Vulnerability Information
Vulnerability Title
Denial of service in readExternal method
Vulnerability Description
The Security Team noticed that the termination condition of the for loop in the readExternal method is a controllable variable which, if tampered with, may lead to CPU exhaustion. As a fix, we added an upper bound and termination condition in the read and write logic. We classify it as a "low-priority but useful improvement". SystemDS is a distributed system and needs to serialize/deserialize data, but in many code paths (e.g., on Spark broadcast/shuffle or when writing to sequence files) the byte stream is in any case protected by additional CRC fingerprints. In this particular case, moreover, the number of decoders is upper-bounded by twice the number of columns, which means an attacker would need to modify two entries in the byte stream in a consistent manner. By adding these checks, robustness was strictly improved with almost zero overhead. These code changes are available in versions higher than 2.2.1.
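The pattern described above, as an added illustration that is not SystemDS code: an Externalizable class whose element count is read from the stream, first in the unbounded form the description refers to, then with the read- and write-side bound of twice the number of columns applied before any loop or allocation. The class name, fields and the decodeId payload are hypothetical; only the bounding rule ("at most twice the number of columns") comes from the description.

```java
import java.io.*;

public class BoundedReadExternalExample {

    // Hypothetical record: per-column decoder ids, at most two per column.
    static final class ColumnDecoders implements Externalizable {
        int numColumns;
        int[] decoderIds;

        public ColumnDecoders() { }                       // required by Externalizable
        ColumnDecoders(int numColumns, int[] ids) { this.numColumns = numColumns; this.decoderIds = ids; }

        // Invariant enforced on the write side too, so a consistent stream never violates it.
        static void checkBound(int numColumns, int count) throws InvalidObjectException {
            if (numColumns < 0 || count < 0 || count > 2L * numColumns) {
                throw new InvalidObjectException(
                    "decoder count " + count + " exceeds bound 2*" + numColumns);
            }
        }

        @Override public void writeExternal(ObjectOutput out) throws IOException {
            checkBound(numColumns, decoderIds.length);
            out.writeInt(numColumns);
            out.writeInt(decoderIds.length);
            for (int id : decoderIds) out.writeInt(id);
        }

        @Override public void readExternal(ObjectInput in) throws IOException {
            readFrom(in);
        }

        // Unbounded form (the defect class in the description): the loop limit is whatever
        // the stream says, so a corrupted count keeps the CPU busy reading until EOF.
        void readFromUnbounded(DataInput in) throws IOException {
            numColumns = in.readInt();
            int n = in.readInt();
            decoderIds = new int[n];                       // also a huge allocation for large n
            for (int i = 0; i < n; i++) decoderIds[i] = in.readInt();
        }

        // Bounded form: validate the count against the column count before allocating or looping.
        void readFrom(DataInput in) throws IOException {
            numColumns = in.readInt();
            int n = in.readInt();
            checkBound(numColumns, n);                     // rejects before any work is done
            decoderIds = new int[n];
            for (int i = 0; i < n; i++) decoderIds[i] = in.readInt();
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. Well-formed round trip through the standard serialization machinery.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new ColumnDecoders(3, new int[] {7, 8, 9, 10}));
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            ColumnDecoders cd = (ColumnDecoders) ois.readObject();
            System.out.println("valid stream: " + cd.decoderIds.length + " decoders for " + cd.numColumns + " columns");
        }

        // 2. Constructed malformed stream: 3 columns but a count of Integer.MAX_VALUE decoders.
        ByteArrayOutputStream bad = new ByteArrayOutputStream();
        try (DataOutputStream dos = new DataOutputStream(bad)) {
            dos.writeInt(3);
            dos.writeInt(Integer.MAX_VALUE);
        }
        try {
            new ColumnDecoders().readFrom(new DataInputStream(new ByteArrayInputStream(bad.toByteArray())));
        } catch (InvalidObjectException e) {
            System.out.println("malformed stream rejected: " + e.getMessage());
        }
    }
}
```

The check is deliberately placed before `new int[n]`: validating after allocation would still let a large count trigger a huge allocation. As the description notes, the column count itself also comes from the stream, so the bound forces an attacker to alter two fields consistently rather than making the count unforgeable; CRC fingerprints on the surrounding byte stream cover the rest.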
CVSS Information
N/A
Vulnerability Type
Uncontrolled resource consumption (resource exhaustion)
Vulnerability Title
Apache SystemDS resource management error vulnerability
Vulnerability Description
Apache SystemDS is an open-source machine learning system for the end-to-end data science lifecycle from the Apache Foundation in the United States. Apache SystemDS versions 2.2.1 and earlier contain a security vulnerability that stems from the termination condition of the for loop in the readExternal method being a controllable variable; if tampered with, it leads to CPU exhaustion.
CVSS Information
N/A
Vulnerability Type
N/A