CVE-2021-29544
Published: 2021-05-14
Severity: medium (CVSS 3.1 base score 5.5)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK`-fail in `tf.raw_ops.QuantizeAndDequantizeV4Grad`. The implementation does not validate the rank of the `input_*` tensors, so they are passed as they are to `QuantizeAndDequantizePerChannelGradientImpl`. That function accesses them through the `vec` method, which requires rank 1 and triggers a `CHECK` failure otherwise; a failed `CHECK` aborts the whole process rather than returning an error to the caller, so a malformed graph or a crafted `input_min`/`input_max` shape is enough to crash it. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, as this is the only other affected version.
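The following is an added example and not TensorFlow's code: a pure-Python model of what `QuantizeAndDequantizeV4Grad` computes for rank-2 inputs, with the shape validation that the unpatched kernel skipped placed in front of the per-channel path. The function and class names (`qdq_v4_grad`, `validate_ranges`, `InvalidArgument`) are this example's own, and the error messages are assumptions; the point is the contrast between a recoverable `InvalidArgument` (what `OP_REQUIRES` returns) and a process-aborting `CHECK`. The scalar check for `axis == -1` goes slightly beyond the advisory text, which only mentions the `vec` path.

```python
# Added example, not TensorFlow source. Models QuantizeAndDequantizeV4Grad
# for rank-2 inputs and shows the rank/size checks on input_min/input_max
# that the vulnerable kernel did not perform before calling .vec<T>().
from typing import List, Tuple, Union

Tensor = Union[float, List[float], List[List[float]]]


class InvalidArgument(ValueError):
    """Recoverable error, the analogue of OP_REQUIRES returning an
    errors::InvalidArgument status. A failed CHECK instead aborts the
    whole process, which is the denial of service in the advisory."""


def shape(t: Tensor) -> Tuple[int, ...]:
    """Shape of a nested-list tensor; a bare float has rank 0."""
    dims = []
    while isinstance(t, list):
        dims.append(len(t))
        t = t[0] if t else 0.0
    return tuple(dims)


def validate_ranges(input_shape: Tuple[int, ...], input_min: Tensor,
                    input_max: Tensor, axis: int) -> None:
    """Reject shapes the kernel could not handle instead of letting them
    reach a CHECK. Per-tensor mode (axis == -1) needs scalars; per-channel
    mode needs rank-1 vectors whose length matches the channel axis."""
    rank = len(input_shape)
    for name, t in (("input_min", input_min), ("input_max", input_max)):
        s = shape(t)
        if axis == -1:
            if s != ():
                raise InvalidArgument(f"{name} must be a scalar when axis=-1, got shape {s}")
            continue
        if not 0 <= axis < rank:
            raise InvalidArgument(f"axis {axis} out of range for rank-{rank} input")
        if len(s) != 1:
            # This is the case that hit .vec<T>() unchecked in the vulnerable kernel.
            raise InvalidArgument(f"{name} must be rank 1 in per-channel mode, got shape {s}")
        if s[0] != input_shape[axis]:
            raise InvalidArgument(f"{name} has {s[0]} entries but axis {axis} has size {input_shape[axis]}")


def qdq_v4_grad(gradients: List[List[float]], inputs: List[List[float]],
                input_min: Tensor, input_max: Tensor, axis: int = -1):
    """Gradient of quantize-and-dequantize for a rank-2 input.

    Elements inside [min, max] pass the incoming gradient through;
    elements below min accumulate into input_min_backprop and elements
    above max into input_max_backprop, per channel when axis != -1.
    Returns (input_backprop, input_min_backprop, input_max_backprop).
    """
    in_shape = shape(inputs)
    if shape(gradients) != in_shape:
        raise InvalidArgument("gradients and input must have the same shape")
    if len(in_shape) != 2:
        raise InvalidArgument("this model only handles rank-2 inputs")
    validate_ranges(in_shape, input_min, input_max, axis)

    rows, cols = in_shape
    n_slices = 1 if axis == -1 else in_shape[axis]
    min_bp = [0.0] * n_slices
    max_bp = [0.0] * n_slices
    input_bp = [[0.0] * cols for _ in range(rows)]
    for i in range(rows):
        for j in range(cols):
            # Channel index selects which entry of the min/max vectors applies.
            c = 0 if axis == -1 else (i if axis == 0 else j)
            lo = input_min if axis == -1 else input_min[c]
            hi = input_max if axis == -1 else input_max[c]
            x, g = inputs[i][j], gradients[i][j]
            if x < lo:
                min_bp[c] += g
            elif x > hi:
                max_bp[c] += g
            else:
                input_bp[i][j] = g
    if axis == -1:
        return input_bp, min_bp[0], max_bp[0]
    return input_bp, min_bp, max_bp


def is_rejected(gradients, inputs, input_min, input_max, axis) -> bool:
    """True when the checks turn a bad call into an error rather than a crash."""
    try:
        qdq_v4_grad(gradients, inputs, input_min, input_max, axis)
    except InvalidArgument:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample data for a quick run.
    g = [[1.0, 2.0], [3.0, 4.0]]
    x = [[-2.0, 0.5], [1.5, 0.0]]
    print(qdq_v4_grad(g, x, -1.0, 1.0, axis=-1))
    print(qdq_v4_grad(g, x, [-1.0, 0.2], [1.0, 0.4], axis=1))
    # Rank-2 input_min with axis=0: the shape that reached .vec<T>() unchecked.
    print("rejected:", is_rejected(g, x, [[-1.0], [-1.0]], [[1.0], [1.0]], 0))
```

The guard belongs in front of the raw op in any code path that builds graphs from untrusted input (model files, serialized `GraphDef`s, or user-supplied shapes): on an unpatched 2.4.x build, the same rank-2 `input_min` passed to `tf.raw_ops.QuantizeAndDequantizeV4Grad` with `axis=0` would abort the Python process rather than raise.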
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | tensorflow | — | — |
| tensorflow | tensorflow | >= 2.4.0 < 2.4.2 | 2.4.2 |
| intel | optimization_for_tensorflow | >= 0 < 20431e9044cf2ad3c0323c34888b192f3289af6b | 20431e9044cf2ad3c0323c34888b192f3289af6b |
| intel | optimization_for_tensorflow | >= 0 < 2.2.0rc0 | 2.2.0rc0 |
| intel | optimization_for_tensorflow | >= 2.2.0 < 2.3.0rc0 | 2.3.0rc0 |
| intel | optimization_for_tensorflow | >= 2.3.0 < 2.3.4 | 2.3.4 |
| intel | optimization_for_tensorflow | >= 2.4.0 < 2.4.2 | 2.4.2 |
| intel | optimization_for_tensorflow | >= 2.4.0 < 2.4.3 | 2.4.3 |
| tensorflow | tensorflow | — | — |