cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

OpenSSL Vulnerability - Zoom Meetings uses old version 3.1.1

Go to solution
lcchelpdesk
Explorer
Explorer

‎2023-11-26 01:30 PM

I raised this on the dev forum hoping it would have reached the right set of eyes.

https://devforum.zoom.us/t/zoom-5-6-10-vulnerabilities-with-openssl-dll-need-version-3-1-5/98806/1

 

However, following a Search all prior reports of vulnerabilities have been placed within Zoom Community.

 

Using Zoom Meetings Client 5.16.10 (26186)
Microsoft Defender flags as vulnerable for
CVE-2023-4807 CVSS 6.2,
CVE-2023-5363 CVSS 5.9,
CVE-2023-3817 CVSS 3.7,
CVE-2023-5678 CVSS 3.7,

Install source: https://zoom.us/client/5.16.10.26186/ZoomInstallerFull.exe?archType=x64

Detected files
c:\program files\zoom\bin\libcrypto-3-zm.dll
c:\program files\zoom\bin\libssl-3-zm.dll
OpenSSL Version 3.1.1.0

Recommended course of action, upgrade to OpenSSL Version 3.1.5 or 3.2.0

Updating to 3.1.4 would still leave CVE-2023-5678


https://www.openssl.org/news/vulnerabilities.html

CVE-2023-4807, Fixed in OpenSSL 3.1.3 (Affected since 3.1.0)
gitcommit see git openssl org/gitweb/?p=openssl.git;a=commitdiff;h=4bfac4471f53c4f74c8d81020beb938f92d84ca5

CVE-2023-5363 , Fixed in OpenSSL 3.1.4 (Affected since 3.1.0)
gitcommit see git openssl org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee

CVE-2023-3817, Fixed in OpenSSL 3.1.2 (Affected since 3.1.0)
gitcommit see git openssl org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5

CVE-2023-5678 , Fixed in OpenSSL 3.1.5 (Affected since 3.1.0)
gitcommit see git openssl org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6

Topics:
1 ACCEPTED SOLUTION

Go to solution
Frank_TB
Community Champion | Customer
Community Champion | Customer
In response to Dash1977

‎2024-01-03 10:36 AM

Hello,

 

Release notes for December 27, 2023

 

New and enhanced features

  • General features
    • Update to OpenSSL 3.1.4 - Linux, Android, iOS
      Due to the recently disclosed vulnerabilities with lower versions of OpenSSL, the Zoom client is updated to use OpenSSL 3.1.4. Depending on your network security configuration, you may also need to update your network infrastructure devices’ firmware.

      https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0073685 

Regards,

 

If my reply helped, don't forget to click the accept as solution button!

View solution in original post

0 Likes
51 REPLIES 51

Go to solution
lcchelpdesk
Explorer
Explorer

‎2024-03-10 03:25 PM

Confirmed Zoom Version 5.17.11 (34827) (64-bit) (8th March 2024) utilises the OpenSSL 3.1.4.

Go to solution
user16
Explorer
Explorer

‎2024-03-12 06:06 AM

we're now on month 4 without any kind of clear and supported official communication about this. i get better service at the local mcdonalds than i do from this company we're paying multiple 100s of thousands of dollars to each year, but not for long after this debacle.

0 Likes

Go to solution
user16
Explorer
Explorer

‎2024-04-19 05:38 AM

We're now 5 months in, a whole new Zoom platform upgrade release up-versioned from 5.x to 6.0 and this still hasn't been fixed. Pathetic

0 Likes

Go to solution
Dash1977
Explorer
Explorer
In response to user16

‎2024-04-19 05:43 AM

And now their planned upgrade of 3.1.15 has a vulnerability. Zoom will need to be updated to OpenSSL 3.3 or stop using OpenSSL altogether. 

Go to solution
user16
Explorer
Explorer
In response to Dash1977

‎2024-04-19 05:46 AM

No matter what - their merge process for these libraries is clearly inadequate, you can't have a 6 month lead time every time you need to integrate a minor uprevision. The modern web runs on OpenSSL - they need to be in close lockstep in integrating their fixes at a much faster and continuous pace.

0 Likes

Go to solution
lcchelpdesk
Explorer
Explorer

‎2024-04-28 04:47 PM

Updated to Version 6.0.4 (38135) (64-bit) and it is still OpenSSL 3.1.4 after a new CVE had triggered earlier in the month.
CVE-2024-2511 Unbounded memory growth with session handling in TLSv1.3

It really is not hard for the relevant Zoom employee to bookmark the OpenSSL dependency URL that lists CVE's e.g. their /news/vulnerabilities.html page.

It has been 5 months, and we are still playing catch-up and Zoom clearly has no desire to get ahead and stay ahead.

0 Likes

Go to solution
user16
Explorer
Explorer

‎2024-05-01 07:38 AM

The way this is going at some point Zoom will be hiring software engineers who weren't in college yet when these CVEs were disclosed while the issue remains unresolved.

0 Likes

Go to solution
lcchelpdesk
Explorer
Explorer

‎2024-05-20 06:14 PM

Running Zoom 6.0.10.39647 and it's now OpenSSL 3.1.5
Check release notes for May 20, 2024 version 6.0.10 (39171)

Zoom has only got CVE-2024-4603 and CVE-2024-2511 against it now until they increase the dependency.

0 Likes

Go to solution
user16
Explorer
Explorer

‎2024-07-26 06:47 AM

6.1.5 (build 43316) - still vulnerable to CVE-2024-2511

0 Likes

Go to solution
glatange
Zoom Employee
Zoom Employee

‎2024-08-14 12:13 PM

Hi All,

Please upgrade to Zoom client version client version 6.1.0 or higher. We upgraded to openSSL library 3.1.5 in May so openSSL is no longer an issue.

Similarly client version 6.1.0 and up avoids CVE-2023-5678. On the other hand, I have confirmed with security engineering that CVE-2024-2511 and CVE-2024-4603 have no impact on the Zoom client, but am looking into a formal communications response to provide more clarity for client users.

0 Likes

Go to solution
user16
Explorer
Explorer
In response to glatange

‎2024-08-14 12:17 PM

You can put out a statement that says why those CVEs don't affect you, or you can patch the actual libraries so that you're not the #1 risky and vulnerable software in every security business scanning product and dashboard in use across the majority of the US. If your product is not vulnerable tell Microsoft to stop flagging it, until you do you will remain as the #1 vulnerable software in all the reporting as you have been for almost a year now.

 

Does Zoom not realize how bad of a look this is? You're literally giving people a reason to suggest moving to Teams.

Go to solution
lcchelpdesk
Explorer
Explorer

‎2024-09-26 06:49 PM

Just upgraded to Zoom 6.2.2.47417 and now finally libcrypto-3-zm.dll and libssl-3-zm.dll show as version 3.1.7.
Relief.

0 Likes
Top