Pivotal Knowledge Base


BOSH Stemcells Upgrade in Production and Vulnerability Scanning


Pivotal Cloud Foundry


Before deploying/upgrading a Stemcell in production, it is common for a customer's security team to run vulnerability scans on staging deployments.

When a security team scans a Stemcell that has been deployed by a customer, it is possible that the vulnerability database being used is newer than the Stemcell being evaluated and will thus detect issues that were not known at the time the Stemcell was released. The following questions frequently arise in such a situation:

  • How often are new Stemcells produced by Pivotal?
  • How often are Stemcells upgraded in production?
  • How does Pivotal handle vulnerability scanning of BOSH-deployed apps?


Pivotal deploys updated Stemcells regularly to Pivotal Web Server; for high and critical CVEs the goal is a fix within 48 hours. Low and medium CVEs are caught up on approximately once per month.

If you'd like to see how often Stemcell or tile updates are released, look at PivNet, which lists previous releases and their release dates.

Although Pivotal is very proactive about producing security updates to keep customers safe, customers need to be set up to consume and deploy those updates promptly; otherwise their systems can be left exposed and vulnerable. Installing the updates is what provides the protection.
