Hi, Trying to improve my MDC secure score. OpenSSL seems to be a big part of the vulnerability findings. When diggning I found out that in any cases the culprit where related to ADE 2.4.0.23 (version 2.3.0 didn't seem to use openssl): openssl used is 3.2.1 (latest is 3.2.3) Azure Monitor Windows Agent 1.29.0.0: openssl used is 3.3.0 (latest is 3.3.2) AzurePolicyforWindows 1.29.80.0: openssl used is 3.3.1 (latest is 3.3.2) All openssl versions detected are related to CVEs from May 2024, 4 months ago. Those extensions seem to be in the latest versions, sometimes it's hard to find any information about their versions history (typically for ADE I found nothing). Exempting impacted resources is not a solution. What should I do ? Best regards, François

Hi Dufour, Francois , Welcome to the Microsoft Q&A Platform! Thank you for asking your question here. Here are the few inputs to help you for the Issue: Monitor for Updates: Stay vigilant for new Azure extension releases that could resolve the OpenSSL vulnerabilities. While these extensions are typically updated automatically, actively monitoring ensures you're informed when fixes become available. Regularly review the version history of the relevant extensions (Azure Disk Encryption, Azure Monitor Windows Agent, and Azure Policy for Windows) to track when patches are issued. Custom Security Policies: Create tailored policies within Microsoft Defender for Cloud that either track the versions of these extensions or enforce stricter rules to reduce the risk posed by outdated OpenSSL versions. This proactive approach ensures your environment is consistently monitored and better protected against vulnerabilities. For detailed information about how to create and manage custom security policies in Azure Defender for Cloud, you can refer to: https://learn.microsoft.com/en-us/azure/defender-for-cloud/create-custom-recommendations If you have any further queries, please do let us know. If the answer is helpful, please click "Accept Answer" and "Upvote it."

MDC reports vunerabilities about OpenSSL used by lastest Azure VM extensions

Dufour, Francois 46

Hi,

Trying to improve my MDC secure score. OpenSSL seems to be a big part of the vulnerability findings. When diggning I found out that in any cases the culprit where related to

ADE 2.4.0.23 (version 2.3.0 didn't seem to use openssl): openssl used is 3.2.1 (latest is 3.2.3)
Azure Monitor Windows Agent 1.29.0.0: openssl used is 3.3.0 (latest is 3.3.2)
AzurePolicyforWindows 1.29.80.0: openssl used is 3.3.1 (latest is 3.3.2)

All openssl versions detected are related to CVEs from May 2024, 4 months ago.

Those extensions seem to be in the latest versions, sometimes it's hard to find any information about their versions history (typically for ADE I found nothing). Exempting impacted resources is not a solution. What should I do ?

Best regards,

François

anashetty 740 Reputation points Microsoft Vendor

2024-09-16T15:07:16.3333333+00:00

Hi Dufour, Francois,

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

We are looking into it and will get back to you soon.
Mitchell M 0 Reputation points

2024-10-07T19:02:50.9866667+00:00

I don't see any updates to SSL in the change notes as of now. https://learn.microsoft.com/en-us/azure/azure-arc/servers/agent-release-notes
anashetty 740 Reputation points Microsoft Vendor

2024-10-08T01:27:32.5766667+00:00

Hi Mitchell M,

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

I suggest filing a support case to investigate this matter further. The support team will be able to examine and assist with resolving the issue. Support team can check internally and share details on the latest version availability.

Thank you.
Zach Hyman 30 Reputation points

2024-10-17T19:15:30.6733333+00:00

Anything from Microsoft?? This is still an issue for my org.
anashetty 740 Reputation points Microsoft Vendor

2024-10-18T01:12:25.0133333+00:00

Hi Zach Hyman,

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

I suggest filing a support case to investigate this matter further. The support team will be able to examine and assist with resolving the issue. Support team can check internally and share details on the latest version availability.

Thank you.

1 answer

anashetty 740 Reputation points Microsoft Vendor

2024-09-17T16:47:14.7133333+00:00

Hi Dufour, Francois,

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

Here are the few inputs to help you for the Issue:

Monitor for Updates:

Stay vigilant for new Azure extension releases that could resolve the OpenSSL vulnerabilities. While these extensions are typically updated automatically, actively monitoring ensures you're informed when fixes become available.

Regularly review the version history of the relevant extensions (Azure Disk Encryption, Azure Monitor Windows Agent, and Azure Policy for Windows) to track when patches are issued.

Custom Security Policies:

Create tailored policies within Microsoft Defender for Cloud that either track the versions of these extensions or enforce stricter rules to reduce the risk posed by outdated OpenSSL versions. This proactive approach ensures your environment is consistently monitored and better protected against vulnerabilities.

For detailed information about how to create and manage custom security policies in Azure Defender for Cloud, you can refer to: https://learn.microsoft.com/en-us/azure/defender-for-cloud/create-custom-recommendations

If you have any further queries, please do let us know.

If the answer is helpful, please click "Accept Answer" and "Upvote it."
Please sign in to rate this answer.
Dufour, Francois 46 Reputation points

2024-09-18T09:35:37.99+00:00

Thanks for your answer. I was looking for versions history and only found for AMA and then while looking at extensions on a VM in the portal I saw that portal has evolved since last week. I can now see the exact version installed and the available upgrade versions. Helps more

anashetty 740 Reputation points Microsoft Vendor

2024-09-18T11:02:40.5566667+00:00

Hi Dufour, Francois,

For the response I provided to your question, please tell us if it was helpful and feel free to reach out to us if you have any queries.

If you feel that your queries have been resolved, please accept the answer by clicking the "Upvote" and "Accept Answer" on the post.

Thank you.

David Brown 41 Reputation points

2024-10-01T07:25:54.4233333+00:00

I also get the same OpenSSL MIVPAG vulnerabilities in Defender for Cloud, nearly all of which relate to Microsoft products. We keep the Microsoft software as up to date as is possible but you are not updating OpenSSL within it.

Visual Studio 2022 3.2.1.0
Microsoft Integration Runtime 3.3.1.0

AzureMonitorWindowsAgent 3.3.0.0 & 1.1.1.0

microsoft.guestconfiguration.configurationforwindows 3.3.1.0

Can you please start updating the software with later non vulnerable versions?

Stephen 0 Reputation points

2024-10-02T18:05:23.23+00:00

This is exactly the issue I've found as well. I wonder if it is worth opening a support case with Microsoft?

anashetty 740 Reputation points Microsoft Vendor

2024-10-03T14:56:44.76+00:00

Hi David Brown and Stephen

Thank you for providing information. I suggest filing a support case to investigate this matter further. The support team will be able to examine and assist with resolving the issue.

Dufour, Francois 46 Reputation points

2024-10-03T15:13:02.0466667+00:00

Except keeping an eye on new versions release of the impacted extensions and praying that the latest version of openssl is used, I don't know what else we can do and I don't know how support can help here.

anashetty 740 Reputation points Microsoft Vendor

2024-10-04T06:33:55.6866667+00:00

Hi Dufour, Francois,

I suggest filing a support case to investigate this matter further. The support team will be able to examine and assist with resolving the issue. Support team can check internally and share details on the latest version availability.

Thank you.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

MDC reports vunerabilities about OpenSSL used by lastest Azure VM extensions

1 answer

Your answer