To mitigate two High Severity UAA vulnerabilities, we will upgrade all Cloud Foundry components tomorrow. We do not expect downtime, but you may experience one of the following inconveniences during the maintenance:
- Inability to push or restage apps, as the Staging components' auth is migrated to mutual TLS.
- App instances will be restarted. You should not experience downtime, since the Executors are evacuated before they restart. We still advise you to use at least 2 instances of production apps at all times.
- Depending on your cf CLI version, you may need to upgrade your CLI. You can always find the latest CLI version here: https://github.com/cloudfoundry/cli/releases
- Connection rubberbanding while the Routing Components reboot.
UAA vulnerabilities that will be mitigated:
- CVE-2017-4973: Privilege Escalation in UAA: https://www.cloudfoundry.org/cve-2017-4973/
- CVE-2017-4972: Blind SQL Injection in UAA: https://www.cloudfoundry.org/cve-2017-4972/