In OpenSSL version 3.0.0 to 3.0.6, a critical vulnerability is found (link). A lot of vendors use these versions of OpenSSL in their products. VMware has the following statement:
To date, no VMware products have been found to be critically impacted by CVE-2022-3602 or CVE-2022-3786. Regardless, VMware products that consume OpenSSL 3.0.x will consume 3.0.7 fixes as a precautionary measure in upcoming releases.
VMware Tools version 12.0.0 and 12.1.0 both contain the OpenSSL 3.0.x version.
| VMware Tools | OpenSSL version |
| 12.0.0 | 3.0.0 |
| 12.1.0 | 3.0.3 |
To quickly identify what VMs have the OpenSSL 3 vulnerability present you can use PowerCLI. The following script identifies all VMware Tools 12 versions and higher:
$vcserver = 'the FQDN of the vCenter Server name'
Connect-VIServer $vcserver
Get-VM | Where-Object {$_.Guest.ToolsVersion -ge '12.0.0'} | Select -property Name,PowerState,@{Name='Toolsversion';Expression={$_.Guest.Toolsversion}} | Sort Toolsversion
Disconnect-VIServer * -Confirm:$false
The results can be exported to a CSV file by adding the following line after the Sort ToolsVersion
| export-csv c:\temp\vmwtools.csv -notypeinformation
OpenSSL v3.0.7 is released. This version will fix the critical vulnerability. The NCSC has a GitHub page (Link) with software that is affected. Now it is time for VMware to release an updated version of VMware Tools that included the new OpenSSL version
Update: November 29, 2022
VMware Tools 12.1.5 is released. This is a maintenance release of VMware Tools to provide fixes for critical product issues and security issues:
- Updated OpenSSL to 3.0.7
- Updated zlib to 1.2.12 with additional fixes
- Updated GLib to 2.56.3 with additional fixes
- Updated libxml2 to 2.10.2
- This release resolves CVE-2022-31693. For more information on this vulnerability and its impact on VMware products, see https://www.vmware.com/security/advisories/VMSA-2022-0029.html.
The release notes can be found here and the download location can be found here.