CVE-2022-21728
📋 TL;DR
This vulnerability in TensorFlow's ReverseSequence operation allows heap out-of-bounds reads when processing negative batch_dim values. Attackers could potentially read sensitive memory contents or cause crashes. Users of affected TensorFlow versions are vulnerable when processing untrusted input data.
💻 Affected Systems
- TensorFlow
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Information disclosure through memory leakage, potential remote code execution via memory corruption, or denial of service through application crashes.
Likely Case
Application crashes or instability when processing maliciously crafted input tensors with negative batch_dim values.
If Mitigated
Minimal impact if input validation is performed externally or if the vulnerable function isn't used with untrusted data.
🎯 Exploit Status
Exploitation requires crafting specific tensor inputs with negative batch_dim values that trigger the OOB read.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: TensorFlow 2.8.0, 2.7.1, 2.6.3, 2.5.3
Vendor Advisory: https://github.com/tensorflow/tensorflow/security/advisories/GHSA-6gmv-pjp9-p8w8
Restart Required: No
Instructions:
1. Update TensorFlow to patched version using pip: pip install --upgrade tensorflow==2.8.0 2. For specific versions: pip install tensorflow==2.7.1, tensorflow==2.6.3, or tensorflow==2.5.3 3. Verify installation with: python -c 'import tensorflow as tf; print(tf.__version__)'
🔧 Temporary Workarounds
Input Validation Wrapper
allWrap ReverseSequence calls with validation to ensure batch_dim is non-negative and within valid range
# Python code to validate batch_dim before ReverseSequence
import tensorflow as tf
def safe_reverse_sequence(input, seq_lengths, batch_dim):
if batch_dim < 0:
batch_dim = input.shape.ndims + batch_dim
if batch_dim < 0 or batch_dim >= input.shape.ndims:
raise ValueError('Invalid batch_dim value')
return tf.reverse_sequence(input, seq_lengths, batch_dim)
🧯 If You Can't Patch
- Disable or restrict use of ReverseSequence operation in production models
- Implement strict input validation for all tensor operations, especially for user-supplied data
🔍 How to Verify
Check if Vulnerable:
Check TensorFlow version: python -c 'import tensorflow as tf; print(tf.__version__)' - if version is between 2.5.0 and 2.7.0 (excluding patched versions), you are vulnerable.Check Version:
python -c 'import tensorflow as tf; print(tf.__version__)'Verify Fix Applied:
After updating, verify version is 2.8.0, 2.7.1, 2.6.3, or 2.5.3 using same command.📡 Detection & Monitoring
Log Indicators:
- Segmentation faults in TensorFlow processes
- Memory access violation errors
- Unexpected application crashes during tensor operations
Network Indicators:
- Unusual patterns in ML model API requests with tensor data
SIEM Query:
source="tensorflow" AND ("segmentation fault" OR "memory violation" OR "out of bounds")🔗 References
- https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/framework/shape_inference.h#L415-L428
- https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/ops/array_ops.cc#L1636-L1671
- https://github.com/tensorflow/tensorflow/commit/37c01fb5e25c3d80213060460196406c43d31995
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-6gmv-pjp9-p8w8
- https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/framework/shape_inference.h#L415-L428
- https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/ops/array_ops.cc#L1636-L1671
- https://github.com/tensorflow/tensorflow/commit/37c01fb5e25c3d80213060460196406c43d31995
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-6gmv-pjp9-p8w8
