Описание
Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to run arbitrary code on an end user’s system when loaded despite safe mode being enabled. The vulnerability can be triggered through both local and remote files.
A unsafe deserialization flaw has been discovered in the Keras framework. An arbitrary code execution vulnerability exists in the TorchModuleWrapper class due to its usage of torch.load() within the from_config method. The method deserializes model data with the weights_only parameter set to False, which causes Torch to fall back on Python’s pickle module for deserialization. Since pickle is known to be unsafe and capable of executing arbitrary code during the deserialization process, a maliciously crafted model file could allow an attacker to execute arbitrary commands.
Отчет
Red Hat products in their default configuration do not allow remote upload of model files.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-modelmesh-runtime-adapter-rhel8 | Not affected | ||
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-pipeline-runtime-datascience-cpu-py311-rhel9 | Not affected | ||
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-pipeline-runtime-minimal-cpu-py311-rhel9 | Not affected | ||
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-pipeline-runtime-pytorch-cuda-py311-rhel9 | Not affected | ||
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-pipeline-runtime-pytorch-rocm-py311-rhel9 | Not affected | ||
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-pipeline-runtime-tensorflow-cuda-py311-rhel9 | Not affected | ||
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-pipeline-runtime-tensorflow-rocm-py311-rhel9 | Not affected | ||
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-workbench-codeserver-datascience-cpu-py311-rhel9 | Not affected | ||
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-workbench-jupyter-datascience-cpu-py311-rhel9 | Not affected | ||
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-workbench-jupyter-minimal-cpu-py311-rhel9 | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
8.4 High
CVSS3
Связанные уязвимости
Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to run arbitrary code on an end user’s system when loaded despite safe mode being enabled. The vulnerability can be triggered through both local and remote files.
Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to run arbitrary code on an end user’s system when loaded despite safe mode being enabled. The vulnerability can be triggered through both local and remote files.
Deserialization of untrusted data can occur in versions of the Keras f ...
Keras framework vulnerable to deserialization of untrusted data
EPSS
8.4 High
CVSS3