hello:
i am having an issue with vmware tools (installed are open-vm-tools & open-vm-tools-desktop) not updating in ubuntu 22.04.3 lts. v12.3.0 for these tools was identified as resolving vulnerabilities, but guest tools are not upgrading from 12.1.5.3 along with other guest system packages during apt updates.
any help would be much appreciated.
thanks, js
Take a look at VMware's security advisory on the vulnerability that the 12.3.0 open-vm-tools release fixes:
https://www.vmware.com/security/advisories/VMSA-2023-0019.html
In particular the advisory states in the notes for open-vm-tools:
[2] A version of open-vm-tools that addresses CVE-2023-20900 will be distributed by Linux vendors.
[3] Fixed versions may differ based on the Linux distribution version and the distribution vendor.
You need to contact Ubuntu to see what their plans are for incorporating newer open-vm-tools versions. It's the responsibility of the distributions to update the version of tools that they package.
Ubuntu does seem to know about this: https://ubuntu.com/security/CVE-2023-20900
And has opened a bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050970
The bug report seems to indicate that they're waiting for the upstream Debian distribution to incorporate the updated version. From that point it's anyone's guess on how long it will take Canonical to release this for the impacted Ubuntu operating systems.
paul:
thanks very much for your time- i appreciate the help.
js
FYI Debian seems to now have this version in their repos for Debian 12 "bookworm". They've released the fixes for Debian 12 "bookworm" as 2:12.2.0-1+deb12u1, and for Debian 11 "bullseye" as 2:11.2.5-2+deb11u2 (note that in both of these cases it looks like Debian decided to back-port the fixes from source into the base versions they distribute for the given OS releases).
It's up to Canonical now to determine when to bring this to Ubuntu. They do seem to take their time on things from what I've seen, especially for LTS releases where they prioritize stability.
FYI - Ubuntu has released the patch for open-vm-tools on 22.04 LTS. Their updated package carries a version of 2:12.1.5-3~ubuntu0.22.04.3
i saw that earlier and updated. i appreciate your help on this issue.
