Discover the details of CVE-2022-35981, a vulnerability in TensorFlow due to CHECK failures in FractionalMaxPoolGrad that can lead to denial of service attacks. Learn about the impact, affected systems, and mitigation steps.
This article provides details about CVE-2022-35981, a vulnerability in TensorFlow related to CHECK failures in the FractionalMaxPoolGrad function.
Understanding CVE-2022-35981
This CVE involves a vulnerability in TensorFlow that allows a denial of service attack due to CHECK failures in the FractionalMaxPoolGrad function.
What is CVE-2022-35981?
TensorFlow, an open-source platform for machine learning, contains a vulnerability where FractionalMaxPoolGrad does not handle incorrectly sized inputs correctly, leading to denial of service.
The Impact of CVE-2022-35981
The vulnerability has a CVSS base score of 5.9, a medium severity rating. The availability impact is high, with no impact on confidentiality or integrity.
Technical Details of CVE-2022-35981
This section outlines the vulnerability description, affected systems, versions, and exploitation mechanism.
Vulnerability Description
FractionalMaxPoolGrad in TensorFlow validates its inputs with CHECK statements. A failed CHECK aborts the process instead of returning an error, which allows attackers to trigger denial of service attacks.
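The difference between CHECK-based validation and returning an error, as an added example that is not TensorFlow's code or the actual patch. The Shape type, the DEMO_CHECK macro, both function names and the shape rules are assumptions made for illustration.

```cpp
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>

// Hypothetical stand-in for a tensor shape; not TensorFlow's TensorShape.
using Shape = std::vector<long>;

// CHECK-style assertion: a false condition aborts the whole process.
#define DEMO_CHECK(cond)                                  \
  do {                                                    \
    if (!(cond)) {                                        \
      std::fprintf(stderr, "Check failed: %s\n", #cond);  \
      std::abort();                                       \
    }                                                     \
  } while (0)

// "Before": caller-supplied shapes reach an aborting assertion, so a single
// malformed request takes down every other request served by the process.
void ValidateWithCheck(const Shape& orig_output, const Shape& out_backprop) {
  DEMO_CHECK(out_backprop.size() == 4);
  DEMO_CHECK(out_backprop == orig_output);
}

// "After": the same kind of condition becomes a recoverable error.
// Returns an empty string when the shapes are acceptable.
// The rules below are assumed for illustration, not copied from the patch.
std::string ValidateWithStatus(const Shape& orig_input, const Shape& orig_output,
                               const Shape& out_backprop) {
  if (orig_input.size() != 4 || orig_output.size() != 4 || out_backprop.size() != 4)
    return "orig_input, orig_output and out_backprop must all be 4-D";
  if (out_backprop != orig_output)
    return "out_backprop must have the same shape as orig_output";
  for (int d = 0; d < 4; ++d) {
    if (orig_input[d] <= 0 || orig_output[d] <= 0)
      return "dimensions must be positive";
    if (orig_output[d] > orig_input[d])
      return "pooled output cannot be larger than the input";
  }
  return "";
}

int main() {
  // Constructed shapes: a valid set, then an out_backprop of the wrong size.
  const Shape in{1, 4, 4, 1}, out{1, 2, 2, 1}, bad{1, 3, 3, 1};
  std::printf("valid:   '%s'\n", ValidateWithStatus(in, out, out).c_str());
  std::printf("invalid: '%s'\n", ValidateWithStatus(in, out, bad).c_str());
  return 0;  // ValidateWithCheck(out, bad) would abort here instead.
}
```

With the status-returning form, a serving process can reject the one malformed request and keep handling the others.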
Affected Systems and Versions
Exploitation Mechanism
Attackers can exploit this vulnerability by providing incorrectly sized inputs to the FractionalMaxPoolGrad function.
Mitigation and Prevention
In response to CVE-2022-35981, immediate steps need to be taken to secure systems and prevent potential attacks.
Immediate Steps to Take
Long-Term Security Practices
Patching and Updates
Stay informed about TensorFlow security advisories and apply patches promptly to protect systems.