
protobuf-java 3.19.4 contains 3 high vulnerabilities

Open hamoid opened this issue 2 years ago • 2 comments

The latest available tensorflow-java package (0.5.0) depends on protobuf-java 3.19.4, which has 3 vulnerabilities. 

Here is the line listing the dependency:

https://github.com/tensorflow/java/blob/560e8770a37f6d9e4c53cdd3c0d5fc6d2df5f011/tensorflow-core/pom.xml#L46

Here is a list of alternative versions and the number of known vulnerabilities in each:

https://mvnrepository.com/artifact/com.google.protobuf/protobuf-java

(I'm not posting this on the google bugs platform because I don't have an account there)

hamoid avatar May 30 '23 14:05 hamoid

Thanks for reporting @hamoid, I think it should be safe to upgrade to 3.19.6 (we need to be careful not to upgrade too much as the TensorFlow runtime still uses very old versions). I'll check if that can be part of the next planned release to support TF 2.12 or if that should be done later.

karllessard avatar May 31 '23 01:05 karllessard
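A consumer-side workaround while waiting for a release, as an added example that is not part of this thread or of the tensorflow/java project: Maven resolves a transitive dependency to the nearest definition, and a `dependencyManagement` entry in the downstream pom.xml counts as nearest, so a project consuming tensorflow-java 0.5.0 can pin protobuf-java to 3.19.6 itself instead of inheriting 3.19.4. The `com.example` coordinates and the `tensorflow-core-platform` artifact name are assumptions for the example; the maintainer's caveat above still holds, so pin within the range the TensorFlow runtime was built against rather than jumping to the newest protobuf.

```xml
<!-- Added example (not from the tensorflow/java project): a downstream pom.xml
     that overrides the transitive protobuf-java version. Coordinates are assumed. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>tf-consumer</artifactId>
  <version>1.0-SNAPSHOT</version>

  <dependencyManagement>
    <dependencies>
      <!-- Nearest definition wins: this replaces the 3.19.4 that
           tensorflow-core declares transitively. Stay on the 3.19.x line,
           which the maintainer expects to be safe for this runtime. -->
      <dependency>
        <groupId>com.google.protobuf</groupId>
        <artifactId>protobuf-java</artifactId>
        <version>3.19.6</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The pinned tensorflow-java release; its own protobuf-java
         version is ignored in favour of the managed one above. -->
    <dependency>
      <groupId>org.tensorflow</groupId>
      <artifactId>tensorflow-core-platform</artifactId>
      <version>0.5.0</version>
    </dependency>
  </dependencies>
</project>
```

Check that the override took effect with `mvn dependency:tree -Dincludes=com.google.protobuf:protobuf-java`; the filtered tree should show a single `protobuf-java:jar:3.19.6` node and no 3.19.4. If the tree still shows 3.19.4, another dependency or a parent POM is managing the version closer to the root and must be overridden there.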

Oh, apparently they did quite a jump between 2.10 and 2.12 (protobuf 3.9.2 -> 3.21.9), so we'll follow that as well if we wait for the next release.

karllessard avatar May 31 '23 01:05 karllessard

Latest release uses protobuf 3.21.9.

Craigacp avatar May 10 '24 19:05 Craigacp