This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 84%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJT%3C/text%3E%3C/svg%3E)
We have multiple devices showing up with OpenSSL vulnerabilities. It is detecting two dll files that it is flagging. Which they are libssl-3-x64.dll and libcrypto-3-x64.dll. It is flagging this for multiple different applications through out multiple devices. Some devices it's not the same application. Is defender showing a false negative of these vulnerabilities. If this are not false negatives then what is the process to update the dll files inside the applications?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 99%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESH%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 9%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBA%3C/text%3E%3C/svg%3E)
Hi,
i have same issue on this with component of SSMS
c:\program files (x86)\microsoft sql server management studio 19\common7\ide\mashup\odbc drivers\simba spark odbc driver\libcurl32.dlla\openssl32.dlla\libcrypto-3.dll
c:\program files (x86)\microsoft sql server management studio 19\common7\ide\mashup\odbc drivers\simba spark odbc driver\libcurl32.dlla\openssl32.dlla\libssl-3.dll
c:\program files (x86)\microsoft sql server management studio 19\common7\ide\mashup\odbc drivers\simba spark odbc driver\openssl32.dlla\libcrypto-3.dll
c:\program files (x86)\microsoft sql server management studio 19\common7\ide\mashup\odbc drivers\simba spark odbc driver\openssl32.dlla\libssl-3.dll
software version detected is 3.0.8 by defender for cloud and defender endpoint in Azure.
i haven't found any way to update it for SSMS.
Please share if you have any advise.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
@Jeff Thorne Thank you for reaching out to us, As I understand you have queries on the OpenSSL vulnerabilities showing in Defender Dashboard.
Researched on your issue and found few changes happened from 3.0.9 to 3.0.10 and notes for the same can be found here - https://www.openssl.org/news/openssl-3.0-notes.html
Could you help me which defender dashboard has discovered these vulnerabilities on your devices, if any screenshot which you can share (if it contains sensitive information, feel free to send me an email to 'AzCommunity@microsoft.com' with Sub - Attn: Givary so that I can review it further).
However similar issue was discussed in the past - https://msrc.microsoft.com/blog/2022/11/microsoft-guidance-related-to-openssl-risk-cve-2022-3786-and-cve-2202-3602/ where the mitigation was to update the OS/respective software having this DLL.
Also would recommend to check if you have any security updates pending for these devices, if yes install them and check if defender still reports.
Reference:
Whether these alerts are false positive or not, I can tell after receiving the screenshot from the defender dashboard, so that I can discuss it with my team internally on the same.
Let me know if you have any further questions, feel free to post back.
Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 63%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
The solution you are suggesting is not very helpful. these applications are already up to date, and same defender isn't flagging them as vulnerable. That is counter intuitive, if an application has a vulnerable library, shouldn't you flag the application as vulnerable.
I think you should speak with users to understand our user experiences.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 54%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDA%3C/text%3E%3C/svg%3E)
@Givary-MSFT i have the same problem on our defender portal and can't be updated openssl in window apps please find below the screenshot
i think this is wrong recommendation
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 47%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
@Dinesh Admin did you ever figure out this issue?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 64%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
In some product groups, there seems to be a misunderstaning about such an issue: Sometimes it's not about "does this vulnerability affect me?", but "how can I trust my security reporting?". Without updating the product to use the current version of openssl, I simply cannot install it any more on any of our devices. Also, Microsoft gets blamed for that, because they are deploying vulnerable code to our computers (it is completely unimportant whether the code is being used or not - it is there). Our security reporting is based on Defender Vulnerabiliy Management. So, in this case Microsoft tells us to NOT use this software until it gets an update - in this case SSMS from Microsoft. PLEASE: when there is a vulnerability in a library you use: do NOT try to find out whether it will affect you or not - simply update. There is no legetimation for a known vulneable library on a computer other than that there is currently no updated library available. But in this case, there is: simply update the f...ing library in your product.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 20%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
I have the same problem, however with different applications. Like Zoom and even some drivers showing up in this report. Has MS released a fix or answer for this yet?
@Gawie Malan did you ever figure out this issue?