Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in TensorFlow

Vulnerability Details

CVEID:   CVE-2022-29210
DESCRIPTION:   TensorFlow is vulnerable to a denial of service, caused by a heap-based buffer overflow in the TensorKey hash function. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/227113 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-29213
DESCRIPTION:   TensorFlow is vulnerable to a denial of service, caused by improper input validation in tf.compat.v1.signal.rfft2d and tf.compat.v1.signal.rfft3d. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/227110 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-29207
DESCRIPTION:   TensorFlow is vulnerable to a denial of service, caused by undefined behavior when users supply invalid resource handles. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/227128 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-29212
DESCRIPTION:   TensorFlow is vulnerable to a denial of service, caused by an assertion failure when loading TFLite models in the TFLite interpreter. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/227111 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-29193
DESCRIPTION:   Tensorflow is vulnerable to a denial of service, caused by improper validation of user-supplied input by the tf.raw_ops.TensorSummaryV2 component. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/227075 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-29203
DESCRIPTION:   TensorFlow is vulnerable to a denial of service, caused by an integer overflow in SpaceToBatchND. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/227151 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-29198
DESCRIPTION:   Tensorflow is vulnerable to a denial of service, caused by improper validation of user-supplied input by the tf.raw_ops.SparseTensorToCSRSparseMatrix component. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/227070 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-29216
DESCRIPTION:   TensorFlow could allow a local authenticated attacker to execute arbitrary code on the system, caused by a flaw in the saved_model_cli tool. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/227167 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2022-29206
DESCRIPTION:   TensorFlow is vulnerable to a denial of service, caused by missing validation in the tf.raw_ops.SparseTensorDenseAdd implementation. A local authenticated attacker could exploit this vulnerability to cause undefined behavior.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/227129 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-29197
DESCRIPTION:   Tensorflow is vulnerable to a denial of service, caused by improper validation of user-supplied input by the tf.raw_ops.UnsortedSegmentJoin component. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/227071 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-29192
DESCRIPTION:   Tensorflow is vulnerable to a denial of service, caused by improper validation of user-supplied input by the tf.raw_ops.QuantizeAndDequantizeV4Grad component. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/227076 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-29209
DESCRIPTION:   TensorFlow is vulnerable to a denial of service, caused by incorrect logic when comparing size_t and int values in the macros for writing assertions. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/227126 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-29208
DESCRIPTION:   TensorFlow is vulnerable to a denial of service, caused by incomplete validation in the tf.raw_ops.EditDistance implementation. A remote authenticated attacker could exploit this vulnerability to cause a segmentation fault.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/227127 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-29202
DESCRIPTION:   TensorFlow is vulnerable to a denial of service, caused by lack of validation in the tf.ragged.constant implementation. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/227152 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-29194
DESCRIPTION:   Tensorflow is vulnerable to a denial of service, caused by improper validation of user-supplied input by the tf.raw_ops.DeleteSessionTensor component. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/227074 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-29201
DESCRIPTION:   TensorFlow is vulnerable to a denial of service, caused by missing validation in the tf.raw_ops.QuantizedConv2D implementation. A local authenticated attacker could exploit this vulnerability to cause undefined behavior.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/227153 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-29196
DESCRIPTION:   Tensorflow is vulnerable to a denial of service, caused by improper validation of user-supplied input by the tf.raw_ops.Conv3DBackpropFilterV2 component. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/227072 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-29200
DESCRIPTION:   Tensorflow is vulnerable to a denial of service, caused by improper validation of user-supplied input by the tf.raw_ops.LSTMBlockCell component. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/227068 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-29199
DESCRIPTION:   Tensorflow is vulnerable to a denial of service, caused by improper validation of user-supplied input by the tf.raw_ops.LoadAndRemapMatrix component. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/227069 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-29195
DESCRIPTION:   Tensorflow is vulnerable to a denial of service, caused by improper validation of user-supplied input by the tf.raw_ops.StagePeek component. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/227073 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-29204
DESCRIPTION:   TensorFlow is vulnerable to a denial of service, caused by missing validation in the tf.raw_ops.UnsortedSegmentJoin implementation. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/227150 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-29191
DESCRIPTION:   Tensorflow is vulnerable to a denial of service, caused by improper validation of user-supplied input by the tf.raw_ops.GetSessionTensor component. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/227077 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-29211
DESCRIPTION:   TensorFlow is vulnerable to a denial of service, caused by improper input validation in the tf.histogram_fixed_width implementaiton when the values array contains NaN elements. A local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/227112 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-29205
DESCRIPTION:   TensorFlow is vulnerable to a denial of service, caused by a NULL pointer dereference in ParseDimensionValue in the py_value argument. By calling tf.compat.v1.* ops which do not support quantized types, a local authenticated attacker could exploit this vulnerability to cause a segmentation fault.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/227130 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

IBM X-Force ID:   228293
DESCRIPTION:   TensorFlow is vulnerable to a denial of service, caused by an CHECK-failure (assertion failure) in the implementation of depthwise ops. By sending a specially-crafted request to overflow the number of elements in a tensor, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228293 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)