Identify VMs that have VMware Tools with the OpenSSL v3 vulnerability

In OpenSSL versions 3.0.0 through 3.0.6, a critical vulnerability was found (link). Many vendors use these versions of OpenSSL in their products. VMware has issued the following statement:

To date, no VMware products have been found to be critically impacted by CVE-2022-3602 or CVE-2022-3786. Regardless, VMware products that consume OpenSSL 3.0.x will consume 3.0.7 fixes as a precautionary measure in upcoming releases.

VMware Tools versions 12.0.0 and 12.1.0 both ship an OpenSSL 3.0.x version:

VMware Tools    OpenSSL version
12.0.0          3.0.0
12.1.0          3.0.3

To quickly identify which VMs have OpenSSL 3 present you can use PowerCLI. The following script lists all VMs running VMware Tools version 12 or higher:

# Replace with the FQDN of your vCenter Server
$vcserver = 'the FQDN of the vCenter Server name'
Connect-VIServer $vcserver
# Cast ToolsVersion to [version] so the comparison is numeric: a plain string comparison
# with '12.0.0' would also match e.g. 9.x because '9' sorts after '1'. VMs that do not
# report a Tools version (no Tools installed, powered off) are skipped.
Get-VM | Where-Object { $v = $_.Guest.ToolsVersion -as [version]; $v -and $v -ge [version]'12.0.0' } | Select-Object -Property Name,PowerState,@{Name='ToolsVersion';Expression={$_.Guest.ToolsVersion}} | Sort-Object ToolsVersion
Disconnect-VIServer * -Confirm:$false

The results can be exported to a CSV file by appending the following to the pipeline after the Sort step:

| Export-Csv c:\temp\vmwtools.csv -NoTypeInformation

OpenSSL v3.0.7 has been released. This version fixes the critical vulnerability. The NCSC has a GitHub page (Link) listing affected software. Now it is up to VMware to release an updated version of VMware Tools that includes the new OpenSSL version.

Update: November 29, 2022

VMware Tools 12.1.5 is released. This is a maintenance release of VMware Tools to provide fixes for critical product issues and security issues:

  • Updated OpenSSL to 3.0.7
  • Updated zlib to 1.2.12 with additional fixes
  • Updated GLib to 2.56.3 with additional fixes
  • Updated libxml2 to 2.10.2
  • This release resolves CVE-2022-31693. For more information on this vulnerability and its impact on VMware products, see https://www.vmware.com/security/advisories/VMSA-2022-0029.html.

The release notes can be found here and the download location can be found here.
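With 12.1.5 available, the inventory script above can be turned into a per-VM status report. The following is an added example, not code from the original post: it maps each VM's Tools version to the OpenSSL version from the table above (12.0.0 = 3.0.0, 12.1.0 = 3.0.3, 12.1.5 = 3.0.7) and flags the VMs that still need the update. It assumes, as the post's table implies, that Tools below 12.0.0 does not bundle OpenSSL 3.0.x and that no Tools release between 12.1.0 and 12.1.5 carried a vulnerable OpenSSL; `$vcserver` and the CSV path are placeholders.

```powershell
# Added example (not from the original post). Requires the PowerCLI module and a reachable vCenter.
$vcserver = 'vcenter.example.local'      # placeholder: replace with your vCenter FQDN

# Thresholds taken from the post: 12.0.0 is the first Tools release with OpenSSL 3.0.x,
# 12.1.5 is the first release with the fixed OpenSSL 3.0.7.
$firstOpenSsl3 = [version]'12.0.0'
$fixedTools    = [version]'12.1.5'

function Get-ToolsOpenSslStatus {
    param([string]$ToolsVersion)
    # -as [version] yields $null for empty or non-numeric strings instead of throwing
    $v = $ToolsVersion -as [version]
    if (-not $v)             { return 'unknown: no Tools version reported' }
    if ($v -lt $firstOpenSsl3) { return 'not affected: Tools predates OpenSSL 3.0.x (assumption)' }
    if ($v -lt $fixedTools)  { return 'VULNERABLE: bundles OpenSSL 3.0.0-3.0.6, update to 12.1.5' }
    return 'fixed: bundles OpenSSL 3.0.7 or later'
}

Connect-VIServer $vcserver
$report = Get-VM | ForEach-Object {
    [pscustomobject]@{
        Name         = $_.Name
        PowerState   = $_.PowerState
        ToolsVersion = $_.Guest.ToolsVersion
        Status       = Get-ToolsOpenSslStatus $_.Guest.ToolsVersion
    }
}
Disconnect-VIServer * -Confirm:$false

# Show everything on screen, and export only the VMs that still need the 12.1.5 update
$report | Sort-Object ToolsVersion | Format-Table -AutoSize
$report | Where-Object Status -like 'VULNERABLE*' |
    Export-Csv C:\temp\vmwtools-vulnerable.csv -NoTypeInformation   # placeholder path
```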
