Take a look at VMware's security advisory on the vulnerability that the 12.3.0 open-vm-tools release fixes:

https://www.vmware.com/security/advisories/VMSA-2023-0019.html

In particular the advisory states in the notes for open-vm-tools:

[2] A version of open-vm-tools that addresses CVE-2023-20900 will be distributed by Linux vendors. 
[3] Fixed versions may differ based on the Linux distribution version and the distribution vendor.

You need to contact Ubuntu to see what their plans are for incorporating newer open-vm-tools versions. It's the responsibility of the distributions to update the version of tools that they package.

(EDITED)

Ubuntu does seem to know about this: https://ubuntu.com/security/CVE-2023-20900

And has opened a bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050970

The bug report seems to indicate that they're waiting for the upstream Debian distribution to incorporate the updated version. From that point it's anyone's guess on how long it will take Canonical to release this for the impacted Ubuntu operating systems.

paul:

thanks very much for your time- i appreciate the help.

js

FYI Debian seems to now have this version in their repos for Debian 12 "bookworm". They've released the fixes for Debian 12 "bookworm" as 2:12.2.0-1+deb12u1, and for Debian 11 "bullseye" as 2:11.2.5-2+deb11u2 (note that in both of these cases it looks like Debian decided to back-port the fixes from source into the base versions they distribute for the given OS releases).  

It's up to Canonical now to determine when to bring this to Ubuntu. They do seem to take their time on things from what I've seen, especially for LTS releases where they prioritize stability.

FYI - Ubuntu has released the patch for open-vm-tools on 22.04 LTS. Their updated package carries a version of 2:12.1.5-3~ubuntu0.22.04.3

i saw that earlier and updated. i appreciate your help on  this issue.