Disclosures

OpenWeave security bulletin

2019/08/19

This bulletin contains the details of the security fixes that have been deployed as part of this patch. See Table 1 for the references and details of the vulnerabilities that have been remediated as part of this fix.

Table 1. Security fixes for Weave vulnerabilities reported by Talos Labs

| CVE identifier | Description |
| --- | --- |
| CVE-2019-5034 | Weave Legacy Pairing Information Disclosure Vulnerability |
| CVE-2019-5035 | Weave PASE pairing brute force vulnerability |
| CVE-2019-5036 | Weave KeyError denial-of-service vulnerability |
| CVE-2019-5037 | WeaveCASEEngine::DecodeCertificateInfo denial-of-service vulnerability |
| CVE-2019-5038 | OpenWeave Weave tool Print-TLV code execution vulnerability |
| CVE-2019-5039 | OpenWeave Weave ASN1Writer PutValue Code Execution Vulnerability |
| CVE-2019-5040 | OpenWeave Weave DecodeMessageWithLength Information Disclosure Vulnerability |
| CVE-2019-5043 | Nest Cam IQ Indoor Weave TCP connection denial-of-service vulnerability |

We would like to thank Lilith Wyatt and Yves Younan from Talos Labs for reporting these vulnerabilities.