AWS-2023-009
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 2023/10/02 02:00 PM EDT

AWS is aware of CVE-2023-43654 and CVE-2022-1471 in PyTorch TorchServe versions 0.3.0 to 0.8.1, which use a version of the SnakeYAML v1.31 open source library. TorchServe version 0.8.2 resolves these issues.

AWS recommends customers using PyTorch inference Deep Learning Containers (DLC) 1.13.1, 2.0.0, or 2.0.1 in EC2, EKS, or ECS released prior to September 11, 2023, update to TorchServe version 0.8.2. Customers using PyTorch inference Deep Learning Containers (DLC) through Amazon SageMaker are not affected.

Customers can use the following new image tags to pull DLCs that ship with patched TorchServe version 0.8.2:

- x86 GPU: v1.9-pt-ec2-2.0.1-inf-gpu-py310
- x86 CPU: v1.8-pt-ec2-2.0.1-inf-cpu-py310
- Graviton: v1.7-pt-graviton-ec2-2.0.1-inf-cpu-py310
- Neuron: 1.13.1-neuron-py310-sdk2.13.2-ubuntu20.04, 1.13.1-neuronx-py310-sdk2.13.2-ubuntu20.04, 1.13.1-neuronx-py310-sdk2.13.2-ubuntu20.04

The full DLC image URI details can be found at: https://github.com/aws/deep-learning-containers/blob/master/available_images.md#available-deep-learning-containers-images.

We would like to thank Oligo Security for…
Timeline
- Oct 2, 2023 CVE Published
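
An added example (not part of the AWS bulletin): a check that classifies a TorchServe version string against the affected range stated above, 0.3.0 to 0.8.1, comparing numerically so that a release such as 0.10.0 is not misread as older than 0.8.2. The host names and inventory are constructed, and treating an unparseable version as needing review is an assumption of this example.

```python
import re
from importlib import metadata

# Range taken from the bulletin text: 0.3.0 through 0.8.1 affected, 0.8.2 fixed.
AFFECTED_MIN = (0, 3, 0)
AFFECTED_MAX = (0, 8, 1)


def parse_version(text):
    """Return the first X.Y.Z found in text as a tuple of ints, or None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(text):
    """Classify a version string as 'affected', 'not-affected' or 'unknown'."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    # Tuple comparison is numeric per component, so (0, 10, 0) > (0, 8, 1).
    return "affected" if AFFECTED_MIN <= v <= AFFECTED_MAX else "not-affected"


def installed_status():
    """Classify the torchserve package installed in this Python environment."""
    try:
        return classify(metadata.version("torchserve"))
    except metadata.PackageNotFoundError:
        return "not-installed"


def audit(inventory):
    """Return hosts whose version is affected or could not be parsed.

    Assumption of this example: unknown versions are flagged for review.
    """
    return [host for host, ver in inventory if classify(ver) != "not-affected"]


if __name__ == "__main__":
    # Constructed inventory: (host, version text as collected from each host).
    sample = [
        ("inference-a", "TorchServe Version is 0.8.1"),
        ("inference-b", "0.8.2"),
        ("inference-c", "0.10.0"),
        ("inference-d", "version file missing"),
    ]
    print("local environment:", installed_status())
    print("needs update or review:", audit(sample))
```
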