Take a look at VMware's security advisory on the vulnerability that the 12.3.0 open-vm-tools release fixes:
https://www.vmware.com/security/advisories/VMSA-2023-0019.html
In particular the advisory states in the notes for open-vm-tools:
[2] A version of open-vm-tools that addresses CVE-2023-20900 will be distributed by Linux vendors.
[3] Fixed versions may differ based on the Linux distribution version and the distribution vendor.
You need to contact Ubuntu to see what their plans are for incorporating newer open-vm-tools versions. It's the responsibility of the distributions to update the version of tools that they package.
(EDITED)
Ubuntu does seem to know about this: https://ubuntu.com/security/CVE-2023-20900
And has opened a bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050970
The bug report seems to indicate that they're waiting for the upstream Debian distribution to incorporate the updated version. From that point it's anyone's guess on how long it will take Canonical to release this for the impacted Ubuntu operating systems.
- Paul (Technogeezer)
Editor of the Unofficial Fusion Companion Guides
