CVE-2022-35983 : Security Advisory and Response

Critical vulnerability (CVSS 5.9) in TensorFlow allows denial of service attacks. Learn about impact, technical details, affected versions, and mitigation steps.

TensorFlow is an open-source platform for machine learning. A vulnerability in TensorFlow versions prior to 2.7.2, between 2.8.0 and 2.8.1, and between 2.9.0 and 2.9.1 allows for a denial of service attack. The vulnerability arises when running Save or SaveSlices over tensors of an unsupported dtype, leading to a CHECK fail. The issue has been addressed in GitHub commit 5dd7b86b84a864b834c6fa3d7f9f51c87efa99d4 and will be included in TensorFlow 2.10.0. The fix will also be backported to versions 2.9.1, 2.8.1, and 2.7.2.

Understanding CVE-2022-35983

This section will provide insights into the impact and technical details of the vulnerability.

What is CVE-2022-35983?

CVE-2022-35983 is a vulnerability in TensorFlow that can be exploited to trigger a denial of service attack. It occurs when certain operations are applied to tensors of an unsupported dtype.

The Impact of CVE-2022-35983

The vulnerability poses a moderate risk, with a CVSS base score of 5.9. Although exploitation requires high attack complexity, a successful attack can severely impact system availability, so prompt action is advised to mitigate the risk.

Technical Details of CVE-2022-35983

Let's delve into the technical aspects of the vulnerability, including the description, affected systems and versions, and exploitation mechanism.

Vulnerability Description

The vulnerability allows attackers to exploit the Save and SaveSlices functions in TensorFlow to cause a denial of service attack by triggering a CHECK fail condition.

Affected Systems and Versions

TensorFlow versions prior to 2.7.2, between 2.8.0 and 2.8.1, and between 2.9.0 and 2.9.1 are affected by this vulnerability.

Exploitation Mechanism

By passing tensors of an unsupported dtype to the Save or SaveSlices functions, attackers can induce a CHECK fail condition, leading to a denial of service.

Mitigation and Prevention

To address CVE-2022-35983, immediate steps should be taken to protect systems and data. Implementing long-term security practices is essential to prevent similar vulnerabilities in the future.

Immediate Steps to Take

Update TensorFlow to version 2.10.0 or apply the necessary patches on versions 2.9.1, 2.8.1, and 2.7.2 to mitigate the vulnerability.
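As an added example (not part of this advisory and not TensorFlow project code), the following check tells you whether a deployed TensorFlow version falls inside the ranges the advisory lists. It assumes the fixed releases 2.9.1, 2.8.1 and 2.7.2 mark the exclusive upper bounds of the affected ranges, and that a pre-release tag such as rc1 can be ignored for the comparison.

```python
"""Check whether a TensorFlow version falls inside the CVE-2022-35983 ranges
listed in the advisory (added example, not Cloud Defense or TensorFlow code)."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Ranges as stated on the page: below 2.7.2, 2.8.0 up to the fixed 2.8.1,
# and 2.9.0 up to the fixed 2.9.1. Lower bound inclusive, upper bound
# exclusive (assumption: the named backport releases contain the fix).
AFFECTED_RANGES = (
    ((0, 0, 0), (2, 7, 2)),
    ((2, 8, 0), (2, 8, 1)),
    ((2, 9, 0), (2, 9, 1)),
)


def parse_version(text: str) -> Optional[Version]:
    """Turn '2.9.0' or '2.9.0rc1' into (2, 9, 0). Pre-release suffixes are
    dropped (assumption); anything without three numeric parts yields None."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version_text: str) -> bool:
    """True if the version sits in one of the affected ranges."""
    v = parse_version(version_text)
    if v is None:
        raise ValueError(f"unparseable TensorFlow version: {version_text!r}")
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def installed_tensorflow_version() -> Optional[str]:
    """Return the installed TensorFlow version string, or None if absent."""
    try:
        import tensorflow as tf  # optional: the check itself needs only a string
    except ImportError:
        return None
    return tf.__version__


if __name__ == "__main__":
    ver = installed_tensorflow_version()
    if ver is None:
        print("TensorFlow is not installed in this environment")
    else:
        status = "AFFECTED" if is_affected(ver) else "not in the affected ranges"
        print(f"TensorFlow {ver}: {status}")
```

Run it inside the environment that serves the model so that the version inspected is the one that actually executes Save and SaveSlices.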

Long-Term Security Practices

Regularly update software and libraries, conduct security assessments, and educate users on best security practices to enhance overall system security.

Patching and Updates

Stay informed about security updates for TensorFlow and promptly apply patches to ensure systems are protected against known vulnerabilities.
