If you are running any of these versions, we suggest you upgrade to TensorFlow 2.10.0. We are not aware of any mitigations or workarounds. An updated version of TensorFlow (2.10.0) was released yesterday. This release has a potential security vulnerability that can lead to denial-of-service attacks.
This vulnerability has been patched in TensorFlow 2.10.0. If you are running any of these versions, we suggest you upgrade to TensorFlow 2.10.0 as soon as possible. You can update your installation by running `pip install --upgrade tensorflow`. Alternatively, you can download the source code from GitHub and run `make upgrade` to upgrade from the version released on January 30. To upgrade on Linux, run `sudo make install-x86_64` instead. In a nutshell, this vulnerability has been reported to allow a malicious user to crash a TensorFlow instance running on Google Cloud Platform. In order to exploit this vulnerability, a malicious user must first send a tensor of a non-zero size. If `Requantize` is given `input_min`, `input_max`, `requested_output_min`, `requested_output_max` tensors of a non-zero

Installing TensorFlow from source on Unix-like systems

You can download the source code from GitHub and run `make upgrade` to upgrade from the version released on January 30. To update from a previous version, run `sudo make install-x86_64` on Linux or `sudo make install-i386` on MacOSX instead of their default installation methods.
If you are not familiar with installing from source, please follow these instructions for Unix-like systems:

What you need to know before upgrading to TensorFlow 2.10.0

The following is a list of key things you need to know before upgrading to TensorFlow 2.10.0 and beyond:

- If you are running any of these versions, we suggest you upgrade to TensorFlow 2.10.0 as soon as possible:
- When upgrading from a version prior to 2.9, `Requantize` will return an error claiming that the input and output tensors have incompatible shapes if they do not conform to the shape specified in the parameters or have a value of 0 in the last dimension.
- You can install TensorFlow using `pip install --upgrade tensorflow` on Linux or `pip3 install --upgrade tensorflow` on macOS or Windows 10
- To upgrade on Linux, run `sudo make install-x86_64` instead

Version of TensorFlow you are running

The vulnerability can lead to denial-of-service attacks: in a nutshell, it has been reported to allow a malicious user to crash a TensorFlow instance running on Google Cloud Platform. In order to exploit this vulnerability, a malicious user must first send a tensor of a non-zero size, then call `Requantize` with `input_min` and `input_max` tensors of zero size and `requested_output_min` and `requested_output_max` tensors of zero size:

What is TensorFlow?

TensorFlow is an open-source software library for numerical computation using data flow graphs. The system comes with two APIs, one of them allowing the developer to write code in a functional style and the other one allowing execution of programs written in either Python or C++.
The library itself consists of multiple modules with different functionality: Tensors, which are multi-dimensional arrays of data; Graphs and Sessions, which manage the computation graph; Estimators and RNNs, which provide efficient implementations for neural networks; and Protobuf, an efficient way to serialize data used by TensorFlow.

Timeline

Published on: 09/16/2022 23:15:00 UTC
Last modified on: 09/20/2022 14:38:00 UTC
