4.50.00.08 - Edge for Private Cloud release notes

You're viewing Apigee Edge documentation.
Go to the Apigee X documentation.
info

On March 30, 2021, we released a new version of Apigee Edge for Private Cloud.

Update procedure

Updating this release will update the components in the following list of RPMs:

  • edge-gateway-4.50.00-0.0.20116.noarch.rpm
  • edge-management-server-4.50.00-0.0.20116.noarch.rpm
  • edge-message-processor-4.50.00-0.0.20116.noarch.rpm
  • edge-postgres-server-4.50.00-0.0.20116.noarch.rpm
  • edge-qpid-server-4.50.00-0.0.20116.noarch.rpm
  • edge-router-4.50.00-0.0.20116.noarch.rpm
  • edge-ui-4.50.00-0.0.20173.noarch.rpm

You can check the RPM versions you currently have installed, to see if they need to be updated, by entering:

apigee-all version

To update your installation, perform the following procedure on the Edge nodes:

  1. On all Edge nodes:

    1. Clean the Yum repos:
      sudo yum clean all
    2. Download the latest Edge 4.50.00 bootstrap_4.50.00.sh file to /tmp/bootstrap_4.50.00.sh:
      curl https://software.apigee.com/bootstrap_4.50.00.sh -o /tmp/bootstrap_4.50.00.sh
    3. Install the Edge 4.50.00 apigee-service utility and dependencies:
      sudo bash /tmp/bootstrap_4.50.00.sh apigeeuser=uName apigeepassword=pWord

      where uName:pWord are the username and password you received from Apigee. If you omit pWord, you will be prompted to enter it.

    4. Update the apigee-setup utility:
      sudo /opt/apigee/apigee-service/bin/apigee-service apigee-setup update
    5. Use the source command to execute the apigee-service.sh script:
      source /etc/profile.d/apigee-service.sh
  2. On all Edge nodes, execute the update.sh script for the edge process. To do this, execute the following command on each node:
    /opt/apigee/apigee-setup/bin/update.sh -c edge -f configFile
  3. Execute the update.sh script for the UI on all nodes. On each node, execute the following command:
    /opt/apigee/apigee-setup/bin/update.sh -c ui -f configFile

Changes to supported software

There are no changes to supported software in this release.

Deprecations and retirements

There are no new deprecations or retirements in this release.

New Features

This release introduces the following new feature:

  • We have introduced a new property for Message Processor that you can use to configure forwarding proxy to a backend server: use.proxy.host.header.with.target.uri. The property sets the target host and port as a Host header.

Bugs fixed

The following table lists the bugs fixed in this release:

Issue ID Description
158132963

Some target flow variables were not being populated in trace for 504s.

We have added improvements to capture relevant target flow variables in trace and analytics in case of target timeouts.

141670890

Instructions for setting system level TLS settings were not working.

A bug that was preventing TLS settings from taking effect on message processors has been fixed.

123311920

update.sh script was failing after enabling TLS on management server.

The update script now works correctly even if TLS is enabled on management server.

67168818

When an HTTP Proxy was used in conjunction with a Target Server, the IP of the proxy server was displayed instead of the hostname or IP of the actual target.

This has been fixed by the addition of a new Message Processor property that lets you configure forwarding proxy to a backend server.

Security issues fixed

The following is a list of known security issues that have been fixed in this release. To avoid these issues, install the latest version of Edge Private Cloud.

Issue ID Description
CVE-2019-14379

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandle default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.

CVE-2019-14540

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

CVE-2019-14892

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.

CVE-2019-14893

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.

CVE-2019-16335

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

CVE-2019-16942

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.

CVE-2019-16943

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

CVE-2019-17267

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.

CVE-2019-20330

FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.

CVE-2017-9801

When a call-site passes a subject for an email that contains line-breaks in Apache Commons Email 1.0 through 1.4, the caller can add arbitrary SMTP headers.

Known issues

For a list of known issues with Edge Private Cloud, see Known issues with Edge Private Cloud.