On March 30, 2021, we released a new version of Apigee Edge for Private Cloud.
Update procedure
Updating this release will update the components in the following list of RPMs:
- edge-gateway-4.50.00-0.0.20116.noarch.rpm
- edge-management-server-4.50.00-0.0.20116.noarch.rpm
- edge-message-processor-4.50.00-0.0.20116.noarch.rpm
- edge-postgres-server-4.50.00-0.0.20116.noarch.rpm
- edge-qpid-server-4.50.00-0.0.20116.noarch.rpm
- edge-router-4.50.00-0.0.20116.noarch.rpm
- edge-ui-4.50.00-0.0.20173.noarch.rpm
You can check the RPM versions you currently have installed, to see if they need to be updated, by entering:
apigee-all version
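The same check as a script, added here as an example that is not part of the Apigee documentation: it compares installed package builds with the RPM list above. It assumes `rpm -q --qf` output rather than the output of `apigee-all version`, and the function name `check_updates` and the sample lines are constructed for the illustration.

```bash
#!/usr/bin/env bash
# Added example: flag Edge RPMs that are older than the builds in this release.

# Name and version-release of each RPM listed for this release.
RELEASE_RPMS='edge-gateway 4.50.00-0.0.20116
edge-management-server 4.50.00-0.0.20116
edge-message-processor 4.50.00-0.0.20116
edge-postgres-server 4.50.00-0.0.20116
edge-qpid-server 4.50.00-0.0.20116
edge-router 4.50.00-0.0.20116
edge-ui 4.50.00-0.0.20173'

# Reads "name version-release" lines on stdin, as printed by
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' <packages>
# Prints one status line per release package and returns 1 if any needs updating.
check_updates() {
  local name ver target build status=0
  while read -r name ver; do
    target=$(printf '%s\n' "$RELEASE_RPMS" | awk -v n="$name" '$1 == n { print $2 }')
    [ -n "$target" ] || continue   # other packages and "package X is not installed" lines
    build=${ver##*.}               # trailing build number, e.g. 20116
    case $build in
      ''|*[!0-9]*) echo "UNKNOWN $name $ver"; status=1; continue ;;
    esac
    if [ "${ver%%-*}" != "${target%%-*}" ]; then
      echo "OTHER  $name $ver (not a ${target%%-*} install)"
    elif [ "$build" -lt "${target##*.}" ]; then
      echo "UPDATE $name $ver -> $target"
      status=1
    else
      echo "OK     $name $ver"
    fi
  done
  return "$status"
}

# Constructed sample input, not output captured from a real node.
SAMPLE='edge-gateway 4.50.00-0.0.20110
edge-router 4.50.00-0.0.20116
edge-ui 4.50.00-0.0.20150
package edge-qpid-server is not installed'
printf '%s\n' "$SAMPLE" | check_updates || echo "At least one package needs this update."
```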
To update your installation, perform the following procedure on the Edge nodes:
- On all Edge nodes:
  - Clean the Yum repos:
    sudo yum clean all
  - Download the latest Edge 4.50.00 bootstrap_4.50.00.sh file to /tmp/bootstrap_4.50.00.sh:
    curl https://software.apigee.com/bootstrap_4.50.00.sh -o /tmp/bootstrap_4.50.00.sh
  - Install the Edge 4.50.00 apigee-service utility and dependencies:
    sudo bash /tmp/bootstrap_4.50.00.sh apigeeuser=uName apigeepassword=pWord
    where uName:pWord are the username and password you received from Apigee. If you omit pWord, you will be prompted to enter it.
  - Update the apigee-setup utility:
    sudo /opt/apigee/apigee-service/bin/apigee-service apigee-setup update
  - Use the source command to execute the apigee-service.sh script:
    source /etc/profile.d/apigee-service.sh
- On all Edge nodes, execute the update.sh script for the edge process. To do this, execute the following command on each node:
  /opt/apigee/apigee-setup/bin/update.sh -c edge -f configFile
- Execute the update.sh script for the UI on all nodes. On each node, execute the following command:
  /opt/apigee/apigee-setup/bin/update.sh -c ui -f configFile
Changes to supported software
There are no changes to supported software in this release.
Deprecations and retirements
There are no new deprecations or retirements in this release.
New Features
This release introduces the following new feature:
- We have introduced a new property for Message Processor that you can use to configure forwarding proxy to a backend server: use.proxy.host.header.with.target.uri. The property sets the target host and port as a Host header.
Bugs fixed
The following table lists the bugs fixed in this release:
Issue ID | Description |
---|---|
158132963 | Some target flow variables were not being populated in trace for 504s. We have added improvements to capture relevant target flow variables in trace and analytics in case of target timeouts. |
141670890 | Instructions for setting system level TLS settings were not working. A bug that was preventing TLS settings from taking effect on message processors has been fixed. |
123311920 | The update script now works correctly even if TLS is enabled on management server. |
67168818 | When an HTTP Proxy was used in conjunction with a Target Server, the IP of the proxy server was displayed instead of the hostname or IP of the actual target. This has been fixed by the addition of a new Message Processor property that lets you configure forwarding proxy to a backend server. |
Security issues fixed
The following is a list of known security issues that have been fixed in this release. To avoid these issues, install the latest version of Edge Private Cloud.
Issue ID | Description |
---|---|
CVE-2019-14379 | |
CVE-2019-14540 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to |
CVE-2019-14892 | A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code. |
CVE-2019-14893 | A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as |
CVE-2019-16335 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to |
CVE-2019-16942 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of |
CVE-2019-16943 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of |
CVE-2019-17267 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to |
CVE-2019-20330 | FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain |
CVE-2017-9801 | When a call-site passes a subject for an email that contains line-breaks in Apache Commons Email 1.0 through 1.4, the caller can add arbitrary SMTP headers. |