CVE-2021-41228

7.5 HIGH

📋 TL;DR

TensorFlow's saved_model_cli tool is vulnerable to code injection via unsafe eval() calls on user-supplied strings, allowing attackers to execute arbitrary code on systems where the CLI tool runs. This affects TensorFlow versions before the patched releases. The impact is limited because the tool requires manual execution by users.

💻 Affected Systems

Products:
  • TensorFlow
Versions: TensorFlow versions before 2.4.4, 2.5.2, 2.6.1, and 2.7.0
Operating Systems: All operating systems running TensorFlow
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the saved_model_cli command-line tool, not the TensorFlow library itself during normal operation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full remote code execution with the privileges of the user running saved_model_cli, potentially leading to complete system compromise.

🟠 Likely Case

Limited code execution in controlled environments where users manually run the CLI with untrusted input, typically resulting in local privilege escalation or data exfiltration.

🟢 If Mitigated

No impact when using patched versions with safe flag enabled or when avoiding untrusted input to the CLI tool.

🌐 Internet-Facing: LOW - The saved_model_cli tool is not a network service and requires manual user interaction.
🏢 Internal Only: MEDIUM - Internal users with access to the CLI tool could exploit it if they can supply malicious input, but requires manual execution.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction to run saved_model_cli with malicious input. Public proof-of-concept exists in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: TensorFlow 2.4.4, 2.5.2, 2.6.1, or 2.7.0

Vendor Advisory: https://github.com/tensorflow/tensorflow/security/advisories/GHSA-3rcw-9p9x-582v

Restart Required: No

Instructions:

1. Update TensorFlow to version 2.4.4, 2.5.2, 2.6.1, or 2.7.0.
2. Use pip install --upgrade tensorflow or conda update tensorflow.
3. Verify the safe flag defaults to True in saved_model_cli.

🔧 Temporary Workarounds

Avoid untrusted input to saved_model_cli

all

Do not use saved_model_cli with untrusted or user-supplied strings in eval operations.

Use safe flag explicitly

all

If using a vulnerable version, explicitly set the safe flag to True when running saved_model_cli.

saved_model_cli ... --safe=True

🧯 If You Can't Patch

  • Restrict access to saved_model_cli tool to trusted users only.
  • Implement input validation and sanitization for any scripts that call saved_model_cli.

🔍 How to Verify

Check if Vulnerable:

Check TensorFlow version with 'python -c "import tensorflow as tf; print(tf.__version__)"' and compare to affected versions.

Check Version:

python -c "import tensorflow as tf; print(tf.__version__)"

Verify Fix Applied:

After updating, verify version is 2.4.4, 2.5.2, 2.6.1, or 2.7.0+ and test saved_model_cli with safe flag enabled.
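
The version comparison has to be made per release branch: a plain "older than 2.7.0" test would flag the patched 2.6.1, and "at least 2.4.4" would pass the unpatched 2.5.0. The Python check below is an added example, not part of the advisory or of TensorFlow; the function names, the treatment of pre-release builds as unpatched, and the tensorflow-cpu / tensorflow-gpu distribution names are assumptions.

```python
import re
from importlib import metadata

# Fixed patch level per release branch, from the versions listed on this page.
PATCHED = {(2, 4): 4, (2, 5): 2, (2, 6): 1}
FIRST_FIXED_BRANCH = (2, 7)  # 2.7.0 and every later branch include the fix
# Assumption: the CLI may also arrive through these sibling distributions.
DISTRIBUTIONS = ("tensorflow", "tensorflow-cpu", "tensorflow-gpu")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")
_PRERELEASE_RE = re.compile(r"^[-.]?(a|b|rc|dev)\d*$")


def is_affected(version: str) -> bool:
    """True if this TensorFlow version predates the CVE-2021-41228 fix."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised TensorFlow version: {version!r}")
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    branch = (major, minor)
    # Assumption (conservative): "2.7.0rc0" and similar pre-releases of a
    # fixed version are treated as not yet carrying the fix.
    prerelease = bool(_PRERELEASE_RE.match(m.group(4)))
    if branch > FIRST_FIXED_BRANCH:
        return False
    if branch == FIRST_FIXED_BRANCH:
        return patch == 0 and prerelease
    if branch in PATCHED:
        fixed = PATCHED[branch]
        return patch < fixed or (patch == fixed and prerelease)
    return True  # 2.3 and older: no patched release is listed for the branch


def installed_status() -> dict:
    """Map each installed TensorFlow distribution to (version, affected)."""
    found = {}
    for name in DISTRIBUTIONS:
        try:
            version = metadata.version(name)
        except metadata.PackageNotFoundError:
            continue
        found[name] = (version, is_affected(version))
    return found


if __name__ == "__main__":
    for name, (version, affected) in installed_status().items():
        print(f"{name} {version}: {'AFFECTED' if affected else 'patched'}")
```

Reading the version from package metadata avoids importing TensorFlow itself, so the check can run across many virtual environments quickly.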

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from saved_model_cli with suspicious arguments
  • Error logs containing eval-related failures in TensorFlow

Network Indicators:

  • Not applicable - this is a local CLI tool vulnerability

SIEM Query:

Process execution where command_line contains 'saved_model_cli' and arguments contain suspicious strings like 'eval', 'exec', or 'import'
