From 68384f6ab79233817b5bf3370f0a46ee20a7f7e8 Mon Sep 17 00:00:00 2001 From: Vitaly Kuznetsov Date: Wed, 1 Oct 2025 10:49:34 +0200 Subject: [PATCH] SDMP: Service Discovery Plugin RH-Author: Vitaly Kuznetsov RH-MergeRequest: 56: SDMP: Service Discovery Plugin RH-Jira: RHEL-117388 RH-Acked-by: roverflow RH-Acked-by: Maxim Levitsky RH-Acked-by: Ani Sinha RH-Commit: [1/1] b8e63c398b7615bbbd86ae3b4539717e4fff74b1 JIRA: https://issues.redhat.com/browse/RHEL-117388 CVE: CVE-2025-41244 commit 7ed196cf01f8acd09011815a605b6733894b8aab Author: Kruti Pendharkar Date: Mon Sep 29 01:02:40 2025 -0700 Address CVE-2025-41244 - Disable (default) the execution of the SDMP get-versions.sh script. With the Linux SDMP get-versions.sh script disabled, version information of installed services will not be made available to VMware Aria RHEL-only: used https://github.com/vmware/open-vm-tools/blob/CVE-2025-41244.patch/CVE-2025-41244-1230-1235-SDMP.patch patch for 12.3 version. Signed-off-by: Vitaly Kuznetsov --- .../serviceDiscovery/serviceDiscovery.c | 34 ++++++++++++++++--- 1 file changed, 30 insertions(+), 4 deletions(-) diff --git a/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c b/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c index 103cf14e..2f65294b 100644 --- a/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c +++ b/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscovery.c @@ -115,6 +115,12 @@ static gchar* scriptInstallDir = NULL; */ #define SERVICE_DISCOVERY_RPC_WAIT_TIME 100 +/* + * Defines the configuration to enable/disable version obtaining logic + */ +#define CONFNAME_SERVICEDISCOVERY_VERSION_CHECK "version-check-enabled" +#define SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK FALSE + /* * Defines the configuration to cache data in gdp plugin */ @@ -1239,23 +1245,27 @@ ServiceDiscoveryServerShutdown(gpointer src, * * Construct final paths of the scripts that will be used for execution. * + * @param[in] versionCheckEnabled TRUE to include the SERVICE_DISCOVERY_KEY_VERSIONS + * entry; FALSE to skip it (derived from config). + * ***************************************************************************** */ static void -ConstructScriptPaths(void) +ConstructScriptPaths(Bool versionCheckEnabled) { int i; #if !defined(OPEN_VM_TOOLS) gchar *toolsInstallDir; #endif + int insertIndex = 0; if (gFullPaths != NULL) { return; } gFullPaths = g_array_sized_new(FALSE, TRUE, sizeof(KeyNameValue), - ARRAYSIZE(gKeyScripts)); + ARRAYSIZE(gKeyScripts) - (versionCheckEnabled ? 0u : 1u)); if (scriptInstallDir == NULL) { #if defined(OPEN_VM_TOOLS) scriptInstallDir = Util_SafeStrdup(VMTOOLS_SERVICE_DISCOVERY_SCRIPTS); @@ -1267,6 +1277,15 @@ ConstructScriptPaths(void) #endif } for (i = 0; i < ARRAYSIZE(gKeyScripts); ++i) { + /* + * Skip adding if: + * 1. Version check is disabled, AND + * 2. The keyName matches SERVICE_DISCOVERY_KEY_VERSIONS + */ + if (!versionCheckEnabled && + g_strcmp0(gKeyScripts[i].keyName, SERVICE_DISCOVERY_KEY_VERSIONS) == 0) { + continue; + } KeyNameValue tmp; tmp.keyName = g_strdup_printf("%s", gKeyScripts[i].keyName); #if defined(_WIN32) @@ -1274,7 +1293,8 @@ ConstructScriptPaths(void) #else tmp.val = g_strdup_printf("%s%s%s", scriptInstallDir, DIRSEPS, gKeyScripts[i].val); #endif - g_array_insert_val(gFullPaths, i, tmp); + g_array_insert_val(gFullPaths, insertIndex, tmp); + insertIndex++; } } @@ -1340,14 +1360,20 @@ ToolsOnLoad(ToolsAppCtx *ctx) } }; gboolean disabled; + Bool versionCheckEnabled; regData.regs = VMTools_WrapArray(regs, sizeof *regs, ARRAYSIZE(regs)); + versionCheckEnabled = VMTools_ConfigGetBoolean( + ctx->config, + CONFGROUPNAME_SERVICEDISCOVERY, + CONFNAME_SERVICEDISCOVERY_VERSION_CHECK, + SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK); /* * Append scripts execution command line */ - ConstructScriptPaths(); + ConstructScriptPaths(versionCheckEnabled); disabled = VMTools_ConfigGetBoolean(ctx->config, -- 2.47.3