Amazon SageMaker Python SDK Triton Inference Handler Missing Integrity Verification Vulnerability Allowing Code Execution
Vulnerability
A vulnerability exists in the Triton inference handler of the Amazon SageMaker Python SDK, affecting versions 2.199.0 up to but not including 2.257.2 and 3.0.0 up to but not including 3.8.0. The handler deserializes model artifacts fetched from the model artifact path without verifying their integrity. A remote authenticated actor with S3 write access to that path can therefore replace the legitimate model files with a maliciously crafted pickle payload, which is deserialized, and thus executed, automatically during the next container lifecycle event. The result is unauthorized code execution inside the inference container with the IAM permissions of the SageMaker execution role.
Impact
Exploitation of this vulnerability allows for arbitrary code execution in inference containers, executed with the permissions of the SageMaker execution role.
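The following is an added illustration, not code from the SageMaker Python SDK or from the advisory, of why a missing integrity check on a pickled artifact is equivalent to code execution for anyone who can write to the artifact path. The artifact contents, the signing key, the manifest format and every function name are constructed for the example. The malicious payload uses `builtins.open` in write mode as a harmless stand-in for the attacker's callable so that its execution is observable as a dropped marker file; a real payload would invoke `os.system` or similar with the execution role's credentials.

```python
import hashlib
import hmac
import os
import pickle
import tempfile

# Constructed key for the example. In practice the key (or the signed digest
# manifest it protects) must be stored where a principal with S3 write access
# to the model artifact path cannot reach it, or the check is worthless.
SIGNING_KEY = b"constructed-example-key-not-for-production"


class IntegrityError(Exception):
    """Raised when a model artifact does not match its recorded digest."""


def build_manifest(artifact: bytes, key: bytes = SIGNING_KEY) -> dict:
    """Trusted build side: record the artifact's SHA-256 and an HMAC over that
    digest so an attacker who can rewrite both files still cannot forge a match."""
    digest = hashlib.sha256(artifact).hexdigest()
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return {"sha256": digest, "hmac": tag}


def load_unverified(artifact: bytes):
    """Vulnerable pattern: whatever sits at the model path is unpickled as-is,
    so a swapped artifact runs attacker-chosen callables during loading."""
    return pickle.loads(artifact)


def load_verified(artifact: bytes, manifest: dict, key: bytes = SIGNING_KEY):
    """Hardened pattern: refuse to deserialize unless the bytes match a manifest
    the attacker could not have forged. No byte reaches pickle.loads before
    both constant-time comparisons succeed."""
    expected_tag = hmac.new(key, manifest["sha256"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["hmac"]):
        raise IntegrityError("manifest HMAC does not verify")
    if not hmac.compare_digest(hashlib.sha256(artifact).hexdigest(), manifest["sha256"]):
        raise IntegrityError("artifact digest does not match manifest")
    return pickle.loads(artifact)


def is_accepted(artifact: bytes, manifest: dict, key: bytes = SIGNING_KEY) -> bool:
    """True if the verified loader would deserialize this artifact/manifest pair."""
    try:
        load_verified(artifact, manifest, key)
        return True
    except IntegrityError:
        return False


class MaliciousPayload:
    """Stand-in for the crafted pickle. pickle stores the callable and arguments
    returned by __reduce__ and calls them on load; here that is open(path, "w"),
    which drops a marker file the moment the artifact is deserialized."""

    def __init__(self, marker_path: str):
        self.marker_path = marker_path

    def __reduce__(self):
        return (open, (self.marker_path, "w"))


def demo() -> dict:
    """Swap the artifact the way the attacker would and show which loader catches it."""
    legit = pickle.dumps({"model": "triton-example", "weights": [0.1, 0.2]})  # constructed
    manifest = build_manifest(legit)

    marker = os.path.join(tempfile.mkdtemp(), "pwned")
    swapped = pickle.dumps(MaliciousPayload(marker))  # what the attacker writes to S3

    result = {"legit_loads": load_verified(legit, manifest)["model"]}

    result["verified_blocked"] = not is_accepted(swapped, manifest)
    result["marker_after_verified"] = os.path.exists(marker)

    handle = load_unverified(swapped)  # vulnerable loader: payload runs here
    handle.close()
    result["marker_after_unverified"] = os.path.exists(marker)
    return result


if __name__ == "__main__":
    print(demo())
```

The second comparison (artifact digest against the manifest) is the one the vulnerable handler lacks; the first (HMAC over the manifest) matters because an attacker with write access to the model path can just as easily overwrite a bare checksum file stored next to the model.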
Remediation
Users are advised to upgrade to Amazon SageMaker Python SDK version 2.257.2 (2.x line) or 3.8.0 (3.x line) and to rebuild any Triton models previously created with ModelBuilder using the updated SDK. If immediate upgrading is not possible, restrict S3 write access to model artifact paths to trusted principals, and monitor those S3 locations for unintended modifications to model files.
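The monitoring mitigation above can be implemented as a detection over CloudTrail S3 data events: any object-modifying call under the model artifact prefix from a principal outside the trusted set is an alert. The code below is an added example, not part of the advisory or the SDK; the bucket name, prefix, principal ARNs and log records are constructed, but the record fields (`eventSource`, `eventName`, `requestParameters.bucketName`/`key`, `userIdentity.arn`, `userIdentity.sessionContext.sessionIssuer.arn`) follow the CloudTrail record format.

```python
# Hypothetical model artifact location and allowlisted writers (not from the advisory).
MODEL_BUCKET = "example-sagemaker-models"
MODEL_PREFIX = "triton-models/"
TRUSTED_WRITER_ARNS = {
    "arn:aws:iam::123456789012:role/ModelBuildPipelineRole",
}
# S3 data-event names that create, replace or remove object contents.
MODIFYING_EVENTS = {"PutObject", "CopyObject", "CompleteMultipartUpload", "DeleteObject"}


def principal_arn(record: dict) -> str:
    """Resolve the acting principal. For assumed-role sessions CloudTrail puts the
    session ARN in userIdentity.arn and the underlying role in sessionIssuer, so
    the allowlist is matched against the role rather than a per-session name."""
    identity = record.get("userIdentity") or {}
    issuer = (identity.get("sessionContext") or {}).get("sessionIssuer") or {}
    return issuer.get("arn") or identity.get("arn", "")


def flag_untrusted_writes(records):
    """Return one alert per modifying S3 call under the model prefix by a principal
    that is not in TRUSTED_WRITER_ARNS. Reads and writes elsewhere are ignored."""
    alerts = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("eventName") not in MODIFYING_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        key = params.get("key") or ""
        if params.get("bucketName") != MODEL_BUCKET or not key.startswith(MODEL_PREFIX):
            continue
        actor = principal_arn(rec)
        if actor in TRUSTED_WRITER_ARNS:
            continue
        alerts.append({
            "time": rec.get("eventTime"),
            "event": rec["eventName"],
            "object": f"s3://{MODEL_BUCKET}/{key}",
            "principal": actor,
            "source_ip": rec.get("sourceIPAddress"),
        })
    return alerts


# Constructed CloudTrail records: one legitimate pipeline write, one suspicious
# overwrite of the model artifact, one read, and one write outside the prefix.
SAMPLE_RECORDS = [
    {
        "eventTime": "2024-01-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject", "sourceIPAddress": "10.0.0.5",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/ModelBuildPipelineRole/build-42",
            "sessionContext": {"sessionIssuer": {
                "arn": "arn:aws:iam::123456789012:role/ModelBuildPipelineRole"}},
        },
        "requestParameters": {"bucketName": MODEL_BUCKET, "key": "triton-models/model.tar.gz"},
    },
    {
        "eventTime": "2024-01-01T11:30:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject", "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor"},
        "requestParameters": {"bucketName": MODEL_BUCKET, "key": "triton-models/model.tar.gz"},
    },
    {
        "eventTime": "2024-01-01T11:31:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor"},
        "requestParameters": {"bucketName": MODEL_BUCKET, "key": "triton-models/model.tar.gz"},
    },
    {
        "eventTime": "2024-01-01T11:32:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject", "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor"},
        "requestParameters": {"bucketName": MODEL_BUCKET, "key": "datasets/train.csv"},
    },
]


def run_sample():
    return flag_untrusted_writes(SAMPLE_RECORDS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Object-level calls such as PutObject only appear in CloudTrail when S3 data events are enabled for the bucket; with management events alone this detection sees nothing. The same allowlist that drives the detection is the set of principals that should remain in the bucket policy's write permissions for the model prefix.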
