Learn about CVE-2022-35966, a vulnerability in TensorFlow's `QuantizedAvgPool` function that can trigger a denial of service attack. Find out about the impact, affected versions, and mitigation steps.
TensorFlow, an open-source platform for machine learning, is affected by a vulnerability in the QuantizedAvgPool function. Exploiting this vulnerability may lead to a denial of service attack. The issue has been patched in TensorFlow versions 2.7.2, 2.8.1, 2.9.1, and will be included in TensorFlow 2.10.0.
Understanding CVE-2022-35966
This CVE pertains to a vulnerability in TensorFlow's QuantizedAvgPool function that can result in a denial of service attack.
What is CVE-2022-35966?
CVE-2022-35966 is a vulnerability in TensorFlow where providing certain inputs to the QuantizedAvgPool function can cause a segfault, leading to a denial of service attack.
The Impact of CVE-2022-35966
The impact of this vulnerability is rated as MEDIUM based on CVSS v3.1 metrics. It has a base score of 5.9, a network attack vector, and a HIGH availability impact.
Technical Details of CVE-2022-35966
The following technical aspects are associated with CVE-2022-35966:
Vulnerability Description
The vulnerability in QuantizedAvgPool in TensorFlow can be exploited to trigger a denial of service attack.
Affected Systems and Versions
The affected versions of TensorFlow are: any version earlier than 2.7.2; versions >= 2.8.0 and < 2.8.1; and versions >= 2.9.0 and < 2.9.1.
Exploitation Mechanism
Exploiting this vulnerability involves providing min_input or max_input tensors of a nonzero rank to the QuantizedAvgPool function in TensorFlow.
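The following is an added example, not code from TensorFlow or from this advisory. It serves both the affected-versions list above and the exploitation mechanism: one helper decides whether an installed TensorFlow version string falls inside the affected ranges quoted in the advisory, and a second, hypothetical pre-call guard rejects a min_input or max_input whose rank is not zero, so that on an unpatched build a malformed bound raises a Python exception instead of crashing the process. The guard's name, its duck-typed rank helper, and the sample inputs are all assumptions constructed for this example; it does not import TensorFlow, so it runs offline.

```python
"""Defensive helpers for CVE-2022-35966 (TensorFlow QuantizedAvgPool).

Added example, not TensorFlow's own code. It assumes (1) the affected and
patched version boundaries quoted in the advisory and (2) that refusing to
pass a non-scalar `min_input` / `max_input` avoids the reported segfault.
"""
import re

# Affected ranges as listed in the advisory: < 2.7.2, >= 2.8.0 and < 2.8.1,
# >= 2.9.0 and < 2.9.1. Each entry is (inclusive lower bound or None,
# exclusive upper bound) as (major, minor, patch) tuples.
AFFECTED_RANGES = [
    (None, (2, 7, 2)),
    ((2, 8, 0), (2, 8, 1)),
    ((2, 9, 0), (2, 9, 1)),
]


def parse_version(version):
    """Turn '2.8.0' or '2.8.0rc1' into a (major, minor, patch) tuple.

    Pre-release suffixes are dropped, so '2.9.0rc0' compares as 2.9.0 and is
    treated as affected; that is the conservative choice for a security check.
    """
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised TensorFlow version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """Return True if this TensorFlow version falls inside an affected range."""
    v = parse_version(version)
    for lower, upper in AFFECTED_RANGES:
        if (lower is None or v >= lower) and v < upper:
            return True
    return False


def rank_of(value):
    """Tensor rank (number of dimensions) of a Python scalar, a nested
    list/tuple, or any object exposing a `.shape` attribute (for example a
    numpy array or a tf.Tensor)."""
    shape = getattr(value, "shape", None)
    if shape is not None:
        return len(tuple(shape))
    rank = 0
    while isinstance(value, (list, tuple)):
        rank += 1
        if not value:
            break
        value = value[0]
    return rank


def check_quantization_bounds(min_input, max_input):
    """Raise ValueError unless both bounds are rank-0 (scalar) tensors.

    Hypothetical guard (an assumption of this example): call it before
    QuantizedAvgPool on an unpatched build so a malformed bound is rejected
    with a catchable exception rather than taking the whole process down.
    """
    for name, value in (("min_input", min_input), ("max_input", max_input)):
        r = rank_of(value)
        if r != 0:
            raise ValueError(f"{name} must be a scalar (rank 0), got rank {r}")
    return True


if __name__ == "__main__":
    for ver in ("2.7.1", "2.7.2", "2.8.0", "2.9.1", "2.10.0"):
        print(ver, "affected" if is_affected(ver) else "patched/unaffected")
    # Constructed inputs: a valid scalar pair, then a malformed rank-1 bound.
    print(check_quantization_bounds(-1.0, 1.0))
    try:
        check_quantization_bounds([-1.0], 1.0)
    except ValueError as e:
        print("rejected:", e)
```

The version check is meant for an inventory or CI gate that reads the installed version string (for instance `tf.__version__`); the bounds guard only buys time on a build that cannot be upgraded immediately, and the advisory's real remedy remains moving to 2.7.2, 2.8.1, 2.9.1, or 2.10.0.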
Mitigation and Prevention
To address CVE-2022-35966, consider the following mitigation strategies:
Immediate Steps to Take
Update TensorFlow to the patched versions: 2.7.2, 2.8.1, 2.9.1, or upgrade to 2.10.0 once available.
Long-Term Security Practices
Ensure regular updates and monitoring for security vulnerabilities in TensorFlow.
Patching and Updates
Stay informed about security advisories from TensorFlow and apply patches promptly to mitigate potential risks.