CVE-2022-23581: `CHECK`-failures during Grappler's `IsSimplifiableReshape` in Tensorflow
The Grappler optimizer in TensorFlow can be used to cause a denial of service by altering a SavedModel such that `IsSimplifiableReshape` (in `tensorflow/core/grappler/optimizers/constant_folding.cc`) triggers `CHECK` failures. A `CHECK` in TensorFlow core is a fatal assertion: when it fails the process aborts instead of returning an error to the caller, so any service that loads and runs an attacker-supplied SavedModel can be crashed by a crafted graph. The referenced fix commits harden `IsSimplifiableReshape` so the malformed input is rejected rather than aborting the process; the fix ships in TensorFlow 2.8.0 and was cherry-picked to 2.7.1, 2.6.3 and 2.5.3. Until you are on a fixed release, treat SavedModels from untrusted sources as untrusted input and do not load them in a process whose availability matters.
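The practical mitigation for any `CHECK`-failure bug is to keep the fatal abort away from the serving process. The following is an added example, not code from TensorFlow or this advisory: it loads a model in a disposable child process and maps an abnormal exit back to a rejected model. Because TensorFlow is not imported here, the child runs a constructed stand-in loader (`LOADER_SCRIPT`) that aborts, exactly as a real `CHECK` would, when the path ends in `crafted_model`; in a real deployment that script would call `tf.saved_model.load` and run a warm-up inference so that Grappler actually executes. The log line it writes to stderr is likewise constructed, not a real TensorFlow message.

```python
"""Load an untrusted SavedModel in a disposable child process.

A TensorFlow CHECK failure aborts the whole process, so a crafted model that
trips one (as in CVE-2022-23581) takes down whatever loaded it. Isolating the
load turns that crash into a rejected model instead of a dead service.
Example code, not part of TensorFlow.
"""
import signal
import subprocess
import sys
from dataclasses import dataclass

# Constructed stand-in for the real loader. In production this would be:
#   import tensorflow as tf; m = tf.saved_model.load(path); <warm-up call>
# Here a path whose last component is "crafted_model" simulates a CHECK
# failure by aborting the process (SIGABRT), and any other path "loads".
# The "Check failed" line is a constructed message, not real TF output.
LOADER_SCRIPT = r"""
import os, sys
path = sys.argv[1]
if os.path.basename(path) == "crafted_model":
    sys.stderr.write("Check failed: IsSimplifiableReshape (simulated)\n")
    sys.stderr.flush()
    os.abort()
print("loaded", path)
"""


@dataclass(frozen=True)
class LoadResult:
    ok: bool
    reason: str


def load_isolated(model_path: str, timeout_s: float = 30.0) -> LoadResult:
    """Load model_path in a child process; an abort never reaches the caller.

    Returns LoadResult(ok=False, ...) for a signal death (CHECK failure shows
    up as SIGABRT), a non-zero exit, or a hang, and LoadResult(ok=True, ...)
    only when the child finished cleanly.
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-c", LOADER_SCRIPT, model_path],
            capture_output=True,
            text=True,
            timeout=timeout_s,
        )
    except subprocess.TimeoutExpired:
        return LoadResult(False, "loader exceeded time limit")

    if proc.returncode < 0:
        # A negative return code means the child was killed by a signal;
        # -6 is SIGABRT, which is what a failed CHECK produces.
        sig = signal.Signals(-proc.returncode).name
        last = proc.stderr.strip().splitlines()[-1] if proc.stderr.strip() else ""
        return LoadResult(False, f"loader died with {sig}: {last}")
    if proc.returncode != 0:
        return LoadResult(False, f"loader exited with status {proc.returncode}")
    return LoadResult(True, proc.stdout.strip())


if __name__ == "__main__":
    # Both paths are constructed; nothing is read from disk by the stand-in.
    for path in ("/srv/models/benign_model", "/srv/models/crafted_model"):
        print(path, "->", load_isolated(path))
```

The serving process decides what to do with a `LoadResult(ok=False, ...)`: log it, alert on it, and refuse the model. Running the loader in a separate process also means the parent can apply its own limits (time, memory, a restricted user) to the untrusted parse independently of the inference path.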
References
- github.com/advisories/GHSA-fq86-3f29-px2c
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-90.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-145.yaml
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/grappler/optimizers/constant_folding.cc
- github.com/tensorflow/tensorflow/commit/1fb27733f943295d874417630edd3b38b34ce082
- github.com/tensorflow/tensorflow/commit/240655511cd3e701155f944a972db71b6c0b1bb6
- github.com/tensorflow/tensorflow/commit/ebc1a2ffe5a7573d905e99bd0ee3568ee07c12c1
- github.com/tensorflow/tensorflow/security/advisories/GHSA-fq86-3f29-px2c
- nvd.nist.gov/vuln/detail/CVE-2022-23581
Detect and mitigate CVE-2022-23581 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →