Guidance for cloud.gov customers in complying with DHS BOD 22-01
On November 3, 2021, the DHS Cybersecurity and Infrastructure Security Agency (CISA) published Binding Operational Directive 22-01.
In part, this BOD, “establishes a CISA-managed catalog of known exploited vulnerabilities (KEVs) that carry significant risk to the federal enterprise and establishes requirements for agencies to remediate any such vulnerabilities included in the catalog.”
For cloud.gov customers, there are three responsibility realms with respect to KEVs:
Customer responsibility: Ensuring your application code and dependencies do not include KEVs.
Shared responsibility: cloud.gov is responsible for providing “buildpacks” (container OS + language libraries) that we update regularly to be free of KEVs, but customers are responsible for regularly re-staging their applications to use the updated buildpacks.
- Some past buildpacks are known to include KEVs. If you have re-staged or updated your application after November 10, 2021, then you do not have any buildpack-level KEVs.
- In the future, we will review updates to the DHS KEV list, and will notify customers when you need to restage your app to mitigate the vulnerability.
cloud.gov responsibility: It’s cloud.gov’s responsibility to ensure there are no KEVs within our underlying infrastructure. We do not publicly confirm nor deny our status with respect to DHS BODs, nor can we provide updates via the FedRAMP Max.gov repository (per PMO guidance). If you need more information, please open a cloud.gov support request.
PHP buildpack users: The PHP buildpack v4.4.46 (released on cloud.gov October 13, 2021) included Apache httpd 2.4.49, which is on the KEV list. Our release of PHP buildpack v4.4.49 on November 10, 2021, included the patched httpd. Customers using the PHP buildpack should restage their applications, if they have not already, so PHP apps will use the updated buildpack.
The related CVE, CVE-2021-41773 was not exploitable on cloud.gov unless a customer took the unusual steps of overriding the default values of the PHP buildpack, as described more fully in the Cloud Foundry documentation, by changing settings in
Version information: Originally published 2021-11-15, updated 2023-06-12 to clarify PMO guidance on notifications.