Learn about CVE-2022-35992, a vulnerability in TensorFlow that can trigger a denial of service attack in versions prior to 2.7.2, between 2.8.0 to 2.8.1, and between 2.9.0 to 2.9.1. Discover the impact, exploitation mechanism, and mitigation steps.
This article provides detailed information about CVE-2022-35992, a vulnerability in TensorFlow that could lead to a denial of service attack.
Understanding CVE-2022-35992
The vulnerability lies in the TensorListFromTensor function in TensorFlow, affecting versions prior to 2.7.2, between 2.8.0 and 2.8.1, and between 2.9.0 and 2.9.1.
What is CVE-2022-35992?
TensorFlow, an open-source machine learning platform, is susceptible to a denial of service attack when TensorListFromTensor processes an element_shape with a rank greater than one, triggering a CHECK fail. A CHECK failure terminates the whole process rather than returning an error to the caller, which is what makes this a denial of service.
The Impact of CVE-2022-35992
With a CVSS base score of 5.9 and a base severity of MEDIUM, this vulnerability has a high attack complexity and can cause significant availability impact.
Technical Details of CVE-2022-35992
Vulnerability Description
The flaw in TensorListFromTensor can be exploited to launch denial of service attacks.
Affected Systems and Versions
TensorFlow versions prior to 2.7.2, 2.8.0 to 2.8.1, and 2.9.0 to 2.9.1 are affected by this vulnerability.
Exploitation Mechanism
The vulnerability arises when TensorListFromTensor processes an element_shape with a rank greater than one, leading to a CHECK fail.
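The following is an added example, not code from the TensorFlow project: a pure-Python model of the two behaviours the advisory describes, a CHECK-style abort on a rank > 1 element_shape versus a recoverable InvalidArgument error, plus a caller-side guard for untrusted shape input. It does not import TensorFlow; the class and function names, and the rule that the only valid scalar element_shape is -1 (fully unknown shape), are assumptions made for the model.

```python
class ProcessAbort(Exception):
    """Stands in for a CHECK failure, which terminates the whole process (the DoS)."""


class InvalidArgument(ValueError):
    """Stands in for a recoverable InvalidArgument status returned to the caller."""


def rank(value):
    """Rank of a nested-list 'tensor': scalar -> 0, flat list -> 1, list of lists -> 2."""
    r = 0
    while isinstance(value, list):
        r += 1
        if not value:
            break
        value = value[0]
    return r


def element_shape_unpatched(element_shape):
    """Model of the unpatched behaviour described in the advisory: scalar and
    rank-1 shapes are handled, but a rank > 1 element_shape reaches a CHECK
    and aborts the process instead of producing an error status."""
    r = rank(element_shape)
    if r == 0:
        if element_shape != -1:  # assumption: -1 is the only valid scalar shape
            raise InvalidArgument("the only valid scalar element_shape is -1")
        return None  # fully unknown element shape
    if r == 1:
        return list(element_shape)  # one entry per dimension, -1 for unknown
    raise ProcessAbort(f"CHECK failed: element_shape has rank {r}")


def element_shape_patched(element_shape):
    """Model of the patched behaviour: the rank is validated up front and a
    rank > 1 shape yields a recoverable error before any CHECK is reached."""
    r = rank(element_shape)
    if r > 1:
        raise InvalidArgument(f"element_shape must be a scalar or vector, got rank {r}")
    return element_shape_unpatched(element_shape)


def safe_element_shape(element_shape):
    """Caller-side guard for untrusted shape input on a build that cannot yet be
    upgraded: returns (ok, shape_or_message) and never lets the process abort."""
    try:
        return True, element_shape_patched(element_shape)
    except InvalidArgument as exc:
        return False, str(exc)
```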
Mitigation and Prevention
Immediate Steps to Take
It is recommended to update TensorFlow to version 2.10.0, which includes a patch for this vulnerability. For versions 2.9.1, 2.8.1, and 2.7.2, patches have been cherry-picked to address the issue.
Long-Term Security Practices
Regularly update TensorFlow to the latest version to ensure protection against known vulnerabilities.
Patching and Updates
Stay informed about security advisories and apply patches promptly to mitigate the risk of exploitation.