Zoom 5.6.10 Vulnerabilities with OpenSSL .dll need version 3.1.5

Using Zoom Meetings Client 5.16.10 (26186)
Microsoft Defender flags as vulnerable for
CVE-2023-4807 CVSS 6.2,
CVE-2023-5363 CVSS 5.9,
CVE-2023-3817 CVSS 3.7,
CVE-2023-5678 CVSS 3.7,

Install source: https://zoom.us/client/5.16.10.26186/ZoomInstallerFull.exe?archType=x64

Detected files
c:\program files\zoom\bin\libcrypto-3-zm.dll
c:\program files\zoom\bin\libssl-3-zm.dll
OpenSSL Version 3.1.1.0

Recommended course of action, upgrade to OpenSSL Version 3.1.5.0
https://www.openssl.org/news/vulnerabilities.html

CVE-2023-4807, Fixed in OpenSSL 3.1.3 (Affected since 3.1.0)
Git commit: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4bfac4471f53c4f74c8d81020beb938f92d84ca5

CVE-2023-5363, Fixed in OpenSSL 3.1.4 (Affected since 3.1.0)
Git commit: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee

CVE-2023-3817, Fixed in OpenSSL 3.1.2 (Affected since 3.1.0)
Git commit: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5

CVE-2023-5678, Fixed in OpenSSL 3.1.5 (Affected since 3.1.0)
Git commit: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6

6 Likes
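
A local check for the condition reported in the post above, as an added example that is not part of the original post and not Zoom's or Microsoft's tooling: it reads the file version of the two bundled DLLs and lists which of the four CVEs are still unfixed according to the fixed-in versions the post cites. It assumes the DLL version resource reflects the bundled OpenSSL release (as the thread reads it); the function name `Get-OpenCve` is hypothetical.

```powershell
# Added example, not from the thread or from Zoom.
# First fixed OpenSSL 3.1.x release per CVE, as listed in the original post.
$FixedIn = [ordered]@{
    'CVE-2023-3817' = [version]'3.1.2'
    'CVE-2023-4807' = [version]'3.1.3'
    'CVE-2023-5363' = [version]'3.1.4'
    'CVE-2023-5678' = [version]'3.1.5'
}

# DLL paths reported in the thread for a per-machine x64 install.
$Dlls = 'C:\Program Files\Zoom\bin\libcrypto-3-zm.dll',
        'C:\Program Files\Zoom\bin\libssl-3-zm.dll'

function Get-OpenCve {
    param([Parameter(Mandatory)][version]$Detected)
    # The fixed-in versions above only describe the 3.1 branch.
    if ($Detected.Major -ne 3 -or $Detected.Minor -ne 1) {
        return 'not evaluated (not a 3.1.x build)'
    }
    # A CVE is still open when the detected build predates its fix.
    ($FixedIn.Keys | Where-Object { $Detected -lt $FixedIn[$_] }) -join ', '
}

foreach ($path in $Dlls) {
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ File = $path; Version = $null; Signature = $null
                           OpenCves = 'file not found' }
        continue
    }
    $vi  = (Get-Item -LiteralPath $path).VersionInfo
    # Use the numeric parts; the FileVersion string can carry extra text.
    $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)
    [pscustomobject]@{
        File      = $path
        Version   = $ver.ToString()
        # Confirms the DLL is still the vendor-signed file, not a swapped copy.
        Signature = (Get-AuthenticodeSignature -LiteralPath $path).Status
        OpenCves  = Get-OpenCve -Detected $ver
    }
}
```

An empty `OpenCves` value means none of the four CVEs from the post apply to the detected build.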

Microsoft Defender 365 Vulnerability scans are showing every machine with 5.16.10 as vulnerable due to OpenSSL 3.1.1.1 use…

Need to be updated to 3.1.5 or newer ASAP

2 Likes

With fresh installs today (on test devices that never had Zoom, or on newly reimaged devices) as well as update attempts and uninstall/reboot/reinstall I am seeing the same - the 5.16.10 installer is still dropping a libcrypto-3-zm.dll version 3.1.1x and is NOT updated.

Agree, this is still an issue and is not fixed

We have exactly this same issue. Please prioritize this

Any update on this? This vulnerable OpenSSL version is from 5/30/23 and there have been several releases since then, as OP indicated

This issue still exists.

Tried the latest version and Using Zoom Meetings Client 5.17.0 (28375)
DisplayVersion 5.17.28375
Install source: https://zoom.us/client/5.17.0.28375/ZoomInstallerFull.msi?archType=x64

I can confirm that this version still utilises OpenSSL Version 3.1.1.0
C:\Program Files\Zoom\bin\libcrypto-3-zm.dll
C:\Program Files\Zoom\bin\libssl-3-zm.dll

Per release notes:

https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0068823

The version 5.17.28914 now is including 3.1.4 DLL versions (I haven’t yet been able to test)

but why would you not go to the version 3.1.5 that resolves a CVE issue in 3.1.4?

Edit to add: Apparently I cannot reply more than three times per thread.

After testing the update both on a computer that had a previously working version of Zoom, and a computer that was reimaged at some point since the last release, I am not seeing updated versions of the respective DLLs put in place by this install.

Both, while dated 12/24/23, are showing version 3.1.1.0.

Tried the latest version as MC_IT above, and Using Zoom Meetings Client 5.17.1 (28914) (64-bit)
DisplayVersion 5.17.28914
Install source: https://cdn.zoom.us/prod/5.17.1.28914/x64/ZoomInstallerFull.msi

I can confirm that this version still utilises OpenSSL Version 3.1.1.0
C:\Program Files\Zoom\bin\libcrypto-3-zm.dll
C:\Program Files\Zoom\bin\libssl-3-zm.dll

I see the same behavior with a clean install of 5.17.1 (28914), this still contains the outdated OpenSSL binaries 3.1.1.0.

It's 2024. How has this still not been addressed? This is simply unacceptable remediation time for an enterprise application of this scale.

Agreed. Zoom, please update your OpenSSL dependency. Major thumbs up for signing the DLL files. Major thumbs down for not actively getting this implemented.
Version 5.17.1 (28914) - https://zoom.us/client/5.17.1.28914/ZoomInstallerFull.exe?archType=x64
Still shows out of date libcrypto and libssl of 3.1.1

Thank you for documenting this. I believe your topic should be 5.16 though, right? In any case, this issue persists in 3.17.1 (28914) as multiple of us have confirmed. Customer Support advised that I create a new forum post to reference the current version, especially since there has not been any developer response here. You can find the latest post here if you want to follow it: Zoom 5.17.1 Vulnerabilities with OpenSSL .dll

@J_Zoom_Help, @crvdspc, @JJS, @jpaschke, @HelpdeskLCC, @bradleyhampson,

I appreciate you taking the time to report this issue to us. Your feedback is vital to improving our services. I’m going to reach out to our internal engineering team to get more insight into the issue. Once I have received their input, I’ll make sure to share the update here. Your patience and understanding in this matter are greatly appreciated.

2 Likes

As follow up, our internal engineering team is aware of this issue and is working to address it. I will keep you updated on when the OpenSSL dependency will be updated for the Windows SDK.

@jpaschke, @HelpdeskLCC, @JJS, @J_Zoom_Help, @crvdspc, @bradleyhampson,

I can confirm that all SDK platforms will upgrade OpenSSL to version 3.1.4. The release is scheduled for next Monday.

Please follow our changelog for the latest updates and fixes:

2 Likes

Hi all,

Release notes for the Zoom Client show that version 5.17.2 should be released in the next 24 hours.
https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0073791

https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0068823
January 8, 2024 version 5.17.2

New and enhanced features
General features
Update to OpenSSL 3.1.4 - Windows, macOS
Due to the recently disclosed vulnerabilities with lower versions of OpenSSL, the Zoom client is updated to use OpenSSL 3.1.4. Depending on your network security configuration, you may also need to update your network infrastructure devices’ firmware.
Resolved Issues
Minor bug fixes

As they are only patching to 3.1.4 (but the commit in 3.15 could have been included).
Microsoft Defender will now only flag Zoom Meetings as vulnerable for
CVE-2023-5678 CVSS 3.7.
CVE-2023-5678, Fixed in OpenSSL 3.1.5 (Affected since 3.1.0)
Git commit: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6

We can now all await Zoom to update to OpenSSL Version 3.2.0

1 Like

As of 8:30 am Eastern I can confirm that I’ve received version 5.17.29988 which includes the OpenSSL DLLs version 3.1.4.

I too am confused as to why they didn’t include 3.1.5 but hopefully it doesn’t take them too long to get up to 3.2.0.

1 Like

OpenSSL version 3.1.4 is still not good enough since it has its own known CVEs.
Does anyone know when Zoom will release a version with OpenSSL v3.1.5?