OpenSSL Vulnerability


The latest Zoom Outlook Plugin (v5.14.6) is still being distributed with OpenSSL v1.1.1n


This version of OpenSSL is vulnerable to the following 10 CVEs:

CVE-2023-0465 Invalid certificate policies in leaf certificates are silently ignored [Low severity] 23 March 2023
CVE-2023-0466 Certificate policy check not enabled [Low severity] 21 March 2023
CVE-2023-0464 Excessive Resource Usage Verifying X.509 Policy Constraints [Low severity] 21 March 2023
CVE-2023-0286 X.400 address type confusion in X.509 GeneralName [High severity] 07 February 2023
CVE-2023-0215 Use-after-free following BIO_new_NDEF [Moderate severity] 07 February 2023
CVE-2022-4450 Double free after calling PEM_read_bio_ex [Moderate severity] 07 February 2023
CVE-2022-4304 Timing Oracle in RSA Decryption [Moderate severity] 07 February 2023
CVE-2022-2097 AES OCB fails to encrypt some bytes [Moderate severity] 05 July 2022
CVE-2022-2068 The c_rehash script allows command injection [Moderate severity] 21 June 2022
CVE-2022-1292 The c_rehash script allows command injection [Moderate severity] 03 May 2022


N.B. The latest available version of OpenSSL 1.1.1 is currently v1.1.1u (although the latest download is only v1.1.1t)


Considering OpenSSL v1.1.1 goes end of life in under 4 months on 11th September 2023 (see:


Will you be re-engineering any code that still utilises old / retired OpenSSL v1.1.1 code, and what timeframe do they have to fix the Outlook Plugin?
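Added example (not code from the original post or from Zoom): a Python check that pulls the embedded "OpenSSL <version>" string out of a bundled library and lists which of the ten CVEs above a given 1.1.1 build still lacks. The fix-version letters are my own mapping taken from the OpenSSL advisories (an assumption to re-check), and the sample byte blob is constructed.

```python
import re

# Constructed sample standing in for the bytes of a bundled libcrypto/libssl
# DLL; real builds embed the same "OpenSSL <version>  <date>" string.
SAMPLE_BINARY = b"\x00\x00OpenSSL 1.1.1n  15 Mar 2022\x00\x00"

VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)\b")

# First 1.1.1 release letter that fixed each CVE named in the post (from the
# OpenSSL advisories; assumption to re-check against the advisory text).
FIXED_IN_LETTER = {
    "CVE-2022-1292": "o",
    "CVE-2022-2068": "p",
    "CVE-2022-2097": "q",
    "CVE-2022-4304": "t",
    "CVE-2022-4450": "t",
    "CVE-2023-0215": "t",
    "CVE-2023-0286": "t",
    "CVE-2023-0464": "u",
    "CVE-2023-0465": "u",
    "CVE-2023-0466": "u",
}


def find_openssl_version(blob):
    """Return (major, minor, patch, letter) for the first version string found, or None."""
    m = VERSION_RE.search(blob)
    if m is None:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter.decode())


def unpatched_cves(version):
    """CVEs from the post not fixed in this 1.1.1x build."""
    major, minor, patch, letter = version
    if (major, minor, patch) != (1, 1, 1):
        raise ValueError("fix table only covers the OpenSSL 1.1.1 series")
    # The unlettered 1.1.1 release sorts before "a", so "" < "a" < ... < "u" works.
    return sorted(cve for cve, fixed in FIXED_IN_LETTER.items() if letter < fixed)


def audit(blob):
    """Fingerprint a library blob and return (version, list of unpatched CVEs)."""
    version = find_openssl_version(blob)
    if version is None:
        return None, []
    return version, unpatched_cves(version)


if __name__ == "__main__":
    version, cves = audit(SAMPLE_BINARY)
    print("found OpenSSL %d.%d.%d%s" % version)
    print("unpatched:", ", ".join(cves) or "none")
```

Feed it the raw bytes of the plugin's bundled libcrypto/libssl file in place of the constructed sample to check an installed copy.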