Tanzu Build Service to overcome Log4j CVE-2021-44228

The recent Log4j security vulnerability (CVE-2021-44228) made it once again very clear that robust and fast handling in your development lifecycle is crucial. Because log4j is so widespread and intertwined with many applications, it’s a major security risk that should have been fixed yesterday.


Scan and fix in minutes

Companies run hundreds of applications. Identifying and rolling out updates for all of these applications can be complex and very time consuming.

Automation is key and the degree in which you can react as a company to these risks is vital.

The 1st question is: can you easily identify which applications/services are impacted? There are many vulnerability scanners out there and you should have at least one integrated in your CI/CD pipeline. Not only on application level but also on a container level to check for best practices, standards and security risks.

The 2nd question: once you have identified the impacted applications, how easy is it to roll out fixes? Does it take manual intervention and downtime? Or can you apply these fixes in an automated way without any impact?

Cloud Native Buildpacks

At Galagio, we help companies get their applications to production in a fast but robust way. A key component in modern development is the use of containers, and for that we rely on Cloud Native Buildpacks. This project was initiated by Pivotal and Heroku and is at the heart of transforming your source code into a runnable application image that follows container standards regarding security as well as architecture.

fig. 1 : Transform application to container image

One of these best practices is to make use of image layers to separate your application code from the library dependencies. This allows a very smooth upgrade process: image layer rebasing lets app developers and operators rapidly update an app image when its stack’s run image has changed. This avoids the need to fully rebuild the app, and by using a platform like Tanzu Build Service this can even be done in an automated way.

fig. 2 : Rebase run image 

Tanzu Build Service

Tanzu Build Service offers the convenience of these workflows with more automation and the governance capabilities enterprises need. It is based on Cloud Native Buildpacks and follows a declarative model to execute builds automatically against user-defined.

Tanzu Build Service uses Cloud Native Buildpacks to rebase app images when specialized contractual base images are updated in a registry. When such a new base image is detected, Tanzu Build Service will automatically detect the applications that are based on this image and will deliver new application images to your registry reflecting these updates.

This means you can resolve common vulnerabilities and exposures (CVE), like the recent Log4j CVE-2021-44228, without a rebuild and without sacrificing control, by introducing operator-driven image promotion. Tanzu Build Service includes a powerful, team-based permissions model so platform operators can control the Buildpack configurations that groups of developers are allowed to use.
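As an added illustration (not code from Galagio, Tanzu Build Service or the Cloud Native Buildpacks project), the following Python simulates the layer rebase described in the two sections above over constructed image manifests: it swaps the run-image layers beneath the app, carries the buildpack and application layers over unchanged, and refuses to rebase across stacks. The `io.buildpacks.stack.id` label and the stack id are real values; the image names and layer digests are constructed.

```python
from dataclasses import dataclass, field

# Real label that the buildpacks lifecycle sets on stack images; all image
# names, stack values and layer digests below are constructed sample data.
STACK_ID_LABEL = "io.buildpacks.stack.id"


@dataclass(frozen=True)
class Image:
    name: str
    layers: tuple                       # ordered layer digests, base OS layer first
    labels: dict = field(default_factory=dict)


def rebase(app: Image, old_run: Image, new_run: Image) -> Image:
    """Return app with its run-image layers replaced by those of new_run.

    Two checks a rebase relies on: both run images must belong to the same
    stack, and the app image must actually sit on top of old_run.
    """
    if old_run.labels.get(STACK_ID_LABEL) != new_run.labels.get(STACK_ID_LABEL):
        raise ValueError("stack id mismatch; refusing to rebase onto another stack")
    depth = len(old_run.layers)
    if app.layers[:depth] != old_run.layers:
        raise ValueError(f"{app.name} was not built on {old_run.name}")
    # Everything above the run image (buildpack-provided runtime, application
    # dependencies, application code) is carried over unchanged: no rebuild.
    return Image(app.name, new_run.layers + app.layers[depth:], dict(app.labels))


def changed_layers(before: Image, after: Image) -> set:
    """Digests present in exactly one of the two images: what the rebase touched."""
    return set(before.layers) ^ set(after.layers)


# Constructed scenario: an app built on an old run image, rebased after the
# stack maintainers publish a patched run image with the same stack id.
STACK = "io.buildpacks.stacks.bionic"
OLD_RUN = Image("paketo-run:old", ("sha256:os-0001", "sha256:libs-0001"), {STACK_ID_LABEL: STACK})
NEW_RUN = Image("paketo-run:new", ("sha256:os-0002", "sha256:libs-0002"), {STACK_ID_LABEL: STACK})
APP = Image("registry.example/shop:1.4",
            OLD_RUN.layers + ("sha256:jre-0001", "sha256:app-deps-0001", "sha256:app-code-0001"),
            {STACK_ID_LABEL: STACK})

if __name__ == "__main__":
    rebased = rebase(APP, OLD_RUN, NEW_RUN)
    print("layers after rebase:", rebased.layers)
    print("touched by rebase:  ", sorted(changed_layers(APP, rebased)))
```

The output makes the boundary visible: only the run-image layers change, so which layer holds a given vulnerable component decides whether a rebase alone, or a rebuild, is the right remediation.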

How can we help?

Companies should use this recent Log4j risk as an opportunity to revise the way applications are built and managed. Tools like Cloud Native Buildpacks & Tanzu Build Service are key in fixing CVE issues quickly and reliably.

Let’s discuss the pains this recent CVE introduced in your company and demo how to ease that pain in the future. Let us help you get your applications to production in a fast but robust way.
