Nick Kuhn and Mike Jarvis co-wrote this post.
On two occasions in December 2021, VMware Tanzu Application Service released remediations within 48 hours of critical CVEs being announced. These remediations were both in response to the Log4j saga, enabling VMware customers to defend against attack vectors quickly after the Day 0 event. This quick response is a reflection of the dedication of the VMware engineering teams working on Tanzu Application Service today.
Log4j is a library prevalent in Java ecosystems and used by millions of applications everywhere, so the repercussions of this CVE, known as Log4Shell, have been massive. Proof of its impact is the high CVSS score given to this CVE: 10 out of 10.
The events around Log4Shell are burned into the IT community’s memory, as most of the industry scrambled to react to these critical vulnerabilities right before most organizations prepared to go on their end-of-year holiday breaks. With the rapid response and availability of remediations, customers using Tanzu Application Service were able to use the Tanzu Operations Manager to quickly roll out updates to their application platforms, which consist of more than 200 virtual machines in many cases.
Tanzu Operations Manager is powered by BOSH, the core infrastructure management tooling that allows Tanzu Application Service operators to rapidly mitigate their platforms. BOSH will rebuild Tanzu Application Service in a highly automated fashion from known good states, without incurring platform downtime. Without BOSH, a platform mitigation effort could be quite time-consuming from a core operational perspective.
VMware's efforts related to this critical vulnerability reinforce that Tanzu Application Service is truly the best place to run your mission-critical applications.