CVE-2021-37668 : Security Advisory and Response

Learn about CVE-2021-37668, a TensorFlow vulnerability allowing an attacker to cause denial of service through division by zero in `tf.raw_ops.UnravelIndex`. Understand the impact, affected versions, and mitigation steps.

TensorFlow is an end-to-end open source platform for machine learning. In affected versions, an attacker can cause denial of service by triggering a division by 0 in applications serving models using `tf.raw_ops.UnravelIndex`.

Understanding CVE-2021-37668

This CVE involves a vulnerability in TensorFlow Lite's `tf.raw_ops.UnravelIndex` that allows an attacker to trigger a division by 0, leading to a denial of service.

What is CVE-2021-37668?

In TensorFlow versions >= 2.3.4 and < 2.5.1, a flaw in the implementation of `tf.raw_ops.UnravelIndex` can be exploited to cause a division by 0, resulting in denial of service.

The Impact of CVE-2021-37668

The impact of this vulnerability is rated as MEDIUM with a CVSS base score of 5.5. Attack complexity is LOW, the attack vector is LOCAL, and the availability impact is HIGH.

Technical Details of CVE-2021-37668

The vulnerability arises because the implementation does not check that the tensor subsumed by `dims` is non-empty. This missing check allows an attacker to trigger a division by 0.
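To make the missing check concrete, here is an added example (not TensorFlow's code, and it does not need TensorFlow installed) that models the stride-and-divide computation an unravel-index operation performs and validates its inputs first. The empty-`dims` rejection mirrors the check described above; the positive-dimension and index-range checks are assumed additional hardening, and the function names are hypothetical.

```python
"""Reference model of an unravel-index computation with input validation.
Added example; it is not the TensorFlow implementation."""
from math import prod
from typing import List, Sequence


def validate_unravel_inputs(indices: Sequence[int], dims: Sequence[int]) -> None:
    """Reject inputs that would drive the stride computation into a
    division by zero or an out-of-range index."""
    if len(dims) == 0:
        # The unchecked case behind CVE-2021-37668: an empty dims tensor
        # reaching the stride/division logic.
        raise ValueError("dims must not be empty")
    if any(d <= 0 for d in dims):
        # Assumed extra check: a zero dimension makes the stride of every
        # more-significant axis zero, so idx // stride divides by zero.
        raise ValueError("every entry of dims must be > 0")
    total = prod(dims)
    for i in indices:
        if not 0 <= i < total:
            raise ValueError(f"index {i} out of range for dims {list(dims)}")


def strides_for(dims: Sequence[int]) -> List[int]:
    """Row-major strides: reverse cumulative product, excluding self."""
    strides, acc = [], 1
    for d in reversed(dims):
        strides.append(acc)
        acc *= d
    return list(reversed(strides))


def unravel_index(indices: Sequence[int], dims: Sequence[int]) -> List[List[int]]:
    """Return the multi-dimensional coordinates of each flat index
    (one coordinate list per index, i.e. transposed relative to the op's
    [len(dims), len(indices)] output layout)."""
    validate_unravel_inputs(indices, dims)
    strides = strides_for(dims)
    out = []
    for idx in indices:
        coords, rem = [], idx
        for s in strides:
            coords.append(rem // s)  # safe: every stride is >= 1 after validation
            rem %= s
        out.append(coords)
    return out


def rejects(indices: Sequence[int], dims: Sequence[int]) -> bool:
    """True when validation blocks the call instead of letting it divide."""
    try:
        unravel_index(indices, dims)
    except ValueError:
        return True
    return False
```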

Vulnerability Description

The flaw in TensorFlow allows an attacker to exploit `tf.raw_ops.UnravelIndex` to divide by 0 and cause a denial of service.

Affected Systems and Versions

Affected versions include TensorFlow >= 2.5.0, < 2.5.1, >= 2.4.0, < 2.4.3, and < 2.3.4.

Exploitation Mechanism

By triggering a division by 0 in the implementation of `tf.raw_ops.UnravelIndex`, an attacker can exploit this vulnerability.

Mitigation and Prevention

It is crucial to take immediate steps, implement long-term security practices, and apply available patches and updates.

Immediate Steps to Take

Users are advised to update to TensorFlow 2.6.0 to mitigate this vulnerability and to apply the provided patches to TensorFlow 2.5.1, 2.4.3, and 2.3.4.

Long-Term Security Practices

Maintain updated software, conduct regular security audits, and adhere to best practices to enhance system security.

Patching and Updates

Ensure timely application of security patches provided by TensorFlow to address this vulnerability.
