MDC reports vulnerabilities about OpenSSL used by latest Azure VM extensions

Dufour, Francois 56 Reputation points
2024-09-13T13:38:00.23+00:00

Hi,

Trying to improve my MDC secure score. OpenSSL seems to be a big part of the vulnerability findings. When digging, I found out that in any cases the culprits were related to

  • ADE 2.4.0.23 (version 2.3.0 didn't seem to use openssl): openssl used is 3.2.1 (latest is 3.2.3)
  • Azure Monitor Windows Agent 1.29.0.0: openssl used is 3.3.0 (latest is 3.3.2)
  • AzurePolicyforWindows 1.29.80.0: openssl used is 3.3.1 (latest is 3.3.2)

All openssl versions detected are related to CVEs from May 2024, 4 months ago.

Those extensions seem to be in the latest versions, sometimes it's hard to find any information about their version history (typically for ADE I found nothing). Exempting impacted resources is not a solution. What should I do?

Best regards,

François

Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.

1 answer

  1. anashetty 1,955 Reputation points Microsoft Vendor
    2024-09-17T16:47:14.7133333+00:00

    Hi Dufour, Francois,

    Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

    Here are a few inputs to help you with the issue:

    Monitor for Updates:

    Stay vigilant for new Azure extension releases that could resolve the OpenSSL vulnerabilities. While these extensions are typically updated automatically, actively monitoring ensures you're informed when fixes become available.

    Regularly review the version history of the relevant extensions (Azure Disk Encryption, Azure Monitor Windows Agent, and Azure Policy for Windows) to track when patches are issued.

    Custom Security Policies:

    Create tailored policies within Microsoft Defender for Cloud that either track the versions of these extensions or enforce stricter rules to reduce the risk posed by outdated OpenSSL versions. This proactive approach ensures your environment is consistently monitored and better protected against vulnerabilities.

    For detailed information about how to create and manage custom security policies in Azure Defender for Cloud, you can refer to: https://learn.microsoft.com/en-us/azure/defender-for-cloud/create-custom-recommendations

    If you have any further queries, please do let us know.

    If the answer is helpful, please click "Accept Answer" and "Upvote it."
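
An added example, not part of the original thread and not Microsoft tooling: a Python triage helper that separates OpenSSL findings bundled inside VM extensions from copies the VM owner can patch directly, and checks each against the latest patch level quoted in the question. The `C:\Packages\Plugins\<Publisher.Type>\<version>` layout, the file paths and the findings list are constructed assumptions.

```python
import re
from collections import defaultdict

# Latest patch release per OpenSSL branch, as quoted in the question (September 2024).
LATEST_PER_BRANCH = {"3.2": "3.2.3", "3.3": "3.3.2"}

# Assumption: Windows VM extensions unpack under
# C:\Packages\Plugins\<Publisher.Type>\<extension version>\...
PLUGIN_PATH = re.compile(
    r"^[A-Za-z]:\\Packages\\Plugins\\(?P<ext>[^\\]+)\\(?P<ext_ver>\d+(?:\.\d+)+)\\",
    re.IGNORECASE,
)

# Constructed findings export: (file path, detected OpenSSL version).
SAMPLE_FINDINGS = [
    (r"C:\Packages\Plugins\Microsoft.Azure.Security.AzureDiskEncryption\2.4.0.23\libcrypto-3-x64.dll", "3.2.1"),
    (r"C:\Packages\Plugins\Microsoft.Azure.Monitor.AzureMonitorWindowsAgent\1.29.0.0\Monitoring\libssl-3-x64.dll", "3.3.0"),
    (r"C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\1.29.80.0\libcrypto-3-x64.dll", "3.3.1"),
    (r"C:\Program Files\ExampleApp\bin\libcrypto-3-x64.dll", "3.3.1"),
]

def parse_version(text):
    """Turn '3.2.1' into (3, 2, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def triage(findings, latest=LATEST_PER_BRANCH):
    """Group findings by owner and flag those behind their branch's latest patch."""
    report = defaultdict(list)
    for path, openssl_ver in findings:
        match = PLUGIN_PATH.match(path)
        # Assumption: an extension-bundled copy changes only with a new extension
        # release; any other copy is one the VM owner can patch directly.
        owner = f"{match['ext']} {match['ext_ver']}" if match else "customer-managed"
        branch = ".".join(openssl_ver.split(".")[:2])
        target = latest.get(branch)
        if target is None:
            status = "unknown-branch"
        elif parse_version(openssl_ver) < parse_version(target):
            status = f"behind (latest {target})"
        else:
            status = "current"
        report[owner].append((openssl_ver, status))
    return dict(report)

if __name__ == "__main__":
    for owner, items in triage(SAMPLE_FINDINGS).items():
        print(owner, items)
```

Findings grouped under an extension name are the ones to raise with the extension publisher and track per extension release; the `customer-managed` group is the part of the score the VM owner can act on immediately.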

