OpenSSL Vulnerability Shown on Microsoft Defender for Cloud Dashboard - OneDrive affected app
An OpenSSL vulnerability has been flagged on one of our devices by Microsoft Defender for Cloud.
The vulnerability has listed two DLL files as the main culprits (both installed via OneDrive):
- libcrypto-3-x64.dll
- libssl-3-x64.dll
The OneDrive version is the latest, as far as I know (24.196.0929.0005), and was updated on 26-Oct-2024.
However, it appears that the DLL file versions have persisted at 3.3.0.0, which is considered vulnerable by Microsoft Defender's vulnerability scanner.
Therefore, how do we address this vulnerability if it cannot be addressed via a OneDrive update, as seems to be the case here?
Microsoft Defender for Cloud
-
Bill Shannon • 10 Reputation points
2024-11-12T16:55:16.8766667+00:00
This is a headache for me as well, especially when the older OneDrive versions are still hanging around. Even taking ownership and Full Control of the files (in the older directories) won't let me delete them. And security folks like me don't like this old vulnerable stuff hanging around. Yet, OneDrive's update mechanism for some reason won't remove older versions.
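Before deciding whether the finding is real for a given machine, it helps to know exactly which OneDrive build folders are still on disk and which OpenSSL DLL version each one carries. The script below is an added example written for this thread, not code from Microsoft or from any poster. It assumes OneDrive keeps per-user builds under %LOCALAPPDATA%\Microsoft\OneDrive and per-machine builds under %ProgramFiles%\Microsoft OneDrive (each with version-numbered subfolders); the `-MinimumVersion` parameter and its default of 3.3.1.0 (the first release after the 3.3.0 build discussed here) are choices made for the example, not values from the page.

```powershell
# Added example (not from the thread): inventory the OpenSSL DLLs that OneDrive
# builds ship and report their file versions, so stale per-version folders can
# be confirmed and reported before anything is removed or rescanned.
#
# Assumptions (not stated on the page): the install roots below, and the
# MinimumVersion default, are chosen for this example.
param(
    [version]$MinimumVersion = '3.3.1.0'
)

$dllNames = @('libcrypto-3-x64.dll', 'libssl-3-x64.dll')

# Candidate install roots; skip any whose environment variable is unset or
# whose folder does not exist on this machine.
$roots = foreach ($pair in @(
        @{ Env = 'LOCALAPPDATA';      Sub = 'Microsoft\OneDrive' },
        @{ Env = 'ProgramFiles';      Sub = 'Microsoft OneDrive' },
        @{ Env = 'ProgramFiles(x86)'; Sub = 'Microsoft OneDrive' })) {
    $base = [Environment]::GetEnvironmentVariable($pair.Env)
    if ($base) {
        $candidate = Join-Path $base $pair.Sub
        if (Test-Path -LiteralPath $candidate) { $candidate }
    }
}

function Get-OpenSslDllVersion {
    # Parse the DLL's FileVersion string into a [version]; returns $null when
    # the resource is missing or not in dotted-numeric form.
    param([System.IO.FileInfo]$File)
    $raw = $File.VersionInfo.FileVersion
    if (-not $raw) { return $null }
    $parsed = $null
    if ([version]::TryParse($raw.Trim(), [ref]$parsed)) { return $parsed }
    return $null
}

$findings = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $dllNames -contains $_.Name } |
        ForEach-Object {
            $ver = Get-OpenSslDllVersion -File $_
            if (-not $ver) {
                $status = 'Unknown'
            } elseif ($ver -lt $MinimumVersion) {
                $status = 'BelowMinimum'
            } else {
                $status = 'OK'
            }
            [pscustomobject]@{
                InstallRoot   = $root
                # The parent folder is the OneDrive build that carries this copy:
                # a version-numbered subfolder, or the root for the active install.
                OneDriveBuild = $_.Directory.Name
                Dll           = $_.Name
                FileVersion   = if ($ver) { $ver.ToString() } else { '(unreadable)' }
                LastWritten   = $_.LastWriteTime
                Status        = $status
                Path          = $_.FullName
            }
        }
}

if (-not $findings) {
    Write-Host "No OneDrive-shipped OpenSSL DLLs found under: $($roots -join '; ')"
    return
}

$findings |
    Sort-Object Status, OneDriveBuild |
    Format-Table OneDriveBuild, Dll, FileVersion, Status, LastWritten -AutoSize

$below  = @($findings | Where-Object Status -eq 'BelowMinimum')
$builds = @($findings | Select-Object -ExpandProperty OneDriveBuild -Unique)
Write-Host ("{0} DLL(s) below {1}; {2} distinct OneDrive build folder(s) still on disk." -f `
    $below.Count, $MinimumVersion, $builds.Count)
```

Run it as the user whose OneDrive is installed (per-user builds live in that user's profile) and again in an elevated session if a per-machine install exists. The table shows whether the flagged version belongs to the active build or only to a leftover folder, which is the first thing to establish when reconciling a Defender finding against what an update actually replaced.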
-
Champ • 1 Reputation point
2024-11-14T03:05:42.6633333+00:00
Hi everyone,
Did you manage to find a solution for this? It is being flagged as a possible attack path by Defender, but I'm not sure what to do with this.
-
Pauline Mbabu • 595 Reputation points • Microsoft Employee
2024-11-25T10:32:05.7566667+00:00
Hello @Eric Wasike,
The relevant Product Team is working to have this fixed.
-
Mike-H • 45 Reputation points
2024-11-26T18:05:59.0966667+00:00
@Pauline Mbabu, please can you confirm whether the fix being worked on is to resolve this being flagged as a false positive, or whether we await a version update to OneDrive which will resolve the issue?
-
Alcebíades Pardal Grandizoli • 5 Reputation points
2024-12-09T07:02:33.14+00:00
@Pauline Mbabu Any news?
-
Zachery Paul Gardner • 0 Reputation points
2024-12-19T17:45:49.0266667+00:00
We are also having this issue. Is there a patched version of OneDrive available? This seems to have persisted through the last several updates, and we are not getting any answers on timelines for correction.
-
OZTEZCAN Batuhan • 10 Reputation points
2025-01-03T07:18:37.5933333+00:00
This issue still persists in the latest production build: 24.226.1110.0004. I wonder when it will be patched.
-
WesMadden • 6 Reputation points
2025-01-03T23:26:45.1933333+00:00
OpenSSL component vulnerabilities in Defender Vulnerability Management seem too heavily weighted against the exposure score. We are showing several Microsoft products with vulnerable OpenSSL components, with the biggest being OneDrive. This seems like it will be a constant issue going forward, so I would recommend that Microsoft take a look at how heavily this is weighted against the exposure score; otherwise the exposure score doesn't seem to be an accurate construct.
-
SM • 20 Reputation points
2025-01-08T15:44:32.1866667+00:00
Any news on the release date for an updated version please?
Thanks,
SM
-
Pauline Mbabu • 595 Reputation points • Microsoft Employee
2025-01-23T04:05:01.6066667+00:00
Apologies for getting back to you late.
OpenSSL detections are actual risks, and most Microsoft products, including OneDrive, are in the process of being updated. I am not able to confirm the exact day that the update will be released, but this is being investigated. Please be patient with us as we work on making the necessary updates.
-
Martin L. Mogensen • 20 Reputation points
2025-01-27T08:02:50.5+00:00
Dear Pauline Mbabu,
I think a lot of us have already been more than patient. This thread started almost 3 months ago... the file mentioned is version 3.3.0, but it was superseded by version 3.3.1, which was released 4th June 2024 (7.5 months ago), and later by version 3.3.2, which was released September 3rd 2024 (4.5 months ago).
I can't help thinking that Microsoft doesn't prioritize security, since updating applications is prioritized that low.
Is it naive to hope that you can get this escalated to someone who can ensure this is being fixed, instead of postponed and excused?
I do know that you are not the one to blame, so please don't take this personally.
-
SM • 20 Reputation points
2025-01-27T09:11:55.6966667+00:00
Thanks for coming back to us Pauline, it is appreciated.
If you have a route to make suggestions within Microsoft, could it be fed upward, please, to ask that any Microsoft product that includes open source libraries like OpenSSL, Log4j, etc. always release the latest stable version of that library when it is updated?
The history shows that it's only a matter of time before CVEs are published for the older or current version of these libraries, so it would at least hopefully improve the situation over time and reassure customers like ourselves that we only need to wait for the next release for the issue to be resolved.
Thanks again,
SM
-
SM • 20 Reputation points
2025-01-27T14:39:53.6733333+00:00
On our estate, we've seen that version 25.* is now being pushed out, which contains OpenSSL 3.4. More importantly, that currently has no CVEs in Defender, which is brill. Thanks 😊