CVE-2022-29208

7.1 HIGH

📋 TL;DR

TensorFlow's tf.raw_ops.EditDistance (also reached through the higher-level tf.edit_distance wrapper) does not fully validate its sparse-tensor inputs. Negative values in the hypothesis or truth index tensors flow into the computation of where the op writes its result, so an attacker who controls those inputs can force an out-of-bounds write and a segmentation fault that kills the process. Affected: every release before 2.9.0 except the back-ported fixes 2.6.4, 2.7.2 and 2.8.1, wherever untrusted data reaches this op.

💻 Affected Systems

Products:
  • TensorFlow
Versions: 2.6.x before 2.6.4, 2.7.x before 2.7.2, 2.8.x before 2.8.1, and all other releases before 2.9.0 (2.5 and earlier received no back-port and stay vulnerable)
Operating Systems: All platforms running TensorFlow
Default Config Vulnerable: ⚠️ Yes
Notes: Only reachable when untrusted data is fed to tf.raw_ops.EditDistance, directly or through tf.edit_distance, which calls the same kernel.

📦 What is this software?

TensorFlow is Google's open-source machine-learning framework. Its Python package wraps a native C++ runtime, and tf.raw_ops exposes that runtime's operations directly, with none of the argument checking the higher-level Python helpers add. EditDistance computes the Levenshtein distance between two batches of sequences supplied as SparseTensors (index, value and shape triples); the tf.edit_distance helper is a thin wrapper around it.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An out-of-bounds write into the output tensor, driven by attacker-supplied index coordinates, followed by a segmentation fault. Usually this is a hard crash of the inference or training process and an outage of the service behind it; because the root cause is a write rather than a read, a survivable fault should be treated as memory corruption, which is why the rating carries integrity impact as well as availability.

🟠

Likely Case

A crash of the process that serves the model each time a crafted request reaches the op. With no validation in front of it, an attacker can repeat the request on demand and keep the service down.

🟢

If Mitigated

None once a patched release is installed, or if index tensors containing negative or out-of-range coordinates are rejected before the op runs.

🌐 Internet-Facing: MEDIUM - Services accepting user input for ML processing could be targeted for DoS attacks.
🏢 Internal Only: LOW - Internal ML pipelines with controlled input sources have lower exposure.

🎯 Exploit Status

Public PoC: Yes - the vendor advisory linked below includes a minimal Python reproducer
Weaponized: UNKNOWN
Unauthenticated Exploit: Depends on the serving layer - the op performs no authentication of its own, so anyone who can submit the sparse-tensor inputs (a model-serving request, a preprocessing job fed from untrusted files) can trigger the crash
Complexity: LOW

Exploitation only requires supplying hypothesis_indices or truth_indices with negative coordinates; no knowledge of memory layout and no race condition is needed to reach the crash.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.6.4, 2.7.2, 2.8.1, or 2.9.0

Vendor Advisory: https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9c78-pq5v-5wq2

Restart Required: Yes

Instructions:

1. Identify the installed version: python -c 'import tensorflow as tf; print(tf.__version__)'
2. Upgrade to the fixed release for your branch, e.g. pip install 'tensorflow==2.9.0' (or ==2.8.1, ==2.7.2, ==2.6.4). If the environment installs tensorflow-gpu or tensorflow-cpu instead of tensorflow, upgrade that package name; combining --upgrade with a pinned version is redundant.
3. Restart every process that imported TensorFlow: the native library is loaded at import time, so a running interpreter keeps the old code until it exits.

🔧 Temporary Workarounds

Input Validation (all platforms)

Validate the hypothesis_indices and truth_indices tensors before they reach the op: every coordinate must be non-negative and smaller than the corresponding entry of the declared dense shape, the number of index rows must match the number of values, and the hypothesis and truth tensors must have the same rank.

Function Restriction (all platforms)

Disable or restrict use of tf.raw_ops.EditDistance, and of tf.edit_distance which wraps it, on any code path that processes untrusted input.

🧯 If You Can't Patch

  • Validate every SparseTensor argument of tf.raw_ops.EditDistance (and tf.edit_distance) before the call: reject negative or out-of-range index coordinates rather than clamping them
  • Run TensorFlow services in containers with memory and restart limits so a crash takes down one worker, not the host, and is visible as a restart event
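The input-validation workaround above, as an added example that is not part of the original page or of TensorFlow: the checks are written in plain Python so they can run before any tensor is built, and the names check_edit_distance_inputs and safe_edit_distance are ours, not TensorFlow API. The sample inputs are constructed; BAD has the shape of the CVE trigger (a negative index coordinate).

```python
"""Pre-validation for tf.raw_ops.EditDistance inputs (added example, not TensorFlow code).

The op takes two SparseTensors, each as (indices, values, shape). Index coordinates
are used to compute write positions into the output, so every coordinate must be
non-negative and inside the declared dense shape before the op is called.
"""
from typing import Any, List, Sequence


def _check_sparse(name: str, indices: Sequence[Sequence[Any]],
                  values: Sequence[Any], shape: Sequence[Any]) -> List[str]:
    """Return a list of problems for one SparseTensor triple (empty list = OK)."""
    problems: List[str] = []
    dense_shape = [int(d) for d in shape]
    if any(d < 0 for d in dense_shape):
        problems.append(f"{name}_shape has a negative dimension: {dense_shape}")
        return problems  # bounds checks against a negative shape are meaningless
    if len(indices) != len(values):
        problems.append(f"{name}: {len(indices)} index rows but {len(values)} values")
    for row_no, row in enumerate(indices):
        coords = [int(c) for c in row]
        if len(coords) != len(dense_shape):
            problems.append(f"{name}_indices row {row_no} has rank {len(coords)}, "
                            f"but {name}_shape has rank {len(dense_shape)}")
            continue
        for axis, (coord, dim) in enumerate(zip(coords, dense_shape)):
            # This is the CVE condition: a negative (or too large) coordinate.
            if coord < 0 or coord >= dim:
                problems.append(f"{name}_indices[{row_no}][{axis}] = {coord} "
                                f"is outside [0, {dim})")
    return problems


def check_edit_distance_inputs(hypothesis_indices, hypothesis_values, hypothesis_shape,
                               truth_indices, truth_values, truth_shape) -> List[str]:
    """Collect every reason these inputs must not be handed to the op."""
    problems = _check_sparse("hypothesis", hypothesis_indices,
                             hypothesis_values, hypothesis_shape)
    problems += _check_sparse("truth", truth_indices, truth_values, truth_shape)
    if len(hypothesis_shape) != len(truth_shape):
        problems.append("hypothesis and truth must have the same rank")
    return problems


def safe_edit_distance(normalize: bool = True, **sparse_args):
    """Validate, then call the real op (hypothetical wrapper name, ours).

    TensorFlow is imported lazily so the checks stay usable without it installed.
    """
    problems = check_edit_distance_inputs(**sparse_args)
    if problems:
        raise ValueError("refusing EditDistance call: " + "; ".join(problems))
    import tensorflow as tf  # deferred on purpose
    return tf.raw_ops.EditDistance(normalize=normalize, **sparse_args)


# Constructed sample: a batch of two sequences, all coordinates inside [2, 2].
GOOD = dict(
    hypothesis_indices=[[0, 0], [0, 1], [1, 0]],
    hypothesis_values=[1, 2, 3],
    hypothesis_shape=[2, 2],
    truth_indices=[[0, 0], [1, 0], [1, 1]],
    truth_values=[1, 3, 4],
    truth_shape=[2, 2],
)
# Constructed sample in the shape of the CVE trigger: a negative index coordinate.
BAD = dict(GOOD, hypothesis_indices=[[-7, 0], [0, 1], [1, 0]])


if __name__ == "__main__":
    print("GOOD:", check_edit_distance_inputs(**GOOD) or "ok")
    print("BAD: ", check_edit_distance_inputs(**BAD))
```

Reject rather than clamp: a caller that silently clamps a negative coordinate to zero hides the fact that someone is probing the endpoint, and the rejected request is the log line you want to alert on.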

🔍 How to Verify

Check if Vulnerable:

Print the installed version and compare it against the fixed release for its branch (2.6.4, 2.7.2, 2.8.1, 2.9.0). Anything older on that branch, and any 2.5 or earlier release, is vulnerable:

python -c 'import tensorflow as tf; print(tf.__version__)'

Verify Fix Applied:

After patching, confirm the printed version is 2.6.4, 2.7.2, 2.8.1, 2.9.0 or newer, and confirm that calling the op with a negative index coordinate now raises an error (an InvalidArgumentError in patched builds) instead of crashing the interpreter.
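The version comparison above as a function, added here as an example (not code from the page or from TensorFlow). The fixed releases are those the vendor advisory names; the one assumption of ours is that pre-releases of 2.9.0 (for example 2.9.0rc0) are treated as unpatched, which errs on the side of reporting a vulnerable install.

```python
"""Is an installed TensorFlow affected by CVE-2022-29208? (added example)"""
import re
from typing import Optional, Tuple

# (major, minor) -> first patch level on that branch that carries the fix
FIXED_PATCH = {(2, 6): 4, (2, 7): 2, (2, 8): 1}
FIRST_FIXED_BRANCH = (2, 9)  # 2.9.0 and every later branch ship with the fix

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")


def is_affected(version: str) -> bool:
    """True if `version` ('2.8.0', '2.9.0rc1', '2.10.0-dev20220601', ...)
    predates the fix on its branch."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised TensorFlow version string: {version!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    suffix = m.group(4)  # '' for a final release; 'rc1', '-dev2022...' otherwise
    branch = (major, minor)
    if branch > FIRST_FIXED_BRANCH:
        return False
    if branch == FIRST_FIXED_BRANCH:
        # Assumption (ours): 2.9.0 pre-releases are unpatched; 2.9.0 final is fixed.
        return patch == 0 and suffix != ""
    if branch in FIXED_PATCH:
        return patch < FIXED_PATCH[branch]
    return True  # 2.5 and older, and 1.x, never received the fix


def installed_status() -> Tuple[Optional[str], Optional[bool]]:
    """(version, affected) for this interpreter's TensorFlow, or (None, None)
    when it is not installed. Imported lazily so is_affected() needs no TensorFlow."""
    try:
        import tensorflow as tf
    except ImportError:
        return None, None
    return tf.__version__, is_affected(tf.__version__)


if __name__ == "__main__":
    version, affected = installed_status()
    if version is None:
        print("TensorFlow is not installed in this interpreter")
    else:
        state = "AFFECTED" if affected else "patched"
        print(f"tensorflow {version}: {state} for CVE-2022-29208")
```

Run it inside each virtual environment or container image that serves models; the interpreter that answers `python -c` on the host is often not the one the service uses.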

📡 Detection & Monitoring

Log Indicators:

  • Kernel "segfault at ... error 6 in _pywrap_tensorflow_internal.so" lines in dmesg, journald or syslog (the faulting process is the Python interpreter; error codes 6 and 7 mark a write fault, which is what this bug produces)
  • Serving or batch jobs exiting on SIGSEGV (exit status 139 from a shell, returncode -11 from Python's subprocess) with no Python traceback
  • Container or pod restarts of ML workers that line up with specific client requests

Network Indicators:

  • Requests to ML endpoints whose sparse index fields contain negative or implausibly large values
  • Repeated requests of that shape from one client shortly before each crash

SIEM Query:

source="tensorflow" AND ("segmentation fault" OR "SIGSEGV" OR "segfault at" OR "memory access violation")
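A detector for the kernel log indicator above, added as an example (not from the page or from TensorFlow). It decodes the Linux kernel's standard "segfault at ... error N in <lib>[...]" line, keeps only write faults (bit 1 of the x86 page-fault error code) that land in a library shipped in the TensorFlow wheel, and drops everything else. The three log lines are constructed; the library names are the real ones from the wheel.

```python
"""Flag kernel segfault reports inside TensorFlow's native library (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Kernel format: "<comm>[<pid>]: segfault at <addr> ip <ip> sp <sp> error <n> in <lib>[<base>+<size>]"
SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) in (?P<lib>\S+?)\["
)
# Native libraries in the TensorFlow pip wheel.
TF_LIBS = ("_pywrap_tensorflow_internal.so", "libtensorflow_framework.so",
           "libtensorflow_cc.so")


@dataclass
class Segfault:
    comm: str
    pid: int
    fault_addr: int
    is_write: bool        # bit 1 of the error code: 1 = write access caused the fault
    in_tensorflow: bool
    lib: str


def decode_segfault(line: str) -> Optional[Segfault]:
    """Parse one log line; None if it is not a kernel segfault report."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    err = int(m.group("err"))
    lib = m.group("lib")
    return Segfault(
        comm=m.group("comm"),
        pid=int(m.group("pid")),
        fault_addr=int(m.group("addr"), 16),
        is_write=bool(err & 2),
        in_tensorflow=any(lib.startswith(name) for name in TF_LIBS),
        lib=lib,
    )


def suspicious(lines: Iterable[str]) -> List[Segfault]:
    """Write faults inside a TensorFlow library: the signature of an
    out-of-bounds write such as the EditDistance index bug."""
    hits: List[Segfault] = []
    for line in lines:
        sf = decode_segfault(line)
        if sf and sf.in_tensorflow and sf.is_write:
            hits.append(sf)
    return hits


# Constructed sample log: one matching fault, one unrelated process, one read fault.
SAMPLE_LOG = [
    "May 17 10:02:11 ml-node kernel: python3[41872]: segfault at ffffff8a12f4c000 "
    "ip 00007f3b1c8e2a11 sp 00007ffc4e9b0c30 error 6 in "
    "_pywrap_tensorflow_internal.so[7f3b0c000000+2f000000]",
    "May 17 10:02:15 ml-node kernel: chrome[2210]: segfault at 0 "
    "ip 000055d3a1b2c3d4 sp 00007ffd11223344 error 4 in chrome[55d3a1000000+8000000]",
    "May 17 10:03:00 ml-node kernel: python3[41901]: segfault at 10 "
    "ip 00007f3b1c8e2a11 sp 00007ffc4e9b0c30 error 4 in "
    "_pywrap_tensorflow_internal.so[7f3b0c000000+2f000000]",
]


if __name__ == "__main__":
    for hit in suspicious(SAMPLE_LOG):
        print(f"pid {hit.pid} ({hit.comm}): write fault at {hit.fault_addr:#x} in {hit.lib}")
```

Feed it `journalctl -k` or `dmesg -T` output; a write fault at an address near the top of the 64-bit space, as in the first sample line, is what a large negative index turned into an offset looks like.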

🔗 References

  • https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9c78-pq5v-5wq2
  • https://nvd.nist.gov/vuln/detail/CVE-2022-29208