
[RLLib] Critical Tensorflow CVE - CVE-2023-25664

Open sercanCyberVision opened this issue 10 months ago • 6 comments

What happened + What you expected to happen

Please see the critical CVE below, found in the ray-ml 2.10.0 image:

SEVERITY   IMPACTED PACKAGE           FIXED VERSIONS   CVE              SCORE
Critical   pypi://tensorflow:2.11.0   [2.11.1]         CVE-2023-25664   9.8

Versions / Dependencies

The physical location:

(base) ray@kuberay-head-5z5vd:/$ pip show tensorflow
Name: tensorflow
Version: 2.11.0
Summary: TensorFlow is an open source machine learning framework for everyone.
Home-page: https://www.tensorflow.org/
Author: Google Inc.
Author-email: [email protected]
License: Apache 2.0
Location: /home/ray/anaconda3/lib/python3.8/site-packages
Requires: absl-py, astunparse, flatbuffers, gast, google-pasta, grpcio, h5py, keras, libclang, numpy, opt-einsum, packaging, protobuf, setuptools, six, tensorboard, tensorflow-estimator, tensorflow-io-gcs-filesystem, termcolor, typing-extensions, wrapt
Required-by: dopamine-rl, recsim
(base) ray@kuberay-head-5z5vd:/$

Reproduction script

NA

Issue Severity

High: It blocks me from completing my task.

sercanCyberVision (Apr 11 '24 18:04)

min version should be 2.11 or higher now > finalize and review on Thu then close ticket cc @thomasdesr

anyscalesam (Apr 30 '24 23:04)

doing a quick search brings this as part of the rllib dir path @simonsays1980 @sven1977 can one of you cut a PR to upgrade to TF latest (or at least 2.11.1) as @sercanCyberVision reported so we can close this CVE vuln?

anyscalesam (May 03 '24 17:05)

@sven1977 @simonsays1980 please follow up. Thanks

zhe-thoughts (May 03 '24 19:05)

@anyscalesam @zhe-thoughts Apologies for the delay - my Anyscale account got deleted, so I had to search actively on GitHub for triage issues.

Yes, this is an issue mentioned already somewhere else. We take care of this.

simonsays1980 (May 06 '24 08:05)

thanks - when do you think you can submit a PR so we can merge into the next Ray weekly release @simonsays1980 ?

anyscalesam (May 06 '24 22:05)

Sorry for the delay, the actual RLlib does NOT require this 2.11.0 version anymore. RLlib shares the exact same requirements as all other ML libraries through here.

What it could be is one of the rllib_contrib algos, which we stopped maintaining (and froze dependencies for). Some of these algos are pinned to tf 2.11.0. ... I'll provide a PR to try upgrading all these to 2.11.1 ...

sven1977 (May 16 '24 21:05)
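The thread boils down to one check: is the TensorFlow actually installed in the image (the `pip show` output in the report) or pinned in a requirements file (the rllib_contrib pins sven1977 mentions) older than the fixed version 2.11.1 from the scan table? The script below is an added example and is not Ray's or the reporter's code; it embeds the `pip show` output from the report as sample input and a constructed, hypothetical requirements file modelled on the "pinned to tf 2.11.0" remark. The only page-provided fact it relies on is the fixed version; the version comparison assumes plain numeric release versions.

```python
import re

# Fixed version quoted in the issue's scan table for CVE-2023-25664.
FIXED_VERSIONS = {"tensorflow": "2.11.1"}

# Constructed sample: the `pip show tensorflow` output pasted in the report.
PIP_SHOW_OUTPUT = """Name: tensorflow
Version: 2.11.0
Summary: TensorFlow is an open source machine learning framework for everyone.
Location: /home/ray/anaconda3/lib/python3.8/site-packages
Requires: absl-py, astunparse, flatbuffers
Required-by: dopamine-rl, recsim
"""

# Constructed sample requirements file (hypothetical), modelled on the remark
# that some rllib_contrib algorithms were pinned to tf 2.11.0.
REQUIREMENTS_TXT = """# hypothetical rllib_contrib pins, constructed for this example
tensorflow==2.11.0
tensorflow-probability>=0.19
dopamine-rl
"""


def parse_version(text):
    """Turn '2.11.0' into (2, 11, 0). Only the leading numeric components are
    compared; pre-release suffixes such as 'rc1' are ignored (assumption: plain
    numeric release versions, which is what the scan table reports)."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def normalize_name(name):
    # pip treats 'Foo_Bar' and 'foo-bar' as the same distribution.
    return name.strip().lower().replace("_", "-")


def is_vulnerable(package, installed):
    """True if the installed/pinned version is older than the first fixed version."""
    fixed = FIXED_VERSIONS.get(normalize_name(package))
    if fixed is None:
        return False
    return parse_version(installed) < parse_version(fixed)


def parse_pip_show(text):
    """Collect 'Field: value' pairs from `pip show` output into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def audit_pip_show(text):
    """Return [(name, installed, fixed)] when the shown package is below the fix."""
    fields = parse_pip_show(text)
    name, version = fields.get("Name", ""), fields.get("Version", "")
    if name and version and is_vulnerable(name, version):
        key = normalize_name(name)
        return [(key, version, FIXED_VERSIONS[key])]
    return []


# name, optional operator, optional version; extras/markers are out of scope here
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|<=|~=|>=|<|>)?\s*([0-9][0-9A-Za-z.]*)?")


def audit_requirements(text):
    """Flag pins that force a vulnerable version. Only '==' and '<=' can do so;
    '>=', '~=' and unpinned entries all admit the fixed release."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            continue
        name, op, version = normalize_name(m.group(1)), m.group(2), m.group(3)
        if op in ("==", "<=") and version and is_vulnerable(name, version):
            findings.append((name, version, FIXED_VERSIONS[name]))
    return findings


if __name__ == "__main__":
    for name, installed, fixed in audit_pip_show(PIP_SHOW_OUTPUT):
        print(f"installed {name} {installed} is below fixed version {fixed}")
    for name, pinned, fixed in audit_requirements(REQUIREMENTS_TXT):
        print(f"requirements pin {name}=={pinned} is below fixed version {fixed}")
```

Run against a real image by piping `pip show tensorflow` into `audit_pip_show` and the contrib requirements files into `audit_requirements`; an empty result from both is the condition under which the ticket can be closed. The `>=` pin in the sample is deliberately not flagged, since a lower bound never forces the vulnerable release.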