The diagnostics archive created by vm-support was created in /tmp/ with world-readable permissions. A local attacker could possibly use this flaw to obtain sensitive information. References: http://seclists.org/fulldisclosure/2014/Aug/71
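The flaw class described above, as an added example that is not part of the original report or of vm-support's own code: a weak and a hardened way to write a diagnostics archive into a shared directory, plus a mode check for auditing existing files. All function names, file names and the scratch directory are hypothetical, and the actual fix in open-vm-tools may differ.

```shell
#!/bin/sh
# Added example; names and paths are hypothetical, not taken from vm-support.

# Weak pattern: the archive is created under a permissive umask (022 is a
# common default), so it lands in the shared directory as mode 0644.
make_archive_weak() {
    src=$1; outdir=$2
    out="$outdir/diag-weak.tar"
    ( umask 022; tar -cf "$out" -C "$src" . ) || return 1
    printf '%s\n' "$out"
}

# Hardened pattern: restrictive umask plus a private mktemp directory
# (mode 0700, unpredictable name), so neither the archive nor its parent
# directory is readable by other local users.
make_archive_hardened() {
    src=$1; outdir=$2
    (
        umask 077
        work=$(mktemp -d "$outdir/diag.XXXXXX") || exit 1
        tar -cf "$work/diag.tar" -C "$src" . || exit 1
        printf '%s\n' "$work/diag.tar"
    )
}

# Audit check: succeeds when "other" has the read bit set on the path.
is_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Demo on constructed data; "shared" stands in for /tmp.
demo=$(mktemp -d)
mkdir "$demo/src" "$demo/shared"
chmod 1777 "$demo/shared"
echo "constructed sample log line" > "$demo/src/vm.log"
weak=$(make_archive_weak "$demo/src" "$demo/shared")
safe=$(make_archive_hardened "$demo/src" "$demo/shared")
for f in "$weak" "$safe"; do
    if is_world_readable "$f"; then
        echo "EXPOSED $f"
    else
        echo "private $f"
    fi
done
rm -rf "$demo"
```
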
Created open-vm-tools tracking bugs for this issue:
Affects: fedora-all [bug 1165901]
Affects: epel-6 [bug 1165902]
The open-vm-tools version 9.4.6 package contains the fix. Fedora 20 and EPEL 6 have already picked up version 9.4.6 and therefore have the fix.
This will also get fixed by rebasing open-vm-tools to 9.10.2, bug 1172833.
Statement: This issue affects the versions of open-vm-tools as shipped with Red Hat Enterprise Linux 7 and Red Hat CloudForms 4. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Errata URL: https://access.redhat.com/errata/RHBA-2015:2246