NVIDIA has released a software update for NVIDIA Triton Inference Server to address the issue disclosed in this bulletin. This issue affects only nondefault deployments that enable dynamic model loading through the model control APIs by using the command line option --model-control explicit. Deployments that use default settings are not affected.

To protect your system, install the latest release from the Triton Inference Server Releases page on GitHub, and view the Secure Deployment Considerations Guide.

Go to NVIDIA Product Security.

Security Updates

The following tables list the NVIDIA systems affected, firmware versions affected, and the updated version that includes this security update.

CVE IDs Addressed | Affected Product(s) | Platform/OS | Affected Version(s) | Updated Version
---|---|---|---|---
CVE-2023-31036 | Triton Inference Server | Windows, Linux | All versions prior to 2.40 | 2.40

Notes

This vulnerability affects only nondefault deployments that enable dynamic model loading through the model control APIs by using the command line option --model-control explicit. Deployments that use default settings are not affected.

The following items were made available in the development branch on November 10, 2023 and are available in the release branch on December 4, 2023.

Updated software that behaves as follows:

- Provides the ability to restrict the HTTP endpoint of the model load API
- Prevents the model load API from accessing directories outside…
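A triage check for the affected condition stated in this bulletin (a version prior to 2.40 combined with explicit model control), added here as an example and not NVIDIA's code. It assumes you can collect each server's Triton version and launch command line. The host names and command lines in the sample inventory are constructed, and `--model-control-mode` is the option name tritonserver itself accepts for what the bulletin writes as `--model-control`.

```python
import shlex

FIXED = (2, 40)  # first updated version listed in the bulletin
# "--model-control" is the bulletin's spelling; "--model-control-mode" is
# the option name tritonserver accepts. Both are matched here.
MODE_FLAGS = ("--model-control-mode", "--model-control")

def model_control_mode(cmdline):
    """Return the model control mode on a launch command line, or None."""
    args = shlex.split(cmdline)
    modes = []
    for i, arg in enumerate(args):
        name, sep, value = arg.partition("=")
        if name not in MODE_FLAGS:
            continue
        if sep:                      # --flag=value form
            modes.append(value.lower())
        elif i + 1 < len(args):      # --flag value form
            modes.append(args[i + 1].lower())
    # Assumption: be conservative and report explicit if any occurrence sets it.
    if "explicit" in modes:
        return "explicit"
    return modes[-1] if modes else None

def parse_version(text):
    """Turn '2.39.0' or 'v2.40' into a (major, minor) tuple."""
    nums = [int(p) for p in text.strip().lstrip("v").split(".")[:2]]
    return tuple(nums + [0] * (2 - len(nums)))

def assess(version, cmdline):
    """Classify one deployment against the bulletin's affected condition."""
    if model_control_mode(cmdline) != "explicit":
        return "not-affected"        # dynamic model loading not enabled
    if parse_version(version) >= FIXED:
        return "fixed"               # explicit mode, but on the updated version
    return "affected"                # explicit mode on a version prior to 2.40

# Constructed sample inventory: (host, Triton version, launch command line).
INVENTORY = [
    ("infer-a", "2.39.0", "tritonserver --model-repository=/models "
                          "--model-control-mode=explicit"),
    ("infer-b", "2.38.0", "tritonserver --model-repository=/models"),
    ("infer-c", "2.40.0", "tritonserver --model-repository=/models "
                          "--model-control-mode explicit"),
]

if __name__ == "__main__":
    for host, version, cmdline in INVENTORY:
        print(f"{host}: {assess(version, cmdline)}")
```

Hosts reported as `fixed` still expose the model load API, so the restrictions listed under Notes and the Secure Deployment Considerations Guide remain relevant to them.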
Security Bulletin: Triton Inference Server – December 2023

