Preface: OpenAI revealed that the project cost $100 million, took 100 days, and used 25,000 NVIDIA A100 GPUs. Each server equipped with these GPUs uses approximately 6.5 kW, so an estimated 50 GWh of energy is consumed during training.

Background: Parallel processing is a method in computing of running two or more processors (CPUs) to handle separate parts of an overall task. Breaking up different parts of a task among multiple processors will help reduce the amount of time to run a program. GPUs render images more quickly than a CPU because of its parallel processing architecture, which allows it to perform multiple calculations across streams of data simultaneously. The CPU is the brain of the operation, responsible for giving instructions to the rest of the system, including the GPU(s).

NVIDIA CUDA provides a simple C/C++ based interface. The CUDA compiler leverages parallelism built into the CUDA programming model as it compiles your program into code.
CUDA is a parallel computing platform and programming interface model created by Nvidia for the development of software which is used by parallel processors. It serves as an alternative to running simulations on traditional CPUs.

Vulnerability details:

CVE-2024-0123 – NVIDIA CUDA toolkit for Windows and Linux contains a vulnerability in the nvdisasm command line tool where an attacker may cause an improper validation in input issue by tricking the user into running nvdisasm on a malicious ELF file. A successful exploit of this vulnerability may lead to denial of service. (CWE‑1285 – Improper Validation of Specified Index, Position, or Offset in Input)

CVE-2024-0124 – NVIDIA CUDA Toolkit for Windows and Linux contains a vulnerability in the nvdisam command line tool, where a user can cause nvdisasm to read freed memory by running it on a malformed ELF file. A successful exploit of this vulnerability might lead to a limited denial of service. (CWE-416 – Use After Free)

CVE-2024-0125 – NVIDIA CUDA Toolkit for Windows and Linux contains a vulnerability in the nvdisam command line tool, where a user can cause a NULL pointer dereference by running nvdisasm on a malformed ELF file. A successful exploit of this vulnerability might lead to a limited denial of service. (CWE-476 – NULL Pointer Dereference)

Official announcement: Please refer to the vendor announcement for details –

https://nvidia.custhelp.com/app/answers/detail/a_id/5577

Preface: Some systems which implement malloc() may not release memory back to the operating system right away causing a false memory leak.

Background: Triton Inference Server provides a cloud and edge inferencing solution optimized for both CPUs and GPUs. Triton supports an HTTP/REST and GRPC protocol that allows remote clients to request inferencing for any model being managed by the server.

Vulnerability details: NVIDIA Triton Inference Server contains a vulnerability where a user may cause an out-of-bounds read issue by releasing a shared memory region while it is in use. A successful exploit of this vulnerability may lead to denial of service.

Official announcement: Please refer to the vendor announcement for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5565

Preface: Apache Linkis is a computation middleware that acts as a layer between upper-level applications and underlying engines, such as Apache Spark, Apache Hive and Apache Flink. It started as an Apache Incubator project in 2021 and graduated to a Top Level Project in January 2023.

Background: Linkis provides standardized interfaces (REST, JDBC, WebSocket etc.) to easily connect to various underlying engines (Spark, Presto, Flink, etc.), and acts as a proxy between the upper applications layer and underlying engines layer.

Ref: Py4J is a popularly library integrated within PySpark that lets python interface dynamically with JVM objects (RDD’s). Apache Spark comes with an interactive shell for python as it does for Scala. The shell for python is known as “PySpark”. To use PySpark you will have to have python installed on your machine.

Vulnerability details: In Apache Linkis <= 1.5.0, a Random string security vulnerability in Spark EngineConn, random string generated by the Token when starting Py4j uses the Commons Lang’s RandomStringUtils.

Remedy: Users are recommended to upgrade to version 1.6.0, which fixes this issue.

Official announcement: Please refer to the vendor announcement for details – https://lists.apache.org/thread/g664n13nb17rsogcfrn8kjgd8m89p8nw

Preface: As companies and researchers leave Tensorflow and move to PyTorch, Google seems interested in moving its products to JAX to solve some of Tensorflow’s pain points, such as the complexity of the API and the complexity of training in custom chips such as TPUs.

PyTorch optimizes performance by taking advantage of Python’s native support for asynchronous execution. In TensorFlow, you have to manually code and fine-tune every operation to be performed on a specific device to allow for decentralized training.

Background: TensorFlow is open-source Python library designed by Google to develop Machine Learning models and deep learning neural networks.

Reverb is an efficient and easy-to-use data storage and transport system designed for machine learning research. Reverb is primarily used as an experience replay system for distributed reinforcement learning algorithms but the system also supports multiple data structure representations such as FIFO, LIFO, and priority queues.

Vulnerability details: This is a retroactive issue for the already-fixed security vulnerability. The Reverb Server stores Tensors represented by protos. These protos contain type information as well as a string field called “tensor_content”. When the Reverb client communicates with the server, it unpacks these protos by turning them back into tensors.

Reverb supports the VARIANT datatype, which is supposed to represent an arbitrary object in C++. When a tensor proto of type VARIANT is unpacked, memory is first allocated to store the entire tensor, and a ctor is called on each instance. Afterwards, Reverb copies the content in tensor_content to the previously mentioned pre-allocated memory, which results in the bytes in tensor_content overwriting the vtable pointers of all the objects which were previously allocated.

Reverb exposes 2 relevant gRPC endpoints: InsertStream and SampleStream. By default, neither is authenticated and there is no authorization. The attacker can insert this stream into the server’s database, then when the client next calls SampleStream they will unpack the tensor into RAM, and when any method on that object is called (including its destructor) the attacker gains control of the Program Counter.

Official announcement: Please refer to the vendor announcement for details – https://www.tenable.com/cve/CVE-2024-8375