►
From YouTube: Cloud Foundry CAB call recording 16th Dec 2021
Description
Recording from the Cloud Foundry Community Advisory Board call held on 16th December 2021. Discussions centered around #Log4Shell mitigation and general community updates.
A
Hello,
everyone
welcome
to
the
december
edition
of
the
cab
call
before
I
even
realized
that
the
year
has
started.
We
seem
to
have
come
to
the
end
of
it,
so
I
hope
everyone
had
a
wonderful
2021,
definitely
better
than
2020.
I
guess
but
yeah
here
we
are
and
as
everybody
knows,
this
is
the
community
advisory
board.
A
The
aim
of
this
call
is
to
basically
get
folks
to
interact
with
each
other
about
you
know,
general
community
matters
pertaining
to
cloud
foundry
and
as
the
community
stewards
at
the
cloud,
foundry
foundation,
representatives
against
me
and
chris,
maybe
we
will
share
some
details
from
the
community,
or
rather
the
governance
perspective
of
what's
been
happening
with
the
cloud
foundry.
So,
generally
speaking,
we
just
concluded
a
board
meeting
yesterday,
and
things
are
looking
very
optimistic
for
cloud
foundry
in
general
and
specifically
the
cloud
foundry
community.
A
A
There's
there's
been
some
interesting
developments
in
that
regard.
So
all
our
working
group
maintainers
have
been
marking
a
lot
of
issues
as
good
first
issues.
So
if
there
are
folks
out
there
who
are
listening,
who
want
to
get
started
on
contributing
to
cloud
foundry,
I
think
it's
a
wonderful
place
to
get
started
and
start
making
use
of
these
issues
marked
as
good
first
issue
in
order
to
you
know,
pick
things
up
and
work
with
them.
A
A
A
A
B
A
The
cloud
foundry
code
base
is
not
an
exception
to
to,
I
guess,
a
lot
of
other
software.
We
are
also
we've
also
been
using
log4j
in
a
few
components,
and
we
specifically
identified
like
five
areas
where
we
needed
some
urgent
efforts
to
go
in
and
and
do
the
fix
so
mitigating
this
is,
you
know,
fairly
straightforward.
A
You
had
to
update
the
version
of
log4j
that
you
basically
used,
and
after
we
had
heard
about
this-
which
I
guess
was
on
the
10th
the
friday,
the
security,
vulnerability
management
working
group
so
to
say,
that's
a
mouthful,
but
basically
there
is
a
working
group
that
is
responsible
for
voluntarily
vulnerability
management,
and
so
those
folks,
you
know,
got
on
board
quickly.
They
ordered
some
scans
to
be
done,
so
there
is
a
tool
called
app
check
and
basically,
the
results
of
the
scan
pointed
out.
A
Five
areas,
like
I
mentioned
so
uaa,
which
is
the
authentication
tool
great
hub,
which
we
use
for
credential
management
and
rotation
c
of
deployment
itself
made
use
of
log
for
j,
and
then
the
newer
cf4
gates
was
also
making
use
of
log4j
in
some
cases,
because
there
was
significant
overlap
with,
I
guess,
uaa
and
gridhub,
but
there's
also
a
couple
of
build
backs.
Specifically,
obviously
the
java
buildback,
I
guess,
but
also
the
php
buildback,
were-
were
declared
as
affected.
A
So
there
was
some
information
that
we
got
again
later
on
friday
about
this
being
slightly
more
multi-dimensional
than
than
what
it
seemed.
It
was
not
like
as
simple
as
just
you
know,
go
and
change
versions,
and
things
like
that,
so
there
so
a
couple
of
different
ways
in
which
we
could
fix.
This
was
what
was
discussed
and
recommended,
and
later
on,
saturday
was
when
we
started
to
think
about
cutting
our
first
releases
and
updates,
so
the
uaa
team
actually
released
the
first
fix.
A
On
monday,
early,
like
rather
late
on
sunday
morning,
but
for
practical
purposes
monday,
I
guess
cred
hub
released
the
2.10
version,
which
mitigates
which
mitigated
the
the
problem
for
grid
hub.
This
was
followed
by
caa
sorry
cfr,
kids
having
a
simpler
path,
because
uaa
and
credit
have
both
had
new
releases.
Then
cfor
kids
was
just
bumped
up
to
use
these
two
new
versions
on
monday,
and
we
had
like
the
problem
solved
in
like
three
four
areas
in
terms
of
communicating
this.
A
A
A
B
So
I
can
share
a
little
bit
about
the
cloud.gov
experience.
If
folks
would
find
that
interesting,
I'm
not
sure
how
other
people
did,
but
I
first
heard
about
this
friday
morning,
u.s
east
coast
time,
and
even
though
we
had
no
evidence
that
we
were
being
attacked
or
were
vulnerable
to.
It
immediately
declared
a
potential
incident.
B
Since
we
knew
that
uaa
and
kredhub
and
some
other
components
we
run
might
be
vulnerable
and
it
was.
It
was
gratifying
that
we
have
tools
within
our
deployment
process
to
use
operators
to
set
the
initial
property
value
that
you
could
pass
to,
jvms,
that
the
dash
g
switch
for
log
4j
dash
no
format
message
lookups
or
whatever.
B
So
we
were
able
to
get
ourselves
into
a
a
pretty
good
position
before
the
end
of
the
day
on
on
friday,
as
well
as
having
having
wife
pools
and
then
I've
just
been
very
pleased
with
the
speed
at
which
the
the
patches
have
come
come
out
of
the
community
and
and
the
attention
that
you
all
have
paid
to
it.
So
yeah
thanks.
C
Sorry
so
I'll
say
I
used
to
be
on
the
cloud
because
team,
but
now
I'm
a
cloud
like
a
user
for
another
government
team.
It
was
gratifying
for
me
to
be
able
to
you
know,
knowing
that
we
were
on
a
standardized
platform
that
we
could
look
at
ourselves
in
the
community
and
see
what
was
going
on,
and
I
was
able
to
bring
that
the
attention
to
the
cloud.gov
team
about
that
operator.
Environment
variable
group
setting.
C
So
I
could,
you
know,
help
other
people,
so
that
was
great
and
benefited
platform.
One
thing
I
would
have
spent
more
effort
on
the
cf
side
was
the
the
php
build
pack,
the
php
pack,
you
know
issued
a
a
new
version
because
of
app
dynamics.
App
dynamics
is
a
service.
That's
only
available,
I
think
on
mostly
on
pivotal
deployments
or
sorry
vmware
deployments,
it's
generally
not
applicable
to
the
to
anybody
running
the
open
source
version.
C
I
you
know
I
went
into
high
alert,
saying
oh
my
gosh.
I
thought
I
wasn't
affected.
Maybe
I
am
so
I
think
you
know
the
release
notes
for
remediations,
saying
not
only
we've
remediated
the
vulnerability,
but
also
this
is
how
you
can
tell
if
you
were
if
this
might
have
affected
your
application,
because
in
this
case
it
was
an
optional
piece
of
code
that
was
not
invoked
unless
you
have
an
app
dynamic
service
available
and
deployed
and
bound
on
the
platform.
C
C
But
if
you
weren't
using
app
dynamics,
then
it
doesn't
matter
to
you
that
would
have
helped
a
tremendous
amount.
In
my
case
I
was
I
was
curious
enough
to
to
go.
Look
at
the
php
bill
pack
source
and
say
what
did
they
fix
and
I
saw
that
it
was
academics,
and
I
could
look
at
the
code
and
say:
oh
it
only
it's
only
invoked
if
there's
a
service
bound.
C
A
A
A
B
Set
run
environment
group
variable
so
that
gave
us
the
ability
to
across.
That
would
give
an
operator.
I
should
say
exactly
what
what
we
did
or
didn't
do,
because
I
haven't
been
cleared
to
speak
on
this,
but
it
would
give
the
opportunity
for
a
an
operator
of
a
foundry
to
set
a
variable
that
for
log
for
j
versions,
between
2.10
and
2.14
to
not
by
default
parse,
the
jnda
lookups,
and
so
one
could
set
that
across
a
foundation
and
then
in
the
course
of
a
deployment
when
cells
get
rolled
over.
B
It
doesn't
solve
everything
because
you
know
you
still
need
people
to
restage
their
applications
and
check
their
dependencies
to
make
sure
that
they're
not
holding
a
log4j
someplace
else.
But
you
know
every
mitigation
that
you
can
get
out
quickly
sort
of
narrows
the
the
opportunities
for
bad
actors
to
to
get
in
yeah.
I
I.
C
Think
on
the
on
the
environment,
verbal
thing,
I
think
that
the
tweet
I
was
actually
quoting
or
passed
over
had
said
something
about
like
you
know,
you
have
to
set
this
as
an
operator
and
then
ask
everybody
to
roll
their
apps.
It's
like!
No,
you
don't
really
have
to
ask
everybody
to
roll
their
apps,
because
the
platform
contract
basically
says
we
might
evacuate
you
from
a
cell
and
therefore
your
app
is
going
to
get
restarted
and
we'll
pick
up
environment
variables.
C
The
only
reason
they
would
need
to
be
restaged
in
this
case
since
the
since
the
variable
affects
runtime
behavior,
they
would
only
need
to
be
restaged
if
the
environment
variable
you
set
affects
staging
behavior
and
actually
the
platform
has
been
a
little
overly
cautious
on
that
in
a
lot
of
documentation.
It
says:
hey
if
you
said
environment
variable,
you
have
to
restage
your
app
and
that's
not
true.
You
only
have
to
restage
your
app
if
the
environment
variable
you
set
is
used
during
the
staging
process.
C
So,
yes,
that's
a
blanket
statement
you
can
make.
That
will
make
sure
it's
always
right,
but
the
reality
is,
if
you
said,
environment
variable
and
it's
not
used
in
the
staging
process.
All
you
have
to
do
is
restart
your
app
to
pick
up
that
environment
variable,
and
so
for
that
reason
you
know
you
can
set
it
as
a
as
a
as
an
operator
and
no
restaging
is
an
necessary.
We
know
this
variable
is
only
used
during
the
running
period.
It's
not
used
during
the
staging
period,
so
they
don't
have
to
restage.
C
B
Yeah,
particularly
because
web
application
firewalls
are
so
limited
in
their
utility
here,
because
there
are
so
many
different
patterns
that
it
you
know,
no
regular
expression
was
going
to
catch
them
all
and
any
particular
I
mean
it
would
certainly
catch.
You
know
protect
you
from
the
spray
and
pray
people
out
there
that
are
just
saying:
hey.
C
B
What's
targetable
out
there,
but
you
know
any
one
who
was
particularly
wanting
to
target
your
organization
would
easily
find
their
way
past
a
web
application.
Firewall
is
my
understanding,
I'm
afraid
I'd
have
to
leave
in
a
minute,
because
at
another
meeting
I
couldn't
reschedule
but
I'd
be
curious
of
other
people
had
experiences
that
they
wanted
to
share
on
responding
to
this
before
I
drop
off.
A
No,
I
guess
not
again.
Thank
you
so
much
for
joining
us
in
this
edition's
cab
call,
let's
all
meet
the
following
year
and
thank
you
ashley
for
patiently
recording
and
helping
upload.
All
of
these
calls
and
keeping
the
tradition
of
cab
calls
alive
throughout
the
year.
See
see
you
all
next
year,
then
bye-bye.