CVE-2021-37690 : TensorFlow is an end-to-end open source platform for machine learning. In affected versions when running shape functions

TensorFlow is an end-to-end open source platform for machine learning. In affected versions when running shape functions, some functions (such as `MutableHashTableShape`) produce extra output information in the form of a `ShapeAndType` struct. The shapes embedded in this struct are owned by an inference context that is cleaned up almost immediately; if the upstream code attempts to access this shape information, it can trigger a segfault. `ShapeRefiner` is mitigating this for normal output shapes by cloning them (and thus putting the newly created shape under ownership of an inference context that will not die), but we were not doing the same for shapes and types. This commit fixes that by doing similar logic on output shapes and types. We have patched the issue in GitHub commit ee119d4a498979525046fba1c3dd3f13a039fbb1. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Published 2021-08-13 00:15:07

Updated 2021-08-19 14:53:55

Source GitHub, Inc.

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2021-37690

Probability of exploitation activity in the next 30 days: 0.04%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 6 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2021-37690

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.6	MEDIUM	AV:L/AC:L/Au:N/C:P/I:P/A:P	3.9	6.4	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
6.6	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H	1.8	4.7	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: Low Availability: High
6.6	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H	1.8	4.7	GitHub, Inc.
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: Low Availability: High

CWE ids for CVE-2021-37690

CWE-416 Use After Free

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2021-37690

https://github.com/tensorflow/tensorflow/commit/ee119d4a498979525046fba1c3dd3f13a039fbb1

Fix segmentation fault in shape inference logic. · tensorflow/tensorflow@ee119d4 · GitHub
Patch;Third Party Advisory
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-3hxh-8cp2-g4hg

Use after free and segfault in shape inference functions · Advisory · tensorflow/tensorflow · GitHub
Third Party Advisory

Products affected by CVE-2021-37690

Google » Tensorflow
Versions from including (>=) 2.3.0 and before (<) 2.3.4
cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*
Matching versions
Google » Tensorflow
Versions from including (>=) 2.4.0 and before (<) 2.4.3
cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*
Matching versions
Google » Tensorflow » Version: 2.5.0
cpe:2.3:a:google:tensorflow:2.5.0:*:*:*:*:*:*:*
Matching versions
Google » Tensorflow » Version: 2.6.0 Update RC0
cpe:2.3:a:google:tensorflow:2.6.0:rc0:*:*:*:*:*:*
Matching versions
Google » Tensorflow » Version: 2.6.0 Update RC1
cpe:2.3:a:google:tensorflow:2.6.0:rc1:*:*:*:*:*:*
Matching versions
Google » Tensorflow » Version: 2.6.0 Update RC2
cpe:2.3:a:google:tensorflow:2.6.0:rc2:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2021-37690

Exploit prediction scoring system (EPSS) score for CVE-2021-37690

CVSS scores for CVE-2021-37690

CWE ids for CVE-2021-37690

References for CVE-2021-37690

Products affected by CVE-2021-37690