CVE-2021-29554

Summary

TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via a FPE runtime error in tf.raw_ops.DenseCountSparseOutput. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/efff014f3b2d8ef6141da30c806faf141297eca1/tensorflow/core/kernels/count_ops.cc#L123-L127) computes a divisor value from user data but does not check that the result is 0 before doing the division. Since data is given by the values argument, num_batch_elements is 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, and TensorFlow 2.3.3, as these are also affected.

Affected Software

VendorProductVersion RangeStatus
tensorflowtensorflow< 2.3.3affected
tensorflowtensorflow>= 2.4.0, < 2.4.2affected

Weaknesses

  • CWE-369: CWE-369: Divide By Zero

ADP Enrichment

CVE Program Container

Additional References

References