Feb 04, 2021 - 11:37 p.m.

Security Bulletin: TensorFlow in Watson Machine Learning Community Edition 1.6.2 and 1.7.0 has been patched for various security issues.

www.ibm.com
EPSS: 0.002 (percentile: 56.9%)

Summary

TensorFlow in Watson Machine Learning Community Edition 1.6.2 and 1.7.0 has had various CVEs reported against it and has been patched. Users should update to the latest available TensorFlow package.

Vulnerability Details

CVEID: CVE-2020-15265
**DESCRIPTION:** TensorFlow is vulnerable to a denial of service, caused by a segfault in tf.quantization.quantize_and_dequantize. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190507 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2020-15266
**DESCRIPTION:** TensorFlow is vulnerable to a denial of service, caused by a segfault in tf.image.crop_and_resize. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190506 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Watson Machine Learning Community Edition | 1.6.2 |
| IBM Watson Machine Learning Community Edition | 1.7.0 |

Remediation/Fixes

Users should update TensorFlow from the Watson Machine Learning Community Edition conda channel:

<https://public.dhe.ibm.com/ibmdl/export/pub/software/server/ibm-ai/conda/>

For WML-CE 1.6.2, update using

conda install tensorflow-gpu=1.15.5

or

conda install tensorflow=1.15.5

For WML-CE 1.7.0, update using

conda install tensorflow-gpu=2.1.3

or

Workarounds and Mitigations

None
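
A check for the update described under Remediation/Fixes, as an added example that is not part of IBM's bulletin: it reads `conda list` output and reports which TensorFlow package still needs the listed update. It assumes that any build on the same release line older than the listed version needs updating; `check_conda_list`, `FIXED` and the sample output are constructed for illustration.

```python
import re

# Fixed versions named in the bulletin, keyed by (conda package, release line).
FIXED = {
    ("tensorflow-gpu", "1.15"): "1.15.5",  # WML-CE 1.6.2
    ("tensorflow", "1.15"): "1.15.5",      # WML-CE 1.6.2
    ("tensorflow-gpu", "2.1"): "2.1.3",    # WML-CE 1.7.0
}

def _ver(text):
    """Turn '1.15.4' into (1, 15, 4) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def check_conda_list(conda_list_output):
    """Return (package, installed, verdict) for each TensorFlow package found."""
    findings = []
    for line in conda_list_output.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 2:
            continue  # skip header comments and blank lines
        name, installed = fields[0], fields[1]
        if name not in ("tensorflow", "tensorflow-gpu"):
            continue  # exact match only, so tensorboard etc. are ignored
        series = ".".join(installed.split(".")[:2])
        fixed = FIXED.get((name, series))
        if fixed is None:
            # Assumption: anything outside the listed lines is left for manual review.
            verdict = "not covered by the bulletin's update commands"
        elif _ver(installed) < _ver(fixed):
            verdict = f"update: conda install {name}={fixed}"
        else:
            verdict = "ok"
        findings.append((name, installed, verdict))
    return findings

# Constructed sample of `conda list` output (name, version, build).
SAMPLE = """\
# packages in environment at /opt/anaconda3/envs/wmlce:
# Name                    Version                   Build  Channel
numpy                     1.17.4           py37h95a1406_0
tensorboard               1.15.0                   py37_0
tensorflow-gpu            1.15.4               gpu_py37_1
"""

if __name__ == "__main__":
    for name, installed, verdict in check_conda_list(SAMPLE):
        print(f"{name} {installed}: {verdict}")
```

Feed it the real output of `conda list` from each WML-CE environment; packages reported as not covered need a manual decision, since the bulletin gives no command for them.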
