Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[RLLib] Critical Tensorflow CVE - CVE-2023-25664 #44686

Closed
sercanCyberVision opened this issue Apr 11, 2024 · 6 comments · Fixed by #45396
Closed

[RLLib] Critical Tensorflow CVE - CVE-2023-25664 #44686

sercanCyberVision opened this issue Apr 11, 2024 · 6 comments · Fixed by #45396
Assignees
@simonsays1980 @sven1977 @anyscalesam
Labels
bug Something that is supposed to be working; but isn't P0 Issues that should be fixed in short order rllib RLlib related issues security The issue or proposal related to security

Comments

@sercanCyberVision
Copy link

What happened + What you expected to happen

Please see below critical CVE found in ray-ml 2.10.0 image:

SEVERITY	IMPACTED PACKAGE	                                    FIXED                                           VERSIONS	    CVE	SCORE
Critical	pypi://tensorflow:2.11.0	                            [2.11.1]	                                    CVE-2023-25664	9.8

Versions / Dependencies

The physical location:

(base) ray@kuberay-head-5z5vd:/$ pip show tensorflow
Name: tensorflow
Version: 2.11.0
Summary: TensorFlow is an open source machine learning framework for everyone.
Home-page: https://www.tensorflow.org/
Author: Google Inc.
Author-email: packages@tensorflow.org
License: Apache 2.0
Location: /home/ray/anaconda3/lib/python3.8/site-packages
Requires: absl-py, astunparse, flatbuffers, gast, google-pasta, grpcio, h5py, keras, libclang, numpy, opt-einsum, packaging, protobuf, setuptools, six, tensorboard, tensorflow-estimator, tensorflow-io-gcs-filesystem, termcolor, typing-extensions, wrapt
Required-by: dopamine-rl, recsim
(base) ray@kuberay-head-5z5vd:/$

Reproduction script

NA

Issue Severity

High: It blocks me from completing my task.
@sercanCyberVision sercanCyberVision added bug Something that is supposed to be working; but isn't triage Needs triage (eg: priority, bug/not-bug, and owning component) labels Apr 11, 2024
@anyscalesam anyscalesam added the security The issue or proposal related to security label Apr 24, 2024
@anyscalesam
Copy link
Collaborator

min version should be 2.11 or higher now > finalize and review on Thu than close ticket cc @thomasdesr

@anyscalesam anyscalesam assigned anyscalesam and unassigned jjyao, c21 and jovany-wang Apr 30, 2024
@anyscalesam anyscalesam added the rllib RLlib related issues label May 3, 2024
@anyscalesam
Copy link
Collaborator

doing a quick search brings this as part of the rllib dir path @simonsays1980 @sven1977 can one of you cut a PR to upgrade to TF latest (or at least 2.11.1) as @sercanCyberVision reported so we can close this CVE vuln?

@anyscalesam anyscalesam added P0 Issues that should be fixed in short order tune Tune-related issues train Ray Train Related Issue labels May 3, 2024
@zhe-thoughts
Copy link
Collaborator

@sven1977 @simonsays1980 please follow up. Thanks

@simonsays1980
Copy link
Collaborator

@anyscalesam @zhe-thoughts Apologies for the delay - my Anyscale account got deleted, so I had to search actively on GitHub for triage issues.

Yes, this an issue mentioned already somewhere else. We take car of this.

@simonsays1980 simonsays1980 removed the triage Needs triage (eg: priority, bug/not-bug, and owning component) label May 6, 2024
@anyscalesam
Copy link
Collaborator

thanks - when do you think you can submit a PR so we can merge into the next Ray weekly release @simonsays1980 ?

@anyscalesam anyscalesam changed the title [Core] Critical Tensorflow CVE - CVE-2023-25664 [RLLib] Critical Tensorflow CVE - CVE-2023-25664 May 13, 2024
@anyscalesam anyscalesam removed tune Tune-related issues train Ray Train Related Issue labels May 13, 2024
@sven1977
Copy link
Contributor

Sorry for the delay, the actual RLlib is NOT requiring this 2.11.0 version anymore. RLlib shares the exact same requirements as all other ML libraries through here.

What it could be is one of the rllib_contrib algos, which we stopped maintaining (and froze dependencies for). Some of these algos are pinned to tf 2.11.0. ... I'll provide a PR to try upgrading all these to 2.11.1 ...

@sven1977 sven1977 mentioned this issue May 16, 2024
Merged
8 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@simonsays1980 simonsays1980

@sven1977 sven1977

@anyscalesam anyscalesam

Labels
bug Something that is supposed to be working; but isn't P0 Issues that should be fixed in short order rllib RLlib related issues security The issue or proposal related to security
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[RLlib] Issue 44686: Upgrade all rllib_contrib requirements to tf2.11.1. sven1977/ray
8 participants
@jjyao @simonsays1980 @c21 @sven1977 @zhe-thoughts @jovany-wang @sercanCyberVision @anyscalesam