Buffer overflow in TensorFlow

#VU31090 Buffer overflow in TensorFlow

Published: 2019-04-24 | Updated: 2020-07-17

Vulnerability identifier: #VU31090

Vulnerability risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-10055

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
TensorFlow
Server applications / Other server solutions

Vendor: TensorFlow

Description

The vulnerability allows a remote non-authenticated attacker to #BASIC_IMPACT#.

Invalid memory access and/or a heap buffer overflow in the TensorFlow XLA compiler in Google TensorFlow before 1.7.1 could cause a crash or read from other parts of process memory via a crafted configuration file.

Mitigation
Install update from vendor's website.

Vulnerable software versions

TensorFlow: 1.7.0

External links
http://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2018-006.md

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Buffer overflow in TensorFlow TensorFlow