CVE-2022-35989 in TensorFlow
Summary
by MITRE • 09/17/2022
TensorFlow is an open source platform for machine learning. When `MaxPool` receives a window size input array `ksize` with dimensions greater than its input tensor `input`, the GPU kernel gives a `CHECK` fail that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 32d7bd3defd134f21a4e344c8dfd40099aaf6b18. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 10/19/2022
The vulnerability identified as CVE-2022-35989 affects TensorFlow, a widely adopted open source machine learning platform that powers numerous artificial intelligence applications across various industries. This issue specifically targets the MaxPool operation within TensorFlow's GPU kernel implementation, where a critical flaw exists in input validation that can lead to system instability. The vulnerability manifests when the MaxPool function receives a window size input array ksize that contains dimensions exceeding those of the input tensor, creating a condition that triggers a CHECK failure within the GPU execution environment.
The technical flaw resides in TensorFlow's GPU kernel implementation for the MaxPool operation, where insufficient bounds checking occurs when processing window size parameters. This particular implementation does not properly validate that the kernel dimensions specified in the ksize array remain within acceptable limits relative to the input tensor dimensions. When this validation fails, the GPU kernel encounters a CHECK fail condition that results in an immediate termination of the processing operation. This behavior constitutes a denial of service vulnerability because an attacker can deliberately construct malicious input parameters that will cause the system to crash or become unresponsive during model execution.
The operational impact of this vulnerability extends beyond simple service disruption, as it can affect any application or system utilizing TensorFlow with GPU acceleration for machine learning workloads. The vulnerability affects multiple TensorFlow versions including 2.7.2, 2.8.1, 2.9.1, and the upcoming 2.10.0 release, indicating a broad attack surface across the platform's supported versions. Given that TensorFlow is extensively used in production environments for critical AI applications, the potential for denial of service attacks targeting these systems could result in significant operational disruptions. The vulnerability particularly impacts GPU-accelerated environments where MaxPool operations are frequently utilized in convolutional neural networks and other deep learning architectures.
The fix for this vulnerability was implemented through GitHub commit 32d7bd3defd134f21a4e344c8dfd40099aaf6b18, which introduces proper bounds checking and input validation for the MaxPool operation's ksize parameter. This patch addresses the core issue by ensuring that kernel dimensions are validated against input tensor dimensions before GPU kernel execution begins. The vulnerability has been classified under CWE-129, which represents Improper Validation of Array Index, and aligns with ATT&CK technique T1499.004 for Network Denial of Service, as it enables attackers to disrupt service availability through controlled input manipulation. Organizations utilizing TensorFlow in production environments must urgently apply the patched versions to mitigate this vulnerability, as no workarounds exist for this specific issue. The affected versions remain in support windows, making the cherrypick approach for 2.7.2, 2.8.1, and 2.9.1 versions a necessary measure to protect existing deployments.