Pivotal Knowledge Base


BOSH Stemcells upgrade in production and vulnerability scanning

Environment

Pivotal Cloud Foundry

Purpose

Before deploying/upgrading a Stemcell in production, it is common for a customer's security team to run vulnerability scans on staging deployments.

When a security team scans a Stemcell that has been deployed by a customer, it is possible that the vulnerability database being used is newer than the Stemcell being evaluated and will thus detect issues that were not known at the time the Stemcell was released. The following questions frequently arise in such a situation:

Solution

Pivotal deploys updated Stemcells regularly to Pivotal Web Server; high and critical CVEs have a 48-hour remediation goal, and lows and mediums are caught up on approximately once per month.

If you'd like to see how often we release Stemcell or tile updates, you can look at PivNet which shows previous releases and their release dates.

Although Pivotal is very proactive about producing security updates to keep our customers safe, customers need to be set up to consume and deploy those updates promptly, or their systems can be left exposed and vulnerable. It is very important to install the updates to be protected.
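The two operational checks this article implies, written out as an added example (this is not Pivotal's or BOSH's own tooling): first, whether the Stemcells a Director is using are behind the newest release you know about, so that updates are actually being consumed promptly; second, splitting scanner findings by CVE publication date relative to the Stemcell's release date, so that findings the vulnerability database only learned about after the Stemcell shipped are recognised as "expected, resolved by upgrading" rather than as a defect in the release. The input is a constructed sample shaped like `bosh stemcells --json` from the BOSH CLI v2; the assumption that in-use versions carry a trailing `*` in that output, the "latest known" table, the release date and the CVE identifiers are all placeholders.

```python
"""Stemcell currency check and scan-finding triage (added example, not Pivotal tooling)."""
import json
from datetime import date

# Constructed sample shaped like `bosh stemcells --json` (BOSH CLI v2).
# Names and versions are placeholders; a trailing "*" is assumed to mark an
# in-use version, as in the CLI's table output.
SAMPLE_BOSH_JSON = json.dumps({
    "Tables": [{
        "Content": "stemcells",
        "Rows": [
            {"name": "bosh-vsphere-esxi-ubuntu-xenial-go_agent", "version": "456.30*",
             "os": "ubuntu-xenial", "cpi": "", "cid": "sc-0001"},
            {"name": "bosh-vsphere-esxi-ubuntu-xenial-go_agent", "version": "456.9",
             "os": "ubuntu-xenial", "cpi": "", "cid": "sc-0002"},
            {"name": "bosh-vsphere-esxi-ubuntu-trusty-go_agent", "version": "3586.60*",
             "os": "ubuntu-trusty", "cpi": "", "cid": "sc-0003"},
        ],
    }]
})

# Constructed "newest known release" table; in practice maintained from PivNet.
LATEST_KNOWN = {
    "bosh-vsphere-esxi-ubuntu-xenial-go_agent": "456.40",
    "bosh-vsphere-esxi-ubuntu-trusty-go_agent": "3586.60",
}


def parse_version(version):
    """'456.30*' -> (456, 30). Numeric tuple so that 456.9 < 456.30 compares correctly
    (string comparison would get this wrong)."""
    return tuple(int(part) for part in version.rstrip("*").split("."))


def deployed_stemcells(bosh_json):
    """Return {stemcell name: newest uploaded version tuple} from bosh JSON output."""
    newest = {}
    for table in json.loads(bosh_json)["Tables"]:
        if table.get("Content") != "stemcells":
            continue
        for row in table["Rows"]:
            ver = parse_version(row["version"])
            if row["name"] not in newest or ver > newest[row["name"]]:
                newest[row["name"]] = ver
    return newest


def stale_stemcells(bosh_json, latest_known):
    """Names of stemcells whose newest uploaded version is behind the newest known release."""
    stale = []
    for name, ver in deployed_stemcells(bosh_json).items():
        latest = latest_known.get(name)
        if latest is not None and parse_version(latest) > ver:
            stale.append(name)
    return sorted(stale)


def triage_findings(findings, stemcell_release_date):
    """Split scanner findings by whether the CVE was published after the stemcell shipped.

    Findings published after the release date are what the article describes: the
    scanner's database is newer than the stemcell, and the fix is to upgrade.
    Findings published on or before the release date need a closer look against
    the stemcell's release notes.
    """
    result = {"known_at_release": [], "published_after_release": []}
    for finding in findings:
        published = date.fromisoformat(finding["published"])
        bucket = "published_after_release" if published > stemcell_release_date else "known_at_release"
        result[bucket].append(finding["id"])
    return result


# Constructed findings with placeholder CVE identifiers (not real advisories).
SAMPLE_FINDINGS = [
    {"id": "CVE-0000-0001", "published": "2019-01-10"},
    {"id": "CVE-0000-0002", "published": "2019-03-01"},
]
SAMPLE_RELEASE_DATE = date(2019, 2, 15)  # placeholder stemcell release date

if __name__ == "__main__":
    print("stale:", stale_stemcells(SAMPLE_BOSH_JSON, LATEST_KNOWN))
    print("triage:", triage_findings(SAMPLE_FINDINGS, SAMPLE_RELEASE_DATE))
```

Run against a real Director with `bosh stemcells --json` piped into `stale_stemcells`, and feed the scanner's findings (with their CVE publication dates) into `triage_findings` alongside the date of the Stemcell release actually deployed; anything in `published_after_release` is addressed by moving to a newer Stemcell rather than by filing it against the one under test.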
