mpellizzon
Copper Contributor
Apr 28, 2025

CVE-2024-13176 Openssl Vulnerability in Azure CLI

Hello Microsoft,

I updated Azure CLI to latest version as per Microsoft Vulnerability Management Report recommendation. But Azure CLI is still appearing as vulnerable.

Is there any update on this?

Thanks

Mirella

1 Reply

  • I believe it may be related to the below:

    • The Azure CLI installer may not yet include the patched versions of OpenSSL (e.g., 3.0.150 or later).
    • Microsoft Defender for Cloud and other tools detect the version of these DLLs directly, regardless of CLI version.
    • The vulnerability may also exist in Azure extensions or agents, such as the Network Watcher Agent, which use their own copies of OpenSSL.

    Please further check:

    1. DLL Versions:
      • Navigate to the Azure CLI install directory and inspect libssl-3.dll and libcrypto-3.dll.
      • If they are older than 3.0.150, they may still be vulnerable.
    2. Monitor GitHub Issues:
      • Microsoft is tracking this on Azure CLI GitHub.
    3. Report to Microsoft Defender Team:
      • If you're using Defender for Endpoint or Defender for Cloud, submit a false positive or request clarification through the portal.
    4. Use Workaround with External OpenSSL:
      • Manually replace the DLLs with patched versions from OpenSSL.org, but this is not officially supported and may break CLI functionality.
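
The DLL check described in the reply above, as an added example that is not part of the original thread and not Microsoft tooling: it inventories every `libssl-3` / `libcrypto-3` copy under the directories you pass in, so bundled copies in extensions or agents show up alongside the Azure CLI ones. The function name, its parameters and the placeholder path are hypothetical; the minimum version is deliberately left for you to supply from the advisory you follow.

```powershell
# Added example: inventory OpenSSL 3.x DLLs under one or more directories.
# Get-OpenSslDllInventory and its parameter names are hypothetical.
function Get-OpenSslDllInventory {
    [CmdletBinding()]
    param(
        # Directories to search: the Azure CLI install directory, agent or extension folders, etc.
        [Parameter(Mandatory)]
        [string[]]$Root,

        # Optional: lowest file version you accept, taken from the advisory you follow.
        [version]$MinimumVersion
    )

    foreach ($dir in $Root) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            Write-Warning "Skipping '$dir': not a directory"
            continue
        }

        Get-ChildItem -LiteralPath $dir -Recurse -File -ErrorAction SilentlyContinue |
            # The wildcard also matches 64-bit names such as libssl-3-x64.dll.
            Where-Object { $_.Name -like 'libssl-3*.dll' -or $_.Name -like 'libcrypto-3*.dll' } |
            ForEach-Object {
                $info = $_.VersionInfo
                # Build the version from the numeric PE fields; the string fields can carry suffixes.
                $fileVer = [version]::new($info.FileMajorPart, $info.FileMinorPart,
                                          $info.FileBuildPart, $info.FilePrivatePart)
                [pscustomobject]@{
                    Path           = $_.FullName
                    FileVersion    = $fileVer
                    ProductVersion = $info.ProductVersion
                    LastWriteTime  = $_.LastWriteTime
                    # $null when no threshold was given, so "unknown" is not reported as "fine".
                    BelowMinimum   = if ($MinimumVersion) { $fileVer -lt $MinimumVersion } else { $null }
                }
            }
    }
}

# Example call; the path is a placeholder, substitute your own install directory:
# Get-OpenSslDllInventory -Root 'C:\path\to\azure-cli' | Format-Table -AutoSize
```

Running it before and after a CLI update shows whether the update actually replaced the DLLs that the scanner is reporting on.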
