CVE-2022-23583: `CHECK`-failures in binary ops in Tensorflow
First published: Fri Feb 04 2022(Updated: )
### Impact A malicious user can cause a denial of service by altering a `SavedModel` such that [any binary op](https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/kernels/cwise_ops_common.h#L88-L137) would trigger `CHECK` failures. This occurs when the protobuf part corresponding to the tensor arguments is modified such that the `dtype` no longer matches the `dtype` expected by the op. In that case, calling the templated binary operator for the binary op would receive corrupted data, due to the type confusion involved: ```cc functor::BinaryFunctor<Device, Functor, 1>()( eigen_device, out->template flat<Tout>(), input_0.template flat<Tin>(), input_1.template flat<Tin>(), error_ptr); ``` If `Tin` and `Tout` don't match the type of data in `out` and `input_*` tensors then `flat<*>` would interpret it wrongly. In most cases, this would be a silent failure, but we have noticed scenarios where this results in a `CHECK` crash, hence a denial of service. ### Patches We have patched the issue in GitHub commit [a7c02f1a9bbc35473969618a09ee5f9f5d3e52d9](https://github.com/tensorflow/tensorflow/commit/a7c02f1a9bbc35473969618a09ee5f9f5d3e52d9). The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range. ### For more information Please consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Google TensorFlow | <=2.5.2 | |
| Google TensorFlow | >=2.6.0<=2.6.2 | |
| Google TensorFlow | =2.7.0 | |
| pip/tensorflow-gpu | =2.7.0 | 2.7.1 |
| pip/tensorflow-gpu | >=2.6.0<2.6.3 | 2.6.3 |
| pip/tensorflow-gpu | <2.5.3 | 2.5.3 |
| pip/tensorflow-cpu | =2.7.0 | 2.7.1 |
| pip/tensorflow-cpu | >=2.6.0<2.6.3 | 2.6.3 |
| pip/tensorflow-cpu | <2.5.3 | 2.5.3 |
| pip/tensorflow | =2.7.0 | 2.7.1 |
| pip/tensorflow | >=2.6.0<2.6.3 | 2.6.3 |
| pip/tensorflow | <2.5.3 | 2.5.3 |
| <=2.5.2 | ||
| >=2.6.0<=2.6.2 | ||
| =2.7.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/kernels/cwise_ops_common.h#L88-L137
- https://github.com/tensorflow/tensorflow/commit/a7c02f1a9bbc35473969618a09ee5f9f5d3e52d9
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-gjqc-q9g6-q2j3
- https://nvd.nist.gov/vuln/detail/CVE-2022-23583
- https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-92.yaml
- https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-147.yaml
- https://github.com/advisories/GHSA-gjqc-q9g6-q2j3 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2022-23583?
The severity of CVE-2022-23583 is classified as a denial of service risk due to potential crashes caused by malformed SavedModel changes.
How do I fix CVE-2022-23583?
To fix CVE-2022-23583, upgrade to TensorFlow version 2.5.3, 2.6.3, or 2.7.1 depending on your current version.
Which versions of TensorFlow are affected by CVE-2022-23583?
CVE-2022-23583 affects TensorFlow versions up to 2.5.2, versions 2.6.0 to 2.6.2, and version 2.7.0.
What type of attack does CVE-2022-23583 enable?
CVE-2022-23583 enables an attacker to perform a denial-of-service attack by triggering CHECK failures in TensorFlow.
Is there a workaround for CVE-2022-23583?
There is no specific workaround for CVE-2022-23583; the recommended approach is to upgrade to a secure version of TensorFlow.
- collector/nvd-index
- agent/type
- agent/weakness
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/severity
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-gjqc-q9g6-q2j3
- alias/CVE-2022-23583
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/references
- agent/description
- agent/author
- agent/softwarecombine
- agent/event
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- agent/trending
- agent/tags
- agent/source
- vendor/google
- canonical/google tensorflow
- version/google tensorflow/2.5.2
- version/google tensorflow/2.6.0
- version/google tensorflow/2.6.2
- version/google tensorflow/2.7.0
- package-manager/pip