CVE-2023-4807, Fixed in OpenSSL 3.1.3 (Affected since 3.1.0)
git commit: see git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4bfac4471f53c4f74c8d81020beb938f92d84ca5
CVE-2023-5363, Fixed in OpenSSL 3.1.4 (Affected since 3.1.0)
git commit: see git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee
CVE-2023-3817, Fixed in OpenSSL 3.1.2 (Affected since 3.1.0)
git commit: see git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5
CVE-2023-5678, Fixed in OpenSSL 3.1.5 (Affected since 3.1.0)
git commit: see git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6
With fresh installs today (on test devices that never had Zoom, or on newly reimaged devices) as well as update attempts and uninstall/reboot/reinstall I am seeing the same - the 5.16.10 installer is still dropping a libcrypto-3-zm.dll version 3.1.1x and is NOT updated.
I can confirm that this version still utilises OpenSSL Version 3.1.1.0
C:\Program Files\Zoom\bin\libcrypto-3-zm.dll
C:\Program Files\Zoom\bin\libssl-3-zm.dll
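An added example (not posted in this thread) for anyone who wants to repeat the check above on their own machines: it reads the file version resource of the two DLLs at the install path quoted here, compares it against the fixed-in versions from the CVE table at the top of the thread, and also reports the Authenticode signature status and file date, since both came up later in the discussion. It assumes the default Zoom install path.

```powershell
# Added example, not Zoom's or OpenSSL's code. Assumes the default install path
# quoted in the thread; adjust $zoomBin for per-user installs.
$zoomBin = 'C:\Program Files\Zoom\bin'
$dlls    = @('libcrypto-3-zm.dll', 'libssl-3-zm.dll')

# CVE -> first OpenSSL 3.1.x release that contains the fix (from the thread).
$fixes = [ordered]@{
    'CVE-2023-3817' = [version]'3.1.2'
    'CVE-2023-4807' = [version]'3.1.3'
    'CVE-2023-5363' = [version]'3.1.4'
    'CVE-2023-5678' = [version]'3.1.5'
}
$affectedSince = [version]'3.1.0'

foreach ($name in $dlls) {
    $path = Join-Path $zoomBin $name
    if (-not (Test-Path $path)) { Write-Warning "$path not found"; continue }

    $item = Get-Item $path
    $info = $item.VersionInfo
    # Build the version from the numeric fields of the PE version resource
    # rather than parsing the FileVersion string, which can carry extra text.
    $ver = [version]::new($info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart)
    $sig = Get-AuthenticodeSignature -FilePath $path

    '{0}: OpenSSL {1} (signature: {2}, modified {3:yyyy-MM-dd})' -f `
        $name, $ver, $sig.Status, $item.LastWriteTime

    if ($ver -lt $affectedSince) {
        '  version predates the 3.1.x line covered by this table'
        continue
    }
    foreach ($cve in $fixes.Keys) {
        $state = if ($ver -ge $fixes[$cve]) { 'fixed' }
                 else { 'STILL AFFECTED (fixed in {0})' -f $fixes[$cve] }
        '  {0}: {1}' -f $cve, $state
    }
}
```

A DLL reporting 3.1.1 will list all four CVEs as still affected; one reporting 3.1.4 will list only CVE-2023-5678.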
Version 5.17.28914 now includes the 3.1.4 DLL versions (I haven’t yet been able to test), but why would you not go to version 3.1.5, which resolves a CVE in 3.1.4?
Edit to add: Apparently I cannot reply more than three times per thread.
After testing the update both on a computer that had a previously working version of Zoom, and a computer that was reimaged at some point since the last release, I am not seeing updated versions of the respective DLLs put in place by this install.
Both, while dated 12/24/23, are showing version 3.1.1.0.
Agreed. Zoom, please update your OpenSSL dependency. Major thumbs up for signing the DLL files. Major thumbs down for not actively getting this implemented.
Version 5.17.1 (28914) - https://zoom.us/client/5.17.1.28914/ZoomInstallerFull.exe?archType=x64
Still shows out-of-date libcrypto and libssl at 3.1.1
Thank you for documenting this. I believe your topic should be 5.16 though, right? In any case, this issue persists in 3.17.1 (28914), as several of us have confirmed. Customer Support advised that I create a new forum post to reference the current version, especially since there has not been any developer response here. You can find the latest post here if you want to follow it: Zoom 5.17.1 Vulnerabilities with OpenSSL .dll
I appreciate you taking the time to report this issue to us. Your feedback is vital to improving our services. I’m going to reach out to our internal engineering team to get more insight into the issue. Once I have received their input, I’ll make sure to share the update here. Your patience and understanding in this matter are greatly appreciated.
As follow up, our internal engineering team is aware of this issue and is working to address it. I will keep you updated on when the OpenSSL dependency will be updated for the Windows SDK.
New and enhanced features
General features
Update to OpenSSL 3.1.4 - Windows, macOS
Due to the recently disclosed vulnerabilities with lower versions of OpenSSL, the Zoom client is updated to use OpenSSL 3.1.4. Depending on your network security configuration, you may also need to update your network infrastructure devices’ firmware.
Resolved Issues
Minor bug fixes
As they are only patching to 3.1.4 (though the commit in 3.1.5 could have been included), Microsoft Defender will now only flag Zoom Meetings as vulnerable to CVE-2023-5678 (CVSS 3.7).
CVE-2023-5678, Fixed in OpenSSL 3.1.5 (Affected since 3.1.0)
git commit: see git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6
We can now all await Zoom to update to OpenSSL Version 3.2.0