
OpenSSL Vulnerability

Listener

The latest Zoom Outlook Plugin (v5.14.6) is still being distributed with OpenSSL v1.1.1n


This version of OpenSSL is vulnerable to the following 10 CVEs:

CVE-2023-0465 Invalid certificate policies in leaf certificates are silently ignored [Low severity] 23 March 2023
CVE-2023-0466 Certificate policy check not enabled [Low severity] 21 March 2023
CVE-2023-0464 Excessive Resource Usage Verifying X.509 Policy Constraints [Low severity] 21 March 2023
CVE-2023-0286 X.400 address type confusion in X.509 GeneralName [High severity] 07 February 2023
CVE-2023-0215 Use-after-free following BIO_new_NDEF [Moderate severity] 07 February 2023
CVE-2022-4450 Double free after calling PEM_read_bio_ex [Moderate severity] 07 February 2023
CVE-2022-4304 Timing Oracle in RSA Decryption [Moderate severity] 07 February 2023
CVE-2022-2097 AES OCB fails to encrypt some bytes [Moderate severity] 05 July 2022
CVE-2022-2068 The c_rehash script allows command injection [Moderate severity] 21 June 2022
CVE-2022-1292 The c_rehash script allows command injection [Moderate severity] 03 May 2022

Source: https://www.openssl.org/news/vulnerabilities-1.1.1.html 

N.B. The latest available version of OpenSSL 1.1.1 is currently v1.1.1u (although the latest download is only v1.1.1t)


Considering OpenSSL v1.1.1 goes end of life in under 4 months on 11th September 2023 (see: https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/)


Will you be re-engineering any code that still utilises old / retired OpenSSL v1.1.1 code, and what timeframe do they have to fix the Outlook Plugin?
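The check behind this post can be automated: OpenSSL libraries embed a version banner of the form `OpenSSL 1.1.1n  15 Mar 2022`, so a defender can scan a plugin's DLLs for that banner and map the version letter to the CVEs from the list above. The script below is an added example, not code from Zoom, OpenSSL or the original poster. The "fixed in" release letters are taken from the OpenSSL 1.1.1 vulnerabilities page linked above as I recall them and should be re-checked against that page; the sample byte blob is constructed here to stand in for a real binary.

```python
import re
import sys

# Release in which each CVE from the post was fixed (1.1.1 series only).
# Assumption: values transcribed from the OpenSSL 1.1.1 vulnerabilities
# page linked in the post; verify before relying on them.
FIXED_IN = {
    "CVE-2022-1292": "1.1.1o",
    "CVE-2022-2068": "1.1.1p",
    "CVE-2022-2097": "1.1.1q",
    "CVE-2022-4304": "1.1.1t",
    "CVE-2022-4450": "1.1.1t",
    "CVE-2023-0215": "1.1.1t",
    "CVE-2023-0286": "1.1.1t",
    "CVE-2023-0464": "1.1.1u",
    "CVE-2023-0465": "1.1.1u",
    "CVE-2023-0466": "1.1.1u",
}

# Banner OpenSSL compiles into libcrypto/libssl, e.g. "OpenSSL 1.1.1n  15 Mar 2022".
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)")
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def version_key(version):
    """Turn '1.1.1n' into a comparable tuple (1, 1, 1, 'n').

    Within the 1.1.1 series patch releases are single letters, so the
    plain string comparison of the letter field orders them correctly
    ('' < 'a' < ... < 'u').
    """
    m = VERSION_RE.fullmatch(version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), letters)


def affected_cves(version):
    """Return the sorted CVE ids from FIXED_IN that still affect `version`."""
    key = version_key(version)
    if key[:3] != (1, 1, 1):
        raise ValueError("FIXED_IN only covers the OpenSSL 1.1.1 series")
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if key < version_key(fixed))


def find_openssl_versions(blob):
    """Return the distinct OpenSSL versions whose banner appears in `blob`,
    in order of first appearance (a plugin may bundle libssl and libcrypto,
    each carrying its own copy of the banner)."""
    seen = []
    for m in BANNER_RE.finditer(blob):
        version = m.group(1).decode("ascii")
        if version not in seen:
            seen.append(version)
    return seen


def scan_binary(blob):
    """Map every bundled 1.1.1 version found in `blob` to its open CVEs."""
    return {v: affected_cves(v) for v in find_openssl_versions(blob)
            if version_key(v)[:3] == (1, 1, 1)}


# Constructed stand-in for a DLL that bundles OpenSSL 1.1.1n (not a real file).
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 32 +
    b"OpenSSL 1.1.1n  15 Mar 2022\x00" + b"\xff" * 16 +
    b"OpenSSL 1.1.1n  15 Mar 2022\x00"   # second copy, as libssl would carry
)


if __name__ == "__main__":
    # Usage: python openssl_scan.py [path-to-dll]; with no path, scans SAMPLE_BLOB.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for version, cves in scan_binary(data).items():
        status = ", ".join(cves) if cves else "no listed CVEs open"
        print(f"OpenSSL {version}: {status}")
```

Run against the plugin's install directory one file at a time and anything reporting a version below 1.1.1u is still exposed to at least the three policy-check CVEs from March 2023; a 1.1.1n result reproduces the full list in the post.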

2 REPLIES

SummaLai
Listener

Is there any update on this? Security.microsoft.com keeps telling me the OpenSSL needs to be updated. 

Finally, I found this trouble is actually from Zoom.

dbrowna2bf
Listener

Anyone?? Does Zoom even care that their platform is insecure?? This has been an issue for a while now and Zoom has yet to fix it. This is why I'm considering moving our whole organization to Microsoft Teams.