We currently have our Tenable appliance reporting a vulnerability in open-vm-tools on two of our Ubuntu servers, with regard to the embedded versions contained within the application's lib32 and lib64 folders.
The versions of OpenSSL embedded in open-vm-tools are 1.0.1p. Tenable advises updating to 1.0.1u, at minimum, to remediate this vulnerability. When trying to update open-vm-tools, our servers report we are running the latest version, and the OS has been patched with all available.
-----------------------------Output From Server---------------------------------------------
xxxxxxxx@XXXXXXXXXXX:/usr/lib/vmware-tools/lib64# apt update && sudo apt -y install open-vm-tools
Hit:1 http://security.ubuntu.com/ubuntu focal-security InRelease
Hit:2 http://us.archive.ubuntu.com/ubuntu focal InRelease
Get:3 http://us.archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Hit:4 http://us.archive.ubuntu.com/ubuntu focal-backports InRelease
Fetched 114 kB in 2s (54.5 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
Reading package lists... Done
Building dependency tree
Reading state information... Done
open-vm-tools is already the newest version (2:11.3.0-2ubuntu0~ubuntu20.04.7).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
-----------------------------Output From Server---------------------------------------------
-----------------------------OS Versions-----------------------------------------------------------
xxxxxxxx@XXXXXXXXXXX:/usr/lib/vmware-tools/lib64/libcrypto.so.1.0.1# hostnamectl
Static hostname: XXXXXXXXXXX
Icon name: computer-vm
Chassis: vm
Machine ID: XXXXXXXXXXX
Boot ID: XXXXXXXXXXX
Virtualization: vmware
Operating System: Ubuntu 20.04.6 LTS
Kernel: Linux 6.3.4-060304-generic
Architecture: x86-64
-----------------------------OS Versions-----------------------------------------------------------
------------------------------OS Patching----------------------------------------------------------
xxxxxxxx@XXXXXXXXXXX:/usr/lib/vmware-tools/lib64/libcrypto.so.1.0.1# apt update
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following NEW packages will be installed:
ubuntu-pro-client
The following packages will be upgraded:
base-files dns-root-data klibc-utils libgpgme11 libklibc libnss-systemd libpam-systemd libpython2.7-minimal libpython2.7-stdlib libsystemd0 libudev1 ltrace motd-news-config python2.7 python2.7-minimal python3-update-manager snapd
systemd systemd-sysv tcpdump ubuntu-advantage-tools ubuntu-pro-client-l10n udev unzip update-manager-core update-notifier-common
26 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
2 standard LTS security updates
Need to get 35.2 MB/35.4 MB of archives.
After this operation, 70.1 MB disk space will be freed.
Do you want to continue? [Y/n] y
Get:1 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 motd-news-config all 11ubuntu5.8 [4,284 B]
Get:2 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 base-files amd64 11ubuntu5.8 [60.3 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 libnss-systemd amd64 245.4-4ubuntu3.23 [96.2 kB]
Get:4 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 udev amd64 245.4-4ubuntu3.23 [1,366 kB]
Get:5 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 libudev1 amd64 245.4-4ubuntu3.23 [75.6 kB]
Get:6 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 systemd-sysv amd64 245.4-4ubuntu3.23 [10.3 kB]
Get:7 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 libpam-systemd amd64 245.4-4ubuntu3.23 [186 kB]
Get:8 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 systemd amd64 245.4-4ubuntu3.23 [3,811 kB]
Get:9 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 libsystemd0 amd64 245.4-4ubuntu3.23 [268 kB]
Get:10 http://us.archive.ubuntu.com/ubuntu focal-updates/universe amd64 python2.7 amd64 2.7.18-1~20.04.4 [248 kB]
Get:11 http://us.archive.ubuntu.com/ubuntu focal-updates/universe amd64 libpython2.7-stdlib amd64 2.7.18-1~20.04.4 [1,887 kB]
Get:12 http://us.archive.ubuntu.com/ubuntu focal-updates/universe amd64 python2.7-minimal amd64 2.7.18-1~20.04.4 [1,280 kB]
Get:13 http://us.archive.ubuntu.com/ubuntu focal-updates/universe amd64 libpython2.7-minimal amd64 2.7.18-1~20.04.4 [335 kB]
Get:14 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 update-manager-core all 1:20.04.10.20 [11.6 kB]
Get:15 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 python3-update-manager all 1:20.04.10.20 [38.4 kB]
Get:16 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 ubuntu-advantage-tools all 31.2.2~20.04 [10.9 kB]
Get:17 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 ubuntu-pro-client amd64 31.2.2~20.04 [196 kB]
Get:18 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 update-notifier-common all 3.192.30.19 [173 kB]
Get:19 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 ubuntu-pro-client-l10n amd64 31.2.2~20.04 [18.4 kB]
Get:20 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 ltrace amd64 0.7.3-6.1ubuntu1.1 [123 kB]
Get:21 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 tcpdump amd64 4.9.3-4ubuntu0.3 [370 kB]
Get:22 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 dns-root-data all 2023112702~ubuntu0.20.04.1 [5,308 B]
Get:23 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 libgpgme11 amd64 1.13.1-7ubuntu2.2 [120 kB]
Get:24 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 snapd amd64 2.61.3+20.04 [24.4 MB]
Get:25 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 unzip amd64 6.0-25ubuntu1.2 [169 kB]
Fetched 35.2 MB in 22s (1,597 kB/s)
-------------------------After Patching----------------------------------
xxxxxxxx@XXXXXXXXXXX:/usr/lib/vmware-tools/lib64/libcrypto.so.1.0.1# apt update
Hit:1 http://security.ubuntu.com/ubuntu focal-security InRelease
Hit:2 http://us.archive.ubuntu.com/ubuntu focal InRelease
Get:3 http://us.archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Hit:4 http://us.archive.ubuntu.com/ubuntu focal-backports InRelease
Fetched 114 kB in 2s (56.1 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
xxxxxxxx@XXXXXXXXXXX:/usr/lib/vmware-tools/lib64/libcrypto.so.1.0.1# apt upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
------------------------------OS Patching----------------------------------------------------------
-----------------------------Tenable Output-----------------------------------------------------
Path : /usr/lib/vmware-tools/lib32/libcrypto.so.1.0.1/libcrypto.so.1.0.1
Reported version : 1.0.1p
Fixed version : 1.0.1s
Path : /usr/lib/vmware-tools/lib32/libssl.so.1.0.1/libssl.so.1.0.1
Reported version : 1.0.1p
Fixed version : 1.0.1s
Path : /usr/lib/vmware-tools/lib64/libcrypto.so.1.0.1/libcrypto.so.1.0.1
Reported version : 1.0.1p
Fixed version : 1.0.1s
Path : /usr/lib/vmware-tools/lib64/libssl.so.1.0.1/libssl.so.1.0.1
Reported version : 1.0.1p
Fixed version : 1.0.1s
-----------------------------Tenable Output-----------------------------------------------------
If the OS and application are up to date but Tenable is reporting that OpenSSL in open-vm-tools is vulnerable, how can I update the embedded version in the locations listed by Tenable?
Can a patched open-vm-tools be released for the OS release, or can remediation steps be released?
Thanks
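
One way to check a finding like this on the host, as an added example that is not part of the original post: it parses the scanner lines, reads the OpenSSL banner out of the flagged file, compares it with the fixed version, and asks dpkg which package owns the path. SAMPLE_REPORT and all function names are constructed for illustration; a path that no package owns is outside what `apt upgrade` can change.

```python
import re
import subprocess
from pathlib import Path

# Constructed sample: one finding in the scanner layout shown in the post.
SAMPLE_REPORT = ("Path : /usr/lib/vmware-tools/lib64/libssl.so.1.0.1/libssl.so.1.0.1\n"
                 "Reported version : 1.0.1p\nFixed version : 1.0.1s\n")
FIELDS = ("Path", "Reported version", "Fixed version")
FINDING = re.compile(
    r"Path\s*:\s*(\S+)\s+Reported version\s*:\s*(\S+)\s+Fixed version\s*:\s*(\S+)")
# OpenSSL libraries carry a banner such as b"OpenSSL 1.0.1p 9 Jul 2015".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*) ")

def version_key(text):
    """'1.0.1p' -> (1, 0, 1, 'p'); the letter suffix sorts 1.0.1 < 1.0.1a < 1.0.1s."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", text.strip())
    if m is None:
        raise ValueError(f"not an OpenSSL letter-style version: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3]), m[4])

def parse_findings(report):
    """Return one dict per Path / Reported version / Fixed version group."""
    return [dict(zip(FIELDS, groups)) for groups in FINDING.findall(report)]

def embedded_version(data):
    """Version string from the first OpenSSL banner in the file bytes, else None."""
    m = BANNER.search(data)
    return m[1].decode() if m else None

def owning_package(path):
    """Package that installed path according to dpkg, or None (unowned or no dpkg)."""
    try:
        r = subprocess.run(["dpkg-query", "-S", path], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return r.stdout.split(": ", 1)[0] if r.returncode == 0 and r.stdout else None

def triage(finding, data=None):
    """Prefer the banner read from disk; fall back to the scanner's reported version."""
    path = finding["Path"]
    if data is None and Path(path).is_file():
        data = Path(path).read_bytes()
    found = embedded_version(data or b"") or finding["Reported version"]
    return {"path": path, "found": found, "owner": owning_package(path),
            "vulnerable": version_key(found) < version_key(finding["Fixed version"])}

if __name__ == "__main__":
    for finding in parse_findings(SAMPLE_REPORT):
        print(triage(finding))
```

An `owner` of `None` together with `vulnerable: True` means the library was not installed by any dpkg package, so the package manager reporting "already the newest version" says nothing about that file.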