Publication Date: 2024/07/18 2:50 PM PDT

AWS is aware of the issues described in CVE-2024-35198 and CVE-2024-35199 in PyTorch TorchServe versions 0.3.0 to 0.10.0. Customers using PyTorch inference Deep Learning Containers (DLC) through Amazon SageMaker are not affected.

In CVE-2024-35198, TorchServe does not prevent a model from being downloaded into the model store when the URL passed to the model registration API contains characters such as "..". Customers using PyTorch inference Deep Learning Containers (DLC) through Amazon SageMaker and Amazon Elastic Kubernetes Service (Amazon EKS) are not affected by this issue.

In CVE-2024-35199, TorchServe does not bind the two gRPC ports, 7070 and 7071, to localhost by default. These two ports are bound to all network interfaces when TorchServe is launched natively, without a Docker container. Customers using PyTorch inference Deep Learning Containers (DLC) are not affected by this issue.
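A quick way for an operator to confirm whether a native TorchServe host is exposed to the binding issue above is to look at what the gRPC ports are listening on. The added example below (not part of the advisory or of TorchServe) parses lines in the format of `ss -tln` output and reports ports 7070 and 7071 whenever they listen on anything other than a loopback address; the sample output is constructed for the example, and the function names are assumptions.

```python
"""Added check (not TorchServe code): flag TorchServe's gRPC ports 7070/7071
when they listen on a non-loopback address, based on `ss -tln` style output."""
import ipaddress
from typing import List, Tuple

GRPC_PORTS = {7070, 7071}

# Constructed sample of `ss -tln` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       4096    127.0.0.1:8080       0.0.0.0:*
LISTEN  0       4096    0.0.0.0:7070         0.0.0.0:*
LISTEN  0       4096    [::]:7071            [::]:*
LISTEN  0       128     127.0.0.1:22         0.0.0.0:*
"""

# Constructed sample of a host where both gRPC ports are loopback-only.
SAMPLE_SS_OUTPUT_SAFE = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       4096    127.0.0.1:7070       0.0.0.0:*
LISTEN  0       4096    [::1]:7071           [::]:*
"""


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split 'host:port' (IPv4, bracketed IPv6, or '*') into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    if host == "*":  # ss prints '*' for the IPv4 wildcard in some versions
        host = "0.0.0.0"
    return host, int(port)


def is_loopback(host: str) -> bool:
    """True only for 127.0.0.0/8 and ::1; wildcards and real interfaces are not."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def exposed_grpc_listeners(ss_output: str) -> List[Tuple[str, int]]:
    """Return (host, port) for every gRPC port not bound to loopback."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Column 4 is "Local Address:Port" in ss -tln output.
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, port = split_endpoint(fields[3])
        if port in GRPC_PORTS and not is_loopback(host):
            found.append((host, port))
    return found


if __name__ == "__main__":
    for host, port in exposed_grpc_listeners(SAMPLE_SS_OUTPUT):
        print(f"gRPC port {port} is listening on {host}, not loopback")
```

On a real host, pipe the output of `ss -tln` into `exposed_grpc_listeners`; an empty result means both gRPC ports are either loopback-only or not listening at all, which is the state the 0.11.0 default provides.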

TorchServe version v0.11.0 resolves these two issues.

Customers can use the following new image tags to pull DLCs that ship with patched TorchServe version 0.11.0. Alternatively, customers can upgrade to the latest version of TorchServe.

PyTorch 2.2

PyTorch 2.1

PyTorch 1.13

The full DLC image URI details can be found at: https://github.com/aws/deep-learning-containers/blob/master/available_images.md#available-deep-learning-containers-images.

We would like to thank Kroll Cyber Risk for collaborating on this issue through the coordinated vulnerability disclosure process.

If you have any questions or comments about this advisory, we ask that you contact AWS/Amazon Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.