In progress - Scheduled maintenance is currently in progress. We will provide updates as necessary.
Aug 30, 2022 - 00:30 PDT
Scheduled - Apigee Edge Message Processor release window scheduled for starting from 10:00 AM (PT) Wed Aug 31, 2022. The releases are rolled out in phases based on regions. This release is not expected to cause any interruption to Apigee Edge.
There are no functional updates made to Apigee Edge, you will not see new release notes.
In progress - Scheduled maintenance is currently in progress. We will provide updates as necessary.
Aug 25, 2022 - 13:15 PDT
Scheduled - Customers can now contact the Google Cloud Support team to prepare for increased traffic during the 2022 holiday season. If you expect significantly higher traffic for Apigee products during Black Friday or Cyber Monday, and can run load tests for your expected holiday usage in the months of September and October, contact us before September 10, 2022. We can help you prepare for a smooth holiday season for load tested holiday usage.
Note: If you do not expect increased Apigee traffic during Black Friday or Cyber Monday 2022, no action is necessary on your part and you can ignore this announcement.
Subject for the ticket: Apigee Holiday 2022 Support
Details to be added in the ticket: Customer name: Customer organization: Point of contact: Contact email: Contact phone number: When do you expect peak traffic? (e.g. Thanksgiving/Black Friday, Cyber Monday, Christmas, Boxing Day, New Year)
We will reach out to you with the next steps when you submit your ticket, including coordinating early load testing of your holiday season usage and traffic.
Update - Log4j v1.x: We are aware of the recent upgrade to CVE-2021-4104 which affects versions of Log4j 1 which are used on Apigee Edge and OPDK. This CVE requires a specific configuration of Log4j 1 which Apigee Edge does not use and which Apigee OPDK does not ship as a default configuration.
User Supplied Log4j 1 Java Callouts Apigee SaaS (X and Edge): Customers can upload vulnerable configurations of Log4j 1 in their custom resources, but CVE-2021-4104 is mitigated due to Java Security Manager restrictions.
Google Apigee is actively following the security vulnerability in the open-source Apache “Log4j 2" utility (CVE-2021-44228 and CVE-2021-45046). We encourage you to update to the latest version of Log4j 2. We are currently assessing the potential impact of the vulnerability for Apigee products and services. This is an ongoing event and we will continue to provide updates through this page and our customer communications channels.
Background: The Apache Log4j 2 utility is a commonly used component for logging requests. On December 9, 2021, a vulnerability was reported that could allow a system running Apache Log4j 2 version 2.14.1 or below to be compromised and allow an attacker to execute arbitrary code.
On December 10, 2021, NIST published a critical Common Vulnerabilities and Exposure alert, CVE-2021-44228. More specifically, Java Naming Directory Interface (JNDI) features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from remote servers when message lookup substitution is enabled.
==== Platform ====
Apigee X: Apigee X does not use Log4j 2.
Apigee Hybrid: Current supported versions of Hybrid do not use Log4j 2. Unsupported versions of Hybrid used Log4j 1.x, but it is not included in any of the currently supported versions. Customers on Hybrid 1.4 or lower are unaffected by this CVE but should still upgrade to a supported version.
Apigee Edge: Apigee Edge’s default configuration contained Log4j 2 but was not vulnerable to Log4j 2 (CVE-2021-44228).
Apigee OPDK: Apigee OPDK’s default configuration contained Log4j 2 but was not vulnerable to Log4j 2 (CVE-2021-44228). The service “apigee-machinekey” includes Log4j 2 and does not process any user-provided input. It is not susceptible to the vulnerability CVE-2021-44228.
==== User Supplied Log4j 2 Instances ====
Apigee SaaS (X and Edge): Customers can upload vulnerable versions of Log4j 2 in their custom resources, but CVE-2021-4228 is mitigated due to Java Security Manager restrictions.
Log4j v1.x: Apigee Edge and Apigee OPDK contain Log4j 1.x and Log4j 2.x libraries. Log4j 1 is not part of this particular assessment. All instances of Log4j 1 will be upgraded across all Apigee products in upcoming releases to the latest version of Log4j 2. Upgrades to SaaS services and releases for OPDK are expected in January.
==== More Information ====
Information on this page is based on findings in our ongoing investigations.
Please see these helpful articles published to the Apigee Community:
Resolved -
This incident has been resolved.
Sep 14, 10:38 PDT
Investigating -
We are currently investigating the issue. Further updates will follow.
Aug 30, 01:24 PDT
Update -
We are continuing to monitor for any further issues.
Aug 29, 05:24 PDT
Monitoring -
The cause of the issue has been identified at the Apigee load balancers. We have mitigated the incident and current being monitored by the Apigee team.
Aug 29, 05:23 PDT
Investigating -
We are currently investigating the issue. We will update as we progress the investigation. Runtime traffic is not affected.
Aug 29, 02:12 PDT