![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 31%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMG%3C/text%3E%3C/svg%3E)
Hello is there any News on that?
OpenSSL Vulnerability Shown on Microsoft Defender for Cloud Dashboard - OneDrive affected app
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 75%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEW%3C/text%3E%3C/svg%3E)
Eric Wasike
75
Reputation points
An OpenSSL vulnerability has been flagged on one of our devices by Microsoft Defender for Cloud.
The vulnerability has listed two dll files as the main culprits (both installed via OneDrive):
- libcrypto-3-x64.dll
- libssl-3-x64.dll
The OneDrive version is the latest, as far as I know (24.196.0929.0005), and was updated on 26-Oct-2024.
However, it appears that the dll file versions have persisted at 3.3.0.0, which is considered vulnerable by Microsoft Defender's vulnerability scanner.
Therefore, how do we address this vulnerability if it cannot be addressed via a OneDrive update, as seems to be the case here?
Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(313.6, 9%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
Bill Shannon 35 Reputation points2024-11-12T16:55:16.8766667+00:00 This is a headache for me as well, especially when the older OneDrive versions are still hanging around. Even taking ownership and Full Control of the files (in the older directories) won't let me delete them. And security folks like me don't like this old vulnerable stuff hanging around. Yet, OneDrive's update mechanism for some reason won't remove older versions.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 65%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
Champ 1 Reputation point2024-11-14T03:05:42.6633333+00:00 Hi everyone,
Did you managed to find a solution for this? It is flagging as a possible attack path by defender but not sure what to do with this.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 90%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPM%3C/text%3E%3C/svg%3E)
Pauline Mbabu 1,320 Reputation points Microsoft Employee2024-11-25T10:32:05.7566667+00:00 Hello @Eric Wasike ,
The relevant Product Team is working to have this fixed.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 13%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMH%3C/text%3E%3C/svg%3E)
Mike-H 50 Reputation points2024-11-26T18:05:59.0966667+00:00 @Pauline Mbabu please can you confirm if the fix being worked on is to resolve this being flagged as a false positive or if we await a version update to One Drive which will resolve the issue?
-
Alcebíades Pardal Grandizoli 5 Reputation points2024-12-09T07:02:33.14+00:00 @Pauline Mbabu Any news?
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 66%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZP%3C/text%3E%3C/svg%3E)
Zachery Paul Gardner 0 Reputation points2024-12-19T17:45:49.0266667+00:00 We are also having this issue. Is there a patched version of OneDrive available? This seems to have persisted through the last several updates and we are not getting any answers on timelines for correction.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 39%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EOB%3C/text%3E%3C/svg%3E)
OZTEZCAN Batuhan 10 Reputation points2025-01-03T07:18:37.5933333+00:00 This issue still persists in the latest production build.: 24.226.1110.0004. I wonder when it will be patched.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 57.99999999999999%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EW%3C/text%3E%3C/svg%3E)
WesMadden 11 Reputation points2025-01-03T23:26:45.1933333+00:00 OpenSSL component vulnerabilities in Defender Vulnerability Management seem too heavily weighted against the exposure score. We are showing several Microsoft products with vulnerable OpenSSL components with the biggest being OneDrive. This seems like it will be a constant issue going forward so I would recommend that Microsoft take a look at how heavily weighted this is against the exposure score otherwise the exposure score doesn't seem to be an accurate construct.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 54%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
SM 20 Reputation points2025-01-08T15:44:32.1866667+00:00 Any news on the release date for an updated version please?
Thanks,
SM -
Pauline Mbabu 1,320 Reputation points Microsoft Employee
2025-01-23T04:05:01.6066667+00:00 Apologies for getting back to you late.
OpenSSL detections are actual risks, and most Microsoft products, including OneDrive, are in the process of being updated. I am not able to confirm the exact day that the update will be released but this is being investigated. Please be patient with us as we work on making the necessary updates. -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 53%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EML%3C/text%3E%3C/svg%3E)
Martin L. Mogensen 25 Reputation points2025-01-27T08:02:50.5+00:00 Dear Pauline Mbabu,
I think a lot of us already have been more than patience. This thread started almost 3 month ago... the file mentioned is version 3.3.0, but it was superseded by version 3.3.1 which was released 4th june 2024 (7.5 month ago), and later on by version 3.3.2 was released September 3rd 2024 (4.5 month ago).
I can't help thinking that Microsoft doesn't prioritize security, since updating applications is prioritized that low.
Is is naive to hope that you can get this escalated to someone, who can ensure this is being fixed, instead of postponed and excused?
I do know that you are not the one to blame, so please take this personal.
-
SM 20 Reputation points
2025-01-27T09:11:55.6966667+00:00 Thanks for coming back to us Pauline, it is appreciated.
If you have a route to make suggestions within Microsoft, could it be fed upward please to ask that any Microsoft product that includes open source libraries like OpenSSL, Log4J etc, always release the latest stable version of that library when they are updated?
The history shows that it's only a matter of time before CVEs are published for the older or current version of these libraries so it would at least hopefully improve the situation over time and re-assure customers like ourselves that we only need wait for the next release for the issue to be resolved.
Thanks again,
SM -
SM 20 Reputation points
2025-01-27T14:39:53.6733333+00:00 On our estate, we've seen that version 25.* is now being pushed out which contains openSSL 3.4. More importantly, that currently has no CVEs in Defender which is brill. Thanks 😊
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 78%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Adam Meyer 0 Reputation points2025-05-20T18:29:44.27+00:00 I don't have a solution here, but I'm chiming in to say my company has a similar concern.
Sensibility aside, my company is graded on the suggestions given by Microsoft Defender for Cloud, and the single biggest concern with its findings lately is a vulnerability associated with these two OpenSSL DLLs that are, ironically, installed only because of a different security posture suggestion made by Defender for the "Guest Attestation" Azure extension. Defender complains about the exact same two DLLs, albeit even newer than the ones cited here (ver 3.4.0.0), used by the Guest Attestation Azure extension.
I understand it takes time to fix issues like this, but it's kind of a funny or sad irony when a suggestion made by Microsoft to improve security posture and install the "Guest Attestation" extension reportedly makes it worse instead by then reporting even greater vulnerabilities with the OpenSSL files included with the Guest Attestation extension.
-
Bill Shannon 35 Reputation points
2025-05-21T16:21:25.83+00:00 Come on, Microsoft!!! @Pauline Mbabu
Microsoft Office May Update just dumped a load of vulnerable OpenSSL DLLs and completely hosed Secure and Exposure Scores in Defender. This is ridiculous.
-
Bill Shannon 35 Reputation points
2025-05-21T16:22:05.74+00:00 Come on, Microsoft!!! @Pauline Mbabu
Microsoft Office May Update just dumped a load of vulnerable OpenSSL DLLs and completely hosed Secure and Exposure Scores in Defender. This is ridiculous.
-
Pauline Mbabu 1,320 Reputation points Microsoft Employee
2025-06-10T17:19:48.21+00:00 Hello @Bill Shannon ,
This is an issue that has to be addressed by the Individual Product Teams. I have given this feedback, and it is being forwarded to the relevant Product Team. Unfortunately, I am not in a position to provide a timeline as to when this will be addressed. I don't have visibility on this.
I would also recommend raising a support ticket to create more Visibility on this.
To Raise a support Ticket:- Go to the Azure Portal.
- Click on the Help + support option in the left-hand menu.
- Select New support request.
- Follow the prompts to create a support ticket explaining your issue.
Sign in to comment
2 answers
Sort by: Most helpful
-
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 67%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
CyberSecTech 0 Reputation points2025-08-01T14:00:18.26+00:00 Read from October 2024 and today is August 1. Has there been any development in this?