Security bulletins

The following describes all security bulletins related to Apigee.

To get the latest security bulletins delivered to you, do one of the following:

  • Add the URL of this page to your feed reader.
  • Add the feed URL directly to your feed reader: https://cloud.google.com/feeds/apigee-security-bulletins.xml

GCP-2024-040

Published: 2024-07-02

Edge Public Cloud

Description Severity Notes

A remote code execution vulnerability, CVE-2024-6387, was recently discovered in OpenSSH. The vulnerability exploits a race condition that could be used to obtain access to a remote shell, enabling attackers to gain root access to GKE nodes. At the time of publication, Apigee Edge for Public Cloud is not exploitable and mitigations are in place.

Even though this CVE is not exploitable, Apigee will upgrade the workloads to address the above CVE.

What should I do?

No action item is required from Apigee users.

Patching for workloads will be done in the upcoming days and the security bulletin will be updated once the patching is completed.

Critical

Edge Private Cloud

Description Severity

A remote code execution vulnerability, CVE-2024-6387, was recently discovered in OpenSSH. The vulnerability exploits a race condition that could be used to obtain access to a remote shell, enabling attackers to gain root access to VM nodes. Edge Private Cloud customers own and manage the VMs/Physical hosts where Edge Private Cloud is deployed.

Version Impact
OpenSSH < 4.4p1 Vulnerable
4.4p1 <= OpenSSH < 8.5p1 Not Vulnerable
8.5p1 <= OpenSSH < 9.8p1 Vulnerable

What should I do?

Review the OpenSSH version by issuing the command ssh -V and validate the OpenSSH version. If you are running on any OpenSSH versions that are impacted, update to a version which is NOT vulnerable to this CVE. OpenSSH has released 9.8p1 on July 1, 2024.

Critical

Edge Microgateway

Description Severity Notes

A remote code execution vulnerability, CVE-2024-6387, was recently discovered in OpenSSH. The vulnerability exploits a race condition that could be used to obtain access to a remote shell, enabling attackers to gain root access to VM nodes. Edge Microgateway customers own and manage the VMs/Physical hosts where Edge Microgateway is deployed.

Version Impact
OpenSSH < 4.4p1 Vulnerable
4.4p1 <= OpenSSH < 8.5p1 Not Vulnerable
8.5p1 <= OpenSSH < 9.8p1 Vulnerable

What should I do?

Please review the OpenSSH version by issuing commands ssh -V and validate the OpenSSH version. If you are running on any OpenSSH versions which are impacted, please update to a version which is NOT vulnerable to this CVE. OpenSSH has released 9.8p1 on July 1, 2024.

Critical

Apigee

Description Severity Notes

A remote code execution vulnerability, CVE-2024-6387, was recently discovered in OpenSSH. The vulnerability exploits a race condition that could be used to obtain access to a remote shell, enabling attackers to gain root access to GKE nodes. At the time of publication, Apigee is not exploitable and mitigations are in place.

Even though this CVE is not exploitable, Apigee will upgrade the workloads to address CVE-2024-6387.

What should I do?

No action item is required from Apigee users. Patching for workloads will be done in the upcoming days and the security bulletin will be updated once the patching is completed.

Note: If Managed Instance Groups are deployed in a customer project for northbound load balancing, specifically InternalRouting (VPC) and ExternalRouting (MIG), verify the OpenSSH version installed on them. If the version is vulnerable to the CVE, then update to OpenSSH version 9.8p1 released on July 1, 2024 by yourself, as Apigee does not manage these MIGs.

Critical

Apigee hybrid

Description Severity Notes

A remote code execution vulnerability, CVE-2024-6387, was recently discovered in OpenSSH. The vulnerability exploits a race condition that could be used to obtain access to a remote shell, enabling attackers to gain root access to GKE nodes. At the time of publication, hybrid images are not vulnerable because OpenSSH is not packaged into any of the hybrid container images. However if your host/GKE-node OS is running with the below vulnerable versions of OpenSSH, your hybrid clusters will be exploitable.

Version Impact
OpenSSH < 4.4p1 Vulnerable
4.4p1 <= OpenSSH < 8.5p1 Not Vulnerable
8.5p1 <= OpenSSH < 9.8p1 Vulnerable

What should I do?

This issue has been addressed in Google Cloud Customer Care Security Bulletin GCP-2024-040.

For instructions and more details, see the following bulletins:

Critical

GCP-2024-006

Published: 2024-2-5

Description Severity Notes

When an Apigee API Management proxy connects to a target endpoint or target server, the proxy does not perform hostname validation for the certificate presented by the target endpoint or target server by default. If hostname validation is not enabled using one of the following options, Apigee proxies connecting to a target endpoint or target server may be at risk for a man-in-the-middle attack by an authorized user. For more information, see Configuring TLS from Edge to the backend (Cloud and Private Cloud).

Affected Products

Apigee proxy deployments on the following Apigee platforms are affected:

  • Apigee Edge for Public Cloud
  • Apigee Edge for Private Cloud

What Should I Do?

Customers can utilize either of the following options to enable this validation:

Option 1 - Add a configuration to your proxy

You can enable validation of your target endpoint or target server by adding a <CommonName> configuration to the SSLInfo section of the <HTTPTargetConnection> element in your proxy configuration as shown:

<HTTPTargetConnection>
  <SSLInfo>
    <Enabled>true</Enabled>
    <TrustStore>ref://mytruststoreref</TrustStore>
    <CommonName>*.example.com</CommonName>
  </SSLInfo>
  <URL>https://my.example.com/</URL>
</HTTPTargetConnection>

If this configuration is present in the <HTTPTargetConnection> element of your proxy configuration, Apigee will use the value specified in <CommonName>for hostname validation. Wildcards may be used in this field.

Apigee recommends this approach. You can test proxies individually to confirm that validation is performing as intended, with minimal potential disruption to traffic. For more information on testing hostname validation in your proxies and viewing faults, see Using the Trace Tool.

Option 2 - Set an organization-level flag

You can set an Apigee organization-level flag to enable hostname validation for all deployed proxies and targets in your organization. If the features.strictSSLEnforcement flag is set to true in org properties, hostname validation will be enforced each time the proxy connects to a target endpoint or target server.

Note: While this option can help you enable the feature across the organization, hostname validation failures can occur if your targets do not present the expected certificates.

  • For Apigee Edge for Public Cloud deployments:

    Contact Google Cloud Support to have the features.strictSSLEnforcement flag set to true in org properties.

    Note: Enabling this flag will enforce the SSL check for all environments in an organization and all proxies deployed within those environments.

  • For Apigee Edge for Private Cloud deployments:

    The features.strictSSLEnforcement flag can be set to true by the organization or system administrator. For more information on setting the flag, see Updating organization properties.

    Note: When updating organization level flags using the Organizations API, make sure to include all existing flags in your POST request to avoid overwriting earlier configuration settings.

    Once the flag is set, each message processor must be individually restarted for the change to take effect. Use the following command:

    apigee-service edge-message-processor restart

    To roll back this change, use the same Organizations API to set the flag to false and then restart each message processor.

    Note: Enabling this flag will enforce the SSL check for all environments in an organization and all proxies deployed within those environments. However, if <IgnoreValidationErrors> is set to true, any validation errors detected will be ignored.

Apigee recommends implementing this change in non-production environments first, to ensure that the validation works as intended and does not result in production outages. In the event that hostname validation fails for any targets, the following fault message is returned:

{"fault":{"faultstring":"SSL Handshake failed java.security.cert.CertificateException: No subject alternative DNS name matching example.com found.","detail":{"errorcode":"messaging.adaptors.http.flow.SslHandshakeFailed"}}}
High

GCP-2023-032

Published: 2023-10-13

Updated: 2023-11-03

Description Severity Notes

2023-11-03 Update: Added known issue for Apigee Edge for Private Cloud.

A Denial-of-Service (DoS) vulnerability was recently discovered in multiple implementations of the HTTP/2 protocol (CVE-2023-44487), including the Apigee Ingress (Cloud Service Mesh) service used by Apigee X and Apigee hybrid. The vulnerability could lead to a DoS of Apigee API management functionality.

Affected Products

  • Apigee X

    Deployments of Apigee X that are accessible through a Google Cloud Network Load Balancer (Layer 4), or a custom layer 4 load balancer, are affected. A hotfix has been applied to all Apigee X instances.

  • Apigee hybrid

    Apigee hybrid instances that allow HTTP/2 requests to reach the Apigee Ingress are affected. Customers should verify if the load balancers fronting their Apigee hybrid ingresses allow for HTTP/2 requests to reach the Apigee Ingress service.

  • Apigee Edge for Private Cloud

    The Edge for Private Cloud router and management server components are exposed to the internet and can potentially be vulnerable. Although HTTP/2 is enabled on the management port of other Edge-specific components of Edge for Private Cloud, none of those components are exposed to the internet. On non-Edge components, like Cassandra, Zookeeper and others, HTTP/2 is not enabled. We recommend that you take the steps in Known issues with Edge for Private Cloud to address the Edge for Private Cloud vulnerability.

Unaffected products

  • Apigee X

    Apigee X instances which are accessed only via Google Cloud Application Load Balancers (Layer 7) are not affected. This includes deployments that have HTTP/2 enabled for gRPC proxies.

  • Google Cloud API Gateway

    Google Cloud API Gateway is not affected.

  • Apigee Edge Cloud

    Apigee Edge Cloud is not impacted by this vulnerability.

What Should I Do?

  • Apigee X

    November 3, 2023 Update: the vulnerability has been addressed via the update to Apigee X instances that was released on October 13, 2023. See the Release notes for details.

  • Apigee hybrid

    Apigee hybrid customers will need to upgrade to one of the following patch versions:

  • Apigee Edge for Private Cloud

    Apigee Edge for Private Cloud users can follow the instructions published in Known issues with Edge for Private Cloud for explicit disablement of HTTP/2 for exposed components.

What Vulnerabilities Are Addressed By These Patches?

The vulnerability, CVE-2023-44487, could lead to a DoS of Apigee API management functionality.

High CVE-2023-44487