TKGI and TAP: steps to check if a CVE is fixed by a Bosh stemcell


Article ID: 389717


Updated On: 03-03-2025

Products

  • VMware Tanzu Kubernetes Grid Integrated Edition
  • VMware Tanzu Kubernetes Grid Integrated (TKGi)
  • VMware Tanzu Kubernetes Grid Integrated Edition (Core)
  • VMware Tanzu Kubernetes Grid Integrated Edition 1.x
  • VMware Tanzu Kubernetes Grid Integrated Edition Starter Pack (Core)

Issue/Introduction

For a known CVE, the steps below identify:

  • Whether a stemcell has been released that fixes the CVE.
  • Whether the new Bosh stemcell is compatible with the Tanzu product being used.

Environment

TKGI

TAP

Bosh

Opsmanager

Resolution

Procedure:

 

  • Identify an Ubuntu CVE. 

Example: 

Ubuntu Security Notice: https://ubuntu.com/security/notices/USN-7206-3

CVE-2024-12084: https://ubuntu.com/security/CVE-2024-12084

 

  • Identify an affected VM being used by an Opsmanager tile.

 

  • Determine the assigned stemcell line being used: Jammy, Xenial, Windows, etc.

    • Log in to the Opsmanager UI

    • Select Stemcell Library

    • Locate the Product Tile
      • Example: Tanzu Kubernetes Grid Integrated Edition
      • Version 1.20.0-build.52

    • Locate the current Stemcell line and version being used in the Deployed column
      • Example: ubuntu-jammy 1.506

 

  • Reference the Stemcell Release Notes

Example: Jammy 1.x Stemcell Release Notes

 

  • Search for the CVE:

Example: In the release notes above, CVE-2024-12084 is shown as fixed starting with Stemcell 1.719.

 

  • Determine if the stemcell fix is compatible with the product tile

Refer to KB: Retrieve Product Version Compatibilities from the Tanzu API

For product tile:

Tile Name: Tanzu Kubernetes Grid Integrated Edition

Tile Version: 1.20.0-build.52

API outputs:

The product name and slug name returned by following the above KB are:

Product Name: "Tanzu Kubernetes Grid Integrated Edition (TKGi) - CLI & Tile"

Slug Name: "pivotal-container-service"

 

Human-readable version and database ID for TKGI 1.20:

Release version: 1.20.0

Release ID: 523043

      "id": 523043,
      "version": "1.20.0",

 

The dependencies output shows that Stemcell 1.719 is compatible, as are newer stemcells (1.737, etc.):

        "version": "1.775",
          "slug": "stemcells-ubuntu-jammy",
          "name": "Stemcells (Ubuntu Jammy)"
        "version": "1.737",
          "slug": "stemcells-ubuntu-jammy",
          "name": "Stemcells (Ubuntu Jammy)"
        "version": "1.719",
          "slug": "stemcells-ubuntu-jammy",
          "name": "Stemcells (Ubuntu Jammy)"
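
The comparison this procedure does by eye can be scripted. The following is an added example, not part of the original article or of any vendor tooling: it checks whether the deployed stemcell predates the fix and lists the compatible stemcells on the same line that carry it. The function names, the JSON nesting (dependencies, release, product) and the sample rows marked as constructed are assumptions; the other values are the ones shown above.

```python
import json

def parse_version(version):
    # Stemcell versions compare numerically per component, so 1.95 is older
    # than 1.719 even though it sorts later as a plain string.
    return tuple(int(part) for part in version.split("."))

def assess(deployed, fixed_in, dependencies_json, stemcell_slug):
    """Report whether the deployed stemcell already has the fix and which
    compatible stemcells on the same line contain it."""
    fixed = parse_version(fixed_in)
    candidates = set()
    for dep in json.loads(dependencies_json).get("dependencies", []):
        release = dep.get("release", {})
        if release.get("product", {}).get("slug") != stemcell_slug:
            continue  # other stemcell line, or not a stemcell dependency
        if parse_version(release["version"]) >= fixed:
            candidates.add(release["version"])
    return {
        "deployed_is_fixed": parse_version(deployed) >= fixed,
        "upgrade_candidates": sorted(candidates, key=parse_version),
    }

# Sample dependencies document. The nesting is an assumption about the API
# response; the first three rows repeat the fragments shown in the article.
_ROWS = [
    ("1.775", "stemcells-ubuntu-jammy", "Stemcells (Ubuntu Jammy)"),
    ("1.737", "stemcells-ubuntu-jammy", "Stemcells (Ubuntu Jammy)"),
    ("1.719", "stemcells-ubuntu-jammy", "Stemcells (Ubuntu Jammy)"),
    ("1.95", "stemcells-ubuntu-jammy", "Stemcells (Ubuntu Jammy)"),        # constructed
    ("621.1000", "stemcells-ubuntu-xenial", "Stemcells (Ubuntu Xenial)"),  # constructed
]
SAMPLE_DEPENDENCIES = json.dumps({"dependencies": [
    {"release": {"version": v, "product": {"slug": s, "name": n}}}
    for v, s, n in _ROWS
]})

if __name__ == "__main__":
    # Deployed 1.506 and fix version 1.719 are the article's example values.
    result = assess("1.506", "1.719", SAMPLE_DEPENDENCIES,
                    "stemcells-ubuntu-jammy")
    print(json.dumps(result, indent=2))
```

An empty `upgrade_candidates` list means no stemcell containing the fix is listed as compatible with that tile release.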