Thank you so much for pointing this out.  I am seeing this same issue.

Disappointingly, Nessus vulnerability scanners are not picking up on this vulnerability 😞

We have this vulnerability on almost every machine in our environment because Zoom seemingly doesn't care that their platform is vulnerable. I'm pretty disgusted, to say the least. I'll be using this example, and many others, to convince our CEO to let me migrate to Microsoft Teams instead.

Fact Check True ✅
They need to have this updated ASAP

This is not just Zoom.

The Microsoft PowerBI Desktop client also has an out of date OpenSSL version as well as several other vendors.
I tried to replace the out of date libssl-3-x64.dll and libcrypto-3-x64.dll across the machines in our domain, but Zoom signed their version of the dll files, and refuses to start with the updated dll files. Good for them for signing them, not something many other vendors do. On the flip side, they should have this patched and up to date already. 
Microsoft's Cloud Defender agent for Linux (mdatp) is running a curl version that is showing as critical. Microsoft chooses to hide this on their vulnerability scans, Tenable found it.
This is not just a Zoom problem, but an industry problem with these critical open source dependencies. 
 

Zoom 5.17 just released, but still has the 3.1.1 OpenSSL. I think we're just going to have to discontinue Zoom use and uninstall the app agency wide until it's resolved. 

I really wish we could just drop Zoom, but my boss hates Teams so we are pretty much stuck with a vulnerability on every one of our workstations. At least it isn't on any of our servers, but the workstations connect to our servers... This bad.

Tried the latest version and Using Zoom Meetings Client 5.17.0 (28375)
DisplayVersion 5.17.28375
Install source: https://zoom.us/client/5.17.0.28375/ZoomInstallerFull.msi?archType=x64

I can confirm that this version still utilises OpenSSL Version 3.1.1.0
C:\Program Files\Zoom\bin\libcrypto-3-zm.dll
C:\Program Files\Zoom\bin\libssl-3-zm.dll

Tried the latest version and Using Zoom Meetings Client 5.17.1 (28914) (64-bit)
DisplayVersion 5.17.28914
Install source: https://cdn.zoom.us/prod/5.17.1.28914/x64/ZoomInstallerFull.msi

I can confirm that this version still utilises OpenSSL Version 3.1.1.0
C:\Program Files\Zoom\bin\libcrypto-3-zm.dll
C:\Program Files\Zoom\bin\libssl-3-zm.dll

Still an issue. Zoom, please get this updated with a current version of OpenSSL. If you are doing a custom patch to the version you are running and consider this OK, please don't. We have no way of verifying compliance and this throws off our necessary reporting and patch management. 

We plan to upgrade to OpenSSL 3.1.4 in zoom client 5.17.5. Thanks.

Hi all,

Release notes for the Zoom Client show that version 5.17.2 should be released in the next 24 hours.
https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0073791

https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0068823
January 8, 2024 version 5.17.2

New and enhanced features
General features
Update to OpenSSL 3.1.4 - Windows, macOS
Due to the recently disclosed vulnerabilities with lower versions of OpenSSL, the Zoom client is updated to use OpenSSL 3.1.4. Depending on your network security configuration, you may also need to update your network infrastructure devices’ firmware.
Resolved Issues
Minor bug fixes

As they are only patching to 3.1.4 (but the commit in 3.15 could have been included).
Microsoft Defender flags will now only flag Zoom Meetings vulnerable for
CVE-2023-5678 CVSS 3.7.
CVE-2023-5678 , Fixed in OpenSSL 3.1.5 (Affected since 3.1.0)
gitcommit see git openssl org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6

We can now all await Zoom to update to OpenSSL Version 3.2.0

I don't know if the update to address this works properly. Now we are on Zoom version 5.17.5 and our users continue to experience major issues with Zoom just closing without any error code or commonality. Just randomly closes. As usual, Zoom Support is of no real help.

Tried the latest version and Using Zoom Meetings Client 5.17.5 (31030) (64-bit)
DisplayVersion 5.17.31030
Install source: https://cdn.zoom.us/prod/5.17.5.31030/x64/ZoomInstallerFull.msi

I can confirm that this version still utilises OpenSSL Version 3.1.4.0
C:\Program Files\Zoom\bin\libcrypto-3-zm.dll
C:\Program Files\Zoom\bin\libssl-3-zm.dll

Release notes
https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0068823

I know someone marked this as Solved, but it was not I (the original ticket creator).

Zoom Meetings Client 5.17.5 (31030)
OpenSSL 3.1.4 flags as vulnerable for
CVE-2024-0727
CVE-2023-6237
CVE-2023-6129 CVSS 6.5
CVE-2023-5678 CVSS 5.3
https://www.openssl.org/news/vulnerabilities.html

All have commits for 3.1.5 and 3.2.1

Zoom support has been pulling shady stuff lately. They likely closed this because they are getting too much negative attention. You can't trust Zoom to do the right thing.

No surprises here...

Tried the latest version and Using Zoom Meetings Client 5.17.7 (31859) (64-bit)
DisplayVersion 5.17.31859
https://cdn.zoom.us/prod/5.17.7.31859/x64/ZoomInstallerFull.msi

I can confirm that this version still utilises OpenSSL Version 3.1.4.0
C:\Program Files\Zoom\bin\libcrypto-3-zm.dll
C:\Program Files\Zoom\bin\libssl-3-zm.dll

Release notes
https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0068823

OpenSSL 3.1.5 now has a fully final rollup for all the outstanding CVE’s
See openssl.org/source/

There should now be absolutely no reason not to issue an urgent roll-up from 3.1.4 to OpenSSL 3.1.5 or to OpenSSL 3.2.1

Hi,

Is there an update to when 3.1.5 or above will be implemented into the new Zoom installer?

This thread is marked as "solved" for 3.1.4 - but that version is still vulnerable.

What is going on in the land of Zoom's Cyber Security?

Version 5.17.10 is now announced for upcoming release on the 26th of Feb yet the release notes state nothing regarding increasing OpenSSL dependencies.

When can the product expect a security fix?

This isn't "solved", you just have a temporary workaround. Why does it keep getting marked solved?

I just have to post again, as this is NOT solved, and I know Virginia @VA advised the 3.1.5 CVE fixes were backported with @Borts 's internal comms.

When this was originally raised, Zooms implementation of OpenSSL was version 3.1.1 and there were 4x CVE's with 3x of those fixed by upgrading the dependency to the released 3.1.4.
One of those CVE's required a backport CVE-2023-5678 , Fixed in OpenSSL 3.1.5 (Affected since 3.1.0).

The OpenSSL 3.1.4 was pulled from 5.17.1 (28914), and in turn was released on January 8, 2024 with version 5.17.2 (29988).

As such with @VA's confirmation, this states that CVE-2023-5678 can be marked as backported in Zoom's OpenSSL 3.1.4 compilation.

The very next day later from Zoom's 5.17.2, On the 9th of January, OpenSSL declared CVE-2023-6129, Fixed in OpenSSL 3.1.5 (Affected since 3.1.0).
On the 15th of January CVE-2023-6237 is posted on OpenSSL's site along with a git commit Fixed in OpenSSL 3.1.5 (Affected since 3.1.0).

Later on the 25th of January, OpenSSL posted CVE-2024-0727, Fixed in OpenSSL 3.1.5 (Affected since 3.1.0).

As all of these 3x additional CVE's impacting 3.1.4 was declared AFTER the Zoom fix in the Zoom Changelogs, and the fact that no further details were declared by Zoom in the changelogs, I feel the community's concerns about Zoom and their handling of this situation are entirely valid.

Based on the above, Zoom needs to make a statement of which CVE's were backported, and the simplest method would be to patch the OpenSSL version to 3.1.5 which was formally released on the 30th of January.

March 2024 now looms and with the amount of Zoom attention on both the Community Post and Development Post, a fix should be issued promptly.

The line in Zoom's February 26th Release Notes for Version 5.17.10 (33775) does not include the 3x CVE git commits backported to 3.1.4, and why would you, 3.1.5 was released the month prior.

Still no mention of OpenSSL 3.1.5 or greater in the release notes, nor a simple confirmation of which CVE code fixes have been backported to zooms 3.1.4 codebase.

March 8, 2024 version 5.17.11
New and enhanced features
Simplified AI Companion consent notifications for hosts
When the meeting host initiates the meeting summary or meeting questions features, they will no longer see the consent prompt, and instead will see a simple toast notification along the top of the meeting window, which will disappear after a few seconds. Other meeting participants will see the consent notification as a prompt along the top of the meeting window, but must acknowledge the prompt before it will disappear.
Resolved Issues
Minor bug fixes
Resolved an issue regarding the first session of a recurring meeting not syncing properly from Outlook