{"id":3063,"date":"2021-09-06T12:50:58","date_gmt":"2021-09-06T07:20:58","guid":{"rendered":"https:\/\/xiarch.com\/blog\/?p=3063"},"modified":"2021-09-06T18:02:53","modified_gmt":"2021-09-06T12:32:53","slug":"due-to-code-execution-bug-googles-tensorflow-drops-yaml-support","status":"publish","type":"post","link":"https:\/\/xiarch.com\/blog\/due-to-code-execution-bug-googles-tensorflow-drops-yaml-support\/","title":{"rendered":"Due to Code Execution Bug, Google\u2019s TensorFlow drops YAML Support!"},"content":{"rendered":"\n
A well-known Python-based machine learning and artificial intelligence project known as TensorFlow, developed by Google has discontinued the support for YAML, to patch the sensitive code execution vulnerability.<\/p><\/p>\n\n\n\n
Yet Another Markup Language or YAML is a beneficial choice among developers seeking a human-readable information serialization language for managing configuration files and data in transit.<\/p><\/p>\n\n\n\n
What is the Unauthorized deserialization Vulnerability in TensorFlow?<\/strong><\/h2>\n\n\n\n
Handlers behind both the TensorFlow and Keras, a wrapper operation for TensorFlow, have patched an unauthorized deserialization vulnerability that derives from unsafe parsing of YAML. Tracked as CVE-2021-37678, the critical bug that allows the threat actor to run arbitrary code when an application deserializes a Keras model provided in the YAML format.<\/p><\/p>\n\n\n\n
These Deserialization vulnerabilities typically occur when an application reads malformed or malicious information originating from unauthentic sources. After an application goes through and deserializes the information, it may smash resulting in a Denial of Service (DoS) condition, or worse, run the threat actor\u2019s arbitrary code. <\/p><\/p>\n\n\n\n
This YAML deserialization vulnerability rated a 9.3 in severity, was responsibly reported to TensorFlow handlers by a security researcher. But what are the sources of the flaw? The well-known \u201cyaml.unsafe_load()\u201d function in TensorFlow code:<\/p><\/p>\n\n\n\n<\/figure>\n\n\n\n
The \u201cunsafe_load\u201d function is known to deserialize YAML data rather liberally\u2014it resolves all tags, \u201ceven those known to be unprotected on unauthenticated input.\u201d<\/p><\/p>\n\n\n\n
This means, admirably \u201cunsafe_load\u201d should only be called on input that comes from a trusted source and is known to be free of any malicious content. Should that not be the case, the threat actor can exploit the deserialization tools to run code of their choice by inserting malicious payload in the YAML data which is yet to be serialized.<\/p><\/p>\n\n\n\n
An example of Proof-of-Concept (PoC) exploit transmitted in the vulnerability advisory demonstrated as given below:<\/p><\/p>\n\n\n\n
\n
from tensorflow.keras import models<\/p><\/p>\n\n\n\n
TensorFlow drops YAML altogether in Assistance of JSON<\/strong><\/h2>\n\n\n\n
Right after the vulnerability was reported, TensorFlow was determined to drop YAML support altogether and utilize the JSON deserialization instead. \u201cProvided that the YAML format support requires a significant amount of work, we have removed it for now,\u201d stated the project handlers in the same advisory.<\/p><\/p>\n\n\n\n
\u201cThe ways \u2018Model.to_yaml()\u2019 and \u2018keras.models.model_from_yaml\u2019 have been replaced to raise a \u2018RuntimeError\u2019 as <\/p><\/p>\n\n\n\n
They can be harmed to cause arbitrary code execution,\u201d also explain the release notes associated with the fix. \u201cIt is suggested to use JSON serialization instead of YAML, or, a better alternative, serialize to H5.\u201d<\/p><\/p>\n\n\n\n
TensorFlow is not the first or only operation found to be utilizing YAML\u2019s unsafe_load. The process\u2019s use is rather avoided in Python projects. GitHub shows thousands of search results ascribing the function, with some of the developers come up with the improvements:<\/p><\/p>\n\n\n\n<\/figure>\n\n\n\n
Fix for CVE-2021-37678 is expected to come in TensorFlow version 2.6.0, and will also be backported into the previous versions 2.5.1, 2.3.4, state the handlers.<\/p><\/p>\n\n\n\n
A well-known Python-based machine learning and artificial intelligence project known as TensorFlow, developed by Google has discontinued the support for YAML, to patch the sensitive code execution vulnerability. Yet Another Markup Language or YAML is a beneficial choice among developers seeking a human-readable information serialization language for managing configuration files and data in transit. What […]<\/p>\n","protected":false},"author":2,"featured_media":3065,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6],"tags":[],"yoast_head":"\n
Due to Code Execution Bug, Google\u2019s TensorFlow drops YAML Support! - Xiarch Solutions Private Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/xiarch.com\/blog\/due-to-code-execution-bug-googles-tensorflow-drops-yaml-support\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Due to Code Execution Bug, Google\u2019s TensorFlow drops YAML Support! - Xiarch Solutions Private Limited\" \/>\n<meta property=\"og:description\" content=\"A well-known Python-based machine learning and artificial intelligence project known as TensorFlow, developed by Google has discontinued the support for YAML, to patch the sensitive code execution vulnerability. Yet Another Markup Language or YAML is a beneficial choice among developers seeking a human-readable information serialization language for managing configuration files and data in transit. What […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/xiarch.com\/blog\/due-to-code-execution-bug-googles-tensorflow-drops-yaml-support\/\" \/>\n<meta property=\"og:site_name\" content=\"Xiarch Solutions Private Limited\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/xiarch\/\" \/>\n<meta property=\"article:published_time\" content=\"2021-09-06T07:20:58+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-09-06T12:32:53+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/09\/Here-are-the-New-Malware-Campaigns-\u2018Windows-11-Alpha-Attachment-featured-image.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"525\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Xiarch Security\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@xiarch\" \/>\n<meta name=\"twitter:site\" content=\"@xiarch\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Xiarch Security\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/xiarch.com\/blog\/due-to-code-execution-bug-googles-tensorflow-drops-yaml-support\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/due-to-code-execution-bug-googles-tensorflow-drops-yaml-support\/\"},\"author\":{\"name\":\"Xiarch Security\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\"},\"headline\":\"Due to Code Execution Bug, Google\u2019s TensorFlow drops YAML Support!\",\"datePublished\":\"2021-09-06T07:20:58+00:00\",\"dateModified\":\"2021-09-06T12:32:53+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/xiarch.com\/blog\/due-to-code-execution-bug-googles-tensorflow-drops-yaml-support\/\"},\"wordCount\":521,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"articleSection\":[\"Vulnerabilities\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/xiarch.com\/blog\/due-to-code-execution-bug-googles-tensorflow-drops-yaml-support\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/xiarch.com\/blog\/due-to-code-execution-bug-googles-tensorflow-drops-yaml-support\/\",\"url\":\"https:\/\/xiarch.com\/blog\/due-to-code-execution-bug-googles-tensorflow-drops-yaml-support\/\",\"name\":\"Due to Code Execution Bug, Google\u2019s TensorFlow drops YAML Support! - Xiarch Solutions Private Limited\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#website\"},\"datePublished\":\"2021-09-06T07:20:58+00:00\",\"dateModified\":\"2021-09-06T12:32:53+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/xiarch.com\/blog\/due-to-code-execution-bug-googles-tensorflow-drops-yaml-support\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/xiarch.com\/blog\/due-to-code-execution-bug-googles-tensorflow-drops-yaml-support\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/xiarch.com\/blog\/due-to-code-execution-bug-googles-tensorflow-drops-yaml-support\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/xiarch.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Due to Code Execution Bug, Google\u2019s TensorFlow drops YAML Support!\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/xiarch.com\/blog\/#website\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"name\":\"Xiarch Solutions Private Limited\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/xiarch.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\",\"name\":\"Xiarch\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"contentUrl\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"width\":300,\"height\":300,\"caption\":\"Xiarch\"},\"image\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/xiarch\/\",\"https:\/\/twitter.com\/xiarch\",\"https:\/\/www.linkedin.com\/company\/xiarch\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\",\"name\":\"Xiarch Security\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"caption\":\"Xiarch Security\"},\"sameAs\":[\"https:\/\/xiarch.com\/blog\/\"],\"url\":\"https:\/\/xiarch.com\/blog\/author\/vector\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Due to Code Execution Bug, Google\u2019s TensorFlow drops YAML Support! - Xiarch Solutions Private Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/xiarch.com\/blog\/due-to-code-execution-bug-googles-tensorflow-drops-yaml-support\/","og_locale":"en_US","og_type":"article","og_title":"Due to Code Execution Bug, Google\u2019s TensorFlow drops YAML Support! - Xiarch Solutions Private Limited","og_description":"A well-known Python-based machine learning and artificial intelligence project known as TensorFlow, developed by Google has discontinued the support for YAML, to patch the sensitive code execution vulnerability. Yet Another Markup Language or YAML is a beneficial choice among developers seeking a human-readable information serialization language for managing configuration files and data in transit. What […]","og_url":"https:\/\/xiarch.com\/blog\/due-to-code-execution-bug-googles-tensorflow-drops-yaml-support\/","og_site_name":"Xiarch Solutions Private Limited","article_publisher":"https:\/\/www.facebook.com\/xiarch\/","article_published_time":"2021-09-06T07:20:58+00:00","article_modified_time":"2021-09-06T12:32:53+00:00","og_image":[{"width":1000,"height":525,"url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/09\/Here-are-the-New-Malware-Campaigns-\u2018Windows-11-Alpha-Attachment-featured-image.png","type":"image\/png"}],"author":"Xiarch Security","twitter_card":"summary_large_image","twitter_creator":"@xiarch","twitter_site":"@xiarch","twitter_misc":{"Written by":"Xiarch Security","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/xiarch.com\/blog\/due-to-code-execution-bug-googles-tensorflow-drops-yaml-support\/#article","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/due-to-code-execution-bug-googles-tensorflow-drops-yaml-support\/"},"author":{"name":"Xiarch Security","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c"},"headline":"Due to Code Execution Bug, Google\u2019s TensorFlow drops YAML Support!","datePublished":"2021-09-06T07:20:58+00:00","dateModified":"2021-09-06T12:32:53+00:00","mainEntityOfPage":{"@id":"https:\/\/xiarch.com\/blog\/due-to-code-execution-bug-googles-tensorflow-drops-yaml-support\/"},"wordCount":521,"commentCount":0,"publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"articleSection":["Vulnerabilities"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/xiarch.com\/blog\/due-to-code-execution-bug-googles-tensorflow-drops-yaml-support\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/xiarch.com\/blog\/due-to-code-execution-bug-googles-tensorflow-drops-yaml-support\/","url":"https:\/\/xiarch.com\/blog\/due-to-code-execution-bug-googles-tensorflow-drops-yaml-support\/","name":"Due to Code Execution Bug, Google\u2019s TensorFlow drops YAML Support! - Xiarch Solutions Private Limited","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/#website"},"datePublished":"2021-09-06T07:20:58+00:00","dateModified":"2021-09-06T12:32:53+00:00","breadcrumb":{"@id":"https:\/\/xiarch.com\/blog\/due-to-code-execution-bug-googles-tensorflow-drops-yaml-support\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/xiarch.com\/blog\/due-to-code-execution-bug-googles-tensorflow-drops-yaml-support\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/xiarch.com\/blog\/due-to-code-execution-bug-googles-tensorflow-drops-yaml-support\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/xiarch.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Due to Code Execution Bug, Google\u2019s TensorFlow drops YAML Support!"}]},{"@type":"WebSite","@id":"https:\/\/xiarch.com\/blog\/#website","url":"https:\/\/xiarch.com\/blog\/","name":"Xiarch Solutions Private Limited","description":"","publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/xiarch.com\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/xiarch.com\/blog\/#organization","name":"Xiarch","url":"https:\/\/xiarch.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","contentUrl":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","width":300,"height":300,"caption":"Xiarch"},"image":{"@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/xiarch\/","https:\/\/twitter.com\/xiarch","https:\/\/www.linkedin.com\/company\/xiarch"]},{"@type":"Person","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c","name":"Xiarch Security","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","caption":"Xiarch Security"},"sameAs":["https:\/\/xiarch.com\/blog\/"],"url":"https:\/\/xiarch.com\/blog\/author\/vector\/"}]}},"_links":{"self":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/3063"}],"collection":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/comments?post=3063"}],"version-history":[{"count":2,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/3063\/revisions"}],"predecessor-version":[{"id":3073,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/3063\/revisions\/3073"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media\/3065"}],"wp:attachment":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media?parent=3063"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/categories?post=3063"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/tags?post=3063"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"\"](\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/09\/Due-to-Code-Execution-Bug-Googles-TensorFlow-drops-YAML-Support-image1-1024x604.jpg\")
<\/figure>\n\n\n\n![\"Due-to-Code-Execution-Bug-Google\u2019s-TensorFlow-drops-YAML-Support-image2\"](\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/09\/Due-to-Code-Execution-Bug-Googles-TensorFlow-drops-YAML-Support-image2-1024x726.jpg\")
<\/figure>\n\n\n\n