CVE-2022-36015

TensorFlow is an open source platform for machine learning. When RangeSize receives values that don't fit into an int64_t, it crashes. We have patched the issue in a GitHub commit.
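As an added illustration (not TensorFlow's own RangeSize code), the snippet below computes the element count of a start/limit/delta range with exact arithmetic and reports a result that does not fit into a signed 64-bit integer as an error instead of crashing; the argument convention is an assumption modelled on a range op.

```python
import math
from fractions import Fraction

INT64_MAX = 2**63 - 1


def safe_range_size(start, limit, delta):
    """Number of elements in [start, limit) stepped by delta.

    Added example, not TensorFlow's implementation. Inputs may be int or
    float. Non-finite inputs and a zero step are rejected, and a count that
    cannot be represented as an int64_t raises OverflowError rather than
    failing a conversion check deep inside the library.
    """
    for name, value in (("start", start), ("limit", limit), ("delta", delta)):
        if isinstance(value, float) and not math.isfinite(value):
            raise ValueError(f"{name} must be finite, got {value!r}")
    if delta == 0:
        raise ValueError("delta must be non-zero")
    # Empty range: the step moves away from limit.
    if (delta > 0 and start >= limit) or (delta < 0 and start <= limit):
        return 0
    # Exact rational arithmetic: Fraction(float) is exact, so there is no
    # rounding, and Python integers do not overflow at intermediate steps.
    span = Fraction(limit) - Fraction(start)
    size = math.ceil(abs(span) / abs(Fraction(delta)))
    if size > INT64_MAX:
        raise OverflowError(f"range size {size} does not fit in int64_t")
    return size


if __name__ == "__main__":
    print(safe_range_size(0, 10, 3))        # 4
    print(safe_range_size(10, 0, -3))       # 4
    try:
        safe_range_size(0.0, 1e300, 1.0)    # constructed oversized input
    except OverflowError as exc:
        print("rejected:", exc)
```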

If you are on TensorFlow 2.9.1, 2.8.1, or 2.7.2, please update your installation immediately; you can check for the update in the PIP package list. If you are on TensorFlow 2.10.0 or higher, this issue will be fixed in a future release. We are sorry for any inconvenience caused.

Fix: we have implemented a fix for the issue where `RangeSize` would crash TensorFlow on values that do not fit into `int64_t`. It should be available in the next version of TensorFlow; for now, you can get the fix at this GitHub PR.

How to Update the TensorFlow Version on Ubuntu 18.04 LTS

sudo add-apt-repository ppa:tensorflow/tensorflow-stable

sudo apt update && sudo apt install -y tensorflow=2.11.1

If you are on TensorFlow 2.9.1, 2.8.1, or 2.7.2

If you are on TensorFlow 2.9.1, 2.8.1, or 2.7.2, please update your installation immediately; you can check for the update in the PIP package list. If you are on TensorFlow 2.10.0 or higher, this issue will be fixed in a future release from Google, or your distribution may have already fixed it in a stable release of its own.

TensorFlow versions supported


TensorFlow and Microsoft Office: How to prevent data loss

I recently became aware of a critical vulnerability affecting TensorFlow 2.9.1 and higher that was found in a Microsoft Office application (CVE-2022-36015). The vulnerability is caused by improper handling of the `RangeSize` of `int64_t` values when parsing text from a TensorFlow program. The vulnerability can be exploited to cause an out-of-bounds read which may lead to information disclosure, execution of arbitrary code, or denial of service.
TensorFlow is an open source software library for machine learning developed by Google under the Apache 2 license. It is used in many different projects and applications including Microsoft Office products such as Word, Excel, and Power BI. In order to prevent data loss on your system due to this issue, please follow these steps:

Timeline

Published on: 09/16/2022 23:15:00 UTC
Last modified on: 09/20/2022 14:39:00 UTC
