Learn about CVE-2021-29618, a vulnerability in TensorFlow where passing a complex argument to `tf.transpose` with `conjugate=True` causes a crash. Impact rated LOW. Find out affected versions and mitigation steps.
TensorFlow is an open-source machine learning platform. Passing a complex argument to `tf.transpose` together with `conjugate=True` leads to a crash. The affected versions are TensorFlow < 2.1.4; >= 2.2.0, < 2.2.3; >= 2.3.0, < 2.3.3; and >= 2.4.0, < 2.4.2. The impact is rated as LOW.
Understanding CVE-2021-29618
This section provides insights into the vulnerability found in TensorFlow.
What is CVE-2021-29618?
CVE-2021-29618 involves a vulnerability in TensorFlow where passing specific arguments together results in a crash.
The Impact of CVE-2021-29618
The impact of this vulnerability is considered LOW, affecting versions within specific ranges of TensorFlow.
Technical Details of CVE-2021-29618
Below are the technical details related to this vulnerability.
Vulnerability Description
The vulnerability arises from passing a complex argument to `tf.transpose` concurrently with `conjugate=True`.
Affected Systems and Versions
The affected versions are TensorFlow < 2.1.4; >= 2.2.0, < 2.2.3; >= 2.3.0, < 2.3.3; and >= 2.4.0, < 2.4.2.
Exploitation Mechanism
The crash occurs when both conditions are met in the same call: the argument passed to `tf.transpose` is complex and `conjugate=True` is set.
Mitigation and Prevention
To address CVE-2021-29618, consider the following mitigation strategies.
Immediate Steps to Take
Users should update TensorFlow to versions where the fix has been included, such as TensorFlow 2.5.0 or the cherry-picked commits in TensorFlow 2.4.2, 2.3.3, 2.2.3, and 2.1.4.
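To find which pinned installs need that update, the affected ranges listed on this page can be checked mechanically. The following is an added example, not code from TensorFlow or from the advisory; the function names, the handling of pre-release suffixes, and the inclusion of the `tensorflow-cpu`/`tensorflow-gpu` package names are assumptions, and the sample pins are constructed.

```python
import re

# Affected ranges from this page: (inclusive lower bound or None, exclusive upper bound).
AFFECTED_RANGES = [(None, (2, 1, 4)), ((2, 2, 0), (2, 2, 3)),
                   ((2, 3, 0), (2, 3, 3)), ((2, 4, 0), (2, 4, 2))]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")
# Assumption: the -cpu/-gpu PyPI builds share the main package's version numbers.
_PIN_RE = re.compile(r"^(tensorflow(?:-cpu|-gpu)?)==([^\s;#]+)", re.IGNORECASE)

def parse_version(text):
    """Return ((major, minor, patch), is_final); raise ValueError if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    release = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    suffix = m.group(4)
    # Assumption: a suffix such as rc0 or .dev1 marks a pre-release; a local
    # build tag (+cpu) or .postN does not.
    is_final = suffix == "" or suffix.startswith(("+", ".post"))
    return release, is_final

def is_affected(version_text):
    """True if the version falls inside any affected range listed on the page."""
    release, is_final = parse_version(version_text)
    for lower, upper in AFFECTED_RANGES:
        if lower is not None and release < lower:
            continue
        # A pre-release of a fixed version sorts before that version, so it is
        # conservatively reported as affected.
        if (release, is_final) < (upper, True):
            return True
    return False

def audit_pins(lines):
    """Return [(package, version, affected)] for exact TensorFlow pins."""
    findings = []
    for line in lines:
        m = _PIN_RE.match(line.strip())
        if m:
            findings.append((m.group(1).lower(), m.group(2), is_affected(m.group(2))))
    return findings

# Constructed sample input, not taken from any real project.
SAMPLE_PINS = ["numpy==1.19.5", "tensorflow==2.4.1", "tensorflow-cpu==2.3.3",
               "tensorflow==2.4.2rc0  # release candidate", "tensorflow==2.5.0"]

if __name__ == "__main__":
    for pkg, ver, bad in audit_pins(SAMPLE_PINS):
        print(f"{pkg}=={ver}: {'AFFECTED, update' if bad else 'not in an affected range'}")
```

Only exact `==` pins are evaluated; range specifiers such as `>=2.3` need to be resolved to the installed version first.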
Long-Term Security Practices
Implement secure coding practices and stay informed about TensorFlow's security updates to prevent future vulnerabilities.
Patching and Updates
Regularly update TensorFlow to the latest versions where the vulnerability has been fixed to ensure system security.