CVE-2021-44228 and CVE-2021-45046 workaround in Concourse

Article ID: 297215

Updated On:

Products

Concourse for VMware Tanzu

Issue/Introduction

Deployments of Concourse for VMware Tanzu that utilize UAA and/or CredHub may be left vulnerable to Log4j RCE vulnerabilities CVE-2021-44228 and CVE-2021-45046.

The following versions are impacted:

  • Concourse for VMware Tanzu versions prior to version 6
  • Concourse for VMware Tanzu version 6, prior to 6.7.9
  • Concourse for VMware Tanzu version 7, prior to 7.4.4
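To check a deployed version against the ranges above, here is a small version checker written for this article (an added example, not VMware's or Concourse's own tooling); it assumes dotted numeric version strings such as "6.7.8", optionally with a leading "v" or a build suffix.

```python
"""Check whether a Concourse for VMware Tanzu version falls inside the
impacted ranges listed in this article (added example, not VMware's code).
Assumes versions are dotted numeric strings such as "6.7.8"."""
from typing import Tuple

# First fixed release in each major line, as stated in the article.
FIXED = {6: (6, 7, 9), 7: (7, 4, 4)}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn "7.4.4" into (7, 4, 4); strip a leading 'v' and any build suffix."""
    core = v.strip().lstrip("v").split("-")[0].split("+")[0]
    parts = tuple(int(p) for p in core.split("."))
    if not parts:
        raise ValueError(f"unparsable version: {v!r}")
    return parts


def is_impacted(version: str, uses_uaa_or_credhub: bool = True) -> bool:
    """Return True when the deployment should be updated per the article.

    Concourse itself ships no Java; only deployments using UAA and/or
    CredHub are affected, so that flag short-circuits the check.
    """
    if not uses_uaa_or_credhub:
        return False
    parsed = parse_version(version)
    major = parsed[0]
    if major < 6:
        return True           # every pre-6 release is listed as impacted
    fixed = FIXED.get(major)
    if fixed is None:
        return False          # major lines newer than 7 are not listed
    # Tuple comparison orders 6.7.10 after 6.7.9, unlike a string compare.
    return parsed < fixed


if __name__ == "__main__":
    # Constructed sample versions around each boundary.
    for v in ["5.8.1", "6.7.8", "6.7.9", "6.7.10", "7.4.3", "7.4.4"]:
        print(f"{v}: {'UPDATE' if is_impacted(v) else 'ok'}")
```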

Important: Read Before Proceeding

  • Concourse itself uses no Java components and is therefore not subject to any Log4j vulnerabilities on its own. Only deployments that utilize UAA and/or CredHub are impacted.
  • Any vulnerabilities not explicitly listed are not covered in the guidance of this article.

Resolution

Impacted Concourse deployments should be updated immediately.

Support for Concourse for VMware Tanzu - Platform Automation version 6.7.9 has been extended until 2022-04-30 so that version 6 deployments can remediate these vulnerabilities by upgrading to 6.7.9 when updating to version 7.4.4 is not currently feasible.

It may also be desirable to update the UAA and CredHub releases independently of the Concourse release. If so, please use the following versions of each: