This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 48%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZH%3C/text%3E%3C/svg%3E)
My org has several OpenSSL vulnerabilities for OneDrive and Azure Disk Encryption. The CVEs are CVE-2024-4603, CVE-2024-4741, CVE-2024-5535, and Defender was said to fix inaccuracies with these last month (Sept. 2024). https://learn.microsoft.com/en-us/defender-vulnerability-management/fixed-reported-inaccuracies
See attached the file paths I am working with. I exported them into Excel as Application Name, Installed Version of OpenSSL, CVEs, and Path. Are these false positives?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 1%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EL%3C/text%3E%3C/svg%3E)
I have the same issue in my org.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 70%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELS%3C/text%3E%3C/svg%3E)
Same here looking for a fix on the OneDrive issues. If this is reported as false positive can we get a statement please?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 87%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDC%3C/text%3E%3C/svg%3E)
We are getting the same issue, we are showing this CVE-2024-4741 as a "High" issue in Defender on several devices. Please advise.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 56.00000000000001%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPD%3C/text%3E%3C/svg%3E)
The latest version of the OneDrive client 24.211.1020.0001 hasn't resolved the vulnerabilities. The two files in question are libssl-3-x64.dll and libcrypto-3-x64.dll.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 63%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETH%3C/text%3E%3C/svg%3E)
Looking for answers on this issue as well.
This has continued to be an issue for us as well.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 90%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPM%3C/text%3E%3C/svg%3E)
Hello @Zach Hyman ,
The relevant Product team is working to have this fixed.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 10%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETH%3C/text%3E%3C/svg%3E)
Is there any way to fix this? We still get the warning.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 4%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERG%3C/text%3E%3C/svg%3E)
fix scheduled to be rolled out by the end of January. refer to my Answer.
Apologies for getting back to you late.
OpenSSL detections are actual risks, and most Microsoft products, including OneDrive and Azure Disk Encryption, are in the process of being updated. Please be patient with us as we work on making the necessary updates.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 60%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESR%3C/text%3E%3C/svg%3E)
Hello @Pauline Mbabu
This has been an issue for the nearly the entire year.
Microsoft should be publishing a timeline of when these will be updated.
OR - if in the current use case they are not a vulnerability threat, pull them from the reporting.
c:\program files\windowsapps\microsoft.windows.photos_2024.11100.16009.0_x64__8wekyb3d8bbwe\libcrypto-3-x64.dll
version 3.3.1.0
June 4th
c:\program files\windowsapps\microsoft.paint_11.2408.30.0_x64__8wekyb3d8bbwe\paintapp\libcrypto-3-x64.dll
version 3.2.2.0
June 4th
c:\program files\microsoft onedrive\24.216.1027.0003\libssl-3-x64.dll
Version: 3.3.0.0
**April 9th
**
80% of this is Microsoft applications. When our patching is in good shape, still hovering in the high 20s low 30s.
Did they provide a timeline?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 2%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERD%3C/text%3E%3C/svg%3E)
@SAMUEL RANKL How do i exclude this from the reporting? I can't seem to get rid of these vulnerabilities that are basically unfixable for me, so i want to remove them from the view so i can focus on items that i can have fixed.
It's really ridiculous....not a single update. This is a security product for crying out loud. Maybe we should seek publicity.
We have had confirmation today from Microsoft Support that a fix is scheduled for deployment which will remove these vulnerabilities.
"we have been investigating and found that this the outgoing issue worldwide and has been reported to the Team and they are working actively on it.
As per the last update the fix for the identified vulnerabilities has been checked in and is scheduled for deployment by the end of January.
Please wait for couple of days and these vulnerabilities will be removed. I appreciate your patience."
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 97%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJW%3C/text%3E%3C/svg%3E)
Can you possibly cite where you are getting this from? I have been looking for documentation stating this so I can update my team accordingly but can't seem to find any articles. Or did you get it from Microsoft Support directly via a ticket? TIA
We have Microsoft Unified agreement, and the response is from their Engineer to our ticket. Yes, is very difficult to find publicly available information about this issue. Our ticket had been open for over 2 weeks without any feedback. We escalated within Microsoft to which this was their response. I'm expecting the next update of OneDrive sync is going to fix this issue
Update from Microsoft on our Unified Ticket today
"Now we check this with OneDrive Product Group, they were using an older version of OpenSSL that had a flagged vulnerability in it. We've since updated to the latest version that will not have that vulnerability. OpenSSL is just used for a specific websocket notification feature that doesn't send any customer content or EUII so there's no concern on data breeches. They confirm the fix is checked in and will be out by the end of January. "
OneDrive Sync App 25.004.0109.0002 is now being rolled out with Openssl 3.4.0.0 having no weaknesses.
@Zach Hyman please review the information I've provide and kindly accept my answer