This is for internal use by the PaaS team. Public-facing documentation is located at docs.cloud.service.gov.uk.

Responding to CVEs, upgrading stemcells and cflinuxfs

The team must be prepared to triage and address common vulnerabilities and exposures (CVEs). Most CVEs also require upgrading the stemcells and cflinuxfs.

How we learn about CVEs

We learn about CVEs through:

• automated CVE notifications through Zendesk from the CloudFoundry security RSS feed – the feed is converted to Zendesk tickets using IFTTT
• notifications from cf-dev mailing list from CloudFoundry
• notifications in Slack (for example, the Cloud Foundry Slack channel) Dependabot (for frontend vulnerabilities)

How to triage CVEs

To triage CVEs, you should consider:

• which libraries or tools are affected
• how severely the libraries or tools are affected
• how the vulnerability affects us or tenants
• the likelihood of the vulnerability being exploited – for example, what kind of library or program is it? Would it be public facing in some way? Is it likely to be fed user input in a tenant application? What would an attacker need to do to get into a position where they could exploit it on PaaS?

You should then record the priority decision (high, low) in the ticket.

How to address the CVE

If the CVE is high priority, you should:

• immediately create a story in Pivotal Tracker with all known information about the CVE (if there are multiple CVEs, merge them into one Pivotal story)
• link to the original CVE report
• identify which components are affected
• identify what needs to be done to mitigate the issue (for example, upgrading to a newer version)

If the CVE is low priority or there is a low likelihood of exploitation, you should:

• put a ticket at the top of the icebox section in Pivotal Tracker and prioritise it at the next session
• check if you can address the CVE by upgrading to a newer stemcell and cflinuxfs3 or cflinuxfs4 version during the regular platform upgrade process

For both high and low priority CVEs, you should:

• use instructions from the CVE report to mitigate the issue (for example, upgrading to a newer version of the affected component) or find other practical ways to mitigate the issue (for example, disabling features or altering configurations)
• record the previous and new version of the affected component if upgrading
• decide if the comms person needs to contact tenants with information about vulnerabilities, changes or new implementations (for example, if tenants need a buildpack upgrade)
• record the result on the Pivotal story associated with the issue

Upgrading stemcells and cflinuxfs

Obtaining latest bionic stemcell and cflinuxfs releases

You can find the latest version of Ubuntu stemcells (Ubuntu Jammy) on the Cloud Foundry BOSH website, along with the latest version of cflinuxfs3 and cflinuxfs4.

Testing and deploying

In GitHub, create a pull request in the paas-cf and paas-bootstrap repositories (see sample pull requests for updating paas-cf and updating paas-bootstrap), then deploy to a dev environment. If the deployment is successful, merge the pull request and deploy to both staging and production.