Security Bulletin
Summary
IBM Maximo Application Suite - Monitor Component uses tensorflow-2.7.3-cp37 vulnerable to CVE-2022-41911, CVE-2022-41907, CVE-2022-41908, CVE-2022-41896, CVE-2022-41891, CVE-2022-41894, CVE-2022-41884, CVE-2022-41898, CVE-2022-41888, CVE-2022-41897, CVE-2022-41880, CVE-2022-41889, CVE-2022-41895, CVE-2022-41899, CVE-2022-41909, CVE-2022-41886, CVE-2022-41900, CVE-2022-41893, CVE-2022-41901, CVE-2022-41885, CVE-2022-41890, CVE-2022-41887
Vulnerability Details
CVEID: CVE-2022-41911
DESCRIPTION: TensorFlowx is vulnerable to a denial of service, caused by invalid char to bool conversion when printing a tensor. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240401 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41907
DESCRIPTION: TensorFlowx is vulnerable to a denial of service, caused by a buffer overflow in the tf.raw_ops.ResizeNearestNeighborGrad function. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240396 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41908
DESCRIPTION: TensorFlowx is vulnerable to a denial of service, caused by a 'CHECK' fail in tf.raw_ops.PyFunc. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240398 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41896
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by improper input validation by the tf.raw_ops.Mfcc function. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240392 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41891
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a segment fault in the tf.raw_ops.TensorListConcat function due to improper input validation. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240388 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41894
DESCRIPTION: TensorFlow is vulnerable to a buffer overflow, caused by improper bounds checking by the CONV_3D_TRANSPOSE function on TFLite. By sending a specially-crafted request, a remote attacker could overflow a buffer and execute arbitrary code or cause a denial of service condition on the system.
CVSS Base score: 7.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240390 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2022-41884
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a segment fault in the ndarray_tensor_bridge function due to improper input validation. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240381 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41898
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a CHECK fail via inputs in the SparseFillEmptyRowsGrad function. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240394 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41888
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a FPE in the tf.image.generate_bounding_box_proposals function. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240385 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41897
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a heap out-of-bounds read flaw in the FractionalMaxPoolGrad function. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240393 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41880
DESCRIPTION: TensorFlow could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an out-of-bounds read flaw when receiving a value in true_classes larger than range_max in the BaseCandidateSamplerOp function. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240379 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H)
CVEID: CVE-2022-41889
DESCRIPTION: TensorFlowis vulnerable to a denial of service, caused by a segfault in the pywrap_tfe_src.cc function. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240386 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41895
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a heap out-of-bounds read flaw in the MirrorPadGrad function. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240391 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41899
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a CHECK fail via inputs in the SdcaOptimizer function. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240395 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41909
DESCRIPTION: TensorFlowx is vulnerable to a denial of service, caused by segmentation fault in tf.raw_ops.CompositeTensorVariantToComponents function. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240399 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41886
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a buffer overflow in the ImageProjectiveTransformV2 function. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240383 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41900
DESCRIPTION: TensorFlow could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a heap out-of-bounds write flaw in the FractionalMaxPool and FractionalAvgPool functions. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVSS Base score: 7.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240397 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2022-41893
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a CHECK_EQ fail in the tf.raw_ops.TensorListResize function. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240389 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41901
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a CHECK_EQ fail via inputs in the SparseMatrixNNZ function. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240400 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41885
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a buffer overflow in the FusedResizeAndPadConv2D function. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240382 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41890
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a CHECK` fail in BCast overflow. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240387 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-41887
DESCRIPTION: TensorFlow is vulnerable to a denial of service, caused by a buffer overflow in the tf.keras.losses.poisson function. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240384 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
| IBM Maximo Application Suite | 8.9 |
| IBM Maximo Application Suite | 8.10 |
Remediation/Fixes
| Affected Product(s) | fix pack Version(s) |
| IBM Maximo Application Suite | 8.9.6 or latest (available from the Catalog under Update Available) |
| IBM Maximo Application Suite | 8.10.3 or latest (available from the Catalog under Update Available) |
Workarounds and Mitigations
Workarounds/Mitigation guidance:
None
Get Notified about Future Security Bulletins
References
Change History
06 Jun 2023: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
06 June 2023
Initial Publish date:
06 June 2023
UID
ibm17001747