=====================================================================
CERT-Renater Note d'Information No. 2023/VULN369
_____________________________________________________________________
DATE : 04/10/2023
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running torchserve versions prior to 0.8.2.
=====================================================================

https://github.com/pytorch/serve/security/advisories/GHSA-4mqg-h5jf-j9m7
https://github.com/pytorch/serve/security/advisories/GHSA-8fxr-qfr9-p34w
_____________________________________________________________________

TorchServe Pre-auth RCE
Severity: Critical
namannandan published GHSA-4mqg-h5jf-j9m7

Package:           torchserve
Affected versions: >= 0.3.0, <= 0.8.1
Patched versions:  0.8.2

Description

Impact: Use of Open Source Library potentially exposed to RCE

Issue: Use of a version of the SnakeYAML v1.31 open source library with
multiple issues that potentially exposes the user to unsafe
deserialization of Java objects. This could allow third parties to
execute arbitrary code on the target system. This issue is present in
versions 0.3.0 to 0.8.1.

Mitigation: A pull request to address this issue has been merged -
#2523. TorchServe release 0.8.2 includes this fix.
Patches

TorchServe release 0.8.2 includes fixes to address the previously
listed issue: https://github.com/pytorch/serve/releases/tag/v0.8.2

Tags for upgraded DLC release

Users can use the following new image tags to pull DLCs that ship with
the patched TorchServe version 0.8.2:

  x86 GPU
    v1.9-pt-ec2-2.0.1-inf-gpu-py310
    v1.8-pt-sagemaker-2.0.1-inf-gpu-py310
  x86 CPU
    v1.8-pt-ec2-2.0.1-inf-cpu-py310
    v1.7-pt-sagemaker-2.0.1-inf-cpu-py310
  Graviton
    v1.7-pt-graviton-ec2-2.0.1-inf-cpu-py310
    v1.5-pt-graviton-sagemaker-2.0.1-inf-cpu-py310
  Neuron
    1.13.1-neuron-py310-sdk2.13.2-ubuntu20.04
    1.13.1-neuronx-py310-sdk2.13.2-ubuntu20.04

The full DLC image URI details can be found at:
https://github.com/aws/deep-learning-containers/blob/master/available_images.md#available-deep-learning-containers-images

References
  #2523
  https://github.com/pytorch/serve/releases/tag/v0.8.2
  https://github.com/aws/deep-learning-containers/blob/master/available_images.md#available-deep-learning-containers-images

Credit

We would like to thank Oligo Security for responsibly disclosing this
issue and working with us on its resolution.

If you have any questions or comments about this advisory, we ask that
you contact AWS/Amazon Security via our vulnerability reporting page
(https://aws.amazon.com/security/vulnerability-reporting) or directly
via email to aws-security@amazon.com. Please do not create a public
GitHub issue.
Severity: Critical, 9.9 / 10

CVSS base metrics
  Attack vector:        Network
  Attack complexity:    Low
  Privileges required:  Low
  User interaction:     None
  Scope:                Changed
  Confidentiality:      High
  Integrity:            High
  Availability:         High
  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE ID:     CVE-2022-1471
Weaknesses: CWE-913
_____________________________________________________________________

TorchServe SSRF
Severity: High
namannandan published GHSA-8fxr-qfr9-p34w

Package:           torchserve
Affected versions: >= 0.1.0, <= 0.8.1
Patched versions:  0.8.2

Description

Impact: Remote Server-Side Request Forgery (SSRF)

Issue: TorchServe default configuration lacks proper input validation,
enabling third parties to invoke remote HTTP download requests and
write files to the disk. This issue could be taken advantage of to
compromise the integrity of the system and sensitive data. This issue
is present in versions 0.1.0 to 0.8.1.

Mitigation: The user is able to load the model of their choice from any
URL that they would like to use. The user of TorchServe is responsible
for configuring both the allowed_urls and specifying the model URL to
be used. A pull request to warn the user when the default value for
allowed_urls is used has been merged - #2534. TorchServe release 0.8.2
includes this change.
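The two operational questions this note raises for an operator are "is my TorchServe inside the affected ranges?" and "am I still running on the default allowed_urls that PR #2534 warns about?". The script below is an added example written for this note; it is not code from CERT-Renater, AWS or the TorchServe project. It evaluates a config.properties `allowed_urls` value as the referenced configuration.md describes it (a comma-separated list of regexes, default `file://.*|http(s)?://.*`) and compares that default with a restrictive setting. The sample configs and the URLs tested are constructed for the example, and the checker applies each regex with fullmatch(); that is an assumption about the intended semantics, not a reproduction of TorchServe's own Java matching code.

```python
"""Added example for the TorchServe advisories above (not project code).

1. affected_advisories(): is a torchserve version inside the ranges the
   advisories quote?  RCE: 0.3.0-0.8.1, SSRF: 0.1.0-0.8.1, fixed in 0.8.2.
2. read_allowed_urls() / url_allowed(): pull `allowed_urls` out of a
   config.properties text and test candidate model URLs against it.

Assumption: every regex is applied with fullmatch(). This mirrors the
documented meaning of allowed_urls, not TorchServe's Java implementation.
"""
import re
from typing import List, Tuple

FIXED_VERSION = (0, 8, 2)
RCE_RANGE = ((0, 3, 0), (0, 8, 1))    # GHSA-4mqg-h5jf-j9m7 / CVE-2022-1471
SSRF_RANGE = ((0, 1, 0), (0, 8, 1))   # GHSA-8fxr-qfr9-p34w / CVE-2023-43654
DEFAULT_ALLOWED_URLS = "file://.*|http(s)?://.*"   # default per configuration.md


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract x.y.z from e.g. the output of `torchserve --version`."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def affected_advisories(version_text: str) -> List[str]:
    """Return the advisory IDs whose affected range contains this version."""
    v = parse_version(version_text)
    hits = []
    if RCE_RANGE[0] <= v <= RCE_RANGE[1]:
        hits.append("GHSA-4mqg-h5jf-j9m7")
    if SSRF_RANGE[0] <= v <= SSRF_RANGE[1]:
        hits.append("GHSA-8fxr-qfr9-p34w")
    return hits


def read_allowed_urls(config_text: str) -> str:
    """Raw allowed_urls value from config.properties text, or the default if unset."""
    value = DEFAULT_ALLOWED_URLS
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip() == "allowed_urls":
            value = val.strip()
    return value


def uses_default_allowed_urls(config_text: str) -> bool:
    """True when the deployment relies on the permissive default, which is the
    condition TorchServe 0.8.2 warns about (PR #2534)."""
    return read_allowed_urls(config_text) == DEFAULT_ALLOWED_URLS


def parse_allowed_urls(config_text: str) -> List[re.Pattern]:
    """Comma-separated regex list -> compiled patterns."""
    value = read_allowed_urls(config_text)
    return [re.compile(p.strip()) for p in value.split(",") if p.strip()]


def url_allowed(url: str, patterns: List[re.Pattern]) -> bool:
    """A model URL is accepted only if some pattern matches it in full."""
    return any(p.fullmatch(url) for p in patterns)


# Constructed sample configs (not taken from the advisory).
DEFAULT_CONFIG = "inference_address=http://127.0.0.1:8080\n# allowed_urls left unset\n"
# Hardened: one internal HTTPS host plus one local model store. Literal dots are
# written as [.] so the line needs no backslashes in a properties file.
HARDENED_CONFIG = (
    "inference_address=http://127.0.0.1:8080\n"
    "allowed_urls=https://models[.]example[.]internal/.*,file:///opt/model-store/.*\n"
)

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        pats = parse_allowed_urls(cfg)
        print(f"[{name}] relies on default allowed_urls: {uses_default_allowed_urls(cfg)}")
        for url in ("https://models.example.internal/resnet.mar",
                    "http://internal-host.example/anything.mar",
                    "file:///tmp/not-in-store.mar"):
            print(f"  {url}: {'allowed' if url_allowed(url, pats) else 'rejected'}")
    print("0.8.1 affected by:", affected_advisories("TorchServe Version is 0.8.1"))
```

Under the default every http(s) and file URL is accepted, so the model-registration endpoint can be made to fetch from arbitrary hosts and write the result to disk, which is the SSRF described above; the hardened value restricts both the remote host and the local directory. Anchoring matters: the patterns end in `/.*`, so a host that merely begins with the allowed name (`models.example.internal.evil.example`) does not match.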
Patches

TorchServe release 0.8.2 includes fixes to address the previously
listed issue: https://github.com/pytorch/serve/releases/tag/v0.8.2

Tags for upgraded DLC release

Users can use the following new image tags to pull DLCs that ship with
the patched TorchServe version 0.8.2:

  x86 GPU
    v1.9-pt-ec2-2.0.1-inf-gpu-py310
    v1.8-pt-sagemaker-2.0.1-inf-gpu-py310
  x86 CPU
    v1.8-pt-ec2-2.0.1-inf-cpu-py310
    v1.7-pt-sagemaker-2.0.1-inf-cpu-py310
  Graviton
    v1.7-pt-graviton-ec2-2.0.1-inf-cpu-py310
    v1.5-pt-graviton-sagemaker-2.0.1-inf-cpu-py310
  Neuron
    1.13.1-neuron-py310-sdk2.13.2-ubuntu20.04
    1.13.1-neuronx-py310-sdk2.13.2-ubuntu20.04

The full DLC image URI details can be found at:
https://github.com/aws/deep-learning-containers/blob/master/available_images.md#available-deep-learning-containers-images

References
  serve/docs/configuration.md, line 296 in b3eced5:
    * `allowed_urls` : Comma separated regex of allowed source URL(s)
      from where models can be registered.
      Default: `file://.*|http(s)?://.*` (all URLs and local file system)
  #2534
  https://github.com/pytorch/serve/releases/tag/v0.8.2
  https://github.com/aws/deep-learning-containers/blob/master/available_images.md#available-deep-learning-containers-images

Credit

We would like to thank Oligo Security for responsibly disclosing this
issue and working with us on its resolution.

If you have any questions or comments about this advisory, we ask that
you contact AWS/Amazon Security via our vulnerability reporting page
(https://aws.amazon.com/security/vulnerability-reporting) or directly
via email to aws-security@amazon.com. Please do not create a public
GitHub issue.
Severity: High, 7.2 / 10

CVSS base metrics
  Attack vector:        Network
  Attack complexity:    Low
  Privileges required:  None
  User interaction:     None
  Scope:                Changed
  Confidentiality:      Low
  Integrity:            Low
  Availability:         None
  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CVE ID:     CVE-2023-43654
Weaknesses: CWE-918

=========================================================
+ CERT-RENATER       | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel   | fax : 01-53-94-20-41            +
+ 75013 Paris        | email : cert@support.renater.fr +
=========================================================