Can you share if there is a new release planned to address the ShellTorch vulnerabilities and if so the timing? We are working to address these vulnerabilities but for the SSRF issue, v0.8.2 just does a warning. We don’t want to patch twice if at all possible.
ShellTorch page: ShellTorch: Critical Vulnerabilities in TorchServe (including CVE-2023-43654)
ShellTorchCheker: GitHub - OligoCyberSecurity/ShellTorchChecker: A tool that checks if a TorchServe instance is vulnerable to CVE-2023-43654
AWS advisory: Reported TorchServe Issue (CVE-2023-43654)
Hi torchserve developer here!
They blogged about issues only affect torchserve not PyTorch and all the major issues they’ve listed out have been patched in 0.8.2
Regarding the “just a warning part” the blog was referring to some documentation changes that were missing, we’ve since made them. Doc changes don’t require a release but we are indeed planning another release 0.9.0 before Oct 15
- Advise on how to secure torchserve when dealing with docker: updates to security guidelines and docker config by agunapal · Pull Request #2669 · pytorch/serve · GitHub
- In our docker examples we no longer use 0.0.0.0 Bind torchserve container ports to localhost ports by namannandan · Pull Request #2646 · pytorch/serve · GitHub
- In our documentation we no longer use 0.0.0.0 Update default address from 0.0.0.0 to 127.0.0.1 in documentation and examples by namannandan · Pull Request #2624 · pytorch/serve · GitHub
- We’re now recommending people use 0.8.2 for the latest security patches Update SECURITY.md by msaroufim · Pull Request #2643 · pytorch/serve · GitHub
Also we have since proactively fixed many more security issues which you can follow by checking for the
security tag on github Pull requests · pytorch/serve · GitHub
We take security very seriously on the team by including tools for code scanning and regular dependency upgrades and we list out our approach here https://github.com/pytorch/serve/blob/master/SECURITY.md
Thank you for closing the loop. I’ll pass this along to the team we have working this response effort internally.
PE/Lead Engineer High Profile Response Events
Intel Product Security Incident Response Team
PSIRT Email: firstname.lastname@example.org
Full Remote/East Coast Time Zone