CVE-2021-29611
Incomplete validation in `SparseReshape`
Description
TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in `SparseReshape` results in a denial of service based on a `CHECK`-failure. The implementation (https://github.com/tensorflow/tensorflow/blob/e87b51ce05c3eb172065a6ea5f48415854223285/tensorflow/core/kernels/sparse_reshape_op.cc#L40) has no validation that the input arguments specify a valid sparse tensor, so a caller who can hand arbitrary tensors to the op (for example through a serving path that forwards untrusted input) hits a `CHECK`, which aborts the whole process, instead of an `InvalidArgument` error the caller could catch. The fix will be included in TensorFlow 2.5.0. We will also cherry-pick this commit on TensorFlow 2.4.2 and TensorFlow 2.3.3, as these are the only affected versions (the affected ranges listed below also cover the 2.1 and 2.2 branches, fixed in 2.1.4 and 2.2.3).
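The validation the description says the kernel lacked, as an added example (this is not TensorFlow's code and not the fix commit): a caller-side check that the `(indices, values, dense_shape)` triple and the target shape are well-formed before they are passed to `tf.sparse.reshape` on an affected version, plus a reference reshape showing what a valid call computes. Tensors are modelled as nested Python lists so the example runs without TensorFlow; the function names, error messages and sample inputs are this example's own.

```python
"""Caller-side validation for the (indices, values, dense_shape) triple that
tf.sparse.reshape forwards to the SparseReshape kernel.

Added example; not TensorFlow's code.  It models what a valid COO sparse
tensor and a valid target shape look like, so that a service running an
affected TensorFlow can reject malformed input with a catchable error
before the kernel reaches a CHECK (which aborts the process).  Tensors are
plain nested lists here; the error messages are this example's own.
"""
from math import prod


def validate_sparse(indices, values, dense_shape):
    """Return the rank R of a valid COO sparse tensor: dense_shape is a rank-1
    vector of R non-negative ints, indices is a rank-2 N x R int matrix with
    every entry in bounds, and values has exactly N entries."""
    if not isinstance(dense_shape, list) or not all(
        isinstance(d, int) and d >= 0 for d in dense_shape
    ):
        raise ValueError("dense_shape must be a vector of non-negative ints")
    rank = len(dense_shape)
    if not isinstance(indices, list) or not all(
        isinstance(row, list) and len(row) == rank for row in indices
    ):
        raise ValueError(f"indices must be an N x {rank} matrix")
    if not isinstance(values, list) or len(values) != len(indices):
        raise ValueError("values must have one entry per index row")
    for row in indices:
        for axis, (i, d) in enumerate(zip(row, dense_shape)):
            if not isinstance(i, int) or not 0 <= i < d:
                raise ValueError(f"index {row} out of bounds on axis {axis}")
    return rank


def resolve_target_shape(dense_shape, target_shape):
    """Return the concrete output shape: target_shape must be a rank-1 int
    vector with at most one -1 placeholder, and its element count must match
    dense_shape once the placeholder is filled in."""
    if not isinstance(target_shape, list) or not all(
        isinstance(d, int) and d >= -1 for d in target_shape
    ):
        raise ValueError("target_shape must be a vector of ints >= -1")
    unknown = [ax for ax, d in enumerate(target_shape) if d == -1]
    if len(unknown) > 1:
        raise ValueError("at most one dimension of target_shape may be -1")
    dense_size = prod(dense_shape)
    known = prod(d for d in target_shape if d != -1)
    resolved = list(target_shape)
    if unknown:
        if known == 0 or dense_size % known:
            raise ValueError("cannot infer the -1 dimension")
        resolved[unknown[0]] = dense_size // known
    elif known != dense_size:
        raise ValueError(f"element count {known} != {dense_size}")
    return resolved


def _row_major_strides(shape):
    """Strides for row-major (C order) linearisation, e.g. [2,3,4] -> [12,4,1]."""
    strides = [1] * len(shape)
    for ax in range(len(shape) - 2, -1, -1):
        strides[ax] = strides[ax + 1] * shape[ax + 1]
    return strides


def sparse_reshape(indices, values, dense_shape, target_shape):
    """Reference reshape: validate, then map each index through its row-major
    flat position into the target shape.  Values are carried over unchanged."""
    validate_sparse(indices, values, dense_shape)
    out_shape = resolve_target_shape(dense_shape, target_shape)
    in_strides = _row_major_strides(dense_shape)
    out_strides = _row_major_strides(out_shape)
    out_indices = []
    for row in indices:
        flat = sum(i * s for i, s in zip(row, in_strides))
        out_row = []
        for s in out_strides:
            out_row.append(flat // s)
            flat %= s
        out_indices.append(out_row)
    return out_indices, list(values), out_shape


def rejects(*args):
    """True if sparse_reshape raises ValueError for these arguments, i.e. the
    malformed input is stopped before it could reach the kernel."""
    try:
        sparse_reshape(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed 2x3 sparse tensor with two non-zeros, reshaped to 3x2.
    print(sparse_reshape([[0, 0], [1, 2]], [10, 20], [2, 3], [3, 2]))
    # Malformed triples of the kind an unvalidated kernel would not reject:
    print(rejects([0, 5], [10, 20], [2, 3], [3, 2]))   # indices is a vector, not a matrix
    print(rejects([[0, 0]], [10], 6, [3, 2]))          # dense_shape is a scalar
    print(rejects([[0, 0]], [10], [2, 3], [[3, 2]]))   # target_shape is a matrix
```

The three `rejects` calls at the bottom are the shapes of input that matter for this advisory: each is rejected here with a `ValueError`, whereas an affected kernel that trusts the ranks of its arguments has no catchable error path for them. In a serving process, this kind of check belongs at the boundary where untrusted tensors enter, not inside the model code.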
How to fix CVE-2021-29611
To remediate CVE-2021-29611, upgrade the affected package to a fixed version below. Pick the fixed release on the branch you are running; the backport landed on every branch from 2.1 to 2.4, and source builds need the fix commit.
- upgrade to 2.1.4 or later on the 2.1 branch
- upgrade to 2.2.3 or later on the 2.2 branch
- upgrade to 2.3.3 or later on the 2.3 branch
- upgrade to 2.4.2 or later on the 2.4 branch
- for source builds, upgrade to commit 1d04d7d93f4ed3854abf75d6b712d72c3f70d6b6 or later
Is CVE-2021-29611 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (7)
- < 2.1.4; >= 2.2.0, < 2.2.3; >= 2.3.0, < 2.3.3; >= 2.4.0, < 2.4.2
- >= 2.3.0, < 2.3.3
- git: before 1d04d7d93f4ed3854abf75d6b712d72c3f70d6b6 | versions: < 2.1.4; >= 2.2.0, < 2.2.3; >= 2.3.0, < 2.3.3; >= 2.4.0, < 2.4.2
- git: before 1d04d7d93f4ed3854abf75d6b712d72c3f70d6b6 | versions: < 2.1.4; >= 2.2.0, < 2.2.3; >= 2.3.0, < 2.3.3; >= 2.4.0, < 2.4.2
- >= 2.3.0, < 2.3.3
- git: before 1d04d7d93f4ed3854abf75d6b712d72c3f70d6b6 | versions: < 2.1.4; >= 2.2.0, < 2.2.3; >= 2.3.0, < 2.3.3; >= 2.4.0, < 2.4.2
- >= 2.3.0, < 2.3.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | Low (3.6) | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L |