CVE-2021-29561: 
Python vulnerability analysis and mitigation

TensorFlow, an end-to-end open source platform for machine learning, was found to contain a vulnerability (CVE-2021-29561) that allows attackers to cause a denial of service through a CHECK-failure in tf.raw_ops.LoadAndRemapMatrix. The vulnerability was discovered by Yakun Zhang and Ying Wang of Baidu X-Team and was disclosed on May 14, 2021. The issue affects TensorFlow versions prior to 2.5.0 (GitHub Advisory).

The vulnerability stems from an implementation assumption that the 'ckpt_path' parameter is always a valid scalar. The implementation in the LoadAndRemapMatrix operation does not properly validate the input tensor before calling the scalar()() function. An attacker can exploit this by sending any non-scalar tensor as the first argument of LoadAndRemapMatrix, which triggers a rank CHECK failure in the scalar()() function and terminates the process (GitHub Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 5.5 MEDIUM (NVD).

The primary impact of this vulnerability is denial of service. When successfully exploited, the vulnerability causes the TensorFlow process to terminate, disrupting any machine learning operations or services running on the affected system (GitHub Advisory).

The vulnerability has been patched in multiple TensorFlow versions. The fix was included in TensorFlow 2.5.0 and was backported to versions 2.4.2, 2.3.3, 2.2.3, and 2.1.4. Users are advised to upgrade to these patched versions. The fix implements proper validation of the ckpt_path tensor to ensure it contains exactly one element (GitHub Commit).