July 05, 2024

Tanzu What’s New - Jul 5, 2024 Edition

Get the latest updates on VMware Tanzu product security with our latest notice, featuring critical information on CVE-2024-6387 and the new Ubuntu Jammy Stemcell release. Stay ahead of the curve with detailed security updates and release details on Tanzu Application Platform, Tanzu RabbitMQ, and more. Dive into our Knowledge base articles on TAS, TKGI, and TKGm to ensure your Tanzu environment is secure and optimized. Don't miss our latest Tanzu Platform Tale by Nicky Pike and Corby Page, and explore the Two Friends Talking Tanzu Series with Oren and Whitney. Plus, get ready for our upcoming webinars, including VMware Explore 2024 (August 26-29) and the July Tanzu Platform Webinar. Stay informed, stay secure, and unlock the full potential of your Tanzu environment!

 

"You don't have to be great to start, but you have to start to be great." - Zig Ziglar

VMware Tanzu Product Security Notice
The Qualys Threat Research Unit (TRU) has discovered a Remote Unauthenticated Code Execution (RCE) vulnerability in OpenSSH’s server (sshd) on glibc-based Linux systems. This vulnerability has been assigned CVE-2024-6387.

Tanzu Application Service and tiles such as Postgres/MySQL/GemFire/Valkey(Redis) and RabbitMQ for TAS that use the Jammy stemcell have patches for CVE-2024-6387 in Stemcell 1.486. The updated Stemcell (Ubuntu Jammy) 1.486 is available now. Release date: 2024-07-02. The release notes are linked below, and a summary of all CVEs is in the Security Updates section below.

A Tanzu RabbitMQ version 3.13.3.1 build was released after the OVA 3.13.3 release. Release date: 2024-07-03. The v3.13.3.1 build includes the latest OpenSSH package, which fixes CVE-2024-6387.

The Bitnami SSH server is installed and running in OVAs and Cloud Images for the AWS, Google, and Azure Marketplaces. Bitnami Helm charts and container images are not affected. By default, OVAs and Cloud Images include the unattended-upgrades package, which tries to install security updates automatically every day. The Bitnami team has releases for updated versions in the Marketplace.

Tanzu Application Platform (TAP), Tanzu Spring Runtime (TSR), Azure Spring Apps Enterprise (ASA-E), Tanzu Data (Greenplum, Postgres & MySQL for K8s and Postgres standalone), Tanzu Data Hub were reviewed for CVE-2024-6387 and are not vulnerable.

Please contact Broadcom Support or your account team if you have any questions about CVE-2024-6387.
VMware Tanzu Product Releases 
This section lists release information for the Tanzu Platform for Cloud Foundry, Tanzu Platform for Kubernetes, Tanzu Data Services, and Tanzu Spring Essentials products that are part of Tanzu Platform and standalone solutions, along with their release dates and release notes.

(Note: The Broadcom Support portal requires you to register.)
Tanzu Product Downloads | KB article on How to Download Products | Tanzu Product Lifecycle (Select Tanzu Division to find Tanzu product releases)

| Product Name | Version | Release Date | Related Links |
|---|---|---|---|
| VMware Tanzu Platform | | | |
| Ubuntu Jammy Stemcell (TAS, TKGI, Jammy based tiles). Check Release Notes for Breaking Changes, Known issues and Security fix details. | 1.486 | 2024-07-02 | Release Notes |
| VMware Tanzu Platform for Kubernetes | | | |
| VMware Tanzu Application Platform (TAP). Check Release Notes for Breaking Changes, Known issues and Security fix details. | 1.11.0, 1.8.5, 1.7.9, 1.6.13 | 2024-07-02 | Release Notes (one per version) |
| VMware Tanzu Data Solutions | | | |
| VMware Tanzu RabbitMQ. It is important to know that a Tanzu RabbitMQ version 3.13.3.1 build was released after the OVA 3.13.3 release. The v3.13.3.1 build includes the latest OpenSSH package, which fixes CVE-2024-6387. | 3.13.3.1 | 2024-07-03 | Release Notes |

VMware Tanzu Product Security Updates
Within the release notes there may be security or governance specific updates that are worth highlighting.  The Tanzu Security team reviews each release and summarizes security or governance specific highlights found within the release notes.  

Tanzu Security Team Disclaimer:
The summary below is a review of the above product release notes from a security and governance point of view and may not reflect the specific security or governance requirements you may have. It also does not include all details from the release notes. Please review the full release notes for release details.

VMware Tanzu Platform
Ubuntu Jammy Stemcell (TAS, TKGI, Jammy based tiles)

  •         LSN-0104-1: High: Kernel live patch 8 CVE resolved
  •         USN-6819-4: High: Linux kernel (oracle) 298 CVE resolved
  •         USN-6859-1: High: OpenSSH CVE-2024-6387 resolved
  •         USN-6847-1: libheif 16 CVE resolved
  •         USN-6842-1: gdb 6 CVE resolved
  •         USN-6809-1: bluez 4 CVE resolved
  •         USN-6846-1: Ansible 4 CVE resolved
  •         USN-6854-1: OpenSSL CVE-2022-40735 resolved
  •         USN-6851-1: Netplan CVE-2022-4868 resolved
  •         USN-6822-1: Node.js 6 CVE resolved
  •         USN-6800-1: browserify-sign CVE-2023-46234 resolved
  •         USN-6805-1: libarchive CVE-2024-26256 resolved
  •         USN-6844-1: CUPS CVE-2024-35235 resolved
  •         USN-6801-1: PyMySQL CVE-2024-36039 resolved
  •         USN-6843-1: Plasma CVE-2024-36041 resolved
  •         USN-6852-1: Wget CVE-2024-38428 resolved
  •         USN-6798-1: GStreamer CVE-2024-4453 resolved

VMware Tanzu Platform for Kubernetes
VMware Tanzu Application Platform (TAP)

  •         Tanzu Application Platform was reviewed for CVE-2024-6387 and it does not contain SSH and is not vulnerable to this CVE.
  •         Adds enhancements to minimize traffic disruptions during upgrades due to nodes being drained when upgrading Kubernetes.
  •         Supply Chain Security Tools (SCST) - Scan
  •         Breaking changes: Tanzu Application Platform all releases
    •         Tanzu Application Platform releases have migrated from VMware Tanzu Network to the Broadcom Support Portal and Broadcom registry. Using VMware Tanzu Network to install or upgrade Tanzu Application Platform is no longer supported.
  •         Breaking changes 1.11.0: Carbon Black for Supply Chain Security Tools - Scan v1.0
    •         VMware Carbon Black for Supply Chain Security Tools - Scan v1.0 is now removed.
  •         Breaking changes 1.11.0: Tanzu CLI
    •         The Tanzu Insight plug-in is now removed.
  •         Breaking changes 1.11.0: Tanzu Developer Portal
    •         Tanzu Developer Portal Configurator is now removed.
  •         1.11.0 includes the following security fixes, see release notes for full CVE listing:
    •         accelerator.apps.tanzu.vmware.com: 10 CVE resolved 
    •         alm-catalog.component.apps.tanzu.vmware.com: 52 CVE resolved
    •         amr-observer.apps.tanzu.vmware.com: 1 CVE resolved
    •         application-configuration-service.tanzu.vmware.com: 11 CVE resolved
    •         base-jammy-stack-lite.buildpacks.tanzu.vmware.com: 164 CVE resolved
    •         buildservice.tanzu.vmware.com: 26 CVE resolved
    •         carbonblack.scanning.apps.tanzu.vmware.com: 53 CVE resolved
    •         cnrs.tanzu.vmware.com: 1 CVE resolved
    •         config-server.spring.tanzu.vmware.com: 8 CVE resolved
    •         crossplane.tanzu.vmware.com: 1 CVE resolved
    •         dotnet-core-lite.buildpacks.tanzu.vmware.com: 3 CVE resolved 
    •         managed-resource-controller.apps.tanzu.vmware.com: 1 CVE resolved
    •         metadata-store.apps.tanzu.vmware.com: 3 CVE resolved
    •         nodejs-lite.buildpacks.tanzu.vmware.com: 4 CVE resolved
    •         ootb-templates.tanzu.vmware.com: 52 CVE resolved
    •         python-lite.buildpacks.tanzu.vmware.com: 12 CVE resolved
    •         ruby-lite.buildpacks.tanzu.vmware.com: 1 CVE resolved
    •         source.component.apps.tanzu.vmware.com: 66 CVE resolved
    •         supply-chain-catalog.apps.tanzu.vmware.com: 4 CVE resolved
    •         supply-chain.apps.tanzu.vmware.com: 3 CVE resolved
    •         tekton.tanzu.vmware.com: 223 CVE resolved
    •         trivy.app-scanning.component.apps.tanzu.vmware.com: 1 CVE resolved
  •         1.8.5 includes the following security fixes, see release notes for full CVE listing:
    •         application-configuration-service.tanzu.vmware.com: 4 CVE resolved
    •         base-jammy-stack-lite.buildpacks.tanzu.vmware.com: 102 CVE resolved
    •         cert-manager.tanzu.vmware.com: 3 CVE resolved
    •         cnrs.tanzu.vmware.com: 6 CVE resolved
    •         crossplane.tanzu.vmware.com: 1 CVE resolved
    •         dotnet-core-lite.buildpacks.tanzu.vmware.com: 2 CVE resolved
    •         git-writer.component.apps.tanzu.vmware.com: 99 CVE resolved
    •         java-lite.buildpacks.tanzu.vmware.com: 3 CVE resolved
    •         managed-resource-controller.apps.tanzu.vmware.com: 2 CVE resolved
    •         ootb-templates.tanzu.vmware.com: 51 CVE resolved
    •         service-registry.spring.apps.tanzu.vmware.com: 11 CVE resolved
    •         source.component.apps.tanzu.vmware.com: 152 CVE resolved
    •         sso.apps.tanzu.vmware.com: 2 CVE resolved
    •         supply-chain-catalog.apps.tanzu.vmware.com: 94 CVE resolved
    •         supply-chain.apps.tanzu.vmware.com: 2 CVE resolved
  •         1.7.9 includes the following security fixes, see release notes for full CVE listing:
    •         base-jammy-stack-lite.buildpacks.tanzu.vmware.com: 102 CVE resolved
    •         cert-manager.tanzu.vmware.com: 2 CVE resolved
    •         java-lite.buildpacks.tanzu.vmware.com: 9 CVE resolved
    •         ootb-templates.tanzu.vmware.com: 14 CVE resolved
  •         1.6.13 includes the following security fixes, see release notes for full CVE listing:
    •         base-jammy-stack-lite.buildpacks.tanzu.vmware.com: 102 CVE resolved
    •         cert-manager.tanzu.vmware.com: 2 CVE resolved
    •         ootb-templates.tanzu.vmware.com: 303 CVE resolved

VMware Tanzu Data Solutions
VMware Tanzu RabbitMQ

  •         The current VMware Tanzu RabbitMQ OVA release is 3.13 (the latest patch is 3.13.3). For users who are currently using 1.5 releases, note that 3.13 is the next release after 1.5. This is different from the expectation that the next release would be 1.6. The reason for this change is to align product version numbers between open source RabbitMQ and commercial VMware Tanzu RabbitMQ product versions.
  •         Open-source RabbitMQ version 3.13.2 is a maintenance release in the 3.13.x release series.
  •         OAuth2 support for Warm Standby Replication synchronization: This enhances the security of data links between the upstream (primary) and downstream (standby) cluster used in Warm Standby Replication by using a more secure OAuth 2.0 authentication mechanism.
  •         One of the key features exclusive to this 3.13.3 Tanzu RabbitMQ OVA release is compliance with the Federal Information Processing Standard (FIPS) 140-2. Now with the Tanzu RabbitMQ OVA 3.13 release, this FIPS configuration is provided ‘out of the box’. If you are using FIPS, you must pull the FIPS variant images from the Broadcom Support Portal.
  •         This release includes the following security fixes:
    •         A version 3.13.3.1 build was released after the OVA 3.13.3 release. The v3.13.3.1 build includes the latest OpenSSH package, which fixes CVE-2024-6387. If you are using the VMware Tanzu RabbitMQ 3.13.3 OVA, you can run tdnf update openssh to update the OpenSSH package, or you can download the 3.13.3.1 OVA build from the Broadcom Support Portal.


Check out the troubleshooting Tips and Resolutions on various Tanzu Products. This section is a great resource for you to bookmark and quickly prevent issues before pushing applications to Production. 

VMware Tanzu Platform for Cloud Foundry
VMware Tanzu Application Service (TAS)
How to bypass a load balancer in TAS platform - When troubleshooting scenarios where an app is not accessible, cf cli commands do not work, there are unexpected HTTP responses, timeouts reached etc. it is always good practice to bypass the load balancer to verify if the issue.

Other Tanzu Platform Services
VMware Tanzu Kubernetes Grid Integrated Edition (TKGI)
Leftover VMs on vCenter after TKGi cluster deletion - After successfully deleting a TKGI cluster, some of its VMs remain present on vCenter. 

VMware Tanzu Kubernetes Grid - Management Clusters (TKGm)
How to rotate certificates in a Tanzu Kubernetes Grid cluster - This article describes the process to rotate the Kubernetes core components including kubelet for both Management and Workload Tanzu Kubernetes Grid (TKG) clusters. 

VMware Tanzu Platform 
Can Cloud Foundry and Kubernetes Get Along? (A Tanzu Platform Tale) - (Video) - Cloud Foundry Guru Nicky Pike, and Kubernetes Traveler Corby Page, look at the new Tanzu Platform that offers a developer experience on both runtimes. 

VMware Tanzu Platform for Cloud Foundry
Join the public beta for GenAI on Tanzu Platform today! - (Blog) - Nick Kuhn Thrilled to announce that the initial release of GenAI on Tanzu Platform for Cloud Foundry is now available on the Broadcom Support Portal. Look at some of the features in this blog. 

VMware Tanzu 
Two Friends Talking Tanzu Series
Two Friends Talking Tanzu Preview - (Video) Oren Penso & Whitney Lee, Check out the preview on their upcoming video series, two friends geeking out over application platforms and sharing their (VMware Tanzu) take on this ever-evolving landscape.

  • What Is VMware Tanzu? Part 1: The Problem - How does Tanzu Platform solve this complexity, and what benefits arise from streamlining operations?
  • What Is VMware Tanzu? Part 2: Build and Package - How Tanzu Platform supports building source code into a container image, resulting in secure images that follow industry standards and are built on consistent foundations.
  • What Is VMware Tanzu? Part 3: Deploy and Bind - Deploying an application to an application space and binding that app to one or many backing services, and how platform engineers can enable this for the developers that they serve.
  • What Is VMware Tanzu? Part 4: Tanzu Hub - The Tanzu Hub UI is customizable based on what users care about, and Oren and Whitney discuss some of the benefits of Tanzu Hub. They additionally go over some examples of what different types of users might want to see in their particular Tanzu Hub dashboard.
  • What Is VMware Tanzu? Part 5: Conclusion and Recap - How Tanzu Platform assists with Day 2 operations. Discuss the Tanzu Platform as a whole, especially highlighting that this great user experience can happen on either Kubernetes or Cloud Foundry.

VMware Tanzu Data Solutions
VMware Tanzu MySQL for Tanzu Platform for Cloud Foundry
What’s New for MySQL for VMware Tanzu Platform - (Blog) Prem Victor, in this blog, we focus on the latest enhancements to Tanzu for MySQL for Tanzu Platform for Cloud Foundry and what benefits customers can expect when leveraging through their environment(s). 

Other Tanzu Platform Services
VMware Tanzu CloudHealth
June Product Updates: Enhancements, New User Experience, and FinOps X! - (Blog) Dan Naparstek This blog is a continuation of our monthly product update summary series. June 2024 saw some enhancements to CloudHealth, but an especially exciting development that we unveiled at FinOps X in San Diego.
Upcoming Events and Webinars sorted in Date order below for your convenience with relevant links and information for you to not miss these key happenings. 

VMware Tanzu 
July 24 - Exploring the State of Cloud Native App Platforms and VMware Tanzu - Join us for this interactive session to learn how Tanzu Platform empowers development teams by allowing them to focus on the four golden commands (build, bind, deploy, and scale) and integrates security enhancing capabilities trusted by security teams. 

VMware Explore 2024 AUGUST 26 – 29, 2024
Content Catalog Is Open Register Now!!!
Aug 26 - VMware Explore 2024 - Map your next move at the industry’s essential cloud event. Don’t delay. FAQ, Agenda, Content Catalog

Tanzu What's New Series - Weekly Tanzu digest on Tanzu product Releases, KB Articles, Success Stories, Updates, Blogs, Videos & More. An RSS feed is also available. You can also subscribe to this weekly update on the official VMware Tanzu LinkedIn Newsletter now! We already have 9K plus subscribers and are still growing!
Tanzu Academy - An on-demand, comprehensive learning hub for platform and application operators to become experts at achieving meaningful outcomes with Tanzu products. Check out the Academy account management changes and Broadcom login required information in the Blog section.
Spring Academy - The new Spring Academy Pro FREE is live! Check out the details here
Tanzu Fundamentals (Videos)
Tanzu Documentation 
Tanzu Courses

Note: Sign in to Tanzu TechZone to browse between editions, pin content, rate content, build favorites lists, etc. 
Thanks and Regards,
Aruna Srinivasan (She/Her)
Client Services Consultant - Tanzu Customer Success
