This article provides an overview of CVE-2022-35969, a vulnerability affecting TensorFlow versions prior to 2.7.2, as well as versions 2.8.0 to 2.8.1, and 2.9.0 to 2.9.1.
Understanding CVE-2022-35969
In this section, we will delve into the details of the vulnerability found in TensorFlow.
What is CVE-2022-35969?
TensorFlow, an open-source machine learning platform, contains a vulnerability in the Conv2DBackpropInput implementation. The implementation requires the input_sizes parameter to be 4-dimensional; if an input_sizes of any other rank is supplied, the kernel hits a CHECK failure, which aborts the process and can therefore be used to cause a denial of service.
The Impact of CVE-2022-35969
The impact of this vulnerability is rated as medium severity with a CVSS base score of 5.9. It has a high availability impact but does not affect confidentiality or integrity. The attack complexity is considered high, and it can be exploited over a network without requiring user interaction.
Technical Details of CVE-2022-35969
This section will cover the technical aspects of CVE-2022-35969.
Vulnerability Description
The vulnerability stems from the Conv2DBackpropInput implementation requiring the input_sizes parameter to be 4-dimensional: an input_sizes of any other rank triggers a CHECK failure instead of a recoverable error.
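The guard below is an added example, not TensorFlow's own code and not the patch referenced by the advisory: an application-side check that validates input_sizes against the op's documented contract (an integer vector describing a 4-D [batch, height, width, channels] input) before Conv2DBackpropInput is called, so that a malformed shape arriving from a deserialised request raises a ValueError instead of aborting the process on an unpatched build. The function names, the cross-checks against the filter and out_backprop operands, and the sample shapes are the example's own.

```python
# Added example (application-side guard, not TensorFlow's own code): validate the
# input_sizes argument of Conv2DBackpropInput before the op is invoked, so that a
# malformed shape from an untrusted source raises a catchable ValueError instead
# of reaching the kernel, where an unpatched build aborts the whole process on a
# CHECK failure. The rule follows the op's documented contract: input_sizes is an
# integer vector giving the shape of a 4-D [batch, height, width, channels] input.
from typing import Any, Sequence, Tuple

INPUT_RANK = 4  # Conv2DBackpropInput reconstructs a 4-D NHWC input tensor

Shape4 = Tuple[int, int, int, int]


def _to_python(value: Any) -> Any:
    """Reduce eager tensors / numpy arrays to plain Python lists or scalars."""
    if hasattr(value, "numpy"):    # eager tf.Tensor -> ndarray
        value = value.numpy()
    if hasattr(value, "tolist"):   # ndarray (any rank) -> nested lists or scalar
        value = value.tolist()
    return value


def validate_input_sizes(input_sizes: Any) -> Shape4:
    """Return input_sizes as a tuple of four positive ints, else raise ValueError.

    Rejects scalars, nested lists (a 2-D or 4-D "shape of shapes"), vectors of
    the wrong length, non-integer entries and non-positive dimensions.
    """
    input_sizes = _to_python(input_sizes)
    if isinstance(input_sizes, (str, bytes)) or not isinstance(input_sizes, Sequence):
        raise ValueError(
            f"input_sizes must be a flat integer vector, got {type(input_sizes).__name__}")
    dims = []
    for i, d in enumerate(input_sizes):
        if isinstance(d, bool) or not isinstance(d, int):
            raise ValueError(f"input_sizes[{i}] must be an int, got {d!r}")
        if d <= 0:
            raise ValueError(f"input_sizes[{i}] must be positive, got {d}")
        dims.append(d)
    if len(dims) != INPUT_RANK:
        raise ValueError(
            f"input_sizes must describe a {INPUT_RANK}-D input, got {len(dims)} entries {dims}")
    return dims[0], dims[1], dims[2], dims[3]


def validate_backprop_input_shapes(input_sizes: Any, filter_shape: Sequence[int],
                                   out_backprop_shape: Sequence[int]) -> Shape4:
    """Cross-check input_sizes against the other operands' documented layouts:
    filter is [fh, fw, in_channels, out_channels] and out_backprop is
    [batch, out_h, out_w, out_channels]. Spatial sizes depend on strides and
    padding and are left to the op itself."""
    sizes = validate_input_sizes(input_sizes)
    f = tuple(_to_python(filter_shape))
    ob = tuple(_to_python(out_backprop_shape))
    if len(f) != 4:
        raise ValueError(f"filter must be 4-D, got shape {f}")
    if len(ob) != 4:
        raise ValueError(f"out_backprop must be 4-D, got shape {ob}")
    if sizes[3] != f[2]:
        raise ValueError(f"input channels {sizes[3]} != filter in_channels {f[2]}")
    if ob[0] != sizes[0] or ob[3] != f[3]:
        raise ValueError(f"out_backprop shape {ob} inconsistent with batch {sizes[0]} "
                         f"and out_channels {f[3]}")
    return sizes


def rejects(*args: Any) -> bool:
    """True when the validator refuses the given operands (helper for tests/demo)."""
    try:
        if len(args) == 1:
            validate_input_sizes(args[0])
        else:
            validate_backprop_input_shapes(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: one well-formed call and the malformed shapes a
    # deserialised request might carry.
    print(validate_backprop_input_shapes([1, 28, 28, 3], [3, 3, 3, 8], [1, 26, 26, 8]))
    for bad in (7, [1, 28, 28], [[1], [28], [28], [3]], [1, 28, 28, 0], [1, 28, "28", 3]):
        print(repr(bad), "rejected" if rejects(bad) else "accepted")
```

The guard is defence in depth for code that builds graphs from externally supplied shapes; upgrading to a fixed release remains the actual fix, since a check in one call site cannot protect operations constructed elsewhere.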
Affected Systems and Versions
The vulnerability affects TensorFlow versions prior to 2.7.2, as well as versions 2.8.0 to 2.8.1, and 2.9.0 to 2.9.1.
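The following is an added example, not part of the advisory or of TensorFlow: a small inventory check that decides whether a pinned TensorFlow version falls inside the affected ranges listed above and scans a requirements-style file for the tensorflow, tensorflow-cpu and tensorflow-gpu distributions. The sample requirements text is constructed for the example.

```python
# Added example (not part of the advisory or TensorFlow): checks TensorFlow
# version strings against the affected ranges listed above for CVE-2022-35969
# (prior to 2.7.2, 2.8.0-2.8.1, 2.9.0-2.9.1) and scans a requirements-style
# inventory for the TensorFlow distribution names. Pre-release suffixes such as
# "rc0" are stripped before comparison, so a release candidate of a fixed
# version is reported as fixed; check those by hand against the advisory.
import re
from typing import List, Tuple

Version = Tuple[int, int, int]

# Half-open [low, high) ranges taken from the affected-version list above.
AFFECTED_RANGES: Tuple[Tuple[Version, Version], ...] = (
    ((0, 0, 0), (2, 7, 2)),   # everything prior to 2.7.2
    ((2, 8, 0), (2, 8, 2)),   # 2.8.0 and 2.8.1
    ((2, 9, 0), (2, 9, 2)),   # 2.9.0 and 2.9.1
)

# PyPI distributions that ship the TensorFlow runtime (matched case-insensitively).
TENSORFLOW_DISTS = {"tensorflow", "tensorflow-cpu", "tensorflow-gpu"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def parse_version(version: str) -> Version:
    """'2.9.1' -> (2, 9, 1); '2.10.0rc0' -> (2, 10, 0); anything else is an error."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised TensorFlow version: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version: str) -> bool:
    """True when the version falls inside one of AFFECTED_RANGES."""
    v = parse_version(version)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def scan_requirements(text: str) -> List[Tuple[str, str, bool]]:
    """Return (distribution, version, affected) for each pinned TensorFlow line.

    Only exact '==' pins are considered; other specifiers cannot be resolved
    without consulting the package index and are skipped.
    """
    findings = []
    for line in text.splitlines():
        m = _REQ_RE.match(line)
        if not m:
            continue
        dist, version = m.group(1).lower(), m.group(2)
        if dist in TENSORFLOW_DISTS:
            findings.append((dist, version, is_affected(version)))
    return findings


# Constructed sample inventory, not a real project's file.
SAMPLE_REQUIREMENTS = """\
numpy==1.23.5
tensorflow==2.8.1
tensorflow-gpu==2.10.0  # pinned after the advisory
TensorFlow-CPU==2.9.1
keras>=2.9
"""

if __name__ == "__main__":
    for dist, version, affected in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"{dist}=={version}: {'AFFECTED' if affected else 'not in affected ranges'}")
```

Run it against an exported `pip freeze` of each environment that loads TensorFlow; a hit on an affected pin means the Conv2DBackpropInput CHECK failure is reachable in that environment.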
Exploitation Mechanism
Any caller able to pass a Conv2DBackpropInput operation an input_sizes that is not 4-dimensional triggers the CHECK failure, which aborts the TensorFlow process and thereby causes a denial of service.
Mitigation and Prevention
In this section, we will outline steps to mitigate and prevent exploitation of CVE-2022-35969.
Immediate Steps to Take
Users are advised to update TensorFlow to version 2.10.0 or apply the patch available in GitHub commit 50156d547b9a1da0144d7babe665cf690305b33c.
Long-Term Security Practices
It is recommended to regularly update TensorFlow to the latest version to mitigate potential vulnerabilities.
Patching and Updates
The issue has been patched in TensorFlow 2.10.0, and the fix will be included in TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2.