In my application, I use the OpenVINO toolkit for the conversion of models from PyTorch / TensorFlow to OpenVINO's IR format. This uses the OpenVINO toolkit. But on products, I use only OpenVINO's redistributable binaries, not the entire toolkit.
On the NVD site, some vulnerabilities are reported for the OpenVINO toolkit. I am currently using OpenVINO "2021.4.0." for development.
| Vulnerability ID | Summary | Version | Remarks | Supporting Link |
| --- | --- | --- | --- | --- |
| CVE-2023-31203 | The Intel distribution of the OpenVINO toolkit may allow an unauthenticated user to potentially enable denial of service via network access. | Before version 2022.3 | An issue occurs in OpenVINO Model Server software. We are not using OpenVINO Model Server software, so this is not applicable. | https://nvd.nist.gov/vuln/detail/CVE-2023-3120 |
| CVE-2023-25080 | Allow an authenticated user to potentially enable information disclosure via local access. | Before version 2023.0.0 | No information is available if this vulnerability is applicable to redistributables also. | https://nvd.nist.gov/vuln/detail/CVE-2023-25080 |
| CVE-2023-28405 | Uncontrolled search path in the Intel(R) Distribution of OpenVINO(TM) Toolkit before version 2022.3.0 may allow an authenticated user to potentially enable escalation of privilege via local access. | Before version 2022.3.0 | No information is available if this vulnerability is applicable to redistributables also. | https://nvd.nist.gov/vuln/detail/CVE-2023-28405 |
| CVE-2021-26251 | Improper input validation in the Intel(R) Distribution of OpenVINO(TM) Toolkit may allow an authenticated user to potentially enable denial of service via network access. | Before version 2021.4.2. | No information is available if this vulnerability is applicable to redistributables also. | https://nvd.nist.gov/vuln/detail/CVE-2021-26251 |
So I would like to know whether these vulnerabilities are applicable to OpenVINO's redistributable binaries.
I would truly appreciate it if anyone could provide valid information.
Thanks in advance.
Hi Dibin_Arackal,
Thanks for reaching out. We are checking on this and will get back to you soon.
Regards,
Aznie
Hi,
All the vulnerabilities listed in that table were resolved by the release of OpenVINO 2023.1.
It's recommended to switch to OpenVINO 2023.1 or 2024.0, the latest versions available.
Please note that we have stopped supporting API 1.0 and currently we are using API 2.0 in OpenVINO 2024.0.
If it's inconvenient for you to switch to a newer version of OpenVINO, you'll face 4 known vulnerabilities, 2 of which are OVMS-related: CVE-2023-31203 and CVE-2021-26251.
The OVMS-related vulnerabilities won't impact your use case since you mentioned you didn't use it; however, the other 2 are applicable, as below:
- Missing Spectre mitigation flags in compilation procedure: CVE-2023-25080
- DLL injection/RPath issue: CVE-2023-28405
Cordially,
Iffa
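For the search-path issue named in the reply above (CVE-2023-28405), one way to audit the Linux shared libraries you redistribute is to review their RPATH/RUNPATH entries. This is an added example, not part of the thread and not Intel's fix or tooling; the trusted prefixes and the sample `readelf -d` output are assumptions constructed for illustration, and it does not cover Windows DLL search order.

```python
import re

# Rows that `readelf -d <library>` prints for the ELF search-path tags.
_DYN = re.compile(r"\((RPATH|RUNPATH)\)\s+Library (?:rpath|runpath): \[(.*)\]")

# Assumption: directories only administrators can write to on the target.
TRUSTED_PREFIXES = ("/usr/lib", "/opt/intel")

def risky_search_paths(readelf_output, trusted=TRUSTED_PREFIXES):
    """Return (tag, entry, reason) for each search-path entry worth reviewing."""
    findings = []
    for tag, value in _DYN.findall(readelf_output):
        for entry in value.split(":"):
            if entry.startswith(("$ORIGIN", "${ORIGIN}")):
                # Resolved next to the library itself; safe only if the
                # install directory is not writable by unprivileged users.
                continue
            if entry == "":
                reason = "empty entry, glibc searches the current directory"
            elif not entry.startswith("/"):
                reason = "relative path, resolved against the current directory"
            elif any(entry == p or entry.startswith(p + "/") for p in trusted):
                continue
            else:
                reason = "absolute path outside the trusted prefixes"
            findings.append((tag, entry, reason))
    return findings

# Constructed sample output, not taken from a real OpenVINO build.
SAMPLE = """\
 0x0000000000000001 (NEEDED)             Shared library: [libtbb.so.2]
 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN:/home/build/ov/lib::plugins]
"""

if __name__ == "__main__":
    for tag, entry, reason in risky_search_paths(SAMPLE):
        print(f"{tag}: {entry!r}: {reason}")
```

Feed it the output of `readelf -d` for each library in the redistributable package and review every finding before shipping.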
Hi,
Intel will no longer monitor this thread since we have provided a solution. If you need any additional information from Intel, please submit a new question.
Cordially,
Iffa