
VMware Tools vs open-vm-tools: Same Version, Same Fixes?

“Does open-vm-tools xx.y.z equal VMware Tools xx.y.z?”

That’s the kind of deceptively simple customer question that can send you down a rabbit hole of KBs, VMSAs, and mailing lists. And honestly? The official answer isn’t always front-and-center. You have to piece it together, like a side quest in an RPG where the final boss is Documentation Obscurity.

So let’s break it down.

VMware Tools and open-vm-tools: What’s the difference?

  • VMware Tools: The “classic” package. Delivered directly by VMware/Broadcom as an ISO or installer. Primarily aimed at Windows guests (though historically Linux too).
  • open-vm-tools (OVT): The open-source implementation, maintained in the open and packaged by Linux distributions. It’s the default on most modern distributions.

Here’s the key: both share the same upstream code base. The distinction is really about who ships and maintains it:

  • Broadcom → VMware Tools for Windows.
  • Linux vendors → open-vm-tools for Linux.

Version numbers: Do they match?

Yes and no.

  • If your distro provides open-vm-tools 12.5.4, it’s equivalent to VMware Tools 12.5.4 in terms of fixes and features relevant to Linux.
  • But… some enterprise distros (hello RHEL, SUSE) often backport security patches into older package branches. That means your version string might read 12.1.x, but under the hood it already includes the CVEs addressed in 12.5.4.

That’s why version strings alone aren’t a reliable indicator: you need to check your distribution’s security advisory.

Security updates and VMSAs

Here’s the part that matters when a VMSA (VMware Security Advisory) drops:

  • Broadcom notifies Linux vendors of the CVE before the advisory is public.
  • Vendors patch and release updated open-vm-tools packages into their official repos.
  • When the VMSA goes live, the fixes are already (or shortly) available via your distro updates.

So yes, if a VMSA says “VMware Tools 12.5.4 fixes CVE-XXXX”, then open-vm-tools 12.5.4 for Linux covers it too.

And if your distro shows a lower version number, check the distro’s changelog — chances are, they’ve backported the fix.
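One way to run that changelog check on a guest, as an added example that is not part of the original post: it prints the changelog entry (and so the package version-release) that mentions a given CVE, for both RPM and Debian changelog layouts. The CVE id and the sample changelog are constructed placeholders, and the Debian changelog path is an assumption based on the standard packaging layout.

```shell
#!/usr/bin/env bash
# Added example: find which packaged open-vm-tools build mentions a CVE.

# Print the installed package's changelog (RPM or Debian family guest).
# The Debian path is an assumption (standard /usr/share/doc layout).
ovt_changelog() {
    if command -v rpm >/dev/null 2>&1 && rpm -q open-vm-tools >/dev/null 2>&1; then
        rpm -q --changelog open-vm-tools
    elif [ -r /usr/share/doc/open-vm-tools/changelog.Debian.gz ]; then
        zcat /usr/share/doc/open-vm-tools/changelog.Debian.gz
    else
        echo "open-vm-tools changelog not found" >&2
        return 1
    fi
}

# $1 = CVE id, changelog on stdin. Prints the header line of every
# changelog entry that mentions the CVE; exits non-zero if none does.
cve_entries() {
    awk -v cve="$1" '
        # RPM entries start with "* <date> <name> - <version-release>",
        # Debian entries with "<package> (<version>) <suite>; urgency=..."
        /^\* / || /^[a-z0-9.+-]+ \(.*\) / { header = $0; next }
        header != "" && index(toupper($0), toupper(cve)) {
            if (!seen[header]++) print header
            found = 1
        }
        END { exit !found }
    '
}

# Constructed sample: an older 12.1.x branch carrying a backported fix.
sample_changelog() {
    cat <<'EOF'
* Tue Jan 02 2024 Constructed Maintainer <pkg@example.invalid> - 12.1.5-3
- Backport upstream fix for CVE-0000-00000
* Mon Jun 05 2023 Constructed Maintainer <pkg@example.invalid> - 12.1.5-1
- Rebase to 12.1.5
EOF
}

# Demo on the constructed sample. On a real guest:
#   ovt_changelog | cve_entries <CVE id from the VMSA>
sample_changelog | cve_entries "CVE-0000-00000"
```

A non-zero exit only means the changelog does not name the CVE; the distribution's security advisory remains the authoritative source.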

What should customers do?

  • Windows VMs → Update to the latest VMware Tools ISO from Broadcom.
  • Linux VMs → Stick with your distro’s open-vm-tools. Update via apt, yum, or zypper. Don’t try to mix and match with the VMware ISO.
  • When a VMSA lands → Don’t panic about matching numbers. Verify with your distro’s advisories that the CVE is addressed.

TL;DR

  • open-vm-tools and VMware Tools are equivalent codebases, just shipped by different vendors.
  • A release like 12.5.4 means the same CVEs are fixed across both Windows (VMware Tools) and Linux (open-vm-tools).
  • For Linux, trust your distribution’s updates. Version numbers may differ due to backporting, but the fixes are there.
  • VMware’s own BU statement:

    "VMware Tools and open-vm-tools are equivalent, with the difference that VMware Tools X.Y.Z applies to Windows guests, while open-vm-tools X.Y.Z applies to Linux guests. Broadcom delivers VMware Tools for Windows, and Linux vendors distribute open-vm-tools for their supported platforms. Before a VMSA is publicly released, Linux vendors receive advance notice of the security issue along with the necessary patches, so they can update their open-vm-tools packages accordingly."

In the end, VMware Tools and open-vm-tools are two ways of delivering the same code. For Windows, update VMware Tools from Broadcom; for Linux, rely on your distribution’s open-vm-tools packages. Keep them up to date, and you’ll stay aligned with VMware’s security advisories without extra effort.

Miguel Brasseur October 3, 2025