Important: open-vm-tools

2023-09-1323:44:00

alas.aws.amazon.com

vmware

saml token

signature bypass

vulnerability

amazon linux 2

update

security advisory

red hat

mitre

cve-2023-20900

7.6 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

44.7%

JSON

Issue Overview:

VMware Tools contains a SAML token signature bypass vulnerability. A malicious actor with man-in-the-middle (MITM) network positioning between vCenter server and the virtual machine may be able to bypass SAML token signature verification, to perform VMware Tools Guest Operations. (CVE-2023-20900)

Affected Packages:

open-vm-tools

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update open-vm-tools to update your system.

New Packages:

aarch64:  
    open-vm-tools-12.3.0-1.amzn2.aarch64  
    open-vm-tools-desktop-12.3.0-1.amzn2.aarch64  
    open-vm-tools-sdmp-12.3.0-1.amzn2.aarch64  
    open-vm-tools-devel-12.3.0-1.amzn2.aarch64  
    open-vm-tools-test-12.3.0-1.amzn2.aarch64  
    open-vm-tools-debuginfo-12.3.0-1.amzn2.aarch64  
  
src:  
    open-vm-tools-12.3.0-1.amzn2.src  
  
x86_64:  
    open-vm-tools-12.3.0-1.amzn2.x86_64  
    open-vm-tools-desktop-12.3.0-1.amzn2.x86_64  
    open-vm-tools-sdmp-12.3.0-1.amzn2.x86_64  
    open-vm-tools-salt-minion-12.3.0-1.amzn2.x86_64  
    open-vm-tools-devel-12.3.0-1.amzn2.x86_64  
    open-vm-tools-test-12.3.0-1.amzn2.x86_64  
    open-vm-tools-debuginfo-12.3.0-1.amzn2.x86_64

Additional References

Red Hat: CVE-2023-20900

Mitre: CVE-2023-20900

OSVersionArchitecturePackageVersionFilename
Amazon Linux2aarch64open-vm-tools< 12.3.0-1.amzn2open-vm-tools-12.3.0-1.amzn2.aarch64.rpm
Amazon Linux2aarch64open-vm-tools-desktop< 12.3.0-1.amzn2open-vm-tools-desktop-12.3.0-1.amzn2.aarch64.rpm
Amazon Linux2aarch64open-vm-tools-sdmp< 12.3.0-1.amzn2open-vm-tools-sdmp-12.3.0-1.amzn2.aarch64.rpm
Amazon Linux2aarch64open-vm-tools-devel< 12.3.0-1.amzn2open-vm-tools-devel-12.3.0-1.amzn2.aarch64.rpm
Amazon Linux2aarch64open-vm-tools-test< 12.3.0-1.amzn2open-vm-tools-test-12.3.0-1.amzn2.aarch64.rpm
Amazon Linux2aarch64open-vm-tools-debuginfo< 12.3.0-1.amzn2open-vm-tools-debuginfo-12.3.0-1.amzn2.aarch64.rpm
Amazon Linux2x86_64open-vm-tools< 12.3.0-1.amzn2open-vm-tools-12.3.0-1.amzn2.x86_64.rpm
Amazon Linux2x86_64open-vm-tools-desktop< 12.3.0-1.amzn2open-vm-tools-desktop-12.3.0-1.amzn2.x86_64.rpm
Amazon Linux2x86_64open-vm-tools-sdmp< 12.3.0-1.amzn2open-vm-tools-sdmp-12.3.0-1.amzn2.x86_64.rpm
Amazon Linux2x86_64open-vm-tools-salt-minion< 12.3.0-1.amzn2open-vm-tools-salt-minion-12.3.0-1.amzn2.x86_64.rpm

OS	Version	Architecture	Package	Version	Filename
Amazon Linux	2	aarch64	open-vm-tools	< 12.3.0-1.amzn2	open-vm-tools-12.3.0-1.amzn2.aarch64.rpm
Amazon Linux	2	aarch64	open-vm-tools-desktop	< 12.3.0-1.amzn2	open-vm-tools-desktop-12.3.0-1.amzn2.aarch64.rpm
Amazon Linux	2	aarch64	open-vm-tools-sdmp	< 12.3.0-1.amzn2	open-vm-tools-sdmp-12.3.0-1.amzn2.aarch64.rpm
Amazon Linux	2	aarch64	open-vm-tools-devel	< 12.3.0-1.amzn2	open-vm-tools-devel-12.3.0-1.amzn2.aarch64.rpm
Amazon Linux	2	aarch64	open-vm-tools-test	< 12.3.0-1.amzn2	open-vm-tools-test-12.3.0-1.amzn2.aarch64.rpm
Amazon Linux	2	aarch64	open-vm-tools-debuginfo	< 12.3.0-1.amzn2	open-vm-tools-debuginfo-12.3.0-1.amzn2.aarch64.rpm
Amazon Linux	2	x86_64	open-vm-tools	< 12.3.0-1.amzn2	open-vm-tools-12.3.0-1.amzn2.x86_64.rpm
Amazon Linux	2	x86_64	open-vm-tools-desktop	< 12.3.0-1.amzn2	open-vm-tools-desktop-12.3.0-1.amzn2.x86_64.rpm
Amazon Linux	2	x86_64	open-vm-tools-sdmp	< 12.3.0-1.amzn2	open-vm-tools-sdmp-12.3.0-1.amzn2.x86_64.rpm
Amazon Linux	2	x86_64	open-vm-tools-salt-minion	< 12.3.0-1.amzn2	open-vm-tools-salt-minion-12.3.0-1.amzn2.x86_64.rpm