CVE-2021-41195 : What You Need to Know
Discover the impact and mitigation of CVE-2021-41195, a TensorFlow vulnerability leading to denial of service due to a `CHECK` failure in segment operations.
TensorFlow experienced a vulnerability in its
tf.math.segment_*CHECKUnderstanding CVE-2021-41195
This CVE highlights a critical vulnerability in TensorFlow versions regarding specific operations that could result in a denial of service attack.
What is CVE-2021-41195?
In TensorFlow versions, a flaw in the implementation of
tf.math.segment_*segment_idsCHECKThe Impact of CVE-2021-41195
The vulnerability's impact is rated as MEDIUM with a base score of 5.5. The attack complexity is low, but the availability impact is high, requiring low privileges for exploitation and having no confidentiality or integrity impact.
Technical Details of CVE-2021-41195
This section delves into the technical aspects of the vulnerability.
Vulnerability Description
The issue arises in the calculation of output shape using
AddDimCHECKstd::abortAddDimWithStatusAffected Systems and Versions
- TensorFlow version >= 2.6.0 and < 2.6.1
- TensorFlow version >= 2.5.0 and < 2.5.2
- TensorFlow version < 2.4.4
Exploitation Mechanism
- Attack Vector: LOCAL
- Privileges Required: LOW
- User Interaction: NONE
- Scope: UNCHANGED
Mitigation and Prevention
Taking immediate steps and implementing long-term security measures are crucial to mitigate risks effectively.
Immediate Steps to Take
- Update TensorFlow to version 2.7.0, or apply the necessary patches if available
- Be cautious when processing large segment ids in
segment_idsLong-Term Security Practices
- Regularly update TensorFlow to the latest secure versions
- Conduct regular security assessments to identify and address vulnerabilities
Patching and Updates
- The fix will be included in TensorFlow 2.7.0, with cherry-picked commits for versions 2.6.1, 2.5.2, and 2.4.4