Zoom 5.6.10 Vulnerabilities with OpenSSL .dll need version 3.1.5

Still no updates? We’ll be uninstalling this company wide.

2 Likes

Any update to this? still seeing 3.1.4 not 3.1.5

2 Likes

@gianni.zoom @TimZoom

Hello? An update in this thread would be appreciated because Zoom obviously hasn’t updated anything OpenSSL related. This is kind of ridiculous.

2 Likes

for the love of god @donte.zoom why can’t a company of this size and resource capacity make a comment on this? this is embarassing for your brand and infuriating and incredibly dismissive and unempathetic for your customer needs and concerns

2 Likes

Uninstalling the Zoom client from our 650+ machines as of now… Until this is properly fixed won’t be allowing new installs.

4 Likes

Zoom is now being removed from our estate 1600 devices, we can no longer use software that is riddled with CVE’s especially when there is zero timeline for resolving them despite constant user feedback on the matter.

3 Likes

@gianni.zoom @donte.zoom come on guys do something for christ’s sake

1 Like

Hi All,

Thank you for your feedback. Please be patient with response times. Some of us (including me) have been shifted, and MSDK is not our assigned area of focus. I have submitted this to the appropriate channels (ZSEE-125131).

1 Like

While I can understand individual responsibilities shifting, Zoom seems to have their priorities wrong if we can’t get a response to a security issue for over 3 months. That’s worse than Microsoft support, which is a very low bar. Feel free to pass the feedback from this thread to the appropriate channels as well.

2 Likes

@zoomuser-16 , @ziPRR , @mark.twarog , @msakiani , @pbow , @JJS ,

Thank you for all the feedback. I understand your frustration on this. There is an upcoming major release for the Zoom client; it likely involves an updated version, but I have not confirmed this yet. I follow the ticket Gianni and will share your feedback with the team and share updates based on what’s learned.

Here is my current understanding. Please correct anything that does not align with what you have reported.

  • Zoom Client version 5.17.28914 has outdated OpenSSL binaries Version 3.1.1.0.

  • Problematic binaries :
    → C:\Program Files\Zoom\bin\libcrypto-3-zm.dll
    → C:\Program Files\Zoom\bin\libssl-3-zm.dll

  • Tools such as Nessus and MDE continue to report vulnerabilities in these binaries, creating complications during cybersecurity audits and other tasks.

  • The current patch for this is 3.1.4. However, the fix for the CVE issue is in the commit in 3.1.5, which was not included.

  • Microsoft Defender flags will now only flag Zoom Meetings vulnerable for
    → CVE-2023-5678 CVSS 3.7.
    → CVE-2023-5678 , Fixed in OpenSSL 3.1.5 (Affected since 3.1.0)
1 Like

@donte.zoom

Defender is flagging still for:

CVE-2023-5678
CVE-2023-6237
CVE-2024-0727

Screenshot here: Imgur: The magic of the Internet

This is with Windows 64 bit Version: 5.17.11 (34827) build

Also before I forget - the same files are deployed by the Outlook plugin install so that too has the same issues, I would assume, but at this point I probably shouldn’t, the plugin libss and libcrypto libraries will also be updated on the same timeline.

2 Likes

@zoomuser-16 , @ziPRR , @pbow , @j.vanderstraten , @mark.twarog,

Update:

This issue is slated to be addressed in an upcoming release of the Zoom Client. The specific release date has not been announced yet, but I can confirm that our engineers are fully aware of the problem and are actively working on its resolution. I appreciate your patience and understanding.

Please note that the Zoom Developer Forum is primarily for discussing developer-related topics. For any issues related to the Zoom Client, it is recommended to use Zoom’s public community forums or support channels.

2 Likes

new 6.0 release today and still no fix… is this a joke?

2 Likes

Still no fix with latest release - we will be moving to another solution. I just got approval so no more excuses from you guys. I have seen many bad operations over my 21 years but this takes the CAKE!

1 Like

did you guys really release another 6.0.x update today and still not update these? i would love for someone to try to explain to me what is so complicated about this.

this is absolutely embarassing for you as a brand and even more so for the people that were dumb enough to give you money for your shoddy product.

Following this topic as it is still a looming recommendation to remdiate this version of open SSL. I suppose you’re not alone as filerepository also is on and outdated version of openssl… Still… Would love an update when we do get there.

1 Like

absolutely pathetic behavior by the whole zoom team for paying customers in just ignoring this for months on end