OpenSSL Vulnerability

Jurell Topper 50 Reputation points
2024-06-05T14:02:07.13+00:00

Hello,

We received a critical alert from Microsoft Defender (CVE-2023-49210) which tells us that 90 of our devices have vulnerabilities due to an OpenSSL version which is not supported anymore. We don't have any software on these PCs that includes OpenSSL, so this must be something to do with Windows 11. I even see this vulnerability with a fresh image of Windows 11.

The Defender alert calls out the following vulnerable files:
User's image

There are MANY vulnerabilities related to OpenSSL in my Defender portal (seen below) and I would like to resolve them all. Is there a way to resolve all vulnerabilities by somehow updating OpenSSL (which I don't even see as installed on any of these PCs)?

User's image

Microsoft Defender for Cloud
1 answer

Michael Taylor 50,111 Reputation points
2024-06-07T18:19:49.68+00:00

The warnings are being triggered because there are multiple software packages that ship with the OpenSSL libraries that are considered vulnerable. Since each package ships its own copy of the libraries, you'd need to update each of the packages yourself. They don't share/use a common version. Unfortunately you cannot just "upgrade" the library as there are potentially breaking changes that could break the app. You would need to go to each package's vendor and look for an update.

In the case of the driver filestore, this is where Windows stores a copy of the driver files that Windows may or may not be using. It looks like you might have older versions of the Intel iCLS Client driver. These can be safely ignored I believe. You should go to the Microsoft Update Catalog and ensure you have the latest Intel iCLS Client driver installed, if you're using it.

The other 2 references are local to your user and are the OneDrive provider. I find it interesting that you're running 24.103 while the latest I have is 24.101. And my version was supposedly updated today. OpenSSL 3.3.1 was released a couple of days ago and my version is 3.3.0. This may just be a false positive but until OneDrive updates there is not much you can do about it either way.

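To see which packages actually bundle the flagged OpenSSL DLLs on a device (driver store, per-user apps such as OneDrive, Program Files), here is an added PowerShell inventory script; it is not part of the question or the answer, and the search roots and DLL name patterns are assumptions to adjust for your environment:

```powershell
# Added example: inventory bundled OpenSSL DLLs on a Windows host and map each
# copy to the directory (and thus the package) that ships it. Search roots and
# file-name patterns below are assumptions, not something Defender reports.
$roots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    "$env:SystemRoot\System32\DriverStore\FileRepository",   # driver filestore from the answer
    $env:LOCALAPPDATA                                        # per-user apps such as OneDrive
) | Where-Object { $_ -and (Test-Path -Path $_) }

# OpenSSL 1.0.x shipped as libeay32/ssleay32; 1.1.x and 3.x ship as libcrypto-*/libssl-*
$patterns = 'libcrypto*.dll', 'libssl*.dll', 'libeay32.dll', 'ssleay32.dll'

$found = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Include $patterns -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Package  = $_.DirectoryName                   # owning package/folder
                File     = $_.Name
                Version  = $_.VersionInfo.FileVersion         # OpenSSL version stamped in the DLL
                Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
                Modified = $_.LastWriteTime
            }
        }
}

# One row per copy, so each finding in the Defender alert can be tied to a vendor to contact
$found | Sort-Object Package, File | Format-Table -AutoSize

# Summary by version: quick view of how many distinct OpenSSL builds are on the box
$found | Group-Object Version | Select-Object Name, Count | Sort-Object Name

# Optional: collect per device for the 90 machines, e.g. via Intune/SCCM or Invoke-Command
$found | Export-Csv -Path "$env:TEMP\openssl-inventory-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Compare each reported Version against the vendor's advisory for the package that owns the directory; as the answer notes, the fix is a vendor update of that package, not a replacement of the DLL in place.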