►
From YouTube: Cloud Foundry CAB call recording 16th Dec 2021
Description
Recording from the Cloud Foundry Community Advisory Board call held on 16th December 2021. Discussions centered around #Log4Shell mitigation and general community updates.
A
Hello,
everyone
welcome
to
the
december
edition
of
the
cab
call
before
I
even
realized
that
the
year
has
started.
We
seem
to
have
come
to
the
end
of
it,
so
I
hope
everyone
had
a
wonderful
2021,
definitely
better
than
2020.
I
guess
but
yeah
here
we
are
and
as
everybody
knows,
this
is
the
community
advisory
board.
A
The
aim
of
this
call
is
to
basically
get
folks
to
interact
with
each
other
about
you
know,
general
community
matters
pertaining
to
cloud
foundry
and
as
the
community
stewards
at
the
cloud,
foundry
foundation,
representatives
against
me
and
chris,
maybe
we
will
share
some
details
from
the
community,
or
rather
the
governance
perspective
of
what's
been
happening
with
the
cloud
foundry.
So,
generally
speaking,
we
just
concluded
a
board
meeting
yesterday,
and
things
are
looking
very
optimistic
for
cloud
foundry
in
general
and
specifically
the
cloud
foundry
community.
A
A
There's
there's
been
some
interesting
developments
in
that
regard.
So
all
our
working
group
maintainers
have
been
marking
a
lot
of
issues
as
good
first
issues.
So
if
there
are
folks
out
there
who
are
listening,
who
want
to
get
started
on
contributing
to
cloud
foundry,
I
think
it's
a
wonderful
place
to
get
started
and
start
making
use
of
these
issues
marked
as
good
first
issue
in
order
to
you
know,
pick
things
up
and
work
with
them.
A
A
A
Start
both
consuming
and
contributing
to
the
roadmap
of
each
of
the
different
working
groups
and
have
more
of
a
say
in
steering
the
way
working
groups
are
putting
out
solutions
in
general,
so
yeah.
Those
are
really
the
the
big
sort
of
updates
from
the
community.
A
Much
like
the
rest
of
the
world,
I
guess
the
cloud
foundry
community
has
also
had
a
busy
weekend.
Unfortunately,
it
had
to
happen
before
the
holidays.
When
you.
B
A
Everybody
is
in
like
a
celebratory
mode,
but
at
least
it
happened
when
everybody
was
in
office,
I
guess
and
not
exactly
celebrating
so
for
those
who
need
a
little
more
context.
A
The
cloud
foundry
code
base
is
not
an
exception
to
to,
I
guess,
a
lot
of
other
software.
We
are
also
we've
also
been
using
log4j
in
a
few
components,
and
we
specifically
identified
like
five
areas
where
we
needed
some
urgent
efforts
to
go
in
and
and
do
the
fix
so
mitigating
this
is,
you
know,
fairly
straightforward.
A
You
had
to
update
the
version
of
log4j
that
you
basically
used,
and
after
we
had
heard
about
this-
which
I
guess
was
on
the
10th
the
friday,
the
security,
vulnerability
management
working
group
so
to
say,
that's
a
mouthful,
but
basically
there
is
a
working
group
that
is
responsible
for
voluntarily
vulnerability
management,
and
so
those
folks,
you
know,
got
on
board
quickly.
They
ordered
some
scans
to
be
done,
so
there
is
a
tool
called
app
check
and
basically,
the
results
of
the
scan
pointed
out.
A
Five
areas,
like
I
mentioned
so
uaa,
which
is
the
authentication
tool
great
hub,
which
we
use
for
credential
management
and
rotation
c
of
deployment
itself
made
use
of
log
for
j,
and
then
the
newer
cf4
gates
was
also
making
use
of
log4j
in
some
cases,
because
there
was
significant
overlap
with,
I
guess,
uaa
and
gridhub,
but
there's
also
a
couple
of
build
backs.
Specifically,
obviously
the
java
buildback,
I
guess,
but
also
the
php
buildback,
were-
were
declared
as
affected.
A
So
after
you
know,
we
got
this
list
and
made
sure
that
appscan
completed
its
entire
protein,
which
is
basically
coughing
up
uaa
like
multiple
times
and
stuff
by
late
evening
on
december
10th,
we
had
this
set
of
areas
where
we
definitely
needed
to
go
in
and
cut
a
few
new
releases
and
things.
A
So
there
was
some
information
that
we
got
again
later
on
friday
about
this
being
slightly
more
multi-dimensional
than
than
what
it
seemed.
It
was
not
like
as
simple
as
just
you
know,
go
and
change
versions,
and
things
like
that,
so
there
so
a
couple
of
different
ways
in
which
we
could
fix.
This
was
what
was
discussed
and
recommended,
and
later
on,
saturday
was
when
we
started
to
think
about
cutting
our
first
releases
and
updates,
so
the
uaa
team
actually
released
the
first
fix.
A
On
monday,
early,
like
rather
late
on
sunday
morning,
but
for
practical
purposes
monday,
I
guess
cred
hub
released
the
2.10
version,
which
mitigates
which
mitigated
the
the
problem
for
grid
hub.
This
was
followed
by
caa
sorry
cfr,
kids
having
a
simpler
path,
because
uaa
and
credit
have
both
had
new
releases.
Then
cfor
kids
was
just
bumped
up
to
use
these
two
new
versions
on
monday,
and
we
had
like
the
problem
solved
in
like
three
four
areas
in
terms
of
communicating
this.
A
The
security
team
also
put
up
like
some
advisory
on
the
cloud,
foundry
blog
and
we
were
able
to
push
this
news
through
twitter
as
well.
Now.
A
On
wednesday,
I
guess
yesterday
somebody
had
reported
that
it
they
were
hearing
news
about
2.15.0,
also
being
vulnerable,
so
it
was
recommended
to
bump
up
log4j
to
2.16
and
then
all
of
the
different
components
are
now
updated
to
2.16.
A
So
everything
is
through
the
pipeline,
great
hub,
uaa
cfr
gates
and
some
of
the
build
pack
stuff.
So
I
guess
we're
yet
to
hear
about
the
java
buildback,
but
otherwise
all
other
components
seem
to
be
updated
and
the
mitigation
is
is
declared
complete.
A
As
of
now
so
that's
been
the
story
from
the
cloud
foundry
community
site
about
what
we've
been
doing
so
far
to
fix
this.
If
folks
have
any
other
experiences
or
stories
or
anything
they
want
to
share,
you
know
please
come
forward
and
make
use
of
the
time
it's
as
much
yours
as
it
is
us.
B
So
I
can
share
a
little
bit
about
the
cloud.gov
experience.
If
folks
would
find
that
interesting,
I'm
not
sure
how
other
people
did,
but
I
first
heard
about
this
friday
morning,
u.s
east
coast
time,
and
even
though
we
had
no
evidence
that
we
were
being
attacked
or
were
vulnerable
to.
It
immediately
declared
a
potential
incident.
B
Since
we
knew
that
uaa
and
kredhub
and
some
other
components
we
run
might
be
vulnerable
and
it
was.
It
was
gratifying
that
we
have
tools
within
our
deployment
process
to
use
operators
to
set
the
initial
property
value
that
you
could
pass
to,
jvms,
that
the
dash
g
switch
for
log
4j
dash
no
format
message
lookups
or
whatever.
B
So
we
were
able
to
get
ourselves
into
a
a
pretty
good
position
before
the
end
of
the
day
on
on
friday,
as
well
as
having
having
wife
pools
and
then
I've
just
been
very
pleased
with
the
speed
at
which
the
the
patches
have
come
come
out
of
the
community
and
and
the
attention
that
you
all
have
paid
to
it.
So
yeah
thanks.
A
Okay,
well
thanks
everybody
for
joining
the
december
edition.
C
Sorry
so
I'll
say
I
used
to
be
on
the
cloud
because
team,
but
now
I'm
a
cloud
like
a
user
for
another
government
team.
It
was
gratifying
for
me
to
be
able
to
you
know,
knowing
that
we
were
on
a
standardized
platform
that
we
could
look
at
ourselves
in
the
community
and
see
what
was
going
on,
and
I
was
able
to
bring
that
the
attention
to
the
cloud.gov
team
about
that
operator.
Environment
variable
group
setting.
C
So
I
could,
you
know,
help
other
people,
so
that
was
great
and
benefited
platform.
One
thing
I
would
have
spent
more
effort
on
the
cf
side
was
the
the
php
build
pack,
the
php
pack,
you
know
issued
a
a
new
version
because
of
app
dynamics.
App
dynamics
is
a
service.
That's
only
available,
I
think
on
mostly
on
pivotal
deployments
or
sorry
vmware
deployments,
it's
generally
not
applicable
to
the
to
anybody
running
the
open
source
version.
C
I
think
most
of
them
are
not
don't
have
an
app
dynamics
service
on
their
platform
and
it
was
the
driver
for
that
service
that
was
susceptible,
and
so
I
think
one
thing
that
could
help
is
when,
when
they're,
when
releasing
updates
for
things
like
that,
be
explicit
about
what
might
have
put
you
in
a
category
to
be
susceptible
to
the
vulnerability,
because
when
I
saw
it
you
know,
I
do
have
php
applications
that
were
not
on
my
radar
at
all
as
being
affected,
and
when
I
saw
there
was
a
php
build
back
affected.
C
I
you
know
I
went
into
high
alert,
saying
oh
my
gosh.
I
thought
I
wasn't
affected.
Maybe
I
am
so
I
think
you
know
the
release
notes
for
remediations,
saying
not
only
we've
remediated
the
vulnerability,
but
also
this
is
how
you
can
tell
if
you
were
if
this
might
have
affected
your
application,
because
in
this
case
it
was
an
optional
piece
of
code
that
was
not
invoked
unless
you
have
an
app
dynamic
service
available
and
deployed
and
bound
on
the
platform.
C
C
But
if
you
weren't
using
app
dynamics,
then
it
doesn't
matter
to
you
that
would
have
helped
a
tremendous
amount.
In
my
case
I
was
I
was
curious
enough
to
to
go.
Look
at
the
php
bill
pack
source
and
say
what
did
they
fix
and
I
saw
that
it
was
academics,
and
I
could
look
at
the
code
and
say:
oh
it
only
it's
only
invoked
if
there's
a
service
bound.
C
So
chris
chris
is
saying.
Is
that
the
case?
C
And
the
answer
is
yes,
as
far
as
I
can
tell,
and
so
that
that's
important,
because
you
know
the
the
nature
of
which
component
or
build
pack
is
updated,
will
determine
a
whole
swath
of
of
incident
response
process
that
cascades
down
from
that
in
the
organizations
that
are
that
are
using
those
things
and
a
lot
of
people
won't
be
as
curious
as
I
am,
or
have
the
time
that
I
that
I
did
to
go
dig
in
and
figure
out
well
like
was
I
actually
affected,
based
on
the
change
they
made
as
opposed
to
well,
I
used
the
php
build
pack
and
there
was
an
update,
so
I
must
have
been
affected
so
that
can
that
can
trigger
a
lot
of
scrambling
and
running
around,
and
so
thinking
about
you
know
whenever
you,
whenever
you
give
a
notice
to
somebody
saying
hey,
there
was
a
problem.
C
You
also
want
to
give
them
information,
hey,
there's
a
problem,
we
fixed
it.
You
also
want
to
give
the
information
to
say
and
here's
how
you
can
tell
if
you
were
affected,
so
I
would
suggest
that,
as
just
a
general
security
practice
for
any
kind
of
security
update
notification.
A
Yep-
and
I
really
apologize
for
not
having
considered
that
as
part
of
any
of
the
updates
that
I
personally
put
out
in
in
any
of
the
communications
that
I
wrote
on
behalf
of
the
community.
So.
A
C
Just
you
know
for
future
something
to
consider
as
sort
of
a
standard
process
when
you're,
when
you're
making
these
announcements.
A
Absolutely,
and
and
even
in
specifically
in
this
case,
I
think
that's
a
great
point
that
you
made
and
yeah
totally
agree
with
you
in
terms
of
also
communicating
the
scope
of
what
gets
affected.
But
it's
not
so.
Thank
you
for
bringing
that
up.
B
B
Set
run
environment
group
variable
so
that
gave
us
the
ability
to
across.
That
would
give
an
operator.
I
should
say
exactly
what
what
we
did
or
didn't
do,
because
I
haven't
been
cleared
to
speak
on
this,
but
it
would
give
the
opportunity
for
a
an
operator
of
a
foundry
to
set
a
variable
that
for
log
for
j
versions,
between
2.10
and
2.14
to
not
by
default
parse,
the
jnda
lookups,
and
so
one
could
set
that
across
a
foundation
and
then
in
the
course
of
a
deployment
when
cells
get
rolled
over.
B
All
of
the
tenants
will
have
the
applications
restarted
and
should
pick
up
that
environment
variable
particular
developers
are:
do
have
the
opportunity
to
override
that
variable
if,
if
they
need
to
by
setting
their
own
environment
variable
and
but
it
was
just
a
a
nice
tool
that
operators
have
in
their
pocket
for
making
changes
across
the
platform
in
a
minimally
invasive
way
to
secure
their
tenant
applications.
B
It
doesn't
solve
everything
because
you
know
you
still
need
people
to
restage
their
applications
and
check
their
dependencies
to
make
sure
that
they're
not
holding
a
log4j
someplace
else.
But
you
know
every
mitigation
that
you
can
get
out
quickly
sort
of
narrows
the
the
opportunities
for
bad
actors
to
to
get
in
yeah.
I
I.
C
Think
on
the
on
the
environment,
verbal
thing,
I
think
that
the
tweet
I
was
actually
quoting
or
passed
over
had
said
something
about
like
you
know,
you
have
to
set
this
as
an
operator
and
then
ask
everybody
to
roll
their
apps.
It's
like!
No,
you
don't
really
have
to
ask
everybody
to
roll
their
apps,
because
the
platform
contract
basically
says
we
might
evacuate
you
from
a
cell
and
therefore
your
app
is
going
to
get
restarted
and
we'll
pick
up
environment
variables.
C
The
only
reason
they
would
need
to
be
restaged
in
this
case
since
the
since
the
variable
affects
runtime
behavior,
they
would
only
need
to
be
restaged
if
the
environment
variable
you
set
affects
staging
behavior
and
actually
the
platform
has
been
a
little
overly
cautious
on
that
in
a
lot
of
documentation.
It
says:
hey
if
you
said
environment
variable,
you
have
to
restage
your
app
and
that's
not
true.
You
only
have
to
restage
your
app
if
the
environment
variable
you
set
is
used
during
the
staging
process.
C
So,
yes,
that's
a
blanket
statement
you
can
make.
That
will
make
sure
it's
always
right,
but
the
reality
is,
if
you
said,
environment
variable
and
it's
not
used
in
the
staging
process.
All
you
have
to
do
is
restart
your
app
to
pick
up
that
environment
variable,
and
so
for
that
reason
you
know
you
can
set
it
as
a
as
a
as
an
operator
and
no
restaging
is
an
necessary.
We
know
this
variable
is
only
used
during
the
running
period.
It's
not
used
during
the
staging
period,
so
they
don't
have
to
restage.
C
So
I
really
appreciate
the
fact
that
the
platform
allows
you
to
minimize
the
impact
on
customers
that
way,
and
it's
it's
a
huge
it's
a
huge
deal
and
I
think
we
should
all
be
trumpeting
it
from
the
clouds
in
blog
posts
everywhere
to
say
this
is
why
you
should
use
a
pass,
and
this
is
why
cloud
foundry
is
good.
C
B
Yeah,
particularly
because
web
application
firewalls
are
so
limited
in
their
utility
here,
because
there
are
so
many
different
patterns
that
it
you
know,
no
regular
expression
was
going
to
catch
them
all
and
any
particular
I
mean
it
would
certainly
catch.
You
know
protect
you
from
the
spray
and
pray
people
out
there
that
are
just
saying:
hey.
C
B
What's
targetable
out
there,
but
you
know
any
one
who
was
particularly
wanting
to
target
your
organization
would
easily
find
their
way
past
a
web
application.
Firewall
is
my
understanding,
I'm
afraid
I'd
have
to
leave
in
a
minute,
because
at
another
meeting
I
couldn't
reschedule
but
I'd
be
curious
of
other
people
had
experiences
that
they
wanted
to
share
on
responding
to
this
before
I
drop
off.
A
Thanks
for
joining
us,
peter
and
and
sharing
all
that
information,
the
folks
have
anything
else
to
share
anybody's
mics
on
mute
by
mistake.
A
No,
I
guess
not
again.
Thank
you
so
much
for
joining
us
in
this
edition's
cab
call,
let's
all
meet
the
following
year
and
thank
you
ashley
for
patiently
recording
and
helping
upload.
All
of
these
calls
and
keeping
the
tradition
of
cab
calls
alive
throughout
the
year.
See
see
you
all
next
year,
then
bye-bye.