GCP-2024-006

Google Cloud Platform Security Advisory

Published: 2024-02-05

Description


By default, when an Apigee API Management proxy connects to a target endpoint or target server, it does not validate the hostname in the certificate that the target endpoint or target server presents. If hostname validation is not enabled using one of the following options, Apigee proxies connecting to a target endpoint or target server may be at risk of a man-in-the-middle attack by an authorized user. For more information, see Configuring TLS from Edge to the backend (Cloud and Private Cloud).

Apigee proxy deployments on the following Apigee platforms are affected:

  • Apigee Edge for Public Cloud
  • Apigee Edge for Private Cloud

For instructions and more details, see the Apigee security bulletin.

Severity: High
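An added example, not part of the advisory or of Apigee's own tooling: a Python check that reads TargetEndpoint XML from a proxy bundle and flags HTTPS targets whose SSLInfo carries no CommonName element. It assumes hostname validation is configured per proxy through CommonName; the sample XML is constructed, and settings made outside the bundle (TargetServer definitions, organization-level options) are not visible to it.

```python
import xml.etree.ElementTree as ET

# Constructed TargetEndpoint definitions for illustration (not from a real proxy).
SAMPLES = {
    "chain-only": """<TargetEndpoint name="chain-only"><HTTPTargetConnection>
        <URL>https://backend.example.com/v1</URL>
        <SSLInfo><Enabled>true</Enabled><TrustStore>ref://backendTrust</TrustStore></SSLInfo>
      </HTTPTargetConnection></TargetEndpoint>""",
    "hostname-checked": """<TargetEndpoint name="hostname-checked"><HTTPTargetConnection>
        <URL>https://backend.example.com/v1</URL>
        <SSLInfo><Enabled>true</Enabled><TrustStore>ref://backendTrust</TrustStore>
          <CommonName>backend.example.com</CommonName></SSLInfo>
      </HTTPTargetConnection></TargetEndpoint>""",
    "no-sslinfo": """<TargetEndpoint name="no-sslinfo"><HTTPTargetConnection>
        <URL>https://backend.example.com/v1</URL>
      </HTTPTargetConnection></TargetEndpoint>""",
    "via-targetserver": """<TargetEndpoint name="via-targetserver"><HTTPTargetConnection>
        <LoadBalancer><Server name="backend-ts"/></LoadBalancer>
      </HTTPTargetConnection></TargetEndpoint>""",
    "plain-http": """<TargetEndpoint name="plain-http"><HTTPTargetConnection>
        <URL>http://backend.example.com/v1</URL>
      </HTTPTargetConnection></TargetEndpoint>""",
}

def audit_target_endpoint(xml_text):
    """Return (status, detail) for one TargetEndpoint XML document."""
    conn = ET.fromstring(xml_text).find("HTTPTargetConnection")
    if conn is None:
        return ("skip", "no HTTPTargetConnection")
    servers = [s.get("name", "?") for s in conn.iter("Server")]
    if servers:
        # SSLInfo lives on the TargetServer definition, outside the bundle.
        return ("review", "check SSLInfo on TargetServer(s): " + ", ".join(servers))
    url = (conn.findtext("URL") or "").strip()
    if not url.lower().startswith("https://"):
        return ("skip", "target URL is not HTTPS")
    common_name = (conn.findtext("SSLInfo/CommonName") or "").strip()
    if not common_name:
        return ("flag", "no <CommonName>: certificate hostname is not checked here")
    return ("ok", "certificate name checked against " + common_name)

def audit_all(samples):
    """Audit every named TargetEndpoint document and return the findings."""
    return {name: audit_target_endpoint(xml) for name, xml in samples.items()}

if __name__ == "__main__":
    for name, (status, detail) in audit_all(SAMPLES).items():
        print(f"{status:6} {name}: {detail}")
```

A "flag" result means the bundle alone does not show hostname validation; confirm against the options in the Apigee security bulletin before treating the proxy as remediated.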
