CVE-2021-37670
Heap OOB in `UpperBound` and `LowerBound` in TensorFlow
Description
TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can read from outside of bounds of heap allocated data by sending specially crafted illegal arguments to `tf.raw_ops.UpperBound`. The [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/core/kernels/searchsorted_op.cc#L85-L104) does not validate the rank of `sorted_input` argument. A similar issue occurs in `tf.raw_ops.LowerBound`. We have patched the issue in GitHub commit 42459e4273c2e47a3232cc16c4f4fff3b3a35c38. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
How to fix CVE-2021-37670
To remediate CVE-2021-37670, upgrade the affected package to a fixed version below.
- —upgrade to 2.3.4 or later
- —upgrade to 2.3.4 or later
- —upgrade to 42459e4273c2e47a3232cc16c4f4fff3b3a35c38 or later
- —upgrade to 42459e4273c2e47a3232cc16c4f4fff3b3a35c38 or later
- —upgrade to 2.3.4 or later
- —upgrade to 42459e4273c2e47a3232cc16c4f4fff3b3a35c38 or later
- —upgrade to 2.3.4 or later
Is CVE-2021-37670 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (7)
- >= 2.3.0, < 2.3.4, >= 2.4.0, < 2.4.3, >= 2.5.0, < 2.5.1
- from 0, < 2.3.4
- from 0, < 42459e4273c2e47a3232cc16c4f4fff3b3a35c38 | >= 2.3.0, < 2.3.4, >= 2.4.0, < 2.4.3
- from 0, < 42459e4273c2e47a3232cc16c4f4fff3b3a35c38 | >= 2.3.0, < 2.3.4, >= 2.4.0, < 2.4.3
- from 0, < 2.3.4
- from 0, < 42459e4273c2e47a3232cc16c4f4fff3b3a35c38 | >= 2.3.0, < 2.3.4, >= 2.4.0, < 2.4.3
- from 0, < 2.3.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |