CVE-2022-35972 in TensorFlow
Summary
by MITRE • 09/17/2022
TensorFlow is an open source platform for machine learning. If `QuantizedBiasAdd` is given `min_input`, `max_input`, `min_bias`, `max_bias` tensors of a nonzero rank, it results in a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 785d67a78a1d533759fcd2f5e8d6ef778de849e0. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.
Analysis
by VulDB Data Team • 10/19/2022
The vulnerability identified as CVE-2022-35972 affects TensorFlow, a widely used open source machine learning platform that serves as the foundation for numerous artificial intelligence applications across industries. The issue lies in the QuantizedBiasAdd operation within TensorFlow's quantization framework, which is designed to reduce model size and computational requirements while maintaining acceptable accuracy levels. The flaw manifests when QuantizedBiasAdd receives tensors of non-zero rank for the minimum and maximum values of both the input and bias parameters, creating a critical stability issue that can be exploited by malicious actors.
The vulnerability stems from inadequate validation in the QuantizedBiasAdd function's tensor handling logic. When the function processes tensors with non-zero rank for the min_input, max_input, min_bias, and max_bias parameters, it fails to validate the tensor dimensions before proceeding with calculations. This leads to a segmentation fault (segfault), which occurs when the program attempts to access memory it is not permitted to access. The underlying cause aligns with CWE-125, which describes out-of-bounds read vulnerabilities, and CWE-248, which covers uncaught exceptions. The flaw is a classic case of improper input validation where the system assumes certain tensor properties without verification, leading to memory corruption during execution.
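The kind of rank check this paragraph describes as missing, shown as an added illustration in pure Python; it is not TensorFlow's code and not the patch itself. Nested lists stand in for tensors, and `rank` and `validate_range_args` are hypothetical helper names.

```python
# Added illustration: pure-Python stand-in for a rank check; not TensorFlow source.
from numbers import Real

# Argument names as listed in the advisory text.
RANGE_ARGS = ("min_input", "max_input", "min_bias", "max_bias")


def rank(value):
    """Return the rank (number of dimensions) of a nested-list value.

    Scalars have rank 0. Ragged or mixed nesting raises ValueError.
    """
    if isinstance(value, Real) and not isinstance(value, bool):
        return 0
    if isinstance(value, (list, tuple)):
        if not value:
            return 1  # empty vector, shape (0,): still not a scalar
        child_ranks = {rank(v) for v in value}
        if len(child_ranks) != 1:
            raise ValueError("ragged or mixed nesting")
        return 1 + child_ranks.pop()
    raise ValueError(f"unsupported value type: {type(value).__name__}")


def validate_range_args(kwargs):
    """Collect every problem with the four range arguments; [] means OK."""
    problems = []
    for name in RANGE_ARGS:
        if name not in kwargs:
            problems.append(f"{name}: missing")
            continue
        try:
            r = rank(kwargs[name])
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if r != 0:
            problems.append(f"{name}: must be rank 0, got rank {r}")
    return problems


# Constructed sample requests (not taken from the advisory).
GOOD = {"min_input": 0.0, "max_input": 6.0, "min_bias": -1.0, "max_bias": 1.0}
BAD = {"min_input": [0.0], "max_input": 6.0, "min_bias": [[-1.0]], "max_bias": []}

if __name__ == "__main__":
    print(validate_range_args(GOOD))
    print(validate_range_args(BAD))
```

Rejecting the request and reporting every offending argument at once gives the caller an error instead of a crashed process, which is the behavioural difference between the unpatched and patched operation as the advisory describes it.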
The operational impact of this vulnerability extends beyond simple system instability, creating significant security implications for organizations relying on TensorFlow implementations. An attacker who can control the inputs to QuantizedBiasAdd could trigger a denial of service attack that crashes the application or system processing machine learning workloads. This affects not only individual users but also enterprise environments where TensorFlow serves as a core component of AI infrastructure, potentially disrupting critical machine learning pipelines, model training processes, and inference systems. The vulnerability's exploitation requires knowledge of the specific TensorFlow API and tensor parameter structures, making it more sophisticated than typical buffer overflow attacks but still potentially exploitable in environments where untrusted inputs are processed through machine learning workflows.
The TensorFlow team remediated the issue with a targeted fix in GitHub commit 785d67a78a1d533759fcd2f5e8d6ef778de849e0, which addresses the root cause by adding proper tensor rank validation before the problematic calculations occur. This fix has been incorporated into the upcoming TensorFlow 2.10.0 release and has been backported to older supported versions including TensorFlow 2.9.1, 2.8.1, and 2.7.2, demonstrating the severity of the issue across multiple release lines. The absence of known workarounds means that organizations cannot mitigate this vulnerability through configuration changes or alternative implementation approaches, making the software update the only reliable solution. From a threat modeling perspective, this vulnerability aligns with ATT&CK technique T1499.004, which covers network denial of service attacks, and is a critical concern where attackers seek to disrupt machine learning infrastructure. Organizations should prioritize patching this vulnerability because it is a potential vector for compromising system availability in AI-dependent environments, particularly in sectors where continuous operation of machine learning services is critical for business continuity.