4.51.00.03 - Edge for Private Cloud release notes


On January 13, 2022, we released a new version of Apigee Edge for Private Cloud. The purpose of this release is to address the Apache Log4j security vulnerability issue. See Security issues fixed.

Update procedure

Updating to this release updates the components in the following RPMs:

  • edge-gateway-4.51.00-0.0.60151.noarch.rpm
  • edge-management-server-4.51.00-0.0.60151.noarch.rpm
  • edge-message-processor-4.51.00-0.0.60151.noarch.rpm
  • edge-postgres-server-4.51.00-0.0.60151.noarch.rpm
  • edge-qpid-server-4.51.00-0.0.60151.noarch.rpm
  • edge-router-4.51.00-0.0.60151.noarch.rpm
  • edge-analytics-4.51.00-0.0.40054.noarch.rpm
  • apigee-machinekey-1.1.2-0.0.20018.noarch.rpm

You can check the RPM versions you currently have installed, to see if they need to be updated, by entering:

apigee-all version

To update your installation, perform the following procedure on the Edge nodes:

  1. On all Edge nodes:

    1. Clean the Yum repos:
      sudo yum clean all
    2. Download the latest Edge 4.51.00 bootstrap_4.51.00.sh file to /tmp/bootstrap_4.51.00.sh:
      curl https://software.apigee.com/bootstrap_4.51.00.sh -o /tmp/bootstrap_4.51.00.sh
    3. Install the Edge 4.51.00 apigee-service utility and dependencies:
      sudo bash /tmp/bootstrap_4.51.00.sh apigeeuser=uName apigeepassword=pWord

      where uName:pWord are the username and password you received from Apigee. If you omit pWord, you will be prompted to enter it.

    4. Use the source command to execute the apigee-service.sh script:
      source /etc/profile.d/apigee-service.sh
  2. Update the apigee-machinekey utility:
    /opt/apigee/apigee-service/bin/apigee-service apigee-machinekey update
  3. On all Edge nodes, execute the update.sh script for the edge process:
    /opt/apigee/apigee-setup/bin/update.sh -c edge -f configFile
  4. If you are using Apigee mTLS, follow the procedure described in Upgrade Apigee mTLS. For more information, see Introduction to Apigee mTLS.

Security issues fixed

The following security issue has been fixed in this release.

Issue ID: CVE-2021-44228

Description: Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

This issue has been fixed. See Bug fixes.

Changes to supported software

There are no changes to supported software in this release.

Deprecations and retirements

There are no new deprecations or retirements in this release.

New features

There are no new features in this release.

Bug fixes

This section lists the Private Cloud bugs that were fixed in this release.

Issue ID: 211001890

Description: The Apache Log4j library shipped with Gateway components' third-party libraries has been updated to version 2.17.0.
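
A post-update check for the Log4j fix listed above, as an added example that is not part of the Apigee documentation: it walks an install root and reports any log4j-core JAR whose file name carries a version older than 2.17.0. It assumes the standard log4j-core-<version>.jar file naming and defaults to /opt/apigee because the update commands on this page live under that directory; the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not Apigee code): flag log4j-core JARs older than the fixed version.
# Assumption: JAR files use the usual log4j-core-<version>.jar naming.

FIXED_VERSION="2.17.0"   # version named in this release's bug-fix entry

# version_lt A B: succeeds when version A sorts strictly before version B.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# jar_version PATH: print the version embedded in a log4j-core JAR file name.
jar_version() {
    jv_name=${1##*/}                 # strip directories
    jv_name=${jv_name#log4j-core-}   # strip artifact prefix
    printf '%s\n' "${jv_name%.jar}"  # strip extension
}

# scan_log4j [ROOT]: print one "OK|OUTDATED <version> <path>" line per JAR found.
# Returns 0 if none is older than FIXED_VERSION, 1 if any is, 2 if ROOT is missing.
scan_log4j() {
    sl_root=${1:-/opt/apigee}        # default root is an assumption from this page's paths
    if [ ! -d "$sl_root" ]; then
        printf 'no such directory: %s\n' "$sl_root" >&2
        return 2
    fi
    sl_report=$(find "$sl_root" -type f -name 'log4j-core-*.jar' 2>/dev/null |
        while IFS= read -r sl_jar; do
            sl_ver=$(jar_version "$sl_jar")
            if version_lt "$sl_ver" "$FIXED_VERSION"; then
                printf 'OUTDATED %s %s\n' "$sl_ver" "$sl_jar"
            else
                printf 'OK %s %s\n' "$sl_ver" "$sl_jar"
            fi
        done)
    if [ -n "$sl_report" ]; then
        printf '%s\n' "$sl_report"
    fi
    if printf '%s\n' "$sl_report" | grep -q '^OUTDATED '; then
        return 1
    fi
    return 0
}
```

Run `scan_log4j` on each Edge node after update.sh completes. The check matches file names only, so a copy of log4j-core bundled inside another archive is not inspected.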

Known issues

See Known issues with Edge for Private Cloud for a complete list of known issues.