CVE-2021-29613 : Security Advisory and Response

Learn about CVE-2021-29613 impacting TensorFlow versions < 2.1.4 to < 2.4.2. An out-of-bounds read vulnerability in `tf.raw_ops.CTCLoss` with a CVSS base score of 6.3.

TensorFlow is an open-source platform for machine learning. A vulnerability in `tf.raw_ops.CTCLoss` allows an attacker to trigger an out-of-bounds read from the heap. The impacted versions range from < 2.1.4 to < 2.4.2. It is classified with a CVSS base score of 6.3, indicating a medium severity issue.

Understanding CVE-2021-29613

This CVE involves incomplete validation in a specific TensorFlow operation, enabling a potential OOB read attack.

What is CVE-2021-29613?

CVE-2021-29613 is a vulnerability in TensorFlow that permits an attacker to conduct an out-of-bounds read due to inadequate validation in `tf.raw_ops.CTCLoss`.

The Impact of CVE-2021-29613

The vulnerability poses a medium-severity risk, with a CVSS base score of 6.3. An attacker exploiting this flaw could trigger an OOB read from the heap.

Technical Details of CVE-2021-29613

The vulnerability lies in incomplete validation within the `tf.raw_ops.CTCLoss` operation, affecting several versions of TensorFlow.

Vulnerability Description

Incomplete validation in `tf.raw_ops.CTCLoss` allows malicious actors to trigger an OOB read from the heap.

Affected Systems and Versions

The impacted versions of TensorFlow range from < 2.1.4 to < 2.4.2.

Exploitation Mechanism

An attacker can exploit this vulnerability by manipulating certain inputs to `tf.raw_ops.CTCLoss`, resulting in an out-of-bounds read.

Mitigation and Prevention

To address CVE-2021-29613, users are advised to take immediate steps and implement long-term security practices.

Immediate Steps to Take

- Upgrade TensorFlow to version 2.5.0, where the fix is included.
- Apply patches for versions 2.4.2, 2.3.3, 2.2.3, and 2.1.4, as the vulnerability affects these versions.

Long-Term Security Practices

- Regularly update TensorFlow to the latest versions to ensure vulnerabilities are patched promptly.

Patching and Updates

Stay informed about security advisories and apply relevant patches to keep your TensorFlow installation secure.
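
As an added example (not part of the original advisory or of TensorFlow itself), the following Python script audits a requirements file against the fixed releases listed under "Immediate Steps to Take". The function names, the constructed sample file, and the decision to check the `tensorflow-cpu` and `tensorflow-gpu` package names the same way are assumptions; anything not pinned to an exact `X.Y.Z` version is reported as `unpinned` for manual review.

```python
import re

# First patched release on each branch, as listed in the advisory above.
FIXED_BY_BRANCH = {(2, 1): (2, 1, 4), (2, 2): (2, 2, 3),
                   (2, 3): (2, 3, 3), (2, 4): (2, 4, 2)}
FIRST_FIXED_BRANCH = (2, 5)  # 2.5.0 includes the fix

# Assumption: the CPU/GPU wheels are audited like the main package.
# The lookahead skips other packages such as tensorflow-estimator.
NAME_RE = re.compile(r"tensorflow(-cpu|-gpu)?(?![\w-])", re.IGNORECASE)
PIN_RE = re.compile(r"tensorflow(?:-cpu|-gpu)?\s*==\s*(\d+)\.(\d+)\.(\d+)",
                    re.IGNORECASE)

def classify(version):
    """Return 'fixed' or 'affected' for a (major, minor, patch) tuple."""
    branch = version[:2]
    if branch >= FIRST_FIXED_BRANCH:
        return "fixed"
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return "affected"  # older than 2.1; the advisory lists no patched release
    return "fixed" if version >= fixed else "affected"

def audit_requirements(text):
    """Return (line number, requirement, status) for each TensorFlow entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # Drop comments and environment markers before matching.
        spec = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not NAME_RE.match(spec):
            continue
        pin = PIN_RE.fullmatch(spec)
        if pin is None:
            findings.append((lineno, spec, "unpinned"))  # range, extras, pre-release
        else:
            version = tuple(int(part) for part in pin.groups())
            findings.append((lineno, spec, classify(version)))
    return findings

# Constructed sample input, not taken from any real project.
SAMPLE = """\
# constructed sample requirements file
numpy==1.19.5
tensorflow==2.4.1
tensorflow-gpu==2.3.3  # patched on the 2.3 branch
tensorflow-estimator==2.4.0
tensorflow-cpu>=2.1
tensorflow==2.0.4
tensorflow==2.5.0
"""

if __name__ == "__main__":
    for lineno, spec, status in audit_requirements(SAMPLE):
        print(f"line {lineno}: {spec:<24} {status}")
```
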
