Comment 33 for bug 1741390

VMSA-2017-0013 describes the following CVEs: CVE-2017-4921, CVE-2017-4922, CVE-2017-4923, CVE-2015-5191. Of these, only CVE-2015-5191 is applicable to open-vm-tools and it is partially mitigated via symlink restrictions. It is on the list to be fixed, but is currently rated low.

VMSA-2018-0003 describes CVE-2017-4945, CVE-2017-4946, and CVE-2017-4948. CVE-2017-4945 is applicable to VM tools, but only for Windows guests, so it is not applicable to the open-vm-tools package. CVE-2017-4946 and CVE-2017-4948 are not applicable to open-vm-tools.

You can see the CVE status for the package at
http://people.canonical.com/~ubuntu-security/cve/pkg/open-vm-tools.html