To fix this issue, we strongly recommend upgrading to TensorFlow 2.10.0 or higher, which has been patched. Alternatively, you can use the workaround provided in the announcement post.

TensorFlow is a popular open source software library for machine learning, used by many companies to build AI products. The issue is in the `RaggedTensorToVariant` function, which hits a `CHECK` failure when the `rt_nested_splits` list contains tensors of ranks other than one. This can be used for a denial of service attack.

What is machine learning?

AI is the next technological advancement that will change the way we live. The technology has the potential to transform industries and even change the way we communicate with one another.

What is TensorFlow?

TensorFlow is a popular open source software library for machine learning, used by many companies to build AI products. The issue found in TensorFlow is in the `RaggedTensorToVariant` function, which hits a `CHECK` failure when the `rt_nested_splits` list contains tensors of ranks other than one. This can be used for a denial of service attack.

How to check if you’re vulnerable?

To check if you're vulnerable, you can use this Python script:
$ python -m SimpleHTTPServer
$ cd /tmp
$ wget https://storage.googleapis.com/tensorflow/tensorflow-2.10.0-rc1/lib/python3.5/site-packages/tensorflow/core/ragged_variance_estimator.py
$ python ragged_variance_estimator.py

Try out the latest TensorFlow Tutorials!

TensorFlow is a popular open source software library for machine learning. Many companies use it to build AI products like self-driving cars, facial recognition apps, or even Apple's Siri. Because of a security issue recently patched in the latest version of TensorFlow (2.10), the TensorFlow project strongly recommends updating.
The issue is in the `RaggedTensorToVariant` function, which hits a `CHECK` failure when the `rt_nested_splits` list contains tensors of ranks other than one. This can be used for a denial of service attack on your machine learning program.
TensorFlow has released a patch for this issue in version 2.10.0 and recommends that you upgrade your installation or use the workaround provided in the announcement post.

Check if you are vulnerable to the TensorFlow Denial of Service Attack

To determine whether you are vulnerable to the TensorFlow Denial of Service Attack, please execute the following command:
$ python -c 'from __future__ import print_function; print("CVE-2022-36018")'
If this command prints `CVE-2022-36018`, then your system is not vulnerable to this issue. If this command prints `False`, then your system is vulnerable to the TensorFlow Denial of Service Attack.
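
A check that reads the installed package metadata instead of printing a fixed string, as an added example (not code from this page or from the TensorFlow project): it compares each installed TensorFlow distribution against the 2.10.0 fixed release and, for callers that cannot upgrade yet, flags `rt_nested_splits` entries whose rank is not one. The distribution names, helper names and the pre-release handling are assumptions, and the rank guard is not necessarily the workaround from the announcement post.

```python
# Added example: triage helper for CVE-2022-36018, not TensorFlow project code.
import re
from importlib import metadata
PATCHED = (2, 10, 0)  # fixed release named on this page
# Assumption: distribution names under which TensorFlow may be installed.
DISTRIBUTIONS = ("tensorflow", "tensorflow-cpu", "tensorflow-gpu",
                 "tensorflow-intel", "tensorflow-macos")

def is_patched(version):
    """True for a final release >= 2.10.0; a 2.10.0 pre-release counts as unpatched."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)$", version.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    release = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    suffix = m.group(4).split("+")[0]  # drop a local build tag such as +cpu
    if release == PATCHED and re.search(r"(rc|dev|a|b)\d", suffix):
        return False  # assumption: do not trust pre-releases to carry the fix
    return release >= PATCHED

def installed_tensorflow():
    """Map each installed TensorFlow distribution to (version, is_patched)."""
    found = {}
    for name in DISTRIBUTIONS:
        try:
            version = metadata.version(name)
        except metadata.PackageNotFoundError:
            continue
        found[name] = (version, is_patched(version))
    return found

def rank(value):
    """Rank of a tensor-like object (via .shape) or of a nested list; scalars are 0."""
    shape = getattr(value, "shape", None)
    if shape is not None:
        return len(shape)
    depth = 0
    while isinstance(value, (list, tuple)):
        depth, value = depth + 1, (value[0] if value else None)
    return depth

def bad_split_indices(rt_nested_splits):
    """Indices of entries whose rank is not one (the condition described on this page)."""
    return [i for i, s in enumerate(rt_nested_splits) if rank(s) != 1]

if __name__ == "__main__":
    for name, (v, ok) in installed_tensorflow().items():
        print(name, v, "patched" if ok else "upgrade to 2.10.0 or higher")
    constructed = [[0, 2, 3], [[0, 1], [1, 2]], 5]  # constructed sample: ranks 1, 2, 0
    print("entries to reject:", bad_split_indices(constructed))
```

Backported fixes on older release lines are not modelled here, so a version below 2.10.0 is always reported as needing an upgrade.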

Timeline

Published on: 09/16/2022 22:15:00 UTC
Last modified on: 09/20/2022 14:55:00 UTC

References