CVE-2021-41200 : What You Need to Know

Learn about CVE-2021-41200 affecting TensorFlow, causing code crashes with non-scalar arguments. Find mitigation steps and update recommendations here.

TensorFlow, an open-source platform for machine learning, is affected by incomplete validation in tf.summary.create_file_writer.

Understanding CVE-2021-41200

What is CVE-2021-41200?

TensorFlow versions < 2.4.4, >= 2.5.0, < 2.5.2, and >= 2.6.0, < 2.6.1 are impacted by a crash caused by incomplete validation in tf.summary.create_file_writer.

The Impact of CVE-2021-41200

The vulnerability has a CVSS base score of 5.5 (Medium severity). Its availability impact is rated high: the crash occurs when the function is invoked with non-scalar arguments.

Technical Details of CVE-2021-41200

Vulnerability Description

When tf.summary.create_file_writer is used with non-scalar arguments in affected TensorFlow versions, it results in a CHECK-fail, causing code crashes.

Affected Systems and Versions

        TensorFlow versions < 2.4.4, >= 2.5.0, < 2.5.2, and >= 2.6.0, < 2.6.1

Exploitation Mechanism

The vulnerability can be exploited locally with low attack complexity and low privileges required, leading to high availability impact.

Mitigation and Prevention

Immediate Steps to Take

        Update TensorFlow to version 2.7.0 or apply the fix cherry-picked to versions 2.6.1, 2.5.2, and 2.4.4.

Long-Term Security Practices

        Regularly monitor for TensorFlow updates and security advisories.

Patching and Updates

        Keep TensorFlow up to date with the latest patches and security fixes.
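
An added example, not part of the original page and not TensorFlow's own code: a version check against the affected ranges listed above, plus a caller-side guard that rejects non-scalar values before they are passed to tf.summary.create_file_writer. The helper names are hypothetical, and treating a pre-release of a fixed version (for example 2.6.1rc0) as still affected is an assumption.

```python
import re

# Affected ranges from this page, as [lower, upper). The 4th field is 0 for a
# pre-release and 1 for a final build, so "2.6.1rc0" sorts below "2.6.1".
# Assumption: a pre-release of a fixed version is treated as still affected.
AFFECTED_RANGES = [
    ((0, 0, 0, 0), (2, 4, 4, 1)),
    ((2, 5, 0, 0), (2, 5, 2, 1)),
    ((2, 6, 0, 0), (2, 6, 1, 1)),
]

def parse_version(text):
    """Turn '2.5.1', '2.6.1rc0' or '2.6.1+cpu' into a comparable 4-tuple."""
    public = text.strip().split("+")[0]  # drop a local build tag such as '+cpu'
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(.*)", public)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    final = 0 if re.match(r"\.?(a|b|rc|dev)", m.group(4)) else 1
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), final)

def is_affected(version_text):
    """True when the version falls inside a range this page lists as affected."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def require_scalar(name, value):
    """Raise ValueError for sequences or anything whose shape has rank > 0."""
    shape = getattr(value, "shape", None)  # tf.Tensor and numpy arrays expose .shape
    is_sequence = isinstance(value, (list, tuple, set, dict))
    if is_sequence or (shape is not None and len(shape) > 0):
        raise ValueError(f"{name} must be a scalar, got {type(value).__name__}")

def checked_writer_args(logdir, max_queue=None, flush_millis=None,
                        filename_suffix=None):
    """Validate values destined for tf.summary.create_file_writer; return kwargs."""
    kwargs = {"logdir": logdir, "max_queue": max_queue,
              "flush_millis": flush_millis, "filename_suffix": filename_suffix}
    for name, value in kwargs.items():
        require_scalar(name, value)
    return {k: v for k, v in kwargs.items() if v is not None}

if __name__ == "__main__":
    # Constructed sample versions; in practice pass tf.__version__.
    for sample in ("2.4.3", "2.5.2", "2.6.0", "2.6.1rc0", "2.7.0"):
        print(sample, "affected" if is_affected(sample) else "not affected")
```

On a host that cannot be upgraded immediately, the dictionary returned by checked_writer_args can be unpacked into tf.summary.create_file_writer so that untrusted values are rejected with a Python exception before they reach the affected function.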
