OpenSSL vulnerabilities in Defender for latest version Microsoft Products

Zach Hyman 100 Reputation points
2024-10-15T20:07:36.4466667+00:00

My org has several OpenSSL vulnerabilities for OneDrive and Azure Disk Encryption. The CVEs are CVE-2024-4603, CVE-2024-4741, CVE-2024-5535, and Defender was said to fix inaccuracies with these last month (Sept. 2024). https://zcusa.951200.xyz/en-us/defender-vulnerability-management/fixed-reported-inaccuracies

See attached the file paths I am working with. I exported them into Excel as Application Name, Installed Version of OpenSSL, CVEs, and Path. Are these false positives?

Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,449 questions
{count} votes

1 answer

Sort by: Most helpful
  1. SAMUEL RANKL 5 Reputation points
    2024-11-26T19:18:41.0833333+00:00

    Hello @Pauline Mbabu

    This has been an issue for the nearly the entire year.
    Microsoft should be publishing a timeline of when these will be updated.
    OR - if in the current use case they are not a vulnerability threat, pull them from the reporting.

    c:\program files\windowsapps\microsoft.windows.photos_2024.11100.16009.0_x64__8wekyb3d8bbwe\libcrypto-3-x64.dll
    version 3.3.1.0
    June 4th

    c:\program files\windowsapps\microsoft.paint_11.2408.30.0_x64__8wekyb3d8bbwe\paintapp\libcrypto-3-x64.dll
    version 3.2.2.0
    June 4th

    c:\program files\microsoft onedrive\24.216.1027.0003\libssl-3-x64.dll
    Version: 3.3.0.0
    **April 9th
    **
    80% of this is Microsoft applications. When our patching is in good shape, still hovering in the high 20s low 30s.
    User's image

    Did they provide a timeline?

    1 person found this answer helpful.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.