Discover how the TensorFlow CVE-2021-29555 vulnerability exposes a division by 0 flaw in `FusedBatchNorm`, enabling denial of service attacks. Learn about the impact and mitigation steps.
TensorFlow, an open-source platform for machine learning, is impacted by CVE-2021-29555 due to a division by 0 vulnerability in `FusedBatchNorm`. An attacker can exploit this issue to cause a denial of service. Here's all you need to know about this CVE.
Understanding CVE-2021-29555
TensorFlow's vulnerability, CVE-2021-29555, stems from a division by 0 flaw in the `FusedBatchNorm` component, allowing attackers to launch denial-of-service attacks.
What is CVE-2021-29555?
CVE-2021-29555 is a vulnerability in TensorFlow that enables attackers to trigger a denial of service by exploiting a division by 0 error within the `FusedBatchNorm` operation.
The Impact of CVE-2021-29555
The impact of CVE-2021-29555 is rated as low severity. Exploitation requires low privileges, the attack vector is local, and the attack complexity is rated high. The confidentiality and integrity impacts are both none; the availability impact is low.
Technical Details of CVE-2021-29555
The vulnerability in TensorFlow's `FusedBatchNorm` operation arises from a division whose divisor is taken from the last dimension of the user-supplied `x` tensor. When that dimension is 0, the operation divides by zero, leading to a denial of service.
Vulnerability Description
The flaw allows attackers to exploit a division by 0 condition in `FusedBatchNorm`, triggering a denial-of-service scenario via the user-controlled last dimension of the `x` tensor.
Affected Systems and Versions
The affected versions are TensorFlow < 2.1.4; >= 2.2.0 and < 2.2.3; >= 2.3.0 and < 2.3.3; >= 2.4.0 and < 2.4.2.
Exploitation Mechanism
By manipulating the last dimension of the input tensor, attackers can induce a division by 0 error within the `FusedBatchNorm` implementation, resulting in denial-of-service conditions.
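The following is an added Python illustration, not TensorFlow's source code. It models the shape handling that the advisory describes: a batch-norm kernel reads the channel count ("depth") from the user-controlled input shape and uses it as a divisor when working out how many elements feed each channel's statistics. The function names, the `NHWC`/`NCHW` handling and the `rest_size` name are assumptions made for this example; the unguarded function shows the failure mode, and the guarded one shows the kind of input validation that prevents it.

```python
"""Simplified model of the FusedBatchNorm shape handling behind CVE-2021-29555.

Added illustration, not TensorFlow's code. Shapes are plain Python lists
such as [batch, height, width, depth]; tensor data is a flat row-major list.
"""
from math import prod


def channel_depth(x_shape, data_format="NHWC"):
    """Return the channel dimension of a rank-4 input as the op would read it.

    NHWC keeps channels last, NCHW keeps them second (assumed layouts that
    follow TensorFlow's conventional names; the handling here is illustrative).
    """
    if len(x_shape) != 4:
        raise ValueError(f"expected a rank-4 tensor, got rank {len(x_shape)}")
    return x_shape[3] if data_format == "NHWC" else x_shape[1]


def rest_size_unguarded(x_shape, data_format="NHWC"):
    """Vulnerable pattern: divide by depth without checking that it is non-zero.

    A shape such as [1, 2, 2, 0] has zero elements and zero channels, so the
    division raises ZeroDivisionError in Python. In a native kernel the same
    integer division by zero crashes the process, which is the denial of
    service the advisory describes.
    """
    depth = channel_depth(x_shape, data_format)
    num_elements = prod(x_shape)
    return num_elements // depth


def rest_size_guarded(x_shape, data_format="NHWC"):
    """Hardened pattern: reject an empty channel dimension before dividing.

    This mirrors the kind of shape validation a fix adds; TensorFlow's exact
    patch is not reproduced here.
    """
    depth = channel_depth(x_shape, data_format)
    if depth <= 0:
        raise ValueError(f"channel dimension must be positive, got {depth}")
    return prod(x_shape) // depth


def per_channel_mean(x_flat, x_shape):
    """Per-channel mean of a flat, row-major NHWC tensor.

    Makes concrete what the divisor is for: each of the `depth` channels
    averages over `rest_size` elements, and in row-major NHWC order the
    channel index cycles fastest through the flat data.
    """
    depth = channel_depth(x_shape, "NHWC")
    rest_size = rest_size_guarded(x_shape, "NHWC")
    if len(x_flat) != rest_size * depth:
        raise ValueError("flat data length does not match the shape")
    sums = [0.0] * depth
    for i, value in enumerate(x_flat):
        sums[i % depth] += value
    return [s / rest_size for s in sums]


def raises(exc_type, fn, *args):
    """Return True if fn(*args) raises exc_type; used to show the failure mode."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample input: a 1x2x2x2 tensor with two channels.
    print(per_channel_mean([1, 2, 3, 4, 5, 6, 7, 8], [1, 2, 2, 2]))
    # Empty channel dimension: the unguarded path divides by zero, the
    # guarded path rejects the input with a clear error instead.
    print(raises(ZeroDivisionError, rest_size_unguarded, [1, 2, 2, 0]))
    print(raises(ValueError, rest_size_guarded, [1, 2, 2, 0]))
```

The guarded check is the kind of precondition a kernel should enforce on every user-controlled dimension it later divides by; the same reasoning applies to the `NCHW` layout, where the channel count sits in the second dimension.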
Mitigation and Prevention
To safeguard against CVE-2021-29555:
Immediate Steps to Take
Long-Term Security Practices
Patching and Updates
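To check an installed TensorFlow against the affected ranges listed above, here is an added Python helper (not part of the advisory). The ranges are copied from the page; the parsing and the `installed_tensorflow_version` lookup via `importlib.metadata` are this example's own, and pre-release suffixes such as `rc1` are treated as the base version so that a release candidate inside an affected range is flagged rather than silently passed.

```python
"""Check a TensorFlow version string against the CVE-2021-29555 ranges.

Added helper; the ranges below are those stated in the advisory text.
Each entry is (inclusive lower bound or None, exclusive upper bound).
"""
from importlib.metadata import PackageNotFoundError, version as pkg_version

AFFECTED_RANGES = [
    (None, "2.1.4"),     # < 2.1.4
    ("2.2.0", "2.2.3"),  # >= 2.2.0, < 2.2.3
    ("2.3.0", "2.3.3"),  # >= 2.3.0, < 2.3.3
    ("2.4.0", "2.4.2"),  # >= 2.4.0, < 2.4.2
]


def parse_version(text):
    """Return (major, minor, patch) from a version string.

    Only the leading digits of each component are used, so "2.4.0rc1"
    becomes (2, 4, 0). That is deliberately conservative: a pre-release of
    an affected version is reported as affected.
    """
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version_text):
    """True if the version falls inside any of the advisory's ranges."""
    v = parse_version(version_text)
    for lower, upper in AFFECTED_RANGES:
        lower_ok = lower is None or parse_version(lower) <= v
        if lower_ok and v < parse_version(upper):
            return True
    return False


def installed_tensorflow_version():
    """Return the installed tensorflow version, or None if it is not installed."""
    try:
        return pkg_version("tensorflow")
    except PackageNotFoundError:
        return None


if __name__ == "__main__":
    found = installed_tensorflow_version()
    if found is None:
        print("tensorflow is not installed in this environment")
    else:
        state = "AFFECTED" if is_affected(found) else "not affected"
        print(f"tensorflow {found}: {state} by CVE-2021-29555")
```

The fixed releases are the exclusive upper bounds of each range (2.1.4, 2.2.3, 2.3.3 and 2.4.2), so upgrading to one of those or later takes an installation out of every affected range.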