OpenSSL Vulnerability - Zoom Meetings uses old version 3.1.1 | Community
Newcomer
November 26, 2023
Solved

I raised this on the dev forum hoping it would have reached the right set of eyes.

https://devforum.zoom.us/t/zoom-5-6-10-vulnerabilities-with-openssl-dll-need-version-3-1-5/98806/1

However, following a search, all prior reports of vulnerabilities have been placed within the Zoom Community.

Using Zoom Meetings Client 5.16.10 (26186)
Microsoft Defender flags it as vulnerable for
CVE-2023-4807 CVSS 6.2
CVE-2023-5363 CVSS 5.9
CVE-2023-3817 CVSS 3.7
CVE-2023-5678 CVSS 3.7

Install source: https://zoom.us/client/5.16.10.26186/ZoomInstallerFull.exe?archType=x64

Detected files
c:\program files\zoom\bin\libcrypto-3-zm.dll
c:\program files\zoom\bin\libssl-3-zm.dll
OpenSSL Version 3.1.1.0

Recommended course of action, upgrade to OpenSSL Version 3.1.5 or 3.2.0

Updating to 3.1.4 would still leave CVE-2023-5678


https://www.openssl.org/news/vulnerabilities.html

CVE-2023-4807, Fixed in OpenSSL 3.1.3 (Affected since 3.1.0)
Git commit: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4bfac4471f53c4f74c8d81020beb938f92d84ca5

CVE-2023-5363, Fixed in OpenSSL 3.1.4 (Affected since 3.1.0)
Git commit: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee

CVE-2023-3817, Fixed in OpenSSL 3.1.2 (Affected since 3.1.0)
Git commit: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5

CVE-2023-5678, Fixed in OpenSSL 3.1.5 (Affected since 3.1.0)
Git commit: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6
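The version-to-CVE mapping in the post can be checked mechanically on the detected DLLs. The script below is an added example, not code from the thread or from Zoom: it searches a libcrypto/libssl image for the version banner that OpenSSL 3.x builds embed as plain ASCII (the OPENSSL_VERSION_TEXT string, e.g. "OpenSSL 3.1.1 30 May 2023") and lists which of the four CVEs from the post have a fixed-in version newer than the one found. The fixed-in table is copied from the post; the byte strings labelled as samples are constructed so the script runs offline. The banner only shows which upstream release the library was built from, not whether the vendor backported fixes into that build, so a hit is a triage signal to confirm against the vendor's release notes rather than a finding on its own.

```python
"""Map the OpenSSL banner embedded in a libcrypto/libssl binary to the
3.1-branch CVEs listed in the post.

Added example, not code from the thread or from Zoom. Assumes the
library is an OpenSSL 3.x build, which embeds its OPENSSL_VERSION_TEXT
string ("OpenSSL <major>.<minor>.<patch> <date>") as plain ASCII.
"""
import re
import sys
from pathlib import Path

# Fixed-in versions on the 3.1 branch, copied from the post's CVE list.
# All four are affected since 3.1.0.
FIXED_IN_3_1 = {
    "CVE-2023-3817": (3, 1, 2),
    "CVE-2023-4807": (3, 1, 3),
    "CVE-2023-5363": (3, 1, 4),
    "CVE-2023-5678": (3, 1, 5),
}

# OPENSSL_VERSION_TEXT as it sits in the binary's string table.
BANNER_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+) ")


def extract_version(blob: bytes):
    """Return (major, minor, patch) from the first banner in blob, or None."""
    m = BANNER_RE.search(blob)
    return tuple(int(g) for g in m.groups()) if m else None


def unfixed_cves(version, table=FIXED_IN_3_1):
    """CVEs from the table whose fix landed after `version` (tuple compare)."""
    return sorted(cve for cve, fixed in table.items() if version < fixed)


def triage_blob(blob: bytes):
    """Classify one library image; `unfixed` is None when no verdict is possible."""
    version = extract_version(blob)
    if version is None:
        return {"version": None, "unfixed": None,
                "note": "no OpenSSL 3.x banner found"}
    if version[:2] != (3, 1):
        return {"version": version, "unfixed": None,
                "note": "table covers the 3.1 branch only"}
    return {"version": version, "unfixed": unfixed_cves(version),
            "note": "banner shows the upstream release built from; "
                    "vendor backports are not visible here"}


def triage_file(path):
    """Read a DLL/.so from disk and triage it."""
    return triage_blob(Path(path).read_bytes())


# Constructed sample images: a few bytes of padding around a banner.
SAMPLE_3_1_1 = b"MZ\x90\x00" + b"\x00" * 16 + b"OpenSSL 3.1.1 30 May 2023\x00" + b"\x00" * 8
SAMPLE_3_1_4 = b"MZ\x90\x00" + b"\x00" * 16 + b"OpenSSL 3.1.4 24 Oct 2023\x00" + b"\x00" * 8
SAMPLE_NO_BANNER = b"MZ\x90\x00" + b"\x00" * 32

if __name__ == "__main__":
    # Real use: python triage_openssl.py "C:\Program Files\Zoom\bin\libcrypto-3-zm.dll"
    targets = sys.argv[1:]
    results = ([(p, triage_file(p)) for p in targets] if targets
               else [("sample 3.1.1", triage_blob(SAMPLE_3_1_1)),
                     ("sample 3.1.4", triage_blob(SAMPLE_3_1_4))])
    for name, r in results:
        ver = ".".join(map(str, r["version"])) if r["version"] else "unknown"
        print(f"{name}: OpenSSL {ver}; unfixed: {r['unfixed']}; {r['note']}")
```

Run with no arguments it triages the two constructed samples; pass the paths of libcrypto-3-zm.dll and libssl-3-zm.dll to check an installed client. A 3.1.1 image reports all four CVEs as unfixed and a 3.1.4 image reports only CVE-2023-5678, which is exactly what the post describes Defender reporting.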

Best answer by Frank_TB

Hello,

Release notes for December 27, 2023

 

New and enhanced features

  • General features
    • Update to OpenSSL 3.1.4 - Linux, Android, iOS
      Due to the recently disclosed vulnerabilities with lower versions of OpenSSL, the Zoom client is updated to use OpenSSL 3.1.4. Depending on your network security configuration, you may also need to update your network infrastructure devices’ firmware.

      https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0073685

Regards,

If my reply helped, don't forget to click the accept as solution button!

32 replies

Newcomer
January 4, 2024

We plan to upgrade to OpenSSL 3.1.4 in zoom client 5.17.5. Thanks.

Newcomer
January 4, 2024

OpenSSL 3.1.4 contains the vulnerability as well. A newer version than 3.1.4 will need to be implemented instead. 

Newcomer
January 7, 2024

Hi all,

Release notes for the Zoom Client show that version 5.17.2 should be released in the next 24 hours.
https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0073791

https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0068823
January 8, 2024 version 5.17.2

New and enhanced features
  • General features
    • Update to OpenSSL 3.1.4 - Windows, macOS
      Due to the recently disclosed vulnerabilities with lower versions of OpenSSL, the Zoom client is updated to use OpenSSL 3.1.4. Depending on your network security configuration, you may also need to update your network infrastructure devices’ firmware.
Resolved Issues
  • Minor bug fixes

As they are only patching to 3.1.4 (but the commit in 3.1.5 could have been included),
Microsoft Defender will now only flag Zoom Meetings as vulnerable for
CVE-2023-5678 CVSS 3.7.
CVE-2023-5678, Fixed in OpenSSL 3.1.5 (Affected since 3.1.0)
Git commit: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6

We can now all await Zoom to update to OpenSSL Version 3.2.0

Newcomer
January 24, 2024

I don't know if the update to address this works properly. Now we are on Zoom version 5.17.5 and our users continue to experience major issues with Zoom just closing without any error code or commonality. Just randomly closes. As usual, Zoom Support is of no real help.

Newcomer
January 25, 2024

Tried the latest version, using Zoom Meetings Client 5.17.5 (31030) (64-bit)
DisplayVersion 5.17.31030
Install source: https://cdn.zoom.us/prod/5.17.5.31030/x64/ZoomInstallerFull.msi

I can confirm that this version still utilises OpenSSL Version 3.1.4.0
C:\Program Files\Zoom\bin\libcrypto-3-zm.dll
C:\Program Files\Zoom\bin\libssl-3-zm.dll

Release notes
https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0068823

Newcomer
January 29, 2024

I know someone marked this as Solved, but it was not I (the original ticket creator).

Zoom Meetings Client 5.17.5 (31030)
OpenSSL 3.1.4 flags as vulnerable for
CVE-2024-0727
CVE-2023-6237
CVE-2023-6129 CVSS 6.5
CVE-2023-5678 CVSS 5.3
https://www.openssl.org/news/vulnerabilities.html

All have commits for 3.1.5 and 3.2.1

Newcomer
January 30, 2024

Zoom support has been pulling shady stuff lately. They likely closed this because they are getting too much negative attention. You can't trust Zoom to do the right thing.

Newcomer
January 31, 2024

No surprises here...

Tried the latest version, using Zoom Meetings Client 5.17.7 (31859) (64-bit)
DisplayVersion 5.17.31859
https://cdn.zoom.us/prod/5.17.7.31859/x64/ZoomInstallerFull.msi

I can confirm that this version still utilises OpenSSL Version 3.1.4.0
C:\Program Files\Zoom\bin\libcrypto-3-zm.dll
C:\Program Files\Zoom\bin\libssl-3-zm.dll

Release notes
https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0068823

Newcomer
February 1, 2024

OpenSSL 3.1.5 now has a fully final rollup for all the outstanding CVEs.
See https://www.openssl.org/source/

There should now be absolutely no reason not to issue an urgent roll-up from 3.1.4 to OpenSSL 3.1.5 or to OpenSSL 3.2.1

Community Champion | Customer
February 2, 2024

Hello,

I opened a Zoom support ticket regarding OpenSSL 3.1.5 / 3.2.1.

Zoom Support ticket TS0514340

Regards

If my reply helped, don't forget to click the accept as solution button!

Newcomer
February 14, 2024

Hi,

Is there an update on when 3.1.5 or above will be implemented into the new Zoom installer?

This thread is marked as "solved" for 3.1.4 - but that version is still vulnerable.

Newcomer
February 20, 2024

This needs a bump to not auto-close; it's been unfixed since November 2023.

Newcomer
February 22, 2024

What is going on in the land of Zoom's Cyber Security?

Version 5.17.10 is now announced for upcoming release on the 26th of Feb, yet the release notes state nothing regarding increasing OpenSSL dependencies.

When can the product expect a security fix?

ZoomVA
Community Manager
February 23, 2024

@lcchelpdesk The latest Zoom client utilizes security fixes addressed in OpenSSL 3.1.5 and is packaged with version 3.1.4. Since Microsoft Defender only detects OpenSSL 3.1.4 and not our custom fix, it outputs a warning. Once OpenSSL 3.1.5 is available as a stable release, Zoom plans to adopt this version into the Zoom apps and that change will be called out in our official release notes. Thank you to @Bort for researching this internally!

Newcomer
February 26, 2024

Thank you so much, VA, for confirming the git commits were backported into the Zoom compile of 3.1.4.
From my post on the 1st of Feb, 3.1.5 was released in full on the 30th of January, hence PaulB10000's chase-up with the same on the 14th of Feb and my last chase on the 22nd.
Now that it is confirmed, we can finally file an exemption against 3.1.4 for the current CVEs.

Thank you to all involved and still hope to see 3.1.5 in an upcoming release shortly.