CVE-2022-35935: 
Python vulnerability analysis and mitigation

TensorFlow, an open source platform for machine learning, disclosed a vulnerability (CVE-2022-35935) in the implementation of SobolSampleOp. The vulnerability was discovered in July 2022 and affects versions prior to 2.10.0. The issue stems from a denial of service vulnerability via CHECK-failure (assertion failure) caused by assuming input(0), input(1), and input(2) to be scalar (GitHub Advisory, CVE Mitre).

The vulnerability exists in the SobolSampleOp implementation where the code fails to properly validate input tensors. The issue can be triggered by passing non-scalar tensors to the operation, for example: tf.raw_ops.SobolSample(dim=tf.constant([1,0]), num_results=tf.constant([1]), skip=tf.constant([1])). The vulnerability was assigned a Low severity rating (GitHub Advisory).

When exploited, this vulnerability can lead to a denial of service condition through assertion failure in the TensorFlow system (GitHub Advisory).

The issue has been patched in GitHub commit c65c67f88ad770662e8f191269a907bf2b94b1bf and included in TensorFlow 2.10.0. The fix was also backported to TensorFlow 2.9.1, 2.8.1, and 2.7.2. Users are advised to upgrade to these patched versions. No workarounds were available for this vulnerability (GitHub Advisory).

The vulnerability was responsibly disclosed and identified by researchers from multiple institutions including Kang Hong Jin from Singapore Management University, Neophytos Christou from Secure Systems Labs, Brown University, and 刘力源 from Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology (GitHub Advisory).