
CVE-2021-41228 : Security Advisory and Response

Learn about CVE-2021-41228 affecting TensorFlow's `saved_model_cli`. Understand the code injection vulnerability, its impact, technical details, and mitigation steps to secure your systems.

TensorFlow's `saved_model_cli` tool in affected versions is vulnerable to code injection. Attackers can exploit this to run arbitrary code on the host where the tool runs; the issue is mitigated by the addition of a `safe` flag and explicit warnings. Learn about the impact, technical details, and mitigation steps.

Understanding CVE-2021-41228

What is CVE-2021-41228?

TensorFlow's `saved_model_cli` tool has a code injection vulnerability because it calls `eval` on user-supplied strings, enabling attackers to run malicious code on the platform where the tool is executed.

The Impact of CVE-2021-41228

The vulnerability has a CVSS base score of 7.5 (High), with impact on confidentiality, integrity, and availability; the attack vector is local and high privileges are required.

Technical Details of CVE-2021-41228

Vulnerability Description

The vulnerability stems from improper handling of user input by TensorFlow's `saved_model_cli` tool, which passes user-supplied strings to Python's `eval`, allowing code injection.

Affected Systems and Versions

        TensorFlow versions >= 2.6.0 and < 2.6.1
        TensorFlow versions >= 2.5.0 and < 2.5.2
        TensorFlow versions < 2.4.4

Exploitation Mechanism

User-supplied strings passed to the tool are evaluated as Python code, so an attacker who controls those strings can execute arbitrary code on the platform where the CLI tool operates.

Mitigation and Prevention

Immediate Steps to Take

        Upgrade to TensorFlow 2.7.0 or apply patches from TensorFlow 2.6.1, 2.5.2, and 2.4.4
        Enable the `safe` flag and heed warnings
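As an added illustration (example code, not TensorFlow's own implementation), the snippet below reimplements a `<key>=<expr>;<key>=<expr>` input parser two ways: the vulnerable `eval` path that the advisory describes, and a safe path that accepts only Python literals via `ast.literal_eval`, which is the intent behind a `safe` flag. The `;`/`=` format, the function names and the sample inputs are assumptions constructed for this example.

```python
import ast
import warnings


def parse_input_exprs(input_exprs_str: str, safe: bool = True) -> dict:
    """Parse a '<key>=<expr>;<key>=<expr>' string into a dict of values.

    safe=True  : each expression must be a Python literal (ast.literal_eval),
                 so calls, attribute access and imports are refused.
    safe=False : legacy behaviour, eval() on the raw string, i.e. the
                 code-injection pattern behind CVE-2021-41228.
    Format and names are assumptions for this example, not TensorFlow's API.
    """
    result = {}
    for item in filter(None, input_exprs_str.split(";")):
        if "=" not in item:
            raise ValueError(f'"{item}" is not of the form <key>=<expr>')
        key, expr = item.split("=", 1)
        key, expr = key.strip(), expr.strip()
        if safe:
            try:
                result[key] = ast.literal_eval(expr)
            except (ValueError, SyntaxError, TypeError) as exc:
                raise ValueError(
                    f'Expression "{expr}" for input "{key}" is not a Python '
                    "literal; only literals are accepted in safe mode") from exc
        else:
            # Vulnerable pattern kept for contrast: eval() runs whatever the
            # string contains, not just data. Only ever use with trusted input.
            warnings.warn("unsafe eval() of a user-supplied expression",
                          RuntimeWarning)
            result[key] = eval(expr)  # noqa: S307 (deliberate, see above)
    return result


def is_rejected_in_safe_mode(expr: str) -> bool:
    """True if the safe parser refuses the expression (non-literal input)."""
    try:
        parse_input_exprs(f"x={expr}", safe=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs; a call expression is data in safe mode only
    # if it is a literal, so it is refused rather than executed.
    print(parse_input_exprs("x=[1.0, 2.0];y={'a': 1}"))
    print(is_rejected_in_safe_mode("len('abc')"))
```

Note that array-building expressions (the reason an `eval` path existed at all) are not literals either, so a safe parser must reject them too or accept them through a dedicated, non-`eval` mechanism.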

Long-Term Security Practices

        Implement input validation and sanitization practices
        Conduct regular security audits and code reviews

Patching and Updates

        Apply official patches from TensorFlow to address the code injection vulnerability
