CVE-2022-41897 - Critical Vulnerability in TensorFlow's FractionMaxPoolGrad Function Results in Crash

A critical vulnerability has been identified in TensorFlow, an open-source platform for machine learning that could lead to a crash if the FractionMaxPoolGrad function is given outsize input values for row_pooling_sequence and col_pooling_sequence. The TensorFlow team has successfully patched the issue in the GitHub commit d71090c3e5ca325bdf4b02eb236cfb3ee823e927, which will be included in TensorFlow 2.11. The patch will also be backported to TensorFlow 2.10.1, 2.9.3, and 2.8.4, as these versions are within the supported range and have been confirmed to be affected.

Body

TensorFlow is a popular open-source platform designed for machine learning, and it has recently come to light that there is a critical vulnerability (CVE-2022-41897) that could lead to a crash. The vulnerability exists in the FractionMaxPoolGrad function, specifically when it is supplied with outsize inputs for the row_pooling_sequence and col_pooling_sequence.

The problematic code snippet

def FractionMaxPoolGrad(op, grad):
    grid = op.inputs[]
    batch_size, height, width, channels = array_ops.shape_n([grid])[]
    row_pooling_sequence, col_pooling_sequence = op.inputs[1:3]

    # Vulnerable code here - Outsize inputs may crash TensorFlow

Upon discovering this vulnerability, the TensorFlow team took the initiative to patch it. The patch can be found in the following GitHub commit: d71090c3e5ca325bdf4b02eb236cfb3ee823e927.

To provide a more comprehensive solution, the team has decided to include the fix not only in TensorFlow 2.11 but also backport it to previous versions that are still supported, such as 2.10.1, 2.9.3, and 2.8.4, as they have been confirmed to be affected by the vulnerability.

Exploit Details

The vulnerability's main concern is how outsize input values for row_pooling_sequence and col_pooling_sequence could cause TensorFlow to crash when using the FractionMaxPoolGrad function. The team's decision to patch this issue focuses on providing a more robust and secure platform for the machine learning community.

For end-users, the primary takeaway is the importance of updating to the latest TensorFlow version or implementing the patched versions (TensorFlow 2.11, 2.10.1, 2.9.3, and 2.8.4) when they become available, thereby minimizing the risk of being impacted by any potential exploit related to CVE-2022-41897.

Conclusion

In conclusion, CVE-2022-41897 highlights the need for regular security updates and patches in the open-source community. As the TensorFlow team has demonstrated, addressing vulnerabilities proactively can save users from potential crashes and other service disruptions. This case underscores the importance of regular software maintenance and user vigilance when it comes to updating platforms with essential patches. Stay tuned for the release of TensorFlow 2.11 and the backported fixes for 2.10.1, 2.9.3, and 2.8.4 to ensure your TensorFlow environment remains stable and secure.

Timeline

Published on: 11/18/2022 22:15:00 UTC
Last modified on: 11/22/2022 19:34:00 UTC