This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 75%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEW%3C/text%3E%3C/svg%3E)
An OpenSSL vulnerability has been flagged on one of our devices by Microsoft Defender for Cloud.
The vulnerability has listed two dll files as the main culprits (both installed via OneDrive):
The OneDrive version is the latest, as far as I know (24.196.0929.0005), and was updated on 26-Oct-2024.
However, it appears that the dll file versions have persisted at 3.3.0.0, which is considered vulnerable by Microsoft Defender's vulnerability scanner.
Therefore, how do we address this vulnerability if it cannot be addressed via a OneDrive update, as seems to be the case here?
A cloud-native solution that protects workloads across hybrid and multi-cloud environments with threat detection and security recommendations
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(313.6, 9%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
This is a headache for me as well, especially when the older OneDrive versions are still hanging around. Even taking ownership and Full Control of the files (in the older directories) won't let me delete them. And security folks like me don't like this old vulnerable stuff hanging around. Yet, OneDrive's update mechanism for some reason won't remove older versions.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 65%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
Hi everyone,
Did you managed to find a solution for this? It is flagging as a possible attack path by defender but not sure what to do with this.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 90%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPM%3C/text%3E%3C/svg%3E)
Hello @Eric Wasike ,
The relevant Product Team is working to have this fixed.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 13%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMH%3C/text%3E%3C/svg%3E)
@Pauline Mbabu please can you confirm if the fix being worked on is to resolve this being flagged as a false positive or if we await a version update to One Drive which will resolve the issue?
@Pauline Mbabu Any news?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 66%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZP%3C/text%3E%3C/svg%3E)
We are also having this issue. Is there a patched version of OneDrive available? This seems to have persisted through the last several updates and we are not getting any answers on timelines for correction.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 39%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EOB%3C/text%3E%3C/svg%3E)
This issue still persists in the latest production build.: 24.226.1110.0004. I wonder when it will be patched.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 57.99999999999999%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EW%3C/text%3E%3C/svg%3E)
OpenSSL component vulnerabilities in Defender Vulnerability Management seem too heavily weighted against the exposure score. We are showing several Microsoft products with vulnerable OpenSSL components with the biggest being OneDrive. This seems like it will be a constant issue going forward so I would recommend that Microsoft take a look at how heavily weighted this is against the exposure score otherwise the exposure score doesn't seem to be an accurate construct.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 54%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Any news on the release date for an updated version please?
Thanks,
SM
Apologies for getting back to you late.
OpenSSL detections are actual risks, and most Microsoft products, including OneDrive, are in the process of being updated. I am not able to confirm the exact day that the update will be released but this is being investigated. Please be patient with us as we work on making the necessary updates.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 53%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EML%3C/text%3E%3C/svg%3E)
Dear Pauline Mbabu,
I think a lot of us already have been more than patience. This thread started almost 3 month ago... the file mentioned is version 3.3.0, but it was superseded by version 3.3.1 which was released 4th june 2024 (7.5 month ago), and later on by version 3.3.2 was released September 3rd 2024 (4.5 month ago).
I can't help thinking that Microsoft doesn't prioritize security, since updating applications is prioritized that low.
Is is naive to hope that you can get this escalated to someone, who can ensure this is being fixed, instead of postponed and excused?
I do know that you are not the one to blame, so please take this personal.
Thanks for coming back to us Pauline, it is appreciated.
If you have a route to make suggestions within Microsoft, could it be fed upward please to ask that any Microsoft product that includes open source libraries like OpenSSL, Log4J etc, always release the latest stable version of that library when they are updated?
The history shows that it's only a matter of time before CVEs are published for the older or current version of these libraries so it would at least hopefully improve the situation over time and re-assure customers like ourselves that we only need wait for the next release for the issue to be resolved.
Thanks again,
SM
On our estate, we've seen that version 25.* is now being pushed out which contains openSSL 3.4. More importantly, that currently has no CVEs in Defender which is brill. Thanks 😊
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 78%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
I don't have a solution here, but I'm chiming in to say my company has a similar concern.
Sensibility aside, my company is graded on the suggestions given by Microsoft Defender for Cloud, and the single biggest concern with its findings lately is a vulnerability associated with these two OpenSSL DLLs that are, ironically, installed only because of a different security posture suggestion made by Defender for the "Guest Attestation" Azure extension. Defender complains about the exact same two DLLs, albeit even newer than the ones cited here (ver 3.4.0.0), used by the Guest Attestation Azure extension.
I understand it takes time to fix issues like this, but it's kind of a funny or sad irony when a suggestion made by Microsoft to improve security posture and install the "Guest Attestation" extension reportedly makes it worse instead by then reporting even greater vulnerabilities with the OpenSSL files included with the Guest Attestation extension.
Come on, Microsoft!!! @Pauline Mbabu
Microsoft Office May Update just dumped a load of vulnerable OpenSSL DLLs and completely hosed Secure and Exposure Scores in Defender. This is ridiculous.
Come on, Microsoft!!! @Pauline Mbabu
Microsoft Office May Update just dumped a load of vulnerable OpenSSL DLLs and completely hosed Secure and Exposure Scores in Defender. This is ridiculous.
Hello @Bill Shannon ,
This is an issue that has to be addressed by the Individual Product Teams. I have given this feedback, and it is being forwarded to the relevant Product Team. Unfortunately, I am not in a position to provide a timeline as to when this will be addressed. I don't have visibility on this.
I would also recommend raising a support ticket to create more Visibility on this.
To Raise a support Ticket:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 31%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMG%3C/text%3E%3C/svg%3E)
Hello is there any News on that?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 11%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESA%3C/text%3E%3C/svg%3E)
Any news? for this isssue
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 67%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
Read from October 2024 and today is August 1. Has there been any development in this?