Why aren’t VMware Tools at the right version on patched hosts?
A customer called with a question about updating VMware Tools as part of a recent security patch (https://www.vmware.com/security/advisories/VMSA-2019-0009.html). The advisory resolves an out-of-bounds read vulnerability in VMware Tools that is present in certain versions of the software (10.2.x and 10.3.x prior to 10.3.10). He wanted to install the fixed version, but the VMware Tools installations on his VMs reported that they were current while still running an affected version. His hosts were patched and up to date. He knew he could manually update VMware Tools on each of his VMs, but was hoping there was an easier way – and there is!
The VMware Tools status shown for a virtual machine is relative to the host: "Current" means the guest is running the Tools version bundled with the ESXi host it sits on, not the latest version VMware has released. Typically VMware Tools updates are delivered through an ESXi patch. In this case, the VMware Tools 10.3.10 release hasn’t been rolled into an ESXi patch yet; it will be shortly. The amount of testing that goes into an ESXi patch takes a good deal of time, so when VMware patches VMware Tools, as it did for this vulnerability, it also releases the new version directly to customers so they can deploy the fix sooner if they choose. VMware calls this an Async release.
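Because the "Current" status only compares the guest against the host's bundled Tools, the practical check is to ignore the status and compare the actual Tools version against 10.3.10. The PowerCLI snippet below does that; it is an added example, not code from the original post or from VMware. It assumes PowerCLI is installed and a session is already open with Connect-VIServer, and it assumes the usual encoding of the raw toolsVersion integer (major*1024 + minor*32 + patch, so 10346 is 10.3.10).

```powershell
# Added example (not from the original post). Lists VMs whose Tools report
# "Current" relative to their host yet still run a version below 10.3.10.
# Assumes: PowerCLI loaded and Connect-VIServer already done.
$fixedVersion = [version]'10.3.10'

$report = Get-VM | ForEach-Object {
    $guest = $_.ExtensionData.Guest

    # ToolsVersionStatus2 is what the client renders as "Current" / "Needs upgrade".
    # It is relative to the Tools bundled with the ESXi host, not the latest release.
    $status = $guest.ToolsVersionStatus2

    # Raw toolsVersion is a string holding an integer. Assumption: it is encoded as
    # major*1024 + minor*32 + patch (e.g. 10346 = 10.3.10). Empty when Tools is absent.
    $raw = 0
    $version = $null
    if ([int]::TryParse($guest.ToolsVersion, [ref]$raw) -and $raw -gt 0) {
        $major = [int][math]::Floor($raw / 1024)
        $minor = [int][math]::Floor(($raw % 1024) / 32)
        $patch = [int]($raw % 32)
        $version = [version]::new($major, $minor, $patch)
    }

    [pscustomobject]@{
        VM           = $_.Name
        VMHost       = $_.VMHost.Name
        ToolsStatus  = $status
        ToolsVersion = $version
        # "Current" per the host but still vulnerable per the advisory.
        Affected     = ($null -ne $version -and $version -lt $fixedVersion)
    }
}

# Show only the VMs that need the async 10.3.10 update, despite reporting "Current".
$report | Where-Object { $_.Affected } | Sort-Object VMHost, VM | Format-Table -AutoSize
```

VMs with no Tools installed show a blank ToolsVersion and are not flagged as Affected; handle those separately, since the advisory does not apply to them but they also get none of the Tools functionality.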