new file mode 100644
@@ -0,0 +1,123 @@
+From 7ed196cf01f8acd09011815a605b6733894b8aab Mon Sep 17 00:00:00 2001
+From: Kruti Pendharkar <kp025370@broadcom.com>
+Date: Mon, 29 Sep 2025 01:02:40 -0700
+Subject: [PATCH] Address CVE-2025-41244 - Disable (default) the execution of
+ the SDMP get-versions.sh script.
+
+With the Linux SDMP get-versions.sh script disabled, version information
+of installed services will not be made available to VMware Aria
+
+CVE: CVE-2025-41244
+
+Upstream-Status: Backport [https://github.com/vmware/open-vm-tools/commit/7ed196cf01f8acd09011815a605b6733894b8aab]
+
+Signed-off-by: Rajeshkumar Ramasamy <rajeshkumar.ramasamy@windriver.com>
+---
+ .../serviceDiscovery/serviceDiscovery.c | 37 ++++++++++++++++---
+ 1 file changed, 32 insertions(+), 5 deletions(-)
+
+diff --git a/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c b/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c
+index 103cf14..bf928c8 100644
+--- a/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c
++++ b/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c
+@@ -1,5 +1,6 @@
+ /*********************************************************
+- * Copyright (C) 2020-2021,2023 VMware, Inc. All rights reserved.
++ * Copyright (c) 2020-2025 Broadcom. All Rights Reserved.
++ * The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as published
+@@ -115,6 +116,12 @@ static gchar* scriptInstallDir = NULL;
+ */
+ #define SERVICE_DISCOVERY_RPC_WAIT_TIME 100
+
++/*
++ * Defines the configuration to enable/disable version obtaining logic
++ */
++#define CONFNAME_SERVICEDISCOVERY_VERSION_CHECK "version-check-enabled"
++#define SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK FALSE
++
+ /*
+ * Defines the configuration to cache data in gdp plugin
+ */
+@@ -1239,23 +1246,27 @@ ServiceDiscoveryServerShutdown(gpointer src,
+ *
+ * Construct final paths of the scripts that will be used for execution.
+ *
++ * @param[in] versionCheckEnabled TRUE to include the SERVICE_DISCOVERY_KEY_VERSIONS
++ * entry; FALSE to skip it (derived from config).
++ *
+ *****************************************************************************
+ */
+
+ static void
+-ConstructScriptPaths(void)
++ConstructScriptPaths(Bool versionCheckEnabled)
+ {
+ int i;
+ #if !defined(OPEN_VM_TOOLS)
+ gchar *toolsInstallDir;
+ #endif
++ int insertIndex = 0;
+
+ if (gFullPaths != NULL) {
+ return;
+ }
+
+ gFullPaths = g_array_sized_new(FALSE, TRUE, sizeof(KeyNameValue),
+- ARRAYSIZE(gKeyScripts));
++ ARRAYSIZE(gKeyScripts) - (versionCheckEnabled ? 0u : 1u));
+ if (scriptInstallDir == NULL) {
+ #if defined(OPEN_VM_TOOLS)
+ scriptInstallDir = Util_SafeStrdup(VMTOOLS_SERVICE_DISCOVERY_SCRIPTS);
+@@ -1267,6 +1278,15 @@ ConstructScriptPaths(void)
+ #endif
+ }
+ for (i = 0; i < ARRAYSIZE(gKeyScripts); ++i) {
++ /*
++ * Skip adding if:
++ * 1. Version check is disabled, AND
++ * 2. The keyName matches SERVICE_DISCOVERY_KEY_VERSIONS
++ */
++ if (!versionCheckEnabled &&
++ g_strcmp0(gKeyScripts[i].keyName, SERVICE_DISCOVERY_KEY_VERSIONS) == 0) {
++ continue;
++ }
+ KeyNameValue tmp;
+ tmp.keyName = g_strdup_printf("%s", gKeyScripts[i].keyName);
+ #if defined(_WIN32)
+@@ -1274,7 +1294,8 @@ ConstructScriptPaths(void)
+ #else
+ tmp.val = g_strdup_printf("%s%s%s", scriptInstallDir, DIRSEPS, gKeyScripts[i].val);
+ #endif
+- g_array_insert_val(gFullPaths, i, tmp);
++ g_array_insert_val(gFullPaths, insertIndex, tmp);
++ insertIndex++;
+ }
+ }
+
+@@ -1340,14 +1361,20 @@ ToolsOnLoad(ToolsAppCtx *ctx)
+ }
+ };
+ gboolean disabled;
++ Bool versionCheckEnabled;
+
+ regData.regs = VMTools_WrapArray(regs,
+ sizeof *regs,
+ ARRAYSIZE(regs));
++ versionCheckEnabled = VMTools_ConfigGetBoolean(
++ ctx->config,
++ CONFGROUPNAME_SERVICEDISCOVERY,
++ CONFNAME_SERVICEDISCOVERY_VERSION_CHECK,
++ SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK);
+ /*
+ * Append scripts execution command line
+ */
+- ConstructScriptPaths();
++ ConstructScriptPaths(versionCheckEnabled);
+
+ disabled =
+ VMTools_ConfigGetBoolean(ctx->config,
+--
+2.40.0
@@ -44,6 +44,7 @@ SRC_URI = "git://github.com/vmware/open-vm-tools.git;protocol=https;branch=stabl
file://0013-open-vm-tools-Correct-include-path-for-poll.h.patch;patchdir=.. \
file://0014-timeSync-Portable-way-to-print-64bit-time_t.patch;patchdir=.. \
file://CVE-2025-22247.patch;patchdir=.. \
+ file://CVE-2025-41244.patch;patchdir=.. \
"
UPSTREAM_CHECK_GITTAGREGEX = "stable-(?P<pver>\d+(\.\d+)+)"
VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-41244 Upstream-patch: https://github.com/vmware/open-vm-tools/commit/7ed196cf01f8acd09011815a605b6733894b8aab Signed-off-by: Rajeshkumar Ramasamy <rajeshkumar.ramasamy@windriver.com> --- .../open-vm-tools/CVE-2025-41244.patch | 123 ++++++++++++++++++ .../open-vm-tools/open-vm-tools_12.3.5.bb | 1 + 2 files changed, 124 insertions(+) create mode 100644 meta-networking/recipes-support/open-vm-tools/open-vm-tools/CVE-2025-41244.patch