Learn about CVE-2021-37650, a TensorFlow vulnerability that causes a heap buffer overflow and segmentation fault. Mitigation steps and long-term security practices are provided.
TensorFlow is an open-source platform for machine learning. This CVE affects versions >= 2.3.4 and < 2.5.1, triggering a heap buffer overflow and segmentation fault in tf.raw_ops.ExperimentalDatasetToTFRecord and tf.raw_ops.DatasetToTFRecord.
Understanding CVE-2021-37650
This CVE in TensorFlow has a high impact on the confidentiality, integrity, and availability of affected systems.
What is CVE-2021-37650?
In TensorFlow versions >= 2.3.4 and < 2.5.1, a heap buffer overflow and segmentation fault can occur because the implementation makes incorrect assumptions about the data it processes.
The Impact of CVE-2021-37650
The vulnerability is rated high severity: it impacts the confidentiality, integrity, and availability of the system, and only low privileges are required to exploit it.
Technical Details of CVE-2021-37650
This section explains the specific details of the vulnerability.
Vulnerability Description
The issue stems from incorrect assumptions in the implementation of the two affected TensorFlow functions, leading to a heap buffer overflow and segmentation fault.
Affected Systems and Versions
Versions >= 2.3.4 and < 2.5.1 of TensorFlow are affected by this vulnerability.
Exploitation Mechanism
The vulnerability is exploitable locally with low attack complexity and has a high availability impact.
Mitigation and Prevention
To secure systems from CVE-2021-37650, immediate actions and long-term security practices are essential.
Immediate Steps to Take
Users should update TensorFlow to version 2.5.1 or apply the provided patch to mitigate the vulnerability.
Long-Term Security Practices
Implement strict input validation and regularly update TensorFlow to prevent similar security flaws.
Patching and Updates
GitHub commit e0b6e58c328059829c3eb968136f17aa72b6c876 resolves the issue and is included in TensorFlow 2.6.0. The fix is also backported to TensorFlow 2.5.1, 2.4.3, and 2.3.4 for supported versions.
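An added example, not from this page or the TensorFlow project: a small Python helper that classifies an installed TensorFlow version against the fixed releases listed above (2.3.4, 2.4.3, 2.5.1 and 2.6.0), the way a dependency-audit script would. It assumes that branches older than 2.3 have no listed backport and reports them as needing an upgrade, and that a pre-release build (rc, dev, nightly suffix) of a fixing release does not yet carry the fix.

```python
import re

# Fixed release per branch, as listed under "Patching and Updates" on this page.
# Versions on these branches below the listed patch level are treated as affected.
FIXED_BY_BRANCH = {
    (2, 3): (2, 3, 4),
    (2, 4): (2, 4, 3),
    (2, 5): (2, 5, 1),
}
# The fixing commit ships in every release from 2.6.0 onwards.
FIRST_FIXED_RELEASE = (2, 6, 0)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")


def parse_version(text):
    """Split '2.5.1', '2.5.1rc0' or '2.6.0-dev20210707' into ((major, minor, patch), suffix)."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised TensorFlow version string: {text!r}")
    numeric = (int(match.group(1)), int(match.group(2)), int(match.group(3)))
    return numeric, match.group(4)


def fix_status(text):
    """Classify a version string against the page's fixed releases.

    Returns (status, target) where status is 'patched', 'unpatched' or
    'no-backport' (assumption: branches without a listed backport need an
    upgrade to 2.6.0) and target is the release that carries the fix.
    """
    version, suffix = parse_version(text)
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        fixed = FIXED_BY_BRANCH[branch]
    elif version >= FIRST_FIXED_RELEASE:
        fixed = FIRST_FIXED_RELEASE
    else:
        return "no-backport", FIRST_FIXED_RELEASE
    # A pre-release of exactly the fixing version is treated as unpatched (assumption).
    if version > fixed or (version == fixed and suffix == ""):
        return "patched", fixed
    return "unpatched", fixed


if __name__ == "__main__":
    # Constructed sample inputs, e.g. as collected from `pip show tensorflow` across hosts.
    for sample in ("2.3.0", "2.4.3", "2.5.0", "2.5.1rc0", "2.6.0-dev20210707", "2.7.0"):
        status, target = fix_status(sample)
        print(f"{sample:20} {status:12} fixed in {'.'.join(map(str, target))}")
```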