Rapid7 Vulnerability & Exploit Database

FreeBSD: VID-D82BCD2B-5CD6-421C-8179-B3FF0231029F (CVE-2021-37689): py-tflite -- denial of service vulnerability

Free InsightVM Trial No Credit Card Necessary
2024 Attack Intel Report Latest research by Rapid7 Labs
Back to Search

FreeBSD: VID-D82BCD2B-5CD6-421C-8179-B3FF0231029F (CVE-2021-37689): py-tflite -- denial of service vulnerability

Severity
2
CVSS
(AV:L/AC:L/Au:N/C:N/I:N/A:P)
Published
08/12/2021
Created
05/05/2023
Added
04/14/2023
Modified
04/14/2023

Description

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can craft a TFLite model that would trigger a null pointer dereference, which would result in a crash and denial of service. This is caused by the MLIR optimization of `L2NormalizeReduceAxis` operator. The [implementation](https://github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/compiler/mlir/lite/transforms/optimize.cc#L67-L70) unconditionally dereferences a pointer to an iterator to a vector without checking that the vector has elements. We have patched the issue in GitHub commit d6b57f461b39fd1aa8c1b870f1b974aac3554955. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

Solution(s)

  • freebsd-upgrade-package-py310-tflite
  • freebsd-upgrade-package-py311-tflite
  • freebsd-upgrade-package-py37-tflite
  • freebsd-upgrade-package-py38-tflite
  • freebsd-upgrade-package-py39-tflite

insightVM

Advanced vulnerability management analytics and reporting.
Key Features
  • Lightweight Endpoint Agent
  • Live Dashboards
  • Real Risk Prioritization
  • IT-Integrated Remediation Projects
  • Cloud, Virtual, and Container Assessment
  • Integrated Threat Feeds
  • Easy-to-Use RESTful API
  • Automation-Assisted Patching
  • Automated Containment
Free InsightVM Trial View All Features

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;