Lucene search

K
ibmIBMFABB94D4F22FE933341A4AC48321DD3E7433EB12024376434818EBEED312A6EB
HistoryJul 20, 2020 - 8:12 p.m.

Security Bulletin: WML CE: TensorFlow: In SQLite before 3.32.3, select.c mishandles query-flattener optimization

2020-07-2020:12:55
www.ibm.com
26

EPSS

0.002

Percentile

52.4%

Summary

In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation. TensorFlow in WML CE uses SQLite as its embedded SQL database engine.

Vulnerability Details

CVEID:CVE-2020-15358
**DESCRIPTION:**SQLite is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the mishandling of query-flattener optimization in select.c. By sending a specially-crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/184103 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Watson Machine Learning Community Edition 1.6.2
IBM Watson Machine Learning Community Edition 1.7.0

Remediation/Fixes

TensorFlow has been rebuild to include SQLite 3.32.3.

Workarounds and Mitigations

Tensorflow must be updated.

For the GPU enabled version:

conda update tensorflow-gpu

For the non GPU enabled version:

conda update tensorflow