burmilla / os

Tiny Linux distro that runs the entire OS as Docker containers
https://burmillaos.org
Apache License 2.0

Looking for open-vm-tools security update - CVE-2022-31676 for burmilla/os-openvmtools docker image #143

Status: Closed (closed by laxmankk 1 year ago)

laxmankk commented 1 year ago

BurmillaOS Version: v1.9.2

Where are you running BurmillaOS? As a virtual appliance

Do you use some service(s) which are not enabled by default? open-vm-tools

Looking for the open-vm-tools security update (CVE-2022-31676) for the burmilla/os-openvmtools Docker image. When will the latest image be available? https://hub.docker.com/r/burmilla/os-openvmtools

olljanat commented 1 year ago

It is a bit hard to imagine a real-world scenario where BurmillaOS would be affected by that CVE.

You would need to have:

  1. A container running as non-root.
  2. Devices created by VMware tools mounted inside of that container.
  3. The attacker needs to find a way to run commands inside of that container.

However, feel free to open a pull request if you see this as critical. It basically would need updating this to a later version https://github.com/burmilla/os-services/blob/master/o/open-vm-tools.yml#L2 , the same version to be updated in here https://github.com/burmilla/os-services/blob/master/images/10-openvmtools/Dockerfile#L38 , and potentially updating some other libraries because of the switch from 11.x to 12.x.
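The first two preconditions listed in the comment above (container running as non-root, VMware tools devices mounted into it) can be checked statically from `docker inspect` output; the third (an attacker able to run commands inside the container) cannot. The script below is an added triage example written for this thread, not code from the BurmillaOS project. The device paths it looks for (`/dev/vmci`, `/dev/vsock`), the treatment of `Privileged` containers as having every host device, and the sample inspect output are all assumptions constructed for the example; adjust the device list to whatever your guest actually exposes.

```python
import json

# Assumed names of guest devices that VMware tools uses; extend for your environment.
VMWARE_DEVICE_HINTS = ("/dev/vmci", "/dev/vsock")


def runs_as_non_root(container):
    """True when Config.User names a non-root user (empty User means root)."""
    user = (container.get("Config", {}).get("User") or "").strip()
    if user == "":
        return False
    name = user.split(":")[0]
    return name not in ("root", "0")


def vmware_devices_mounted(container):
    """Return device/mount sources that could expose VMware tools devices."""
    host_cfg = container.get("HostConfig", {})
    # Assumption: a privileged container sees all host devices, so it counts as a hit.
    if host_cfg.get("Privileged"):
        return ["<privileged: all host devices>"]
    hits = []
    for dev in host_cfg.get("Devices") or []:
        path = dev.get("PathOnHost", "")
        if path.startswith(VMWARE_DEVICE_HINTS):
            hits.append(path)
    for mount in container.get("Mounts") or []:
        src = mount.get("Source", "")
        # A bind mount of the whole /dev tree brings the devices along as well.
        if src == "/dev" or src.startswith(VMWARE_DEVICE_HINTS):
            hits.append(src)
    return hits


def triage(container):
    """Summarise which of the statically checkable preconditions a container meets."""
    non_root = runs_as_non_root(container)
    devices = vmware_devices_mounted(container)
    return {
        "name": container.get("Name"),
        "non_root": non_root,
        "vmware_devices": devices,
        "matches_preconditions": non_root and bool(devices),
    }


def triage_all(inspect_output):
    """Run triage over a list as produced by `docker inspect $(docker ps -q)`."""
    return [triage(c) for c in inspect_output]


# Constructed sample, shaped like (a subset of) real `docker inspect` output.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/vmtools", "Config": {"User": ""},
   "HostConfig": {"Privileged": true, "Devices": []}, "Mounts": []},
  {"Name": "/app", "Config": {"User": "1000:1000"},
   "HostConfig": {"Privileged": false,
                  "Devices": [{"PathOnHost": "/dev/vmci", "PathInContainer": "/dev/vmci",
                               "CgroupPermissions": "rwm"}]},
   "Mounts": [{"Type": "bind", "Source": "/dev", "Destination": "/host-dev"}]},
  {"Name": "/web", "Config": {"User": "nobody"},
   "HostConfig": {"Privileged": false, "Devices": []},
   "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/web/_data",
               "Destination": "/data"}]}
]
""")

if __name__ == "__main__":
    for row in triage_all(SAMPLE_INSPECT):
        flag = "REVIEW" if row["matches_preconditions"] else "ok"
        print(f"{row['name']:<12} non_root={row['non_root']!s:<5} "
              f"devices={row['vmware_devices']} -> {flag}")
```

Only `/app` in the sample is flagged: it runs as uid 1000 and has both a VMware device and the host `/dev` tree mounted. The `/vmtools` container is privileged but runs as root, so the local privilege escalation described by the CVE gains nothing there; `/web` is non-root but has no such devices. Feed real output with `docker inspect $(docker ps -q) | python3 triage.py` after replacing `SAMPLE_INSPECT` with `json.load(sys.stdin)`.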

laxmankk commented 1 year ago

Do I have permission to create a branch and open a PR? What is the process to get it, in case it is required?

olljanat commented 1 year ago

Fix included in https://github.com/burmilla/os-services/commit/90ba9e37420c3e79fdf4ce5d837d171ffba9ce91 but it will go into the next (1.9.6) BurmillaOS version, so I need to check what else needs to be updated.

We are already a couple of Docker versions behind, and it looks like there will be a new one quite soon after https://github.com/moby/moby/pull/44593 and https://github.com/moby/moby/pull/44597 are merged.

laxmankk commented 1 year ago

Thank you very much Olli Janatuinen. I appreciate your help so much.

olljanat commented 1 year ago

Included in the just-released v1.9.6 version.