CVE-2021-37664
Heap OOB in boosted trees in TensorFlow
Description
TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can read from outside of bounds of heap allocated data by sending specially crafted illegal arguments to `BoostedTreesSparseCalculateBestFeatureSplit`. The [implementation](https://github.com/tensorflow/tensorflow/blob/84d053187cb80d975ef2b9684d4b61981bca0c41/tensorflow/core/kernels/boosted_trees/stats_ops.cc) needs to validate that each value in `stats_summary_indices` is in range. We have patched the issue in GitHub commit e84c975313e8e8e38bb2ea118196369c45c51378. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
How to fix CVE-2021-37664
To remediate CVE-2021-37664, upgrade the affected package to a fixed version below.
- —upgrade to 2.3.4 or later
- —upgrade to 2.3.4 or later
- —upgrade to e84c975313e8e8e38bb2ea118196369c45c51378 or later
- —upgrade to e84c975313e8e8e38bb2ea118196369c45c51378 or later
- —upgrade to 2.3.4 or later
- —upgrade to e84c975313e8e8e38bb2ea118196369c45c51378 or later
- —upgrade to 2.3.4 or later
Is CVE-2021-37664 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (7)
- >= 2.3.0, < 2.3.4, >= 2.4.0, < 2.4.3, >= 2.5.0, < 2.5.1
- from 0, < 2.3.4
- from 0, < e84c975313e8e8e38bb2ea118196369c45c51378 | >= 2.3.0, < 2.3.4, >= 2.4.0, < 2.4.3
- from 0, < e84c975313e8e8e38bb2ea118196369c45c51378 | >= 2.3.0, < 2.3.4, >= 2.4.0, < 2.4.3
- from 0, < 2.3.4
- from 0, < e84c975313e8e8e38bb2ea118196369c45c51378 | >= 2.3.0, < 2.3.4, >= 2.4.0, < 2.4.3
- from 0, < 2.3.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH7.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H |