CVE-2021-41223 : Security Advisory and Response

Learn about CVE-2021-41223 affecting TensorFlow versions. Find out the impact, vulnerability details, affected systems, and mitigation steps to secure your machine learning platform.

TensorFlow is an open-source platform for machine learning that was found to have a heap out-of-bounds read vulnerability in its FusedBatchNorm kernels, affecting multiple versions.

Understanding CVE-2021-41223

What is CVE-2021-41223?

TensorFlow versions >= 2.4.4 and < 2.6.1 are susceptible to a heap out-of-bounds read due to a vulnerability in the implementation of the FusedBatchNorm kernels.

The Impact of CVE-2021-41223

The vulnerability has a CVSS v3.1 base score of 7.1 (High), with high impact on confidentiality and availability. The attack complexity is Low, and it requires low privileges to exploit locally.

Technical Details of CVE-2021-41223

Vulnerability Description

The issue stems from a heap out-of-bounds read in the FusedBatchNorm kernels within TensorFlow, potentially leading to unauthorized access to sensitive information.

Affected Systems and Versions

        TensorFlow >= 2.6.0, < 2.6.1
        TensorFlow >= 2.5.0, < 2.5.2
        TensorFlow < 2.4.4
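To audit an environment against the three affected ranges listed above, the following added example (not TensorFlow project code or part of this advisory) parses a TensorFlow version string and reports whether it falls in an affected range and which patched release on the same minor line closes it. The ranges and fixed versions are taken from this advisory; the handling of suffixes such as `rc1` or `+cpu` is an assumption made for robustness, and pre-release builds are treated conservatively as their base version.

```python
"""Check an installed TensorFlow version against the affected ranges for
CVE-2021-41223 (heap out-of-bounds read in the FusedBatchNorm kernels).

Added example for this advisory, not TensorFlow project code. The ranges are
the three listed in the advisory: < 2.4.4, >= 2.5.0 < 2.5.2, >= 2.6.0 < 2.6.1.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (lower bound inclusive or None, upper bound exclusive), as listed in the advisory.
AFFECTED_RANGES = [
    (None, (2, 4, 4)),        # TensorFlow < 2.4.4
    ((2, 5, 0), (2, 5, 2)),   # TensorFlow >= 2.5.0, < 2.5.2
    ((2, 6, 0), (2, 6, 1)),   # TensorFlow >= 2.6.0, < 2.6.1
]

# Patched release closing each range, in the same order as AFFECTED_RANGES.
FIXED_VERSIONS = [(2, 4, 4), (2, 5, 2), (2, 6, 1)]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]' from a version string.

    Suffixes such as '2.6.0rc1' or '2.5.1+cpu' are tolerated (assumption: a
    pre-release is compared as its base version, which errs on the side of
    flagging it). A missing patch component is read as 0.
    """
    match = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return (int(major), int(minor), int(patch))


def _matching_range(version: Version) -> Optional[int]:
    """Index of the affected range containing `version`, or None."""
    for index, (low, high) in enumerate(AFFECTED_RANGES):
        if (low is None or version >= low) and version < high:
            return index
    return None


def is_affected(version_text: str) -> bool:
    """True if the version falls inside any advisory range."""
    return _matching_range(parse_version(version_text)) is not None


def recommended_upgrade(version_text: str) -> Optional[str]:
    """Smallest patched release on the installed minor line, or None when the
    version is not affected. The advisory also lists 2.7.0 as a safe target."""
    index = _matching_range(parse_version(version_text))
    if index is None:
        return None
    return ".".join(str(part) for part in FIXED_VERSIONS[index])


if __name__ == "__main__":
    # Check the locally installed TensorFlow if one is importable; otherwise
    # fall back to a constructed sample version so the script still runs offline.
    try:
        import tensorflow as tf  # type: ignore
        installed = tf.__version__
    except ImportError:
        installed = "2.6.0"  # constructed sample value
    if is_affected(installed):
        print(f"TensorFlow {installed} is affected by CVE-2021-41223; "
              f"upgrade to {recommended_upgrade(installed)} or 2.7.0")
    else:
        print(f"TensorFlow {installed} is outside the affected ranges")
```

Run the script on each host (or feed `pip freeze` output to `is_affected`) to confirm no affected build remains after patching.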

Exploitation Mechanism

The vulnerability allows an attacker to abuse the FusedBatchNorm kernels to read out-of-bounds heap memory, potentially leading to data leakage or a denial of service.

Mitigation and Prevention

Immediate Steps to Take

        Users should update TensorFlow to version 2.7.0 to mitigate the vulnerability.
        Apply patches provided by TensorFlow to versions 2.6.1, 2.5.2, and 2.4.4.

Long-Term Security Practices

        Regularly update software to the latest versions to address known vulnerabilities.
        Deploy additional security measures like network segmentation and access controls.

Patching and Updates

        TensorFlow users should implement patches provided by the vendor to secure their systems against the heap out-of-bounds read vulnerability.
