Security bulletins

The following describes all security bulletins related to Apigee.

To get the latest security bulletins delivered to you, do one of the following:

Add the URL of this page to your feed reader.
Add the feed URL directly to your feed reader: https://cloud.google.com/feeds/apigee-security-bulletins.xml

GCP-2024-040

Published: 2024-07-02

Edge Public Cloud

Description	Severity	Notes
A remote code execution vulnerability, CVE-2024-6387, was recently discovered in OpenSSH. The vulnerability exploits a race condition that could be used to obtain access to a remote shell, enabling attackers to gain root access to GKE nodes. At the time of publication, Apigee Edge for Public Cloud is not exploitable and mitigations are in place. Even though this CVE is not exploitable, Apigee will upgrade the workloads to address the above CVE. What should I do? No action item is required from Apigee users. Patching for workloads will be done in the upcoming days and the security bulletin will be updated once the patching is completed.	Critical

Description

Severity

Notes

Even though this CVE is not exploitable, Apigee will upgrade the workloads to address the above CVE.

What should I do?

No action item is required from Apigee users.

Patching for workloads will be done in the upcoming days and the security bulletin will be updated once the patching is completed.

Critical

Edge Private Cloud

Description Severity

A remote code execution vulnerability, CVE-2024-6387, was recently discovered in OpenSSH. The vulnerability exploits a race condition that could be used to obtain access to a remote shell, enabling attackers to gain root access to VM nodes. Edge Private Cloud customers own and manage the VMs/Physical hosts where Edge Private Cloud is deployed.

Version	Impact
OpenSSH < 4.4p1	Vulnerable
4.4p1 <= OpenSSH < 8.5p1	Not Vulnerable
8.5p1 <= OpenSSH < 9.8p1	Vulnerable

What should I do?

Review the OpenSSH version by issuing the command ssh -V and validate the OpenSSH version. If you are running on any OpenSSH versions that are impacted, update to a version which is NOT vulnerable to this CVE. OpenSSH has released 9.8p1 on July 1, 2024.

Critical

Edge Microgateway

Description Severity Notes

A remote code execution vulnerability, CVE-2024-6387, was recently discovered in OpenSSH. The vulnerability exploits a race condition that could be used to obtain access to a remote shell, enabling attackers to gain root access to VM nodes. Edge Microgateway customers own and manage the VMs/Physical hosts where Edge Microgateway is deployed.

Version	Impact
OpenSSH < 4.4p1	Vulnerable
4.4p1 <= OpenSSH < 8.5p1	Not Vulnerable
8.5p1 <= OpenSSH < 9.8p1	Vulnerable

What should I do?

Please review the OpenSSH version by issuing commands ssh -V and validate the OpenSSH version. If you are running on any OpenSSH versions which are impacted, please update to a version which is NOT vulnerable to this CVE. OpenSSH has released 9.8p1 on July 1, 2024.

Critical

Apigee

Description	Severity	Notes
A remote code execution vulnerability, CVE-2024-6387, was recently discovered in OpenSSH. The vulnerability exploits a race condition that could be used to obtain access to a remote shell, enabling attackers to gain root access to GKE nodes. At the time of publication, Apigee is not exploitable and mitigations are in place. Even though this CVE is not exploitable, Apigee will upgrade the workloads to address CVE-2024-6387. What should I do? No action item is required from Apigee users. Patching for workloads will be done in the upcoming days and the security bulletin will be updated once the patching is completed. Note: If Managed Instance Groups are deployed in a customer project for northbound load balancing, specifically InternalRouting (VPC) and ExternalRouting (MIG), verify the OpenSSH version installed on them. If the version is vulnerable to the CVE, then update to OpenSSH version 9.8p1 released on July 1, 2024 by yourself, as Apigee does not manage these MIGs.	Critical

Description

Severity

Notes

Even though this CVE is not exploitable, Apigee will upgrade the workloads to address CVE-2024-6387.

What should I do?

No action item is required from Apigee users. Patching for workloads will be done in the upcoming days and the security bulletin will be updated once the patching is completed.

Note: If Managed Instance Groups are deployed in a customer project for northbound load balancing, specifically InternalRouting (VPC) and ExternalRouting (MIG), verify the OpenSSH version installed on them. If the version is vulnerable to the CVE, then update to OpenSSH version 9.8p1 released on July 1, 2024 by yourself, as Apigee does not manage these MIGs.

Critical

Apigee hybrid

Description

Severity

Notes

A remote code execution vulnerability, CVE-2024-6387, was recently discovered in OpenSSH. The vulnerability exploits a race condition that could be used to obtain access to a remote shell, enabling attackers to gain root access to GKE nodes. At the time of publication, hybrid images are not vulnerable because OpenSSH is not packaged into any of the hybrid container images. However if your host/GKE-node OS is running with the below vulnerable versions of OpenSSH, your hybrid clusters will be exploitable.

Version	Impact
OpenSSH < 4.4p1	Vulnerable
4.4p1 <= OpenSSH < 8.5p1	Not Vulnerable
8.5p1 <= OpenSSH < 9.8p1	Vulnerable

What should I do?

This issue has been addressed in Google Cloud Customer Care Security Bulletin GCP-2024-040.

For instructions and more details, see the following bulletins:

GKE security bulletin
GKE on VMware security bulletin
GKE on AWS security bulletin
GKE on Azure security bulletin
GKE on Bare Metal security bulletin
AWS: There is no update yet (As of July 1st 2024 2:22 PM PST). Refer their bulletin page for CVE-2024-6387
Azure: There is no update yet (As of July 1st 2024 2:22 PM PST). Refer their bulletin page for CVE-2024-6387
OpenShift: OpenSSH's server (sshd) [CVE-2024-6387] | Red Hat Customer Portal

Critical

GCP-2024-006

Published: 2024-2-5

Description Severity Notes

Description	Severity	Notes
When an Apigee API Management proxy connects to a target endpoint or target server, the proxy does not perform hostname validation for the certificate presented by the target endpoint or target server by default. If hostname validation is not enabled using one of the following options, Apigee proxies connecting to a target endpoint or target server may be at risk for a man-in-the-middle attack by an authorized user. For more information, see Configuring TLS from Edge to the backend (Cloud and Private Cloud). Affected Products Apigee proxy deployments on the following Apigee platforms are affected: Apigee Edge for Public Cloud Apigee Edge for Private Cloud What Should I Do? Customers can utilize either of the following options to enable this validation: Option 1 - Add a configuration to your proxy You can enable validation of your target endpoint or target server by adding a `<CommonName>` configuration to the `SSLInfo` section of the `<HTTPTargetConnection>` element in your proxy configuration as shown: <HTTPTargetConnection> <SSLInfo> <Enabled>true</Enabled> <TrustStore>ref://mytruststoreref</TrustStore> <CommonName>.example.com</CommonName> </SSLInfo> <URL>https://my.example.com/</URL> </HTTPTargetConnection> If this configuration is present in the `<HTTPTargetConnection>` element of your proxy configuration, Apigee will use the value specified in `<CommonName>`for hostname validation. Wildcards may be used in this field. Apigee recommends this approach. You can test proxies individually to confirm that validation is performing as intended, with minimal potential disruption to traffic. For more information on testing hostname validation in your proxies and viewing faults, see Using the Trace Tool. Option 2 - Set an organization-level flag* You can set an Apigee organization-level flag to enable hostname validation for all deployed proxies and targets in your organization. If the `features.strictSSLEnforcement` flag is set to `true` in org properties, hostname validation will be enforced each time the proxy connects to a target endpoint or target server. Note: While this option can help you enable the feature across the organization, hostname validation failures can occur if your targets do not present the expected certificates. For Apigee Edge for Public Cloud deployments: Contact Google Cloud Support to have the `features.strictSSLEnforcement` flag set to `true` in org properties. Note: Enabling this flag will enforce the SSL check for all environments in an organization and all proxies deployed within those environments. For Apigee Edge for Private Cloud deployments: The `features.strictSSLEnforcement` flag can be set to `true` by the organization or system administrator. For more information on setting the flag, see Updating organization properties. Note: When updating organization level flags using the Organizations API, make sure to include all existing flags in your POST request to avoid overwriting earlier configuration settings. Once the flag is set, each message processor must be individually restarted for the change to take effect. Use the following command: apigee-service edge-message-processor restart To roll back this change, use the same Organizations API to set the flag to `false` and then restart each message processor. Note: Enabling this flag will enforce the SSL check for all environments in an organization and all proxies deployed within those environments. However, if `<IgnoreValidationErrors>` is set to `true`, any validation errors detected will be ignored. Apigee recommends implementing this change in non-production environments first, to ensure that the validation works as intended and does not result in production outages. In the event that hostname validation fails for any targets, the following fault message is returned: {"fault":{"faultstring":"SSL Handshake failed java.security.cert.CertificateException: No subject alternative DNS name matching example.com found.","detail":{"errorcode":"messaging.adaptors.http.flow.SslHandshakeFailed"}}}	High

When an Apigee API Management proxy connects to a target endpoint or target server, the proxy does not perform hostname validation for the certificate presented by the target endpoint or target server by default. If hostname validation is not enabled using one of the following options, Apigee proxies connecting to a target endpoint or target server may be at risk for a man-in-the-middle attack by an authorized user. For more information, see Configuring TLS from Edge to the backend (Cloud and Private Cloud).

Affected Products

Apigee proxy deployments on the following Apigee platforms are affected:

Apigee Edge for Public Cloud
Apigee Edge for Private Cloud

What Should I Do?

Customers can utilize either of the following options to enable this validation:

Option 1 - Add a configuration to your proxy

You can enable validation of your target endpoint or target server by adding a <CommonName> configuration to the SSLInfo section of the <HTTPTargetConnection> element in your proxy configuration as shown:

<HTTPTargetConnection>
  <SSLInfo>
    <Enabled>true</Enabled>
    <TrustStore>ref://mytruststoreref</TrustStore>
    <CommonName>*.example.com</CommonName>
  </SSLInfo>
  <URL>https://my.example.com/</URL>
</HTTPTargetConnection>

If this configuration is present in the <HTTPTargetConnection> element of your proxy configuration, Apigee will use the value specified in <CommonName>for hostname validation. Wildcards may be used in this field.

Apigee recommends this approach. You can test proxies individually to confirm that validation is performing as intended, with minimal potential disruption to traffic. For more information on testing hostname validation in your proxies and viewing faults, see Using the Trace Tool.

Option 2 - Set an organization-level flag

You can set an Apigee organization-level flag to enable hostname validation for all deployed proxies and targets in your organization. If the features.strictSSLEnforcement flag is set to true in org properties, hostname validation will be enforced each time the proxy connects to a target endpoint or target server.

Note: While this option can help you enable the feature across the organization, hostname validation failures can occur if your targets do not present the expected certificates.

For Apigee Edge for Public Cloud deployments:
Contact Google Cloud Support to have the features.strictSSLEnforcement flag set to true in org properties.

Note: Enabling this flag will enforce the SSL check for all environments in an organization and all proxies deployed within those environments.
For Apigee Edge for Private Cloud deployments:
The features.strictSSLEnforcement flag can be set to true by the organization or system administrator. For more information on setting the flag, see Updating organization properties.

Note: When updating organization level flags using the Organizations API, make sure to include all existing flags in your POST request to avoid overwriting earlier configuration settings.

Once the flag is set, each message processor must be individually restarted for the change to take effect. Use the following command:
```
apigee-service edge-message-processor restart
```
To roll back this change, use the same Organizations API to set the flag to false and then restart each message processor.

Note: Enabling this flag will enforce the SSL check for all environments in an organization and all proxies deployed within those environments. However, if <IgnoreValidationErrors> is set to true, any validation errors detected will be ignored.

Apigee recommends implementing this change in non-production environments first, to ensure that the validation works as intended and does not result in production outages. In the event that hostname validation fails for any targets, the following fault message is returned:

{"fault":{"faultstring":"SSL Handshake failed java.security.cert.CertificateException: No subject alternative DNS name matching example.com found.","detail":{"errorcode":"messaging.adaptors.http.flow.SslHandshakeFailed"}}}

High

GCP-2023-032

Published: 2023-10-13

Updated: 2023-11-03

Description	Severity	Notes
2023-11-03 Update: Added known issue for Apigee Edge for Private Cloud. A Denial-of-Service (DoS) vulnerability was recently discovered in multiple implementations of the HTTP/2 protocol (CVE-2023-44487), including the Apigee Ingress (Cloud Service Mesh) service used by Apigee X and Apigee hybrid. The vulnerability could lead to a DoS of Apigee API management functionality. Affected Products Apigee X Deployments of Apigee X that are accessible through a Google Cloud Network Load Balancer (Layer 4), or a custom layer 4 load balancer, are affected. A hotfix has been applied to all Apigee X instances. Apigee hybrid Apigee hybrid instances that allow HTTP/2 requests to reach the Apigee Ingress are affected. Customers should verify if the load balancers fronting their Apigee hybrid ingresses allow for HTTP/2 requests to reach the Apigee Ingress service. Apigee Edge for Private Cloud The Edge for Private Cloud router and management server components are exposed to the internet and can potentially be vulnerable. Although HTTP/2 is enabled on the management port of other Edge-specific components of Edge for Private Cloud, none of those components are exposed to the internet. On non-Edge components, like Cassandra, Zookeeper and others, HTTP/2 is not enabled. We recommend that you take the steps in Known issues with Edge for Private Cloud to address the Edge for Private Cloud vulnerability. Unaffected products Apigee X Apigee X instances which are accessed only via Google Cloud Application Load Balancers (Layer 7) are not affected. This includes deployments that have HTTP/2 enabled for gRPC proxies. Google Cloud API Gateway Google Cloud API Gateway is not affected. Apigee Edge Cloud Apigee Edge Cloud is not impacted by this vulnerability. What Should I Do? Apigee X November 3, 2023 Update: the vulnerability has been addressed via the update to Apigee X instances that was released on October 13, 2023. See the Release notes for details. Apigee hybrid Apigee hybrid customers will need to upgrade to one of the following patch versions: v1.10.3-hotfix.2 released on Friday, October 13, 2023 v1.9.4-hotfix.1 released on Friday, October 13, 2023 Apigee Edge for Private Cloud Apigee Edge for Private Cloud users can follow the instructions published in Known issues with Edge for Private Cloud for explicit disablement of HTTP/2 for exposed components. What Vulnerabilities Are Addressed By These Patches? The vulnerability, CVE-2023-44487, could lead to a DoS of Apigee API management functionality.	High	CVE-2023-44487

Description

Severity

Notes

2023-11-03 Update: Added known issue for Apigee Edge for Private Cloud.

A Denial-of-Service (DoS) vulnerability was recently discovered in multiple implementations of the HTTP/2 protocol (CVE-2023-44487), including the Apigee Ingress (Cloud Service Mesh) service used by Apigee X and Apigee hybrid. The vulnerability could lead to a DoS of Apigee API management functionality.

Affected Products

Apigee X

Deployments of Apigee X that are accessible through a Google Cloud Network Load Balancer (Layer 4), or a custom layer 4 load balancer, are affected. A hotfix has been applied to all Apigee X instances.
Apigee hybrid

Apigee hybrid instances that allow HTTP/2 requests to reach the Apigee Ingress are affected. Customers should verify if the load balancers fronting their Apigee hybrid ingresses allow for HTTP/2 requests to reach the Apigee Ingress service.
Apigee Edge for Private Cloud

The Edge for Private Cloud router and management server components are exposed to the internet and can potentially be vulnerable. Although HTTP/2 is enabled on the management port of other Edge-specific components of Edge for Private Cloud, none of those components are exposed to the internet. On non-Edge components, like Cassandra, Zookeeper and others, HTTP/2 is not enabled. We recommend that you take the steps in Known issues with Edge for Private Cloud to address the Edge for Private Cloud vulnerability.

Unaffected products

Apigee X

Apigee X instances which are accessed only via Google Cloud Application Load Balancers (Layer 7) are not affected. This includes deployments that have HTTP/2 enabled for gRPC proxies.
Google Cloud API Gateway

Google Cloud API Gateway is not affected.
Apigee Edge Cloud

Apigee Edge Cloud is not impacted by this vulnerability.

What Should I Do?

Apigee X

November 3, 2023 Update: the vulnerability has been addressed via the update to Apigee X instances that was released on October 13, 2023. See the Release notes for details.
Apigee hybrid

Apigee hybrid customers will need to upgrade to one of the following patch versions:
- v1.10.3-hotfix.2 released on Friday, October 13, 2023
- v1.9.4-hotfix.1 released on Friday, October 13, 2023
Apigee Edge for Private Cloud

Apigee Edge for Private Cloud users can follow the instructions published in Known issues with Edge for Private Cloud for explicit disablement of HTTP/2 for exposed components.

What Vulnerabilities Are Addressed By These Patches?

The vulnerability, CVE-2023-44487, could lead to a DoS of Apigee API management functionality.

High

CVE-2023-44487