Update OpenSSL modules in ODBC drivers to secure version for Power BI Desktop

Defender 365 environment reporting vulnerable versions of OpenSSL 3.0.8 for the ODBC drivers for Power BI Desktop.

 

Issue still present in version 2023.

 

c:\program files\microsoft power bi desktop\bin\odbc drivers\simba spark odbc driver\libcurl64.dlla\openssl64.dlla\libcrypto-3-x64.dll

c:\program files\microsoft power bi desktop\bin\odbc drivers\simba spark odbc driver\libcurl64.dlla\openssl64.dlla\libssl-3-x64.dll

c:\program files\microsoft power bi desktop\bin\odbc drivers\simba spark odbc driver\openssl64.dlla\libcrypto-3-x64.dll

c:\program files\microsoft power bi desktop\bin\odbc drivers\simba spark odbc driver\openssl64.dlla\libssl-3-x64.dll

Status: Investigating
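To confirm on an endpoint what the scanner is flagging, the following added example (not part of the original post and not Microsoft tooling) inventories the bundled OpenSSL 3.x DLLs under the ODBC drivers folder named in the paths above and reports each file's version resource and hash. The default minimum version is an assumption taken from a figure a commenter cites in this thread; replace it with the fixed version named in your scanner's advisory.

```powershell
# Added example: inventory the OpenSSL 3.x DLLs bundled with Power BI Desktop's ODBC drivers.
param(
    # Default root taken from the paths in the post; adjust for other install locations.
    [string]$Root = 'C:\Program Files\Microsoft Power BI Desktop\bin\ODBC Drivers',
    # Assumption: version cited by a commenter in this thread. Replace with the
    # fixed version your scanner's advisory actually names.
    [version]$MinimumVersion = '3.1.2'
)

function Get-BundledOpenSsl {
    param([string]$Path, [version]$Minimum)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Not found: $Path"
        return
    }
    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^lib(crypto|ssl)-3.*\.dll$' } |
        ForEach-Object {
            $vi = $_.VersionInfo
            # A DLL without a version resource reports an empty FileVersion;
            # flag it as Unknown instead of treating 0.0.0 as a real version.
            if ([string]::IsNullOrWhiteSpace($vi.FileVersion)) {
                $version = $null
                $state   = 'Unknown'
            } else {
                $version = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)
                $state   = if ($version -lt $Minimum) { 'BelowMinimum' } else { 'OK' }
            }
            [pscustomobject]@{
                File    = $_.Name
                Version = $version
                State   = $state
                SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Path    = $_.FullName
            }
        }
}

# Emits objects, so the result can be piped to Export-Csv or compared across machines.
Get-BundledOpenSsl -Path $Root -Minimum $MinimumVersion | Sort-Object Path
```

Running it before and after a Power BI Desktop upgrade shows whether a new release actually replaced the bundled libraries or only changed the application version.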

Hi  @MikeP75 ,

 

Based on the above information, if you are a Power BI Pro licensee, you can create a support ticket for free and a dedicated Microsoft engineer will come to solve the problem for you.
It would be great if you continue to share in this issue to help others with similar problems after you know the root cause or solution.

 

The link of Power BI Support: Support | Microsoft Power BI

For how to create a support ticket, please refer to How to create a support ticket in Power BI - Microsoft Power BI Community

 

Best Regards,
Community Support Team _ Caitlyn

Comments
v-xiaoyan-msft
Community Support
Status changed to: Investigating

Hi @MikeP75 ,

 

I understand that you are concerned about the OpenSSL 3.0.8 vulnerability in your Defender 365 environment for the ODBC drivers for Power BI Desktop. I will try to help you with some information and suggestions.

According to the web search results, the OpenSSL 3.0.8 vulnerability affects all OpenSSL versions between 3.0.0 and 3.0.6, and it can cause a denial of service or potentially remote code execution if an attacker sends a malicious certificate to a server that parses certificates as part of client authentication [1][2][3]. The recommended solution is to upgrade to OpenSSL 3.0.7, which includes patches for the vulnerability [1][2].

However, the ODBC drivers for Power BI Desktop may not be directly affected by this vulnerability, as they use the ODBC connection string to connect to the data source, and they do not rely on the certificate verification process [4][5]. Therefore, you may not need to update the ODBC drivers for Power BI Desktop, unless they are using an older version of OpenSSL that is vulnerable.

 

New OpenSSL v3 vulnerability: prepare with Microsoft Defender for Cloud - Microsoft Community Hub

New OpenSSL 3.0 vulnerabilities: What you need to know to find and fix them | GitLab

OpenSSL 3.0.0 < 3.0.8 Multiple Vulnerabilities | Tenable®

 

Best regards.
Community Support Team_Caitlyn

MikeP75
New Member

Hi @v-xiaoyan-msft 

 

Thank you for investigating this. Updating to 3.0.7 isn't going to help, as that version has other vulnerabilities. From what I can find, the latest secure version is 3.1.2.

 

Regards

 

Mike

f5a274587a11
New Member

Four months later, with a later version 2.122.746.0 (23.10) (x64), this issue continues to exist.

f5a274587a11
New Member

@v-xiaoyan-msft what news can you provide?

aavdberg
New Member

We have the same problem. When will there be a Power BI Desktop with updated OpenSSL?

adamlcohen
New Member

Five months later and still no update to this High CVE.

 

In the UK, if this is not patched in 14 days, companies fail compliance for Cyber Essentials. Come on Microsoft, you cannot run an application on a vulnerable third-party library without updating.

 

 

Sven007
New Member

Sometimes it's not about "does this vulnerability affect me?", but "how can I trust my security reporting?". Without updating Power BI to use the current version of OpenSSL, I simply cannot install it any more on any of our devices. Also, Microsoft gets blamed for that, because they are deploying vulnerable code to our computers (it is completely unimportant whether the code is being used or not - it is there). Our security reporting is based on Defender Vulnerability Management. So, in this case Microsoft tells us to NOT use this software until it gets an update - namely Power BI from Microsoft.

PLEASE: when there is a vulnerability in a library you use: do NOT try to find out whether it will affect you or not - simply update. There is no legitimation for a known vulnerable library on a computer other than that there is currently no update available. But in this case, there is: simply update the f...ing library in your product.

bsjut
Advocate II

Same here, this is also flagged for us as a vulnerability.

TechCF
New Member

Microsoft Defender reported this for us as well, most of our Fabric infrastructure. Please provide updated components.