ShellTorch Patch Availability

Can you share if there is a new release planned to address the ShellTorch vulnerabilities and if so the timing? We are working to address these vulnerabilities but for the SSRF issue, v0.8.2 just does a warning. We don’t want to patch twice if at all possible.

References:

ShellTorch page: ShellTorch: Critical Vulnerabilities in TorchServe (including CVE-2023-43654)

ShellTorchChecker: GitHub - OligoCyberSecurity/ShellTorchChecker: A tool that checks if a TorchServe instance is vulnerable to CVE-2023-43654

AWS advisory: Reported TorchServe Issue (CVE-2023-43654)

B/R
Bruce

Hi torchserve developer here!

They blogged about issues that only affect torchserve, not PyTorch, and all the major issues they’ve listed out have been patched in 0.8.2

Regarding the “just a warning” part, the blog was referring to some documentation changes that were missing; we’ve since made them. Doc changes don’t require a release, but we are indeed planning another release, 0.9.0, before Oct 15

  1. Advice on how to secure torchserve when dealing with docker: updates to security guidelines and docker config by agunapal · Pull Request #2669 · pytorch/serve · GitHub
  2. In our docker examples we no longer use 0.0.0.0: Bind torchserve container ports to localhost ports by namannandan · Pull Request #2646 · pytorch/serve · GitHub
  3. In our documentation we no longer use 0.0.0.0: Update default address from 0.0.0.0 to 127.0.0.1 in documentation and examples by namannandan · Pull Request #2624 · pytorch/serve · GitHub
  4. We’re now recommending people use 0.8.2 for the latest security patches: Update SECURITY.md by msaroufim · Pull Request #2643 · pytorch/serve · GitHub

Also we have since proactively fixed many more security issues, which you can follow by checking for the security tag on GitHub: Pull requests · pytorch/serve · GitHub

We take security very seriously on the team by including tools for code scanning and regular dependency upgrades and we list out our approach here https://github.com/pytorch/serve/blob/master/SECURITY.md

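The two configuration points in the reply above (bind the TorchServe APIs to 127.0.0.1 rather than 0.0.0.0, and publish container ports on localhost only) as an added audit script; this is not code from the thread or from pytorch/serve. It assumes TorchServe's config.properties keys inference_address, management_address and metrics_address, and both the sample config and the docker command line below are constructed.

```python
from urllib.parse import urlsplit

# Keys in TorchServe's config.properties that hold a listen URL (upstream key names).
ADDRESS_KEYS = ("inference_address", "management_address", "metrics_address")
WILDCARD_HOSTS = {"", "0.0.0.0", "::", "[::]"}  # "" covers a URL like http://:8080

SAMPLE_CONFIG = """\
# constructed sample, shaped like the pre-fix examples that bound every API to 0.0.0.0
inference_address=http://0.0.0.0:8080
management_address=http://0.0.0.0:8081
metrics_address=http://127.0.0.1:8082
number_of_netty_threads=4
"""
# constructed docker command line; image name is a placeholder
SAMPLE_ARGV = ["docker", "run", "--rm", "-p", "8080:8080",
               "-p", "127.0.0.1:8081:8081", "--publish=8082:8082", "torchserve-image"]

def address_lines(text):
    """Yield (key, url) for every non-comment address line in config.properties."""
    for line in (ln.strip() for ln in text.splitlines()):
        key, sep, value = line.partition("=")
        if sep and not line.startswith("#") and key.strip() in ADDRESS_KEYS:
            yield key.strip(), value.strip()

def audit_config(text):
    """Return {key: host} for each API address bound to all interfaces."""
    return {k: urlsplit(v).hostname or "" for k, v in address_lines(text)
            if (urlsplit(v).hostname or "") in WILDCARD_HOSTS}

def harden_config(text):
    """Rewrite wildcard API addresses to 127.0.0.1; every other line is kept as-is."""
    fixed = {}
    for key, url in address_lines(text):
        parts = urlsplit(url)
        if (parts.hostname or "") in WILDCARD_HOSTS:
            loop = "127.0.0.1" + (f":{parts.port}" if parts.port else "")
            fixed[key] = f"{key}={url.replace(parts.netloc, loop, 1)}"
    out = [fixed.get(ln.strip().partition("=")[0].strip(), ln) for ln in text.splitlines()]
    return "\n".join(out) + "\n"

def audit_port_flags(argv):
    """Return docker -p/--publish specs that publish a port on all host interfaces."""
    specs = []
    for i, arg in enumerate(argv):
        if arg in ("-p", "--publish") and i + 1 < len(argv):
            specs.append(argv[i + 1])
        elif arg.startswith("--publish=") or (arg.startswith("-p") and arg != "-p"):
            specs.append(arg.split("=", 1)[1] if arg.startswith("--") else arg[2:])
    exposed = []
    for spec in specs:
        rest, sep, _ = spec.split("/")[0].rpartition(":")  # drop /proto and container port
        if not sep or rest.rpartition(":")[0] in WILDCARD_HOSTS:  # no host ip, or wildcard
            exposed.append(spec)
    return exposed
```

Run `audit_config` on a deployed config.properties and `audit_port_flags` on the container's `docker run` line; anything reported is reachable from beyond the host unless a firewall or reverse proxy sits in front of it.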

Hi Mark,

Thank you for closing the loop. I’ll pass this along to the team we have working this response effort internally.

Best Regards,

Bruce

Bruce Monroe

PE/Lead Engineer High Profile Response Events

Intel Product Security Incident Response Team

Web: www.intel.com/security

PSIRT Email: secure@intel.com

Full Remote/East Coast Time Zone
