CVE-2022-23587 TensorFlow is an Open Source Machine Learning Framework. The Grappler component is vulnerable to an integer overflow during cost estimation for crop and resize.

The fix will be integrated into Grappler in TensorFlow 2.8.0. We recommend users to upgrade to this version as soon as it is released. In the meantime, you can disable the functionality that is susceptible to integer overflow, by setting the parameter “unbounded” to true. This can be done by adding the line:
This can be done by adding the line: to the constants.py file.

Dependencies and prerequisites

We recommend users to upgrade to a later version of Grappler in TensorFlow 2.8.0, which fixes this issue.
The fix will be integrated into Grappler in TensorFlow 2.8.0, which we recommend users to upgrade to.
In the meantime, you can disable the functionality that is susceptible to integer overflow by setting the parameter “unbounded” to true. This can be done by adding the line:
to the constants.py file.

Timeline

Published on: 02/04/2022 23:15:00 UTC
Last modified on: 02/10/2022 17:38:00 UTC

References

• https://github.com/tensorflow/tensorflow/commit/0aaaae6eca5a7175a193696383f582f53adab23f
• https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/grappler/costs/op_level_cost_estimator.cc#L2621-L2689
• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-8jj7-5vxc-pg2q
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23587