History: Jul 20, 2020 - 8:01 p.m.

Security Bulletin: WML CE Scikit-learn vulnerable to irresponsible usage

2020-07-20 20:01:11
www.ibm.com
EPSS: 0.01 (Low), Percentile: 83.7%

Summary

WML containers include scikit-learn. Scikit-learn includes joblib and pickle to cache and load models. Pickle (and joblib by extension) has some issues regarding maintainability and security. Because of this, the joblib.load() function in scikit-learn must be used in a responsible manner.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section

Affected Products and Versions

Affected Product(s) | Version(s)
IBM Watson Machine Learning Community Edition | 1.6.2
IBM Watson Machine Learning Community Edition | 1.7.0

Remediation/Fixes

CVE-2020-13092

<https://nvd.nist.gov/vuln/detail/CVE-2020-13092>

Workarounds and Mitigations

  • Never unpickle untrusted data as it could lead to malicious code being executed upon loading.
  • While models saved using one version of scikit-learn might load in other versions, this is entirely unsupported and inadvisable. It should also be kept in mind that operations performed on such data could give different and unexpected results.

In order to rebuild a similar model with future versions of scikit-learn, additional metadata should be saved along with the pickled model:

  • The training data, e.g. a reference to an immutable snapshot
  • The Python source code used to generate the model
  • The versions of scikit-learn and its dependencies
  • The cross-validation score obtained on the training data

This should make it possible to check that the cross-validation score is in the same range as before.

Since a model's internal representation may be different on two different architectures, dumping a model on one architecture and loading it on another architecture is not supported.
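One way to apply the mitigations above, as an added example that is not IBM's or scikit-learn's code: the model is saved with a sidecar file holding the listed metadata, and the loader authenticates both files and checks versions and architecture before any unpickling happens. Assumptions: the standard-library pickle stands in for joblib.dump()/joblib.load() so the example runs without scikit-learn, and the function names, sidecar layout, key and version strings are hypothetical. The HMAC only shows the file was written by a holder of the key; it does not make pickles from outside that trust boundary safe to load.

```python
import hashlib, hmac, json, pickle, platform, tempfile
from pathlib import Path

def _tag(key, blob, meta):
    # One HMAC over pickle bytes and metadata, so neither can be swapped alone.
    msg = hashlib.sha256(blob).digest() + json.dumps(meta, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def save_model(model, path, key, versions, data_ref, source_ref, cv_score):
    """Write the pickle plus a sidecar with the metadata the bulletin lists."""
    blob = pickle.dumps(model)
    meta = {"versions": versions, "machine": platform.machine(),
            "training_data": data_ref, "source": source_ref, "cv_score": cv_score}
    Path(path).write_bytes(blob)
    sidecar = {"meta": meta, "hmac": _tag(key, blob, meta)}
    Path(f"{path}.meta.json").write_text(json.dumps(sidecar))

def load_model(path, key, versions):
    """Authenticate, then check versions and architecture, before unpickling."""
    blob = Path(path).read_bytes()
    sidecar = json.loads(Path(f"{path}.meta.json").read_text())
    meta = sidecar["meta"]
    if not hmac.compare_digest(sidecar["hmac"], _tag(key, blob, meta)):
        raise ValueError("authentication failed; refusing to unpickle")
    if meta["versions"] != versions:
        raise ValueError(f"saved with {meta['versions']}, running {versions}")
    if meta["machine"] != platform.machine():
        raise ValueError(f"saved on {meta['machine']}, not this architecture")
    return pickle.loads(blob), meta

def demo():
    key = b"constructed-demo-key"  # assumption: real key comes from a secret store
    # Constructed sample values; a dict stands in for a fitted estimator.
    vers = {"scikit-learn": "0.22.1", "joblib": "0.14.1"}
    def attempt(v):
        try:
            return load_model(path, key, v)
        except ValueError:
            return "rejected"
    with tempfile.TemporaryDirectory() as d:
        path = str(Path(d) / "model.pkl")
        save_model({"coef": [0.5, -1.2]}, path, key, vers,
                   "snapshot-placeholder", "train.py-placeholder", 0.93)
        out = {"ok": attempt(vers), "bad_version": attempt({**vers, "joblib": "0.15.0"})}
        Path(path).write_bytes(Path(path).read_bytes() + b"\x00")  # modified file
        out["tampered"] = attempt(vers)
    return out

if __name__ == "__main__":
    print(demo())
```

The stored `cv_score` is returned with the model so the caller can compare it against a fresh cross-validation run, as the bulletin suggests.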

CPE Name | Operator | Version
ibm powerai | eq | 1.6.2
ibm powerai | eq | 1.7.0
