CVE-2023-25662 – CVE-2023-25662 is an integer overflow vulnerabi... (How to Fix)

Q: What is the severity of CVE-2023-25662?

CVE-2023-25662 has a CVSS score of 7.5 (HIGH). CVE-2023-25662 is an integer overflow vulnerability in TensorFlow's EditDistance function that could allow attackers to cause denial of service or potentially execute arbitrary code. This affects all users running TensorFlow versions prior to 2.12.0 or 2.11.1. The vulnerability occurs when processing specially crafted input to the EditDistance operation.

📋 TL;DR

CVE-2023-25662 is an integer overflow vulnerability in TensorFlow's EditDistance function that could allow attackers to cause denial of service or potentially execute arbitrary code. This affects all users running TensorFlow versions prior to 2.12.0 or 2.11.1. The vulnerability occurs when processing specially crafted input to the EditDistance operation.

💻 Affected Systems

Products:

TensorFlow

Versions: All versions prior to 2.12.0 and 2.11.1

Operating Systems: All platforms running TensorFlow

Default Config Vulnerable: ⚠️ Yes

Notes: Any application using TensorFlow's EditDistance operation is vulnerable. This includes applications using tf.edit_distance() or related functions.

📦 What is this software?

Tensorflow by Google

View all CVEs affecting Tensorflow →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise if combined with other vulnerabilities, or denial of service causing application crashes.

🟠

Likely Case

Denial of service through application crashes or instability when processing malicious input.

🟢

If Mitigated

Limited impact with proper input validation and sandboxing, potentially just degraded performance.

🌐 Internet-Facing: MEDIUM - TensorFlow applications exposed to untrusted input via APIs or user uploads could be vulnerable.

🏢 Internal Only: LOW - Internal ML pipelines with controlled input sources have lower exposure risk.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires crafting specific input to trigger the integer overflow. No public exploits have been reported as of the advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.12.0 or 2.11.1

Vendor Advisory: https://github.com/tensorflow/tensorflow/security/advisories/GHSA-7jvm-xxmr-v5cw

Restart Required: Yes

Instructions:

1. Upgrade TensorFlow to version 2.12.0 or 2.11.1 using pip: 'pip install --upgrade tensorflow==2.12.0' or 'pip install --upgrade tensorflow==2.11.1'. 2. Restart all services and applications using TensorFlow. 3. Test that EditDistance operations work correctly with your existing code.

🔧 Temporary Workarounds

Input Validation

all

Implement strict input validation and sanitization for all inputs to EditDistance operations

Disable EditDistance

all

Temporarily disable or replace EditDistance functionality if not critical

🧯 If You Can't Patch

Implement strict input validation and sanitization for all inputs to TensorFlow operations
Isolate TensorFlow applications in containers or sandboxes with limited privileges

🔍 How to Verify

Check if Vulnerable:

Check TensorFlow version: 'python -c "import tensorflow as tf; print(tf.__version__)"' - if version is <2.12.0 and not 2.11.1, you are vulnerable.

Check Version:

python -c "import tensorflow as tf; print(tf.__version__)"

Verify Fix Applied:

After patching, verify version is 2.12.0 or 2.11.1: 'python -c "import tensorflow as tf; print(tf.__version__)"'. Test EditDistance operations with various inputs.

📡 Detection & Monitoring

Log Indicators:

TensorFlow crash logs
Application errors related to EditDistance
Memory allocation failures

Network Indicators:

Unusual input patterns to ML inference endpoints
Repeated failed requests to TensorFlow services

SIEM Query:

source="tensorflow" AND (error OR crash OR "EditDistance" OR "integer overflow")

📊 Metadata

CVE ID: CVE-2023-25662

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-190

Published: March 25, 2023

Last Updated: November 21, 2024

🔗 References

https://github.com/tensorflow/tensorflow/commit/08b8e18643d6dcde00890733b270ff8d9960c56c Patch
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-7jvm-xxmr-v5cw Patch,Vendor Advisory
https://github.com/tensorflow/tensorflow/commit/08b8e18643d6dcde00890733b270ff8d9960c56c Patch
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-7jvm-xxmr-v5cw Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-25662, you might also want to check these: