Several CVEs have been reported against TensorFlow in Watson Machine Learning Community Edition 1.6.2 and 1.7.0, and they have been patched. Users should update to the latest available TensorFlow package.
CVEID: CVE-2020-15265
**DESCRIPTION:** TensorFlow is vulnerable to a denial of service, caused by a segfault in tf.quantization.quantize_and_dequantize. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190507 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
CVEID: CVE-2020-15266
**DESCRIPTION:** TensorFlow is vulnerable to a denial of service, caused by a segfault in tf.image.crop_and_resize. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190506 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
Affected Product(s) | Version(s) |
---|---|
IBM Watson Machine Learning Community Edition | 1.6.2 |
IBM Watson Machine Learning Community Edition | 1.7.0 |
Users should update TensorFlow from the Watson Machine Learning Community Edition conda channel:
<https://public.dhe.ibm.com/ibmdl/export/pub/software/server/ibm-ai/conda/>
For WML-CE 1.6.2, update using
conda install tensorflow-gpu=1.15.5
or
conda install tensorflow=1.15.5
For WML-CE 1.7.0, update using
conda install tensorflow-gpu=2.1.3
or
None
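To confirm that an environment picked up the fix, the following added example (not part of the original bulletin or of IBM's tooling) audits `conda list --export` output against the fixed versions named above. It assumes that a 1.15.x package belongs to WML-CE 1.6.2 and a 2.1.x package to WML-CE 1.7.0; the sample lines and build strings are constructed.

```python
import re

# Fixed versions named in this bulletin, keyed by (major, minor) release line.
# Assumption: 1.15.x ships with WML-CE 1.6.2 and 2.1.x with WML-CE 1.7.0.
FIXED = {(1, 15): (1, 15, 5), (2, 1): (2, 1, 3)}
PACKAGES = {"tensorflow", "tensorflow-gpu"}

# Constructed sample: export lines from two environments, concatenated.
SAMPLE_EXPORT = """\
# constructed sample of `conda list --export` output
numpy=1.17.4=py37_0
tensorflow-gpu=2.1.0=gpu_py37_0
tensorflow-estimator=2.1.0=py37_0
tensorflow=1.15.5=cpu_py37_0
"""


def parse_version(text):
    """Turn '1.15.5' into (1, 15, 5); anything after the third number is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])


def audit(export_text):
    """Return [(package, version, status)] for the TensorFlow packages found
    in `conda list --export` output (lines of the form name=version=build)."""
    findings = []
    for line in export_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("=")
        # Exact name match, so tensorflow-estimator and similar are skipped.
        if len(fields) < 2 or fields[0] not in PACKAGES:
            continue
        name, version = fields[0], fields[1]
        parsed = parse_version(version)
        fixed = FIXED.get(parsed[:2])
        if fixed is None:
            status = "unknown"       # release line not covered by this bulletin
        elif parsed >= fixed:
            status = "patched"
        else:
            status = "needs-update"
        findings.append((name, version, status))
    return findings


if __name__ == "__main__":
    for name, version, status in audit(SAMPLE_EXPORT):
        print(f"{name} {version}: {status}")
```

Feed it the real output of `conda list --export` for each environment; a status of `unknown` means the installed release line is outside what this bulletin covers and needs a separate check.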