Zoom 5.6.10 Vulnerabilities with OpenSSL .dll need version 3.1.5

Still no updates? We’ll be uninstalling this company wide.

2 Likes

Any update to this? still seeing 3.1.4 not 3.1.5

2 Likes

@gianni.zoom @TimZoom

Hello? An update in this thread would be appreciated because Zoom obviously hasn’t updated anything OpenSSL related. This is kind of ridiculous.

2 Likes

for the love of god @donte.zoom why can’t a company of this size and resource capacity make a comment on this? this is embarrassing for your brand and infuriating and incredibly dismissive and unempathetic for your customer needs and concerns

2 Likes

Uninstalling the Zoom client from our 650+ machines as of now… Until this is properly fixed won’t be allowing new installs.

4 Likes

Zoom is now being removed from our estate 1600 devices, we can no longer use software that is riddled with CVEs especially when there is zero timeline for resolving them despite constant user feedback on the matter.

3 Likes

@gianni.zoom @donte.zoom come on guys do something for christ’s sake

1 Like

Hi All,

Thank you for your feedback. Please be patient with response times. Some of us (including me) have been shifted, and MSDK is not our assigned area of focus. I have submitted this to the appropriate channels (ZSEE-125131).

1 Like

While I can understand individual responsibilities shifting, Zoom seems to have their priorities wrong if we can’t get a response to a security issue for over 3 months. That’s worse than Microsoft support, which is a very low bar. Feel free to pass the feedback from this thread to the appropriate channels as well.

2 Likes

@zoomuser-16 , @ziPRR , @mark.twarog , @msakiani , @pbow , @JJS ,

Thank you for all the feedback. I understand your frustration on this. There is an upcoming major release for the Zoom client; it likely involves an updated version, but I have not confirmed this yet. I follow the ticket Gianni and will share your feedback with the team and share updates based on what’s learned.

Here is my current understanding. Please correct anything that does not align with what you have reported.

  • Zoom Client version 5.17.28914 has outdated OpenSSL binaries Version 3.1.1.0.

  • Problematic binaries :
    → C:\Program Files\Zoom\bin\libcrypto-3-zm.dll
    → C:\Program Files\Zoom\bin\libssl-3-zm.dll

  • Tools such as Nessus and MDE continue to report vulnerabilities in these binaries, creating complications during cybersecurity audits and other tasks.

  • The current patch for this is 3.1.4. However, the fix for the CVE issue is in the commit in 3.1.5, which was not included.

  • Microsoft Defender will now only flag Zoom Meetings as vulnerable for
    → CVE-2023-5678 CVSS 3.7.
    → CVE-2023-5678, Fixed in OpenSSL 3.1.5 (Affected since 3.1.0)

1 Like

@donte.zoom

Defender is flagging still for:

CVE-2023-5678
CVE-2023-6237
CVE-2024-0727

Screenshot here: (Imgur link)

This is with Windows 64 bit Version: 5.17.11 (34827) build

Also before I forget - the same files are deployed by the Outlook plugin install so that too has the same issues, I would assume, but at this point I probably shouldn’t, the plugin libssl and libcrypto libraries will also be updated on the same timeline.

2 Likes
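The summary post above names the two Zoom binaries, and the reply lists the CVEs Defender still reports against them. Either way the check depends on a vendor scanner. The following is an added example, not code from this thread or from Zoom: it reads the OpenSSL version string that libcrypto embeds (the OPENSSL_VERSION_TEXT constant, of the form "OpenSSL 3.1.4 24 Oct 2023") straight out of the DLL bytes and compares it with the version each CVE was fixed in, so the same check runs on a workstation, a file repository, or a CI artifact. Assumptions: the two DLL paths are the ones quoted in the thread; the thread only states that CVE-2023-5678 is fixed in 3.1.5, the fixed-in versions for CVE-2023-6237, CVE-2024-0727 and CVE-2024-2511 are taken from the OpenSSL advisories; the sample byte strings are constructed stand-ins for real DLLs.

```python
"""Report which OpenSSL CVEs from the thread are still open in a given
libcrypto/libssl binary, based on the embedded OPENSSL_VERSION_TEXT string.

Added example; not Zoom's code. Paths and fixed-in versions are stated
in the lead-in as assumptions.
"""
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Zoom DLLs named in the thread (Windows client and Outlook plugin ship them).
ZOOM_DLLS = [
    r"C:\Program Files\Zoom\bin\libcrypto-3-zm.dll",
    r"C:\Program Files\Zoom\bin\libssl-3-zm.dll",
]

# CVE -> first OpenSSL 3.1.x release containing the fix.
# CVE-2023-5678 -> 3.1.5 is stated in the thread; the other three are taken
# from the OpenSSL advisories (assumption, not from the thread).
FIXED_IN: Dict[str, Version] = {
    "CVE-2023-5678": (3, 1, 5),
    "CVE-2023-6237": (3, 1, 5),
    "CVE-2024-0727": (3, 1, 5),
    "CVE-2024-2511": (3, 1, 6),
}

# libcrypto embeds OPENSSL_VERSION_TEXT, e.g. b"OpenSSL 3.1.4 24 Oct 2023".
# Optional trailing letter covers 1.1.1-series strings such as "1.1.1w".
OPENSSL_VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)[a-z]?\b")


def find_openssl_version(data: bytes) -> Optional[Version]:
    """Return (major, minor, patch) of the first embedded version string, or None."""
    match = OPENSSL_VERSION_RE.search(data)
    if match is None:
        return None
    major, minor, patch = (int(g) for g in match.groups())
    return (major, minor, patch)


def outstanding_cves(version: Version) -> List[str]:
    """CVEs whose fix landed in a release newer than the one found."""
    return [cve for cve, fixed in sorted(FIXED_IN.items()) if version < fixed]


def assess_blob(data: bytes) -> dict:
    """Assess raw DLL bytes; returns version text and still-open CVEs."""
    version = find_openssl_version(data)
    if version is None:
        return {"version": None, "outstanding": [], "note": "no OpenSSL version string found"}
    return {
        "version": ".".join(str(n) for n in version),
        "outstanding": outstanding_cves(version),
        "note": "",
    }


def assess_file(path: str) -> dict:
    """Assess a DLL on disk (read whole file; libcrypto is a few MB)."""
    return assess_blob(Path(path).read_bytes())


# Constructed sample blobs standing in for real DLL contents.
SAMPLE_314 = b"\x00\x00OpenSSL 3.1.4 24 Oct 2023\x00\x00"
SAMPLE_315 = b"\x00\x00OpenSSL 3.1.5 30 Jan 2024\x00\x00"
SAMPLE_316 = b"\x00\x00OpenSSL 3.1.6 4 Jun 2024\x00\x00"
SAMPLE_NONE = b"\x00\x00not an openssl build\x00\x00"


if __name__ == "__main__":
    # Prefer the real Zoom DLLs when present; otherwise show the samples.
    targets = [p for p in ZOOM_DLLS if Path(p).exists()]
    if targets:
        for p in targets:
            print(p, assess_file(p))
    else:
        for name, blob in [("3.1.4", SAMPLE_314), ("3.1.5", SAMPLE_315),
                           ("3.1.6", SAMPLE_316), ("none", SAMPLE_NONE)]:
            print(name, assess_blob(blob))
```

Run it on each machine (or point `assess_file` at a copy of the DLLs pulled from the install share) and any non-empty `outstanding` list is the same finding Nessus and MDE raise, minus the wait for their plugin refresh. On Windows the file version resource can be read with PowerShell as well, but the embedded string is what identifies the actual OpenSSL release regardless of how Zoom stamps its `-zm` build.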

@zoomuser-16 , @ziPRR , @pbow , @j.vanderstraten , @mark.twarog,

Update:

This issue is slated to be addressed in an upcoming release of the Zoom Client. The specific release date has not been announced yet, but I can confirm that our engineers are fully aware of the problem and are actively working on its resolution. I appreciate your patience and understanding.

Please note that the Zoom Developer Forum is primarily for discussing developer-related topics. For any issues related to the Zoom Client, it is recommended to use Zoom’s public community forums or support channels.

2 Likes

new 6.0 release today and still no fix… is this a joke?

2 Likes

Still no fix with latest release - we will be moving to another solution. I just got approval so no more excuses from you guys. I have seen many bad operations over my 21 years but this takes the CAKE!

1 Like

did you guys really release another 6.0.x update today and still not update these? i would love for someone to try to explain to me what is so complicated about this.

this is absolutely embarrassing for you as a brand and even more so for the people that were dumb enough to give you money for your shoddy product.

Following this topic as it is still a looming recommendation to remediate this version of OpenSSL. I suppose you’re not alone as filerepository also is on an outdated version of OpenSSL… Still… Would love an update when we do get there.

1 Like

absolutely pathetic behavior by the whole zoom team for paying customers in just ignoring this for months on end

Updated to Version 6.0.4 (38135) (64-bit) and it is still OpenSSL 3.1.4 after a new CVE had triggered earlier in the month.
CVE-2024-2511 Unbounded memory growth with session handling in TLSv1.3

It really is not hard for the relevant Zoom employee to bookmark the OpenSSL dependency URL that lists CVEs e.g. their /news/vulnerabilities.html page.

It has been 5 months, and we are still playing catch-up and Zoom clearly has no desire to get ahead and stay ahead.

2 Likes

You guys realise that in any Microsoft shop, your OpenSSL vulnerability issue is sitting there at the top of the list of Recommendations to fix right? And nobody can fix it other than to perpetually wait for a release for the last 6 months. And the release never comes.
And this is from your competitor in this space. You have a cast of hundreds, maybe thousands, in your marketing department and nobody seems to have connected how this makes your company look? Branding and perception is everything. Having Zoom sitting at the top of a security dashboard with a big red mark for months on end just sours any IT Department from sponsoring its existence.
Sort it out.

2 Likes

@HelpdeskLCC @ziPRR @stopwritingshit @zoomuser-16 @rrivera120

The fix for the OpenSSL vulnerability and outlook plugin is slated 6.1.0 release.