2.6.3 | 2.6.3 |
| pip/tensorflow-gpu | <2.5.3 | 2.5.3 |
| pip/tensorflow-cpu | =2.7.0 | 2.7.1 |
| pip/tensorflow-cpu | >=2.6.0<2.6.3 | 2.6.3 |
| pip/tensorflow-cpu | <2.5.3 | 2.5.3 |
| pip/tensorflow | =2.7.0 | 2.7.1 |
| pip/tensorflow | >=2.6.0<2.6.3 | 2.6.3 |
| pip/tensorflow | <2.5.3 | 2.5.3 |
| TensorFlow Keras | <=2.5.2 | |
| TensorFlow Keras | >=2.6.0<=2.6.2 | |
| TensorFlow Keras | =2.7.0 |
Remedy
https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-198.md
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-198.md
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-qj5r-f9mv-rffh
- https://nvd.nist.gov/vuln/detail/CVE-2022-23569
- https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-78.yaml
- https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-133.yaml
- https://github.com/advisories/GHSA-qj5r-f9mv-rffh (Advisory)
Frequently Asked Questions
What is the severity of CVE-2022-23569?
CVE-2022-23569 has been classified as a denial of service vulnerability.
How do I fix CVE-2022-23569?
To mitigate CVE-2022-23569, upgrade TensorFlow to version 2.7.1 or newer.
What versions of TensorFlow are affected by CVE-2022-23569?
CVE-2022-23569 affects TensorFlow versions up to 2.7.0 inclusive.
What is the impact of CVE-2022-23569?
The vulnerability can lead to denial of service by triggering assertion failures in multiple TensorFlow operations.
Is there any workaround for CVE-2022-23569?
There are no documented workarounds for CVE-2022-23569, so upgrading is the recommended action.
- agent/type
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/title
- agent/severity
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-qj5r-f9mv-rffh
- alias/CVE-2022-23569
- agent/software-canonical-lookup
- agent/references
- agent/last-modified-date
- agent/description
- agent/softwarecombine
- agent/event
- agent/author
- collector/github-advisory
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/pip
- vendor/google
- canonical/tensorflow keras
- version/tensorflow keras/2.5.2
- version/tensorflow keras/2.6.0
- version/tensorflow keras/2.6.2
- version/tensorflow keras/2.7.0