OpenWeave security bulletin
2019/08/19
This bulletin contains the details of the security fixes that have been deployed as a part of this patch. See Table 1 for the references and details of the vulnerabilities that have been remediated as a part of this fix.
Table 1. Security fixes for Weave vulnerabilities reported by Talos Labs
CVE identifier | Description |
---|---|
CVE-2019-5034 | Weave Legacy Pairing Information Disclosure Vulnerability |
CVE-2019-5035 | Weave PASE pairing brute force vulnerability |
CVE-2019-5036 | Weave KeyError denial-of-service vulnerability |
CVE-2019-5037 | WeaveCASEEngine::DecodeCertificateInfo denial-of-service vulnerability |
CVE-2019-5038 | OpenWeave Weave tool Print-TLV code execution vulnerability |
CVE-2019-5039 | OpenWeave Weave ASN1Writer PutValue Code Execution Vulnerability |
CVE-2019-5040 | OpenWeave Weave DecodeMessageWithLength Information Disclosure Vulnerability |
CVE-2019-5043 | Nest Cam IQ Indoor Weave TCP connection denial-of-service vulnerability |
We would like to thank Lilith Wyatt and Yves Younan from Talos Labs for reporting these vulnerabilities.