Now LIVE! Check out the NEW Zoom Feature Request space to browse, vote, or create an idea to enhance your Zoom experience.
Explore NowEmpowering you to increase productivity, improve team effectiveness, and enhance skills.
Learn moreKeep your Zoom app up to date to access the latest features.
Download Center Download the Zoom appDownload hi-res images and animations to elevate your next Zoom meeting.
Browse Backgrounds Zoom Virtual BackgroundsEmpowering you to increase productivity, improve team effectiveness, and enhance skills.
Zoom AI Companion2023-11-26 01:30 PM
I raised this on the dev forum hoping it would have reached the right set of eyes.
https://devforum.zoom.us/t/zoom-5-6-10-vulnerabilities-with-openssl-dll-need-version-3-1-5/98806/1
However, following a Search all prior reports of vulnerabilities have been placed within Zoom Community.
Using Zoom Meetings Client 5.16.10 (26186)
Microsoft Defender flags as vulnerable for
CVE-2023-4807 CVSS 6.2,
CVE-2023-5363 CVSS 5.9,
CVE-2023-3817 CVSS 3.7,
CVE-2023-5678 CVSS 3.7,
Install source: https://zoom.us/client/5.16.10.26186/ZoomInstallerFull.exe?archType=x64
Detected files
c:\program files\zoom\bin\libcrypto-3-zm.dll
c:\program files\zoom\bin\libssl-3-zm.dll
OpenSSL Version 3.1.1.0
Recommended course of action, upgrade to OpenSSL Version 3.1.5 or 3.2.0
Updating to 3.1.4 would still leave CVE-2023-5678
https://www.openssl.org/news/vulnerabilities.html
CVE-2023-4807, Fixed in OpenSSL 3.1.3 (Affected since 3.1.0)
gitcommit see git openssl org/gitweb/?p=openssl.git;a=commitdiff;h=4bfac4471f53c4f74c8d81020beb938f92d84ca5
CVE-2023-5363 , Fixed in OpenSSL 3.1.4 (Affected since 3.1.0)
gitcommit see git openssl org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee
CVE-2023-3817, Fixed in OpenSSL 3.1.2 (Affected since 3.1.0)
gitcommit see git openssl org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5
CVE-2023-5678 , Fixed in OpenSSL 3.1.5 (Affected since 3.1.0)
gitcommit see git openssl org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6
Solved! Go to Solution.
2024-01-03 10:36 AM
Hello,
Regards,
If my reply helped, don't forget to click the accept as solution button!
2024-03-10 03:25 PM
Confirmed Zoom Version 5.17.11 (34827) (64-bit) (8th March 2024) utilises the OpenSSL 3.1.4.
2024-03-12 06:06 AM
we're now on month 4 without any kind of clear and supported official communication about this. i get better service at the local mcdonalds than i do from this company we're paying multiple 100s of thousands of dollars to each year, but not for long after this debacle.
2024-04-19 05:38 AM
We're now 5 months in, a whole new Zoom platform upgrade release up-versioned from 5.x to 6.0 and this still hasn't been fixed. Pathetic
2024-04-19 05:43 AM
And now their planned upgrade of 3.1.15 has a vulnerability. Zoom will need to be updated to OpenSSL 3.3 or stop using OpenSSL altogether.
2024-04-19 05:46 AM
No matter what - their merge process for these libraries is clearly inadequate, you can't have a 6 month lead time every time you need to integrate a minor uprevision. The modern web runs on OpenSSL - they need to be in close lockstep in integrating their fixes at a much faster and continuous pace.
2024-04-28 04:47 PM
Updated to Version 6.0.4 (38135) (64-bit) and it is still OpenSSL 3.1.4 after a new CVE had triggered earlier in the month.
CVE-2024-2511 Unbounded memory growth with session handling in TLSv1.3
It really is not hard for the relevant Zoom employee to bookmark the OpenSSL dependency URL that lists CVE's e.g. their /news/vulnerabilities.html page.
It has been 5 months, and we are still playing catch-up and Zoom clearly has no desire to get ahead and stay ahead.
2024-05-01 07:38 AM
The way this is going at some point Zoom will be hiring software engineers who weren't in college yet when these CVEs were disclosed while the issue remains unresolved.