Release notes for Spring Cloud Services for VMware Tanzu

Caution If you install Spring Cloud Services (SCS) v3.1 alongside v2.x, deleting SCS v2.1.2 or earlier will delete the p-spring-cloud-services org used by both v2.x and v3.1. (See Known Issues.) For steps to migrate completely to SCS v3.1, see the Installing or Upgrading topics.

Known issues

Spring Cloud Services v3.1.48 might switch AZs

Caution Spring Cloud Services v3.1.48 activated the single_az_only flag, so its VMs are placed in the AZ used for singleton jobs. This means that if the current VMs are not in the singleton-jobs AZ, they are deleted and recreated in that AZ, which can cause data loss and orphaned disks. This issue has been fixed in v3.1.49.
Spring Cloud Services v3.1.48 has been recalled due to the above issue. Spring Cloud Services v3.1.49 contains all fixes from 3.1.48 other than the single_az_only flag.

Spring Cloud Services <v3.1.48 Config Server is impacted by CVE-2023-20873

Caution SCS Config Server prior to v3.1.48 is susceptible to a security bypass from CVE-2023-20873.
To mitigate this issue, you must either upgrade to v3.1.48+ or deactivate Cloud Foundry actuator endpoints for the backing applications of Config Server instances (`management.cloudfoundry.enabled=false`).

Spring Cloud Services v3.1.46 introduced a bug that causes the backup task to fail due to a directory permission issue

This issue has been fixed in v3.1.47. The workaround in the impacted version is to update the permissions of '/var/vcap/store/mirror' in the mirror service and give read access to other users.

Spring Cloud Services v3.1.42-v3.1.43 have a breaking change regarding timestamp-like values in properties

This was caused by changes in the new version of SnakeYaml that Spring Boot was not able to handle successfully. As a result, values such as 2023-03-03 were parsed as timestamps in the service instance before being sent to the client application. This issue has been fixed in v3.1.46; the workaround in the impacted versions is to quote those values to explicitly make them YAML strings.

Spring Cloud Services 3.1.30+ has a breaking change regarding multi-document and profile-specific configuration files

Spring Cloud Services 3.1.30 upgraded to Spring Boot v2.5, and there are some breaking changes in the way Spring Boot v2.4+ handles multi-document and profile-specific configuration files. If you are using multi-document or profile-specific configuration files, you need to migrate them following the Spring Boot Config Data Migration Guide.

Spring Cloud Services <v3.1.24 Config Server logs sensitive binding information

Sensitive binding information has been logged since version 3.1.0. The impact is that anyone with access to the logs of the p.config-server backing applications in the p-spring-cloud-services org could use these credentials to access service instance APIs.

Please upgrade to version 3.1.24 to resolve this issue.

Spring Cloud Services v3.1.20 introduced a bug in Config Server host key verification

Spring Cloud Services v3.1.20 introduced a problem which can cause the Config Server's SSH host key verification check to incorrectly fail. This problem occurs in the Mirror Service on creation or update of mirrors when host key verification is activated, and the repository being mirrored is served on SSH port 22.

To resolve this issue, upgrade to Spring Cloud Services version 3.1.21.

Spring Cloud Services v3.1.0-v3.1.19 fail on service broker commands with Tanzu Application Service v2.11.x

Tanzu Application Service deprecated the state field for service broker endpoints. This causes Spring Cloud Services v3.1.0 to v3.1.19 to fail on service broker commands for service instances, including create-service, update-service, and bind-service.

To resolve this issue, upgrade to Spring Cloud Services version 3.1.20 which now has Tanzu Application Service v2.11.x support.

Spring Cloud Services v3.1.15 introduced a bug in the Config Server dashboard's mirror synchronization display

Spring Cloud Services v3.1.15 introduced a change that causes existing Config Server instances that have not been upgraded to 3.1.15 or above to not show the result of a Synchronize Mirrors execution on the dashboard. As a result, the commit hash does not update after the mirror has been synchronized. This does not affect the actual mirror synchronization; refreshing the Config Server dashboard shows the current commit hash.

To resolve this issue, upgrade the Config Server instance using the cf update-service [NAME] -c '{"upgrade": true}' command. The Config Server instance dashboard should then behave as expected.

Spring Cloud Services v3.1 shares org used by 2.x

Spring Cloud Services (SCS) v3.1 uses the p-spring-cloud-services org for deployment of backing apps for service instances. SCS v2.x, which is a separate tile, also uses this org. In SCS <= v2.0.10 and <= v2.1.2, the Broker Deregistrar pre-delete lifecycle errand deletes the p-spring-cloud-services org. Because of this, deleting the v2.x tile will also affect the v3.1 tile. Deletion of the p-spring-cloud-services org can result in loss of v3.1 service instance backing apps, potentially affecting client apps bound to the service instances.

If you have installed Spring Cloud Services v3.1 alongside <= v2.0.10 or <= v2.1.2, do NOT delete the v2.x tile. If you do wish to delete the 2.x tile, upgrade to SCS v3.0.4 or later and to SCS v2.0.11 or later (or v2.1.3 or later), and then delete the v2.x tile.

Cannot update credentials for Git repositories that use HTTP(S) URLs

In Spring Cloud Services v3.1.0--v3.1.5, you cannot update credentials for a Git repository that was originally added to a Config Server service instance using an HTTP or HTTPS URL. This means that if the repository's credentials are rotated, the Config Server's mirror service will be unable to update its mirror of the repository.

To resolve this issue, you can update the Config Server to use SSH, rather than HTTP or HTTPS, to access the Git repository. See SSH Repository Access.

3.1.55

Release Date: 16 July 2024

  • Addresses CVE-2024-22257 by upgrading the spring security version.
  • Addresses CVE-2024-22262, CVE-2024-22259 and CVE-2024-22243 by upgrading the spring framework version.
  • Upgrades other dependencies to address some Low and Medium priority CVEs.

Dependency upgrades in this release:

  • Spring Framework to 5.3.37
  • Spring Boot to 2.7.18
  • Spring Cloud to 2021.0.9
  • Spring Security to 5.8.13
  • Cloud Foundry Java Client to 5.12.2

3.1.54

Release Date: 29 August 2023

  • Restricts access to the service instance actuator endpoints to admins, space developers and auditors only.
  • Addresses CVE-2023-34034 and CVE-2023-34035 by upgrading the spring security version.
  • Upgrades dependencies and Bosh releases to address some other Low and Medium priority CVEs.

Dependency upgrades in this release:

  • Spring Boot to 2.7.14
  • Spring Security to 5.8.5

Additionally this release upgraded the following bosh releases:

  • Routing to 0.276.0
  • Backup and Restore SDK to 1.18.87
  • BPM to 1.2.5

3.1.53

Release Date: 18 August 2023

Due to a configuration issue in the release pipeline, this release includes the older version (v3.1.52) of the Spring Cloud Services Bosh Release. Effectively there is no difference between this release and 3.1.52. You may skip this release and upgrade to 3.1.54 instead.

3.1.52

Release Date: 28 July 2023

  • Addresses an issue in Service Registry where peer replications were incomplete in platforms with multiple gorouter instances.
  • Upgrades stemcell minor version to Ubuntu Xenial 621.609.

3.1.51

Release Date: 17 July 2023

  • Addresses CVE-2023-1370 by upgrading the spring security version.
  • Upgrades dependencies and Bosh releases to address some CVEs.

Dependency upgrades in this release:

  • Spring Boot to 2.7.13
  • Spring Cloud to 2021.0.8
  • Spring Cloud App Broker to 1.6.1
  • Spring Security to 5.8.4

Additionally this release upgraded the following bosh releases:

  • PXC (MySQL) to 0.54.0
  • Routing to 0.274.0
  • Backup and Restore SDK to 1.18.81
  • BPM to 1.2.3
  • OpenJDK to 1.8.0_372

3.1.50

Release Date: 23 May 2023

  • Fixes the trust-store permission issue that caused the mirror service to fail to start after a bbr backup or restore.
  • Fixes the Config Server dashboard issue where the assets (CSS, images, and JavaScript files) were not downloaded.

3.1.49

Release Date: 11 May 2023

  • Removes single_az_only flag which was introduced in Spring Cloud Services v3.1.48.
  • Upgrades and fixes from 3.1.48 are included in this release.

3.1.48

Release Date: 26 April 2023

  • Uses a URL-encoded username in the Git URL, to support special characters in the username.
  • Sets keystore passwords via environment variable to prevent password leakage.
  • Fixes the mirror-service storage accessibility issue.
  • Addresses CVE-2023-20873 by upgrading the Spring Boot version.

Dependency upgrades in this release:

  • Spring Boot to 2.7.11
  • Spring Cloud to 2021.0.6
  • Spring Cloud Open Service Broker to 3.6.1
  • Spring Cloud App Broker to 1.6.0

Additionally this release upgraded the following bosh releases:

  • PXC (MySQL) to 0.50.0
  • Routing to 0.260.0
  • Backup and Restore SDK to 1.18.62
  • BPM to 1.1.21
  • OpenJDK to 1.8.0_362

3.1.47

Release Date: 15 March 2023

  • Fixes an issue that caused the backup task to fail due to a directory access issue.

3.1.46

Release Date: 03 March 2023

  • Fixes the issue where timestamp-like values were parsed as timestamps in the service instances.
  • Limits access to the home and storage directories to the owner (mirror) only.
  • Fixes the duplicate GID issue when adding the mirror user.
  • Addresses CVE-2022-45685, CVE-2022-45693 and CVE-2022-40150 by upgrading the Jettison version.
  • Addresses CVE-2022-40151 and CVE-2022-41966 by upgrading the XStream version.

Dependency upgrades in this release:

  • Jettison to 1.5.3
  • XStream to 1.4.20

3.1.43

Release Date: 9 January 2023

  • Sets a 30s cache duration for the UAA client, to avoid caching error responses for a long time.
  • Changes the mirror-service system user (mirror) to a normal user, for security compliance.
  • Upgraded the JDK to 1.8.0_352-b08 for security patches.

Additionally this release upgraded the following bosh releases:

  • PXC (MySQL) to 0.48.0
  • Routing to 0.248.0
  • Backup and Restore SDK to 1.18.59
  • BPM to 1.1.20

3.1.42

Release Date: 3 November 2022

  • Fixes the issue where the dashboard URL was not updated when the apps domain was changed.
  • Fixes the NPE in the config-server dashboard when the label was a commit SHA.
  • Upgraded the JDK to 1.8.0_345-b01 for security patches.

Additionally this release upgraded the following bosh releases:

  • PXC (MySQL) to 0.47.0
  • Routing to 0.244.0
  • Backup and Restore SDK to 1.18.55
  • BPM to 1.1.19
  • Git to 2.24.4

3.1.40

Release Date: 16 August 2022

  • The upgrade-all-instances errand now ignores missing service instances during the upgrade. In foundations with many service instances, the errand may take a couple of hours to finish, and a service instance that was initially listed for upgrade may be removed before its turn to upgrade.
  • Changes the default log-level of Cloud Foundry Java Client in upgrade-all-instances errand to INFO.

3.1.38

Release Date: 4 August 2022

  • Fixed issue in service-registry dashboard where Space Developers and Space Auditors were not authorized to see shared service instances dashboard.

3.1.37

Release Date: 26 May 2022

  • Addresses CVE-2022-22970 and CVE-2022-22978 by upgrading the Spring Boot version.

Dependency upgrades in this release:

  • Spring Boot to 2.5.14

3.1.36

Release Date: 4 May 2022

  • Resolved an issue preventing encrypt.key from being passed to config service instances, which caused the /encrypt endpoint to fail.
  • Addresses CVE-2022-22968 by upgrading the Spring Boot version.

Dependency upgrades in this release:

  • Spring Boot to 2.5.13

3.1.35

Release Date: 15 April 2022

  • Addresses CVE-2020-36518 by upgrading the Jackson version.
  • Addresses CVE-2022-22965 by upgrading the Spring Boot version.

Dependency upgrades in this release:

  • Jackson to 2.13.2
  • Spring Boot to 2.5.12

Note: Because Spring Cloud Services uses Java 8, it is not vulnerable to CVE-2022-22965, and this update is not necessary for secure operation. However, in the interest of avoiding false positives in security tools, and to allow maximum customer confidence, we have produced this maintenance release, which also updates the affected Spring libraries to alleviate any concern.

3.1.32

Release Date: 22 March 2022

This release:

  • Fixed the truststore permissions issue in the mirror-service post-backup by recreating the truststore.
  • Fixed an issue in the dashboard page where the dashboard client-id was not loaded from CredHub.

3.1.31

Release Date: 22 March 2022

This release:

  • Added support for Tanzu Application Service version 2.13.x.
  • Upgraded the JDK to 1.8.0_322-b06 for security patches.

Additionally this release upgraded the following bosh releases:

  • PXC (MySQL) to 0.41.0
  • Routing to 0.230.0
  • Backup and Restore SDK to 1.8.35
  • BPM to 1.1.16

3.1.30

Release Date: 8th March 2022

  • Spring Boot has been upgraded to 2.5.9 and Spring Cloud has been upgraded to 2020.0.4.
  • Cloud Foundry Java Client has been upgraded to 5.7.0, resolving an issue in which UAA tokens become expired.
  • The upgrade-all-instances errand now excludes failed or in-progress service instances and only upgrades service instances in the succeeded state.

Dependency upgrades in this release:

  • Spring Boot to 2.5.9
  • Spring Cloud to 2020.0.4
  • Spring Cloud App Broker to 1.4.0
  • Spring Cloud Open Service Broker to 3.4.1
  • Spring CredHub to 2.2.0
  • Cloud Foundry Java Client to 5.7.0

Important Since the upgrade-all-instances errand now excludes failed or in-progress service instances, those instances need to be upgraded manually afterwards.

Important There are some breaking changes in the way Spring Boot v2.4+ handles multi-document and profile-specific configuration files. If you are using multi-document or profile-specific configuration files, you need to migrate them following the Spring Boot Config Data Migration Guide.

3.1.29

Release Date: 3rd February 2022

  • Addresses CVE-2021-45105 and CVE-2021-44832. Spring Cloud Services does not include log4j-core in supported versions, and all other log4j-related dependencies have been updated.
  • Limited the number of concurrent upgrades during the upgrade-all-instances errand to resolve several potential issues during the errand. This value is configurable through the "concurrent service instance upgrade" setting.
  • Errands now use the same service instance status timeout as the SCS broker, improving the resiliency of errands to timeouts.

Dependency upgrades in this release:

  • Apache log4j-api to 2.17.1
  • Apache log4j-to-slf4j to 2.17.1

Important A tile configuration property called status-change-timeout-minutes has been renamed to service-completion-timeout-minutes in this release. If you are using the CLI to upgrade SCS, you need to update your config files to use the new property name.

3.1.27

Release Date: 15th December 2021

  • Addresses CVE-2021-45046. Spring Cloud Services does not include log4j-core in supported versions, and all other log4j-related dependencies have been updated.

Dependency upgrades in this release:

  • Apache log4j-api to 2.16
  • Apache log4j-to-slf4j to 2.16

3.1.26

Release Date: 13th December 2021

  • Addresses CVE-2021-44228. Spring Cloud Services does not include log4j-core in supported versions, and all other log4j-related dependencies have been updated.

Dependency upgrades in this release:

  • Apache log4j-api to 2.15
  • Apache log4j-to-slf4j to 2.15

3.1.25

Release Date: 30th November 2021

  • Fixed an issue in the Mirror Service where the connection pool to UAA was getting exhausted because some connections were stuck in the CLOSE_WAIT state.

3.1.24

Release Date: 10th November 2021

  • Fixed issue in Config Server where sensitive binding details were being logged.

3.1.23

Release Date: 14th October 2021

  • Added errand that can be turned on to upgrade all existing instances on the foundation

3.1.22

Release Date: 2nd September 2021

  • Resolved issue where some network connections were remaining in CLOSE_WAIT state

3.1.21

Release Date: 29th June 2021

  • Fixed Config Server host key verification for Git servers running on SSH port 22

3.1.20

Release Date: 13th May 2021

  • Added support for Tanzu Application Service version 2.11.x

3.1.19

Release Date: 17th February 2021

  • Added the ability to deactivate CredHub integration from the tile
  • Fixed an error where the mirror-service periodic refresh fails
  • Upgraded PXC (MySQL) release to activate TLS

3.1.18

Release Date: 8th December 2020

  • Added support for Spring Boot 2.3

3.1.17

Release Date: 27th October 2020

  • Added support for http(s) proxy in the mirror-service.

3.1.16

Release Date: 7th October 2020

  • Resolved an issue with login to the dashboard due to an invalid redirect URI being generated by the Config Server.
  • Added support for configuring a Git SSH URL on the Config Server.
  • Fixed a regression where plaintext files were not served with the default label in the root of the repo.
  • Allowed the Vault token to renew when using a composite Config Server configuration.
  • Added the "perfstandbyok" and "standbyok" parameters to the Vault health check.

3.1.15

Release Date: 25th August 2020

  • Resolved an issue where, when a Git repository in a Config Server composite configuration array failed during refresh with periodic set to true, all subsequent Git repository refreshes also failed.
  • Resolved an issue with the Config Server service instance dashboard responding with a 500 internal server error when HashiCorp Vault is configured.

3.1.14

Release Date: 13th July 2020

  • Resolved issue with Git repository passwords not encoding some special characters appropriately leading to failed mirroring of the repository.

3.1.13

Release Date: 13th July 2020

  • Resolved issue with application-security-groups configuration not applying on cf create-service.

3.1.12

Release Date: 25th June 2020

  • Added ability to provide names of Application Security Groups (ASGs) to be used for a service instance. When creating or updating a service instance using the cf create-service or cf update-service commands, you can include an application-security-groups parameter listing the ASGs which should be applied for the service instance, and these ASGs will be added to the space used by the service instance's backing app.
  • The configuration shown on a Config Server service instance's dashboard now includes the list of ASGs applied for that service instance.
  • The Config Server is now compatible with the Service Instance Logging cf CLI plug-in cf service-logs (or cf sil) command, including the --recent flag.
  • The Service Registry is now compatible with the Service Instance Logging cf CLI plug-in cf service-logs (or cf sil) command, including the --recent flag.

3.1.11

Release Date: 29th May 2020

  • Added ability to activate off-platform service key access for service instances in tile configuration.
  • Fixed an issue where, when a Config Server Git repo was set to a specific label, executing "Sync Mirrors" from the dashboard reported the incorrect commit hash after the sync.
  • Fixed an issue when the Config Server uses a Git repo with no master branch.
  • Fixed an issue when the Config Server is configured with multiple Git repos with the same URL but different labels.

3.1.10

Release Date: 4th May 2020

  • Fixed an issue for users with the Space Developer role accessing dashboards when a significant number of spaces exist on the platform.

3.1.9

Release Date: 21st April 2020

  • Upgraded stemcell major version to Ubuntu Xenial 621.*.

3.1.8

Release Date: 14th April 2020

  • Fixed issue with periodic configuration view on service instance dashboard.

3.1.7

Release Date: 27th March 2020

  • Added ability to see that encrypt.key is configured via Config Server dashboard but redacted to ensure key token is not exposed.
  • Added back API support on Config Server service instances to encrypt values based on encrypt.key configured token.

3.1.6

Release Date: 13th March 2020

  • Removed ability to create service keys to ensure secure access for client applications.
  • Added the ability to set encrypt.key on Git repository configurations, allowing hashed secrets in property files.
  • Fixed issue with updating credentials on Git repository defined with a HTTPS URI.
  • Fixed issue with custom domain not being used in dashboard URL.

3.1.5

Release Date: 22nd January 2020

  • Further improved fix for rotating Certificate Authorities while maintaining certificate uniqueness in errand JVM truststore.

3.1.4

Release Date: 15th January 2020

  • A periodic parameter added to Config Server service instance configuration updates Git repository mirrors on the Config Server's mirror service every five minutes.
  • Added tile configuration for the timeout used for pushing backing apps for a service instance.
  • Fixed an issue that could cause a server error to appear on the Config Server dashboard when using the HashiCorp Vault backend.
  • Fixed use of the default label configured per Config Server Git repository for client app property requests.

3.1.3

Release Date: 25th November 2019

  • Fixed issue when rotating Certificate Authorities while maintaining certificate uniqueness in errand JVM truststore.

3.1.2

Release Date: 14th November 2019

  • Fixed CredHub bootstrapper errand so that it can update client credential permissions when re-running after tile install failure.

3.1.1

Release Date: 28th October 2019

  • Resolved issue with accessing service instance dashboard when VMware Tanzu Application Service for VMs (TAS for VMs) tile is configured with "Authentication and Enterprise SSO" as SAML.

v3.1.0

Release Date: 7th October 2019

Enhancements included in this release:

  • The Spring Cloud Services broker has been upgraded to Spring Boot 2.1.8.RELEASE and Spring Cloud Greenwich.SR3.
  • Service Registry service has been added back with a new name: p.service-registry.
  • The existing Service Registry configuration options have not changed although there is now a new option named peer-timeout that can be set in milliseconds. This can alleviate issues with peer replication timing out when there is higher latency in the network between peers.
  • There is now a process for doing backup and restore of Spring Cloud Services stateful resources.

Important items to note:

  • Spring Cloud Services v3.1.0 does not include Circuit Breaker Dashboard services. To use these services, you can install Spring Cloud Services v2.0 alongside v3.1.0.

    Warning: You cannot upgrade to Ops Manager v2.7 if you are running Spring Cloud Services v2.0.

  • The Circuit Breaker Dashboard service will not return, as the underlying Netflix OSS Hystrix Dashboard project has been deprecated.