Security update for open-vm-tools
| Announcement ID: | SUSE-SU-2022:2961-1 |
|---|---|
| Rating: | important |
| References: | |
| Cross-References: | |
| CVSS scores: | |
| Affected Products: | |

An update that solves one vulnerability and has four security fixes can now be installed.
Description:
This update for open-vm-tools fixes the following issues:
- CVE-2022-31676: Fixed an issue that could allow unprivileged users inside a virtual machine to escalate privileges (bsc#1202657).
Non-security fixes:
- Update to 11.0.5 (build 15389592) (bsc#1165955)
  - DNS server is reported incorrectly in GuestInfo as '127.0.0.53' when the OS uses systemd-resolved. This issue is fixed in this release.
  - Added Application Discover (appInfo) plugin. The plugin collects information about applications running inside the guest and publishes it to a guest variable.
- GCC-10 compiler failure (bsc#1160408)
  The update will solve a GNU Compiler Collection GCC10 failure with -fno-common.
- Rectify a log spew in vmsvc logging (bsc#1162435, bsc#1162119)
  When an LSI Logic Parallel SCSI controller sits in PCI bus 0 (SCSI controller 0), the Linux disk device enumeration does not provide a "label" file with the controller name. This results in messages like "GuestInfoGetDiskDevice: Missing disk device name; VMDK mapping unavailable for "/var/log", fsName: "/dev/sda2"" repeatedly appearing in the vmsvc logging. The update converts what was previously a warning message to a debug message and thus avoids the log spew.
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server ESPOS 15
  zypper in -t patch SUSE-SLE-Product-HPC-15-2022-2961=1
- SUSE Linux Enterprise High Performance Computing 15 LTSS 15
  zypper in -t patch SUSE-SLE-Product-HPC-15-2022-2961=1
- SUSE Linux Enterprise Server 15 LTSS 15
  zypper in -t patch SUSE-SLE-Product-SLES-15-2022-2961=1
- SUSE Linux Enterprise Server for SAP Applications 15
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2022-2961=1
Package List:
- SUSE Linux Enterprise Server ESPOS 15 (x86_64)
  - open-vm-tools-debuginfo-11.0.5-150000.3.29.1
  - libvmtools0-debuginfo-11.0.5-150000.3.29.1
  - open-vm-tools-11.0.5-150000.3.29.1
  - open-vm-tools-desktop-debuginfo-11.0.5-150000.3.29.1
  - libvmtools0-11.0.5-150000.3.29.1
  - open-vm-tools-desktop-11.0.5-150000.3.29.1
  - libvmtools-devel-11.0.5-150000.3.29.1
  - open-vm-tools-debugsource-11.0.5-150000.3.29.1
- SUSE Linux Enterprise High Performance Computing 15 LTSS 15 (x86_64)
  - open-vm-tools-debuginfo-11.0.5-150000.3.29.1
  - libvmtools0-debuginfo-11.0.5-150000.3.29.1
  - open-vm-tools-11.0.5-150000.3.29.1
  - open-vm-tools-desktop-debuginfo-11.0.5-150000.3.29.1
  - libvmtools0-11.0.5-150000.3.29.1
  - open-vm-tools-desktop-11.0.5-150000.3.29.1
  - libvmtools-devel-11.0.5-150000.3.29.1
  - open-vm-tools-debugsource-11.0.5-150000.3.29.1
- SUSE Linux Enterprise Server 15 LTSS 15 (x86_64)
  - open-vm-tools-debuginfo-11.0.5-150000.3.29.1
  - libvmtools0-debuginfo-11.0.5-150000.3.29.1
  - open-vm-tools-11.0.5-150000.3.29.1
  - open-vm-tools-desktop-debuginfo-11.0.5-150000.3.29.1
  - libvmtools0-11.0.5-150000.3.29.1
  - open-vm-tools-desktop-11.0.5-150000.3.29.1
  - libvmtools-devel-11.0.5-150000.3.29.1
  - open-vm-tools-debugsource-11.0.5-150000.3.29.1
- SUSE Linux Enterprise Server for SAP Applications 15 (x86_64)
  - open-vm-tools-debuginfo-11.0.5-150000.3.29.1
  - libvmtools0-debuginfo-11.0.5-150000.3.29.1
  - open-vm-tools-11.0.5-150000.3.29.1
  - open-vm-tools-desktop-debuginfo-11.0.5-150000.3.29.1
  - libvmtools0-11.0.5-150000.3.29.1
  - open-vm-tools-desktop-11.0.5-150000.3.29.1
  - libvmtools-devel-11.0.5-150000.3.29.1
  - open-vm-tools-debugsource-11.0.5-150000.3.29.1
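
To confirm that a host has picked up the fixed packages after patching, the check below compares the installed version-release of each package against the release in the package list. It is an added example, not part of the SUSE advisory: the function names and the `--audit` switch are made up for illustration, and the numeric field comparison is a simplification of RPM's own version ordering.

```shell
#!/bin/sh
# Added example: audit a host against this advisory's fixed package release.
# FIXED_EVR and the package names are copied from the advisory's package list.
FIXED_EVR="11.0.5-150000.3.29.1"
PKGS="open-vm-tools open-vm-tools-desktop libvmtools0 libvmtools-devel"

# evr_at_least INSTALLED FIXED
# Exit 0 when INSTALLED >= FIXED. Fields are split on '.' and '-' and compared
# numerically, left to right. Assumption: all fields are numeric, as in the
# advisory's version strings; this is not a full RPM version comparison.
evr_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[.-]/); m = split(b, y, /[.-]/)
        for (i = 1; i <= n || i <= m; i++)
            if (x[i] + 0 != y[i] + 0) exit ((x[i] + 0 > y[i] + 0) ? 0 : 1)
        exit 0
    }'
}

# classify INSTALLED_EVR: print "absent", "ok" or "outdated".
classify() {
    if [ -z "$1" ]; then
        echo absent
    elif evr_at_least "$1" "$FIXED_EVR"; then
        echo ok
    else
        echo outdated
    fi
}

# audit: query the RPM database for each package; return 1 if any is too old.
audit() {
    rc=0
    for pkg in $PKGS; do
        evr=$(rpm -q --qf '%{VERSION}-%{RELEASE}' "$pkg" 2>/dev/null) || evr=""
        state=$(classify "$evr")
        printf '%-22s %-24s %s\n' "$pkg" "${evr:-not installed}" "$state"
        if [ "$state" = outdated ]; then rc=1; fi
    done
    return "$rc"
}

# Run only when asked to, so the functions can be sourced and tested offline.
if [ "${1:-}" = "--audit" ]; then
    audit
fi
```

A plain string comparison would rank release `3.3.1` above `3.29.1`; comparing field by field as numbers avoids that.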
References:
- https://www.suse.com/security/cve/CVE-2022-31676.html
- https://bugzilla.suse.com/show_bug.cgi?id=1160408
- https://bugzilla.suse.com/show_bug.cgi?id=1162119
- https://bugzilla.suse.com/show_bug.cgi?id=1162435
- https://bugzilla.suse.com/show_bug.cgi?id=1165955
- https://bugzilla.suse.com/show_bug.cgi?id=1202657