Discover the impact of CVE-2022-35991, a TensorFlow vulnerability where 'TensorListScatter' and 'TensorListScatterV2' can trigger a denial of service attack. Learn about affected versions and mitigation steps.
TensorFlow is an open source platform for machine learning that has recently been impacted by a vulnerability tracked as CVE-2022-35991. This vulnerability occurs when TensorListScatter and TensorListScatterV2 receive an element_shape of a rank greater than one, resulting in a CHECK fail that can potentially lead to a denial of service attack.
Understanding CVE-2022-35991
This section dives into the details regarding the vulnerability, its impact, technical aspects, and mitigation strategies.
What is CVE-2022-35991?
The CVE-2022-35991 vulnerability in TensorFlow arises due to improper handling of element_shape in TensorListScatter and TensorListScatterV2, which can be exploited to trigger a denial of service attack.
The Impact of CVE-2022-35991
This vulnerability has a CVSS base score of 5.9 and a medium severity rating. Attack complexity is high and the availability impact is high. The integrity and confidentiality of affected systems remain uncompromised, and no user interaction or privileges are required for exploitation. The discovery source of this vulnerability is marked as 'UNKNOWN'.
Technical Details of CVE-2022-35991
Let's delve into the specific technical details of the CVE-2022-35991 vulnerability.
Vulnerability Description
The vulnerability in TensorFlow allows for a denial of service attack when specific conditions related to element_shape are met in TensorListScatter and TensorListScatterV2 functions.
Affected Systems and Versions
Affected TensorFlow versions are those below 2.7.2, from 2.8.0 up to but not including 2.8.1, and from 2.9.0 up to but not including 2.9.1. Users on these versions are at risk of exploitation if not updated.
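The ranges above can be checked against a dependency manifest. The following is an added example, not code from TensorFlow or from this advisory: it scans requirements-style text for exact pins that fall in the affected ranges. The package names tensorflow, tensorflow-cpu and tensorflow-gpu, the function names and the sample manifest are assumptions made for illustration.

```python
import re

# Affected ranges as stated on this page: [lower inclusive, upper exclusive).
AFFECTED = [((0,), (2, 7, 2)), ((2, 8, 0), (2, 8, 1)), ((2, 9, 0), (2, 9, 1))]
# Assumption: these distribution names all ship the TensorFlow runtime.
PACKAGES = {"tensorflow", "tensorflow-cpu", "tensorflow-gpu"}
# Exact pins only; a pre-release suffix such as "rc1" is ignored, so
# 2.9.0rc1 is treated as 2.9.0 (the conservative reading).
PIN = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*==\s*([0-9]+(?:\.[0-9]+)*)")

def parse_version(text):
    """Numeric release segments padded to three parts: '2.8' -> (2, 8, 0)."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    """True if the version lies in one of the ranges listed on this page."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED)

def scan_requirements(text):
    """Return (line_no, package, version) for each affected exact pin."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0]  # drop trailing comments
        m = PIN.match(line)
        if not m:
            continue  # unpinned or ranged specifiers must be resolved separately
        name = m.group(1).lower().replace("_", "-")
        if name in PACKAGES and is_affected(m.group(2)):
            findings.append((n, name, m.group(2)))
    return findings

# Constructed sample manifest, not taken from any real project.
SAMPLE = """\
numpy==1.23.1
tensorflow==2.8.0
tensorflow-gpu==2.9.1
TensorFlow_CPU==2.6.5
tensorflow==2.7.2
tensorflow==2.9.0rc1
"""

if __name__ == "__main__":
    for hit in scan_requirements(SAMPLE):
        print("line %d: %s==%s is in an affected range" % hit)
```

Unpinned entries are skipped, so resolve them against the installed environment (for example with pip freeze output) before relying on the result.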
Exploitation Mechanism
Attackers can exploit this vulnerability by leveraging the improper validation of element_shape in the mentioned TensorFlow functions to cause a denial of service.
Mitigation and Prevention
To address the CVE-2022-35991 vulnerability, consider the following mitigation strategies.
Immediate Steps to Take
Long-Term Security Practices
Patching and Updates
Ensure timely installation of security patches and updates provided by TensorFlow to safeguard against known vulnerabilities.