CVE-2021-29516
Null pointer dereference via invalid Ragged Tensors
Description
TensorFlow is an end-to-end open source platform for machine learning. Calling `tf.raw_ops.RaggedTensorToVariant` with arguments specifying an invalid ragged tensor results in a null pointer dereference. The implementation of `RaggedTensorToVariant` operations (https://github.com/tensorflow/tensorflow/blob/904b3926ed1c6c70380d5313d282d248a776baa1/tensorflow/core/kernels/ragged_tensor_to_variant_op.cc#L39-L40) does not validate that the ragged tensor argument is non-empty. Since `batched_ragged` contains no elements, `batched_ragged.splits` is a null vector, thus `batched_ragged.splits(0)` will result in dereferencing `nullptr`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
How to fix CVE-2021-29516
To remediate CVE-2021-29516, upgrade the affected package to a fixed version below.
- upgrade to 2.1.4 or later
- upgrade to 2.1.4 or later
- upgrade to b055b9c474cd376259dde8779908f9eeaf097d93 or later
- upgrade to b055b9c474cd376259dde8779908f9eeaf097d93 or later
- upgrade to 2.1.4 or later
- upgrade to b055b9c474cd376259dde8779908f9eeaf097d93 or later
- upgrade to 2.1.4 or later
Is CVE-2021-29516 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (7)
- from 0, < 2.1.4, >= 2.2.0, < 2.2.3, >= 2.3.0, < 2.3.3, >= 2.4.0, < 2.4.2
- from 0, < 2.1.4
- from 0, < b055b9c474cd376259dde8779908f9eeaf097d93 | from 0, < 2.1.4, >= 2.2.0, < 2.2.3, >= 2.3.0, < 2.3.3, >= 2.4.0, < 2.4.2
- from 0, < b055b9c474cd376259dde8779908f9eeaf097d93 | from 0, < 2.1.4, >= 2.2.0, < 2.2.3, >= 2.3.0, < 2.3.3, >= 2.4.0, < 2.4.2
- from 0, < 2.1.4
- from 0, < b055b9c474cd376259dde8779908f9eeaf097d93 | from 0, < 2.1.4, >= 2.2.0, < 2.2.3, >= 2.3.0, < 2.3.3, >= 2.4.0, < 2.4.2
- from 0, < 2.1.4
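The multi-branch range string in the list above is easy to misread as "anything at or above 2.1.4 is fixed", which is wrong for the 2.2.x, 2.3.x and 2.4.x branches. The following is an added example, not part of the advisory or of TensorFlow: it parses that notation into half-open intervals and reports the first fixed release on the same branch. The function names are hypothetical, and ignoring pre-release or local suffixes such as `rc0` or `+cpu` is an assumption.

```python
import re

# Range string copied verbatim from the "Affected packages" list on this page.
AFFECTED = "from 0, < 2.1.4, >= 2.2.0, < 2.2.3, >= 2.3.0, < 2.3.3, >= 2.4.0, < 2.4.2"


def parse_version(text):
    """Turn '2.4.1' into (2, 4, 1). Assumption: suffixes like 'rc0' are ignored."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def parse_ranges(spec):
    """Parse 'from A, < B, >= C, < D, ...' into half-open [low, high) intervals."""
    intervals, low = [], None
    for token in (t.strip() for t in spec.split(",")):
        if token.startswith("from "):
            low = parse_version(token[5:])
        elif token.startswith(">="):
            low = parse_version(token[2:])
        elif token.startswith("<"):
            if low is None:
                raise ValueError(f"upper bound without a lower bound: {token!r}")
            intervals.append((low, parse_version(token[1:])))
            low = None
        else:
            raise ValueError(f"unexpected token: {token!r}")
    if low is not None:
        raise ValueError("range has no upper bound, so no fixed version is listed")
    return intervals


def minimum_fixed(version, spec=AFFECTED):
    """Return the first fixed release for an affected version, else None."""
    v = parse_version(version)
    for low, high in parse_ranges(spec):
        if low <= v < high:
            return ".".join(str(n) for n in high)
    return None


def is_affected(version, spec=AFFECTED):
    return minimum_fixed(version, spec) is not None
```

Pass it the installed version string, for example the value of `tensorflow.__version__`.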
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | LOW 2.5 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L |
References (6)
- ADVISORY nvd.nist.gov/vuln/detail/CVE-2021-29516
- WEB github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-444.yaml
- WEB github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-642.yaml
- WEB github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-153.yaml