History: Feb 04, 2021 - 10:54 p.m.

Security Bulletin: TensorFlow in Watson Machine Learning Community Edition 1.6.2 and 1.7.0 has been patched for various security issues.

Source: www.ibm.com
Tags: tensorflow, watson machine learning, patched, denial of service, sensitive information, vulnerabilities

EPSS: 0.001 (Percentile: 39.7%)

Summary

TensorFlow in Watson Machine Learning Community Edition 1.6.2 and 1.7.0 is affected by the reported CVE IDs listed below. These issues have been patched and users should update to the latest available versions.

Vulnerability Details

CVEID: CVE-2020-26270
**DESCRIPTION:** TensorFlow is vulnerable to a denial of service, caused by a query-of-death flaw when running an LSTM/GRU model. By sending a specially-crafted request, a local authenticated attacker could exploit this vulnerability to cause a CHECK failure when using the CUDA backend.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/193281 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2020-26266
**DESCRIPTION:** TensorFlow could allow a local authenticated attacker to obtain sensitive information, caused by an uninitialized memory access flaw in Eigen types during code execution. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information from memory, or cause the system to crash.
CVSS Base score: 4.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/193277 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L)

CVEID: CVE-2020-26269
**DESCRIPTION:** TensorFlow is vulnerable to a denial of service, caused by an out-of-bounds read flaw in the general implementation for matching filesystem paths to a globbing pattern. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the system to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/193280 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2020-26268
**DESCRIPTION:** TensorFlow is vulnerable to a denial of service, caused by a modification of assumed-immutable data issue. By sending a specially-crafted request, a local authenticated attacker could exploit this vulnerability to cause a segmentation fault.
CVSS Base score: 4.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/193279 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L)

CVEID: CVE-2020-26271
**DESCRIPTION:** TensorFlow could allow a local authenticated attacker to obtain sensitive information, caused by an uninitialized memory access flaw while building the computation graph. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information from memory, and use this information to launch further attacks against the affected system.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/193282 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2020-26267
**DESCRIPTION:** TensorFlow could allow a local authenticated attacker to obtain sensitive information, caused by an out-of-bounds read flaw when validating the src_format and dst_format attributes of the tf.raw_ops.DataFormatVecPermute API. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information from memory, or cause the system to crash.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/193278 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)                              Version(s)
IBM Watson Machine Learning Community Edition    1.6.2
IBM Watson Machine Learning Community Edition    1.7.0

Remediation/Fixes

New versions of TensorFlow have been published to the Watson Machine Learning Community Edition channel.

<https://public.dhe.ibm.com/ibmdl/export/pub/software/server/ibm-ai/conda/#/>

Users should update to the latest point releases for both Watson Machine Learning Community Edition 1.6.2 and 1.7.0 using the conda package manager tool.

For WML-CE 1.6.2, update using:

conda install tensorflow-gpu=1.15.5

or

conda install tensorflow=1.15.5

For WML-CE 1.7.0, update using:

conda install tensorflow-gpu=2.1.3

or

conda install tensorflow=2.1.3
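Before and after running the conda commands above, it is useful to confirm which TensorFlow build an environment actually carries and whether it is below the patched release. The following POSIX shell script is an added example and is not part of the IBM bulletin or of WML-CE; it takes the fixed versions from the bulletin (1.15.5 for the 1.15 line, 2.1.3 for the 2.1 line), assumes the `conda list` column layout of `name version build channel`, and parses a constructed sample of that output rather than a live environment.

```shell
#!/bin/sh
# Added example (not from the IBM bulletin): report whether the TensorFlow build in a
# WML-CE conda environment is below the patched release named in the bulletin.

# Compare two dotted version strings numerically, field by field; prints -1, 0 or 1.
# Missing trailing fields count as 0, so 2.1 == 2.1.0.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1; exit }
        }
        print 0
    }'
}

# Patched release for each TensorFlow line covered by the bulletin
# (1.15.x ships with WML-CE 1.6.2, 2.1.x with WML-CE 1.7.0).
fixed_version() {
    case "$1" in
        1.15.*) echo 1.15.5 ;;
        2.1.*)  echo 2.1.3 ;;
        *)      echo "" ;;
    esac
}

# Prints "vulnerable" if the installed version is below the fixed one, "patched" if at or
# above it, and "unknown" for a TensorFlow line the bulletin does not cover.
tf_status() {
    fixed=$(fixed_version "$1")
    [ -z "$fixed" ] && { echo unknown; return; }
    if [ "$(vercmp "$1" "$fixed")" -lt 0 ]; then
        echo vulnerable
    else
        echo patched
    fi
}

# Extract the TensorFlow version from `conda list` output on stdin (name version build channel);
# tensorflow and tensorflow-gpu are treated alike because both are fixed in the same release.
conda_tf_version() {
    awk '$1 == "tensorflow" || $1 == "tensorflow-gpu" { print $2; exit }'
}

# Constructed sample of `conda list` output for a WML-CE 1.6.2 environment (not real data).
SAMPLE_CONDA_LIST='# packages in environment at /opt/anaconda/envs/wmlce:
#
# Name                    Version                   Build  Channel
numpy                     1.17.4           py37hc1035e2_0
tensorflow-gpu            1.15.4        cuda10.2_py37_1    https://public.dhe.ibm.com/ibmdl/export/pub/software/server/ibm-ai/conda
'

# Runs the check over the constructed sample; prints "<version> <status>".
check_sample() {
    v=$(printf '%s' "$SAMPLE_CONDA_LIST" | conda_tf_version)
    printf '%s %s\n' "$v" "$(tf_status "$v")"
}

check_sample
```

On a real host, replace the sample with `conda list | conda_tf_version` inside the activated WML-CE environment; the same `tf_status` call then tells you whether `conda install tensorflow-gpu=1.15.5` (or `=2.1.3`) is still outstanding. A "patched" result only confirms the package version, not that long-running processes have been restarted onto the new build.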

Workarounds and Mitigations

None
