Mar 01, 2020 - 6:02 p.m.

Security Bulletin: A security vulnerability has been identified in TensorFlow shipped with PowerAI.

2020-03-01 18:02:45
www.ibm.com

EPSS: 0.004 (percentile: 72.4%)

Summary

Vulnerability CVE-2020-5215 was found in the TensorFlow package.

Vulnerability Details

CVEID: CVE-2020-5215
**DESCRIPTION:** TensorFlow is vulnerable to a denial of service, caused by a flaw when converting a string from Python to a tf.float16 value. By sending a specially crafted string, a remote attacker could exploit this vulnerability to cause a segmentation fault.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175440 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| Watson Machine Learning Community Edition | 1.6.2 |
| Watson Machine Learning Community Edition | 1.6.1 |
| IBM PowerAI | 1.6.0 |

Remediation/Fixes

For IBM PowerAI 1.6.0 and Watson Machine Learning Community Edition 1.6.1:

Upgrade to WML CE 1.6.2, which includes the fixes. See https://www.ibm.com/support/knowledgecenter/SS5SF7 for upgrading instructions.


For Watson Machine Learning Community Edition 1.6.2:

For installing WML CE from scratch

New installations of WML CE include all security fixes.

See https://www.ibm.com/support/knowledgecenter/SS5SF7 for installation instructions.

Updating an existing WML CE installation

It is recommended to keep packages up to date. To update all packages to the latest versions within 1.6.2 use:

echo "powerai-release=1.6.2" >> "$CONDA_PREFIX/conda-meta/pinned"

conda update --all
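The `>>` append above adds another line on every run, leaves any older `powerai-release` pin in place, and fuses with the previous pin if the file lacks a trailing newline. The following is an added example, not part of IBM's bulletin, that rewrites the pin idempotently; the helper names `pin_release` and `pinned_value` are hypothetical.

```shell
#!/bin/sh
# Added example (not IBM's script): idempotently pin the WML CE release in a
# conda environment's conda-meta/pinned file.
# pin_release and pinned_value are hypothetical helper names.

# pin_release PREFIX VERSION
# Drops every existing powerai-release line (including ones pasted with
# typographic quotes) and writes exactly one clean pin.
pin_release() {
    prefix=$1
    version=$2
    pinned="$prefix/conda-meta/pinned"

    # Refuse to write into something that is not a conda environment.
    [ -d "$prefix/conda-meta" ] || { echo "no conda-meta in $prefix" >&2; return 1; }

    # Accept only dotted numeric versions so nothing else reaches the file.
    case $version in
        ''|*[!0-9.]*) echo "bad version: $version" >&2; return 1 ;;
    esac

    tmp="$pinned.tmp.$$"
    if [ -f "$pinned" ]; then
        # awk ends every kept line with a newline, so a file that lacked a
        # trailing newline cannot fuse its last pin with the new one.
        awk '!/powerai-release/' "$pinned" > "$tmp"
    else
        : > "$tmp"
    fi
    printf 'powerai-release=%s\n' "$version" >> "$tmp"
    mv "$tmp" "$pinned"
}

# pinned_value PREFIX: print the pinned powerai-release version.
pinned_value() {
    sed -n 's/^powerai-release=//p' "$1/conda-meta/pinned"
}

# Usage inside an activated environment:
#   pin_release "$CONDA_PREFIX" 1.6.2 && conda update --all
```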


To update individual packages, use the package name:

conda update tensorflow


Alternatively, the WML CE installation can be upgraded to 1.7.0, which also contains the fix.

conda update --all


Workarounds and Mitigations

None
