The best way to avoid this issue is to do a complete code audit and make sure that all NodeDefs have op names. This is especially important for internal NodeDefs.

How do I find out which NodeDefs have op names?

If you have a NodeDef, you can use the following command to find out what op names it has:
Node.opNames
If your NodeDef does not have an op name, you should make sure that it is internal. This is because external NodeDefs are usually made public and will have an op name. Internal NodeDefs are not exposed to the public and do not need to be named.
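The audit step described above, as an added example that is not code from the original page or from any project it describes: the nodes are constructed Python dicts mirroring the NodeDef fields `name`, `op` and `input`, and the `^`/`:N` input conventions are assumed from the NodeDef format, so it runs offline without TensorFlow.

```python
# Added example: audit a GraphDef-like structure for NodeDefs that lack an
# op name, and for inputs that reference nodes not present in the graph.
from typing import Dict, Iterable, List

# Constructed sample graph: one node has an empty op, one has no "op" key,
# and one carries a control input that points at a node that does not exist.
SAMPLE_NODES: List[Dict] = [
    {"name": "x", "op": "Placeholder", "input": []},
    {"name": "w", "op": "Const", "input": []},
    {"name": "mul", "op": "", "input": ["x", "w"]},           # empty op name
    {"name": "out", "input": ["mul"]},                       # op field missing
    {"name": "bias", "op": "Const", "input": ["^missing"]},  # dangling control input
]


def nodes_without_op(nodes: Iterable[Dict]) -> List[str]:
    """Return the names of NodeDefs whose op name is absent or empty."""
    return [n.get("name", "<unnamed>") for n in nodes if not n.get("op")]


def dangling_inputs(nodes: List[Dict]) -> Dict[str, List[str]]:
    """Map node name -> inputs that reference no node in the graph.

    Assumed NodeDef input syntax: an optional leading '^' marks a control
    dependency and an optional ':N' suffix selects an output index; both
    are stripped before the name lookup.
    """
    known = {n["name"] for n in nodes}
    result: Dict[str, List[str]] = {}
    for n in nodes:
        bad = []
        for inp in n.get("input", []):
            ref = inp.lstrip("^").split(":", 1)[0]
            if ref not in known:
                bad.append(inp)
        if bad:
            result[n["name"]] = bad
    return result


def audit(nodes: List[Dict]) -> bool:
    """True only when every node has an op name and every input resolves."""
    return not nodes_without_op(nodes) and not dangling_inputs(nodes)


if __name__ == "__main__":
    print("missing op:", nodes_without_op(SAMPLE_NODES))
    print("dangling inputs:", dangling_inputs(SAMPLE_NODES))
```

Run the module directly to list the offending nodes, or call `audit()` from a test to fail the build when the graph is not clean.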

Drop privileges to avoid “noupable” errors

Many developers make the mistake of not taking preventative measures against CVE-2022-36013. This can be fixed by simply dropping privileges to avoid “noupable” errors.
One example of this is a NodeDef that was meant to be private but was never closed off from other users. If you drop privileges on that NodeDef, it will no longer allow any user access to it, which protects your application from this vulnerability.

References

- https://www.quora.com/Why-is-use-of-NodeDefs-in-an-internal-function-confusing

Using the NodeDefs in an internal function can be confusing for developers and lead to bugs like CVE-2022-36013

Timeline

Published on: 09/16/2022 23:15:00 UTC
Last modified on: 09/20/2022 14:40:00 UTC
