Apigee hybrid - Release notes

February 06, 2026

2026-02-06T00:00:00-08:00

v1.15.0

Announcement

hybrid 1.16.0-hotfix.1

On February 6, 2026 we released Apigee hybrid 1.16.0-hotfix.1.

Apply this hotfix with the following steps:

In your overrides file, update the image.url and image.tag properties of ao and mart to version 1.16.0-hotfix.1:

ao:
  image:
    url: "gcr.io/apigee-release/hybrid/apigee-operators"
    tag: "1.16.0-hotfix.1"

mart:
  image:
    url: "gcr.io/apigee-release/hybrid/apigee-mart-server"
    tag: "1.16.0-hotfix.1"

Install the hotfix release for Apigee operators, beginning with a dry run:

helm upgrade operator apigee-operator/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

If the dry run is successful, install the hotfix release for Apigee operators:

helm upgrade operator apigee-operator/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Install the hotfix release for your organization, beginning with a dry run:

helm upgrade $ORG_NAME apigee-org/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

If the dry run is successful, install the hotfix release for your organization:

helm upgrade $ORG_NAME apigee-org/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Verify the organization chart by checking the state:
```
kubectl -n APIGEE_NAMESPACE get apigeeorg
```

Install the hotfix release for your environment, beginning with a dry run:

helm upgrade ENV_RELEASE_NAME apigee-env/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  --set env=$ENV_NAME \
  -f overrides.yaml \
  --dry-run=server

If the dry run is successful, install the hotfix release for your environment:

helm upgrade ENV_RELEASE_NAME apigee-env/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  --set env=$ENV_NAME \
  -f overrides.yaml

Verify the environment chart by checking the state:
```
kubectl -n APIGEE_NAMESPACE get apigeeenv
```

Fixed

Fixed in this release

Bug ID	Description
479872706	An issue that prevented loading API products, apps, and developers after migrating data to Apigee hybrid 1.16.0 in certain configurations has been resolved.
481793880	An issue that prevented upgrading an existing organization when monetization was enabled has been fixed.

December 19, 2025

2025-12-19T00:00:00-08:00

v1.16.0

Change

UDCA component removed

In Apigee hybrid v1.16, the Unified Data Collection Agent (UDCA) component has been removed. The responsibilities of sending analytics, trace, and deployment status data to the Apigee control plane are now handled using a Google Cloud Pub/Sub based data pipeline. Using the Pub/Sub based data pipeline has been the default data collection mechanism since Apigee hybrid v1.14.0.

Feature

apigee-guardrails service account

In v1.16.0, Apigee Hybrid introduces an apigee-guardrails Google IAM service account. This is used by the apigee-operator chart during initial installation to check that all needed APIs are enabled in your project.

See:

Change

Support for cert-manager release 1.18 and 1.19

Apigee hybrid v1.16 supports cert-manager release 1.18 and 1.19.

Fixed

Fixed in this release

Bug ID	Description
448647917	Fixed a issue where non-SSL connections through a forward proxy could be improperly shared. (also fixed in Apigee 1-16-0-apigee-4)
442501403	Fixed an issue that caused incorrect target latency metrics in Apigee Analytics when a TargetEndpoint is configured with a . (also fixed in Apigee 1-16-0-apigee-3)
438192028	Updated the geolocation database to mitigate stale IP-to-location mappings. (also fixed in Apigee 1-16-0-apigee-3)
437999897	Reduced the log level for failed geo IP lookups to address excessive log messages for private IP addresses. (also fixed in Apigee 1-16-0-apigee-3)
436323210	Fixed ingress cert keys to allow both `tls.key`/`key` and `tls.crt`/`cert`.
N/A	Updates to security, infrastructure, and libraries. (also fixed in Apigee 1-16-0-apigee-4)

Announcement

hybrid v1.16.0

On December 19, 2025 we released an updated version of the Apigee hybrid software, 1.16.0.

For information on upgrading, see Upgrading Apigee hybrid to version v1.16.
For information on new installations, see The big picture.

Security

Fixed in this release

Bug ID	Description
452621774, 452381632, 441266643, 448498138	Security fix for Apigee infrastructure. (also fixed in Apigee 1-16-0-apigee-4) This addresses the following vulnerabilities: CVE-2025-53864 Updated Nimbus JWT library from 9.37.2 to 9.37.4, which introduced changes in behavior including changes to error string verbiage. CVE-2025-8916 CVE-2025-5115 CVE-2024-40094
440419558, 433759657	Security fix for Apigee infrastructure. (also fixed in Apigee 1-16-0-apigee-3) This addresses the following vulnerabilities: CVE-2025-22868 CVE-2025-48924 Note: This fix updates a Java library that is included in Apigee. Reliance on Java libraries that are included with Apigee is not supported. Those libraries are for Apigee product functionality only, and there's no guarantee that a library will be available from release to release. For more information, see Restrictions.
443902061	Security fix for Apigee infrastructure (also fixed in Apigee 1-16-0-apigee-3) This addresses the following vulnerability: CVE-2025-13292 Fixed an issue with improper access control that resulted in cross-tenant analytics modification and access to log data.
N/A	Security fixes for `apigee-asm-ingress`. This addresses the following vulnerabilities: CVE-2025-58188 CVE-2025-58187
N/A	Security fixes for `apigee-asm-istiod`. This addresses the following vulnerabilities: CVE-2025-58188 CVE-2025-58187
N/A	Security fixes for `apigee-connect-agent`. This addresses the following vulnerabilities: CVE-2025-61725 CVE-2025-61723 CVE-2025-58188 CVE-2025-58187 CVE-2025-47907
N/A	Security fixes for `apigee-fluent-bit`. This addresses the following vulnerability: CVE-2025-9230
N/A	Security fixes for `apigee-hybrid-cassandra`. This addresses the following vulnerabilities: CVE-2025-61725 CVE-2025-61723 CVE-2025-58188 CVE-2025-58187 CVE-2025-47913 CVE-2025-47907
N/A	Security fixes for `apigee-hybrid-cassandra-client`. This addresses the following vulnerabilities: CVE-2025-61725 CVE-2025-61723 CVE-2025-58188 CVE-2025-58187 CVE-2025-47907
N/A	Security fixes for `apigee-kube-rbac-proxy`. This addresses the following vulnerabilities: CVE-2025-61725 CVE-2025-61723 CVE-2025-58188 CVE-2025-58187
N/A	Security fixes for `apigee-mart-server`. This addresses the following vulnerabilities: CVE-2025-53066 CVE-2025-50106 CVE-2025-50059 CVE-2025-48913 CVE-2025-30749 CVE-2024-13009
N/A	Security fixes for `apigee-open-telemetry-collector`. This addresses the following vulnerabilities: CVE-2025-61723 CVE-2025-58188 CVE-2025-58187 CVE-2025-29786
N/A	Security fixes for `apigee-operators`. This addresses the following vulnerabilities: CVE-2025-61723 CVE-2025-58188 CVE-2025-58187 CVE-2025-61725
N/A	Security fixes for `apigee-prom-prometheus`. This addresses the following vulnerabilities: CVE-2025-61723 CVE-2025-58188 CVE-2025-58187 CVE-2022-48174
N/A	Security fixes for `apigee-prometheus-adapter`. This addresses the following vulnerabilities: CVE-2025-61723 CVE-2025-58188 CVE-2025-58187
N/A	Security fixes for `apigee-redis`. This addresses the following vulnerabilities: CVE-2025-61725 CVE-2025-61723 CVE-2025-58188 CVE-2025-58187 CVE-2025-47907
N/A	Security fixes for `apigee-runtime`. This addresses the following vulnerabilities: CVE-2025-50106 CVE-2025-50059 CVE-2025-48913 CVE-2025-30749
N/A	Security fixes for `apigee-stackdriver-logging-agent`. This addresses the following vulnerability: CVE-2025-24294
N/A	Security fixes for `apigee-synchronizer`. This addresses the following vulnerabilities: CVE-2025-50106 CVE-2025-50059 CVE-2025-48913 CVE-2025-30749
N/A	Security fixes for `apigee-udca`. This addresses the following vulnerabilities: CVE-2025-61725 CVE-2025-61723 CVE-2025-58188 CVE-2025-58187 CVE-2025-47913
N/A	Security fixes for `apigee-watcher`. This addresses the following vulnerabilities: CVE-2025-61723 CVE-2025-58188 CVE-2025-58187

Feature

Seccomp Profiles

Apigee Hybrid now offers the capability to apply Seccomp Profiles to your runtime components, significantly enhancing the security posture of your deployment.

This feature allows Apigee administrators and security teams to restrict the system calls (syscalls) a containerized process can make to the host's kernel. By limiting a container to only the necessary syscalls, you can:

Enhance Security: Mitigate the risk of container breakouts and privilege escalation.
Enforce Least Privilege: Ensure components only have access to the exact system calls required for their operation.
Meet Compliance: Provide a critical control for meeting stringent security compliance requirements.

Seccomp profiles are not enabled by default. To enable the feature, see Configure Seccomp profiles for pod security.

Security

Fixed since last minor release

Bug ID	Description
448498138	Security fixes for `apigee-runtime`. (Fixed in v1.15.1) This addresses the following vulnerability: CVE-2024-40094
447367372	Security fixes for `apigee-runtime`. (Fixed in v1.15.1) This addresses the following vulnerability: CVE-2025-58057
433952146	Security fix. (Fixed in v1.14.3) This addresses the following vulnerability: CVE-2024-6763
433951774	Security fix. (Fixed in v1.14.3) This addresses the following vulnerability: CVE-2024-7254
433950558	Security fix. (Fixed in v1.14.3) This addresses the following vulnerability: CVE-2024-47554
433950370	Security fix. (Fixed in v1.14.3) This addresses the following vulnerability: CVE-2025-25193
418557195	Security fixes for `apigee-fluent-bit`. (Fixed in v1.15.1) This addresses the following vulnerabilities: CVE-2025-24528 CVE-2025-4207 CVE-2025-1390 CVE-2024-26462 CVE-2024-13176
396944778	Security fixes for `apigee-synchronizer`. (Fixed in v1.13.4) This addresses the following vulnerabilities: CVE-2025-25193 CVE-2025-24970 CVE-2025-23184 CVE-2024-47554
392934392	Security fixes for `apigee-logger`.
N/A	Incorporated an updated base image for `stackdriver-logging-agent`, improving the overall security of the service. (Fixed in 1.14.2-hotfix.1) This addresses the following vulnerabilities (among others and not limited to): CVE-2022-32221 GHSA-jvgm-pfqv-887x
N/A	Security fixes for `apigee-asm-ingress`. (Fixed in v1.14.3) This addresses the following vulnerability: CVE-2025-22871
N/A	Security fixes for `apigee-asm-istiod`. (Fixed in v1.14.3) This addresses the following vulnerability: CVE-2025-22871
N/A	Security fixes for `apigee-envoy`. (Fixed in v1.14.3) This addresses the following vulnerability: CVE-2025-0395
N/A	Security fixes for `apigee-fluent-bit`. (Fixed in v1.14.3 & v1.15.1) This addresses the following vulnerabilities: CVE-2025-32990 CVE-2025-32988
N/A	Security fixes for `apigee-hybrid-cassandra-client`. (Fixed in v1.14.3) This addresses the following vulnerability: CVE-2025-22871
N/A	Security fixes for `apigee-hybrid-cassandra`. (Fixed in v1.14.3) This addresses the following vulnerabilities: CVE-2025-23015 CVE-2025-22871 CVE-2025-24970
N/A	Security fixes for `apigee-hybrid-cassandra`. (Fixed in v1.15.1) This addresses the following vulnerability: CVE-2025-23015
N/A	Security fixes for `apigee-kube-rbac-proxy`. (Fixed in v1.14.3) This addresses the following vulnerability: CVE-2025-22871
N/A	Security fixes for `apigee-mart-server`. (Fixed in v1.13.4) This addresses the following vulnerability: CVE-2024-20952
N/A	Security fixes for `apigee-mart-server`. (Fixed in v1.14.3) This addresses the following vulnerabilities: CVE-2025-48924 CVE-2025-48795 CVE-2025-48734 CVE-2025-24970 CVE-2024-47554 CVE-2024-47535 CVE-2024-13009 CVE-2024-8184 CVE-2024-7254 CVE-2024-6763

Fixed

Fixed since last minor release

Bug ID	Description
451841788	Apigee hybrid required the `mintTaskScheduler.serviceAccountPath` property even when Monetization was not enabled. (Fixed in v1.15.1 & v1.14.3)
451375397	The `apigee-pull-push.sh` script could return a No such image error message. (Fixed in v1.15.1 & v1.14.3)
445912919	Unused files and folders have been removed from the Apigee hybrid Helm charts to prevent potential security exposure and streamline the product installation and upgrade process. (Fixed in v1.15.1)
442501403	Fixed an issue that caused incorrect target latency metrics in Apigee Analytics when a `TargetEndpoint` is configured with a . (Fixed in v1.15.1)
437999897	Reduced the log level for failed geo IP lookups to address excessive log messages for private IP addresses. (Fixed in v1.15.1)
431930277, 395272878	When the configuration property `envs.managementCallsSkipProxy` is set to `true` via helm for environment-level forward proxy, trace and analytics (which use `googleapis.com`) will skip forward proxy. (Fixed in v1.15.1)
423597917	Post of an `AppGroupAppKey` scopes should result in insert operation instead of update. (Fixed in v1.15.1 & v1.14.3)
420675540	Fixed Cassandra based replication for runtime contracts in synchronizer. (Fixed in v1.15.1, v1.14.3 & v1.13.4)
419578402	Mint-Mart forward proxy compatible. (Fixed in v1.15.1 & v1.14.3)
416634326	Presence of istio.io Custom Resource Definitions (CRDs) in an Apigee hybrid cluster could cause failure in apigee-ingressgateway-manager pods. (Fixed in v1.15.1, v1.14.3 & v1.13.4)
414499328	`ApigeeTelemetry` could become stuck in `creating` state (Fixed in v1.14.3 & v1.13.4)
412740465	Fixed issue where zipkin headers were not generated by Apigee Ingress Gateway. (Fixed in v1.15.1 & v1.14.3)
409048431	Fixes a vulnerability which could allow a SAML signature verification to be bypassed. (Fixed in v1.15.1 & v1.14.3)
401746333	Fixed a `java.lang.ClassCircularityError` that could occur in Java Callouts due to an issue with the class loading mechanism.(Fixed in v1.15.1 & v1.14.3)
395272878	Separate Forward proxy support for `googleapis.com` and `non-googleapis.com` runtime traffic. (Fixed in v1.14.3)
393615439	OASValidation behavior for `allOf` with `additionalProperties: true`. (Fixed in 1.14.2-hotfix.1)
382565315	A memory leak within the Security Policy has been addressed, improving system stability. (Fixed in v1.13.4)
378686709	*The use of wildcards () in Apigee proxy basepaths would conflict with other explicit basepaths, resulting in a 404 error.** To apply this fix, follow the procedure in Known issue 378686709. (Fixed in v1.15.1 & v1.14.3)
375360455	Updated apigee-runtime drain timeout to 300s to fix connection termination issue during pod termination. (Fixed in v1.13.4)
367815792	Two new Flow Variables: `app_group_app` and `app_group_name` have been added to VerifyApiKey and Access Token policy. (Fixed in v1.15.1 & v1.14.3)

October 12, 2025

2025-10-12T00:00:00-07:00

v1.15.1

Feature

Recurring, top-up, and setup fees for Apigee hybrid monetization

Apigee hybrid now supports recurring, top-up, and setup fees for monetization. For information see Enabling monetization for Apigee hybrid.

Announcement

hybrid v1.15.1

On October 10, 2025 we released an updated version of the Apigee hybrid software, 1.15.1.

For information on upgrading, see Upgrading Apigee hybrid to version 1.15.
For information on new installations, see The big picture.

Feature

Apigee policies for LLM/GenAI workloads

Apigee hybrid now supports the following Apigee policies with support for LLM/GenAI workloads.

The Apigee semantic caching policies enable intelligent response reuse based on semantic similarity. Using these policies in your Apigee API proxies can minimize redundant backend API calls, reduce latency, and lower operational costs. With this release, the semantic caching policies support URL templating, enabling the use of variables for AI model endpoint values.

The Model Armor policies protect your AI applications by sanitizing user prompts to and responses from large language models (LLMs). Using these policies in your Apigee API proxies can mitigate the risks associated with LLM usage by leveraging Model Armor to detect prompt injection, prevent jailbreak attacks, apply responsible AI filters, filter malicious URLs, and protect sensitive data.

For more information on using these policies in your Apigee API proxies, see:

Fixed

Bug ID	Description
451841788	Apigee hybrid required the `mintTaskScheduler.serviceAccountPath` property even when Monetization was not enabled.
451375397	The `apigee-pull-push.sh` script could return a "No such image error" message.
445912919	Unused files and folders have been removed from the Apigee hybrid Helm charts to prevent potential security exposure and streamline the product installation and upgrade process.
442501403	Fixed an issue that caused incorrect target latency metrics in Apigee Analytics when a `TargetEndpoint` is configured with a .
437999897	Reduced the log level for failed geo IP lookups to address excessive log messages for private IP addresses.
431930277, 395272878	When the configuration property `envs.managementCallsSkipProxy` is set to `true` via helm for environment-level forward proxy, trace and analytics (which use `googleapis.com`) will skip forward proxy.
423597917	Post of an `AppGroupAppKey` scopes should result in insert operation instead of update.
420675540	Fixed Cassandra based replication for runtime contracts in synchronizer.
419578402	Mint-Mart forward proxy compatible.
416634326	Presence of istio.io Custom Resource Definitions (CRDs) in an Apigee hybrid cluster could cause failure in apigee-ingressgateway-manager pods.
412740465	Fixed issue where zipkin headers were not generated by Apigee Ingress Gateway.
409048431	Fixes a vulnerability which could allow a SAML signature verification to be bypassed.
378686709	*The use of wildcards () in Apigee proxy basepaths would conflict with other explicit basepaths, resulting in a 404 error.** To apply this fix, follow the procedure in Known issue 378686709.
367815792	Two new Flow Variables: `app_group_app` and `app_group_name` have been added to VerifyApiKey and Access Token policy.

Security

Bug ID	Description
448498138	Security fixes for `apigee-runtime`. This addresses the following vulnerability: CVE-2024-40094
447367372	Security fixes for `apigee-runtime`. This addresses the following vulnerability: CVE-2025-58057
418557195	Security fixes for `apigee-fluent-bit`. This addresses the following vulnerabilities: CVE-2025-24528 CVE-2025-4207 CVE-2025-1390 CVE-2024-26462 CVE-2024-13176
N/A	Security fixes for `apigee-fluent-bit`. This addresses the following vulnerabilities: CVE-2025-32990 CVE-2025-32988
N/A	Security fixes for `apigee-hybrid-cassandra`. This addresses the following vulnerability: CVE-2025-23015
N/A	Security fixes for `apigee-mart-server`. This addresses the following vulnerabilities: CVE-2025-58057 CVE-2025-58056 CVE-2025-55163 CVE-2025-48924 CVE-2025-48795 CVE-2025-48734 CVE-2025-24970 CVE-2024-47554 CVE-2024-47535 CVE-2024-13009 CVE-2024-8184 CVE-2024-7254 CVE-2024-6763
N/A	Security fixes for `apigee-stackdriver-logging-agent`. This addresses the following vulnerabilities: CVE-2025-58767 CVE-2025-24294 CVE-2023-33953 CVE-2022-32511 CVE-2022-29181 CVE-2022-24839 CVE-2022-24836 CVE-2022-0759 CVE-2021-41817 CVE-2021-31799 CVE-2021-30560 CVE-2021-28965 CVE-2021-23214 CVE-2020-25695 CVE-2020-25694 CVE-2020-25613 CVE-2019-3881 CVE-2018-25032 CVE-2018-1115 CVE-2018-10915 CVE-2018-1058 CVE-2018-1053 CVE-2017-7546 CVE-2017-7484 CVE-2017-15098 CVE-2017-14798 CVE-2016-7954 CVE-2016-7048 CVE-2016-5424 CVE-2016-5423 CVE-2016-0766 CVE-2015-3167 CVE-2015-3166 CVE-2015-0244 CVE-2015-0243 CVE-2015-0241

Change

Documentation change

The following documents have been changed or introduced to align the Apigee hybrid installation guides with the supported methods for service account authentication:

Service account authentication methods in Apigee hybrid - A new overview topic for service account authentication.
Storing service account keys in Kubernetes secrets - A new topic.
Step 4: Create service accounts - Rewritten to accommodate all supported methods of service account authentication.
Step 5: Set up service account authentication - A new topic on configuring authentication after creating service accounts.
Step 7: Create the overrides and Step 11: Install Apigee hybrid Using Helm - Topics revised to provide templates, examples, and procedures for each supported type of service account authentication.
Step 11(Optional): Configure Workload Identity - Topic removed. The procedures are included in Step 11: Install Apigee hybrid Using Helm: WIF for GKE

October 07, 2025

2025-10-07T00:00:00-07:00

v1.14.3

Announcement

hybrid v1.14.3

On October 7, 2025 we released an enhancement to Apigee hybrid version 1.14.3, recurring, top-up, and setup fees for Apigee hybrid monetization.

For complete information on the contents of the v1.14.3 release, see Apigee hybrid v1.14.3 release notes.

Feature

Recurring, top-up, and setup fees for Apigee hybrid monetization

Apigee hybrid now supports recurring, top-up, and setup fees for monetization. For information see Enabling monetization for Apigee hybrid.

Fixed

Bug ID	Description
419578402	Mint-Mart forward proxy compatible.

September 29, 2025

2025-09-29T00:00:00-07:00

v1.14.3

Announcement

hybrid v1.14.3

On September 29, 2025 we released an updated version of the Apigee hybrid software, 1.14.3.

For information on upgrading, see Upgrading Apigee hybrid to version 1.14.
For information on new installations, see The big picture.

Fixed

Bug ID	Description
451841788	Apigee hybrid required the `mintTaskScheduler.serviceAccountPath` property even when Monetization was not enabled.
451375397	The `apigee-pull-push.sh` script could return a "No such image" error message.
423597917	Post of an `AppGroupAppKey` scopes should result in insert operation instead of update.
420675540	Fixed Cassandra based replication for runtime contracts in synchronizer.
416634326	Presence of istio.io Custom Resource Definitions (CRDs) in an Apigee hybrid cluster could cause failure in apigee-ingressgateway-manager pods.
414499328	`ApigeeTelemetry` could become stuck in `creating` state
412740465	Fixed issue where zipkin headers were not generated by Apigee Ingress Gateway.
409048431	Fixes a vulnerability which could allow a SAML signature verification to be bypassed.
395272878	Separate Forward proxy support for `googleapis.com` and `non-googleapis.com` runtime traffic.
378686709	*The use of wildcards () in Apigee proxy basepaths would conflict with other explicit basepaths, resulting in a 404 error.** To apply this fix, follow the procedure in Known issue 378686709.
367815792	Two new Flow Variables: `app_group_app` and `app_group_name` have been added to VerifyApiKey and Access Token policy.

Security

Bug ID	Description
433952146	Security fix. This addresses the following vulnerability: CVE-2024-6763
433951774	Security fix. This addresses the following vulnerability: CVE-2024-7254
433950558	Security fix. This addresses the following vulnerability: CVE-2024-47554
433950370	Security fix. This addresses the following vulnerability: CVE-2025-25193
N/A	Security fixes for `apigee-asm-ingress`. This addresses the following vulnerability: CVE-2025-22871
N/A	Security fixes for `apigee-asm-istiod`. This addresses the following vulnerability: CVE-2025-22871
N/A	Security fixes for `apigee-envoy`. This addresses the following vulnerability: CVE-2025-0395
N/A	Security fixes for `apigee-fluent-bit`. This addresses the following vulnerabilities: CVE-2025-32990 CVE-2025-32988
N/A	Security fixes for `apigee-hybrid-cassandra`. This addresses the following vulnerabilities: CVE-2025-23015 CVE-2025-22871 CVE-2025-24970
N/A	Security fixes for `apigee-hybrid-cassandra-client`. This addresses the following vulnerability: CVE-2025-22871
N/A	Security fixes for `apigee-kube-rbac-proxy`. This addresses the following vulnerability: CVE-2025-22871
N/A	Security fixes for `apigee-mart-server`. This addresses the following vulnerabilities: CVE-2025-48924 CVE-2025-48795 CVE-2025-48734 CVE-2025-24970 CVE-2024-47554 CVE-2024-47535 CVE-2024-13009 CVE-2024-8184 CVE-2024-7254 CVE-2024-6763
N/A	Security fixes for `apigee-operators`. This addresses the following vulnerability: CVE-2025-22871
N/A	Security fixes for `apigee-stackdriver-logging-agent`. This addresses the following vulnerabilities: CVE-2025-43857 CVE-2024-41946 CVE-2024-41123 CVE-2024-25062 CVE-2023-42915 CVE-2023-33953 CVE-2022-34169 CVE-2022-32511 CVE-2022-32207 CVE-2022-29181 CVE-2022-28739 CVE-2022-27782 CVE-2022-24839 CVE-2022-24836 CVE-2022-23308 CVE-2022-0759 CVE-2021-41819 CVE-2021-41817 CVE-2021-4044 CVE-2021-3518 CVE-2021-3517 CVE-2021-32740 CVE-2021-32066 CVE-2021-31799 CVE-2021-30560 CVE-2021-28966 CVE-2021-28965 CVE-2021-23214 CVE-2021-22926 CVE-2020-7595 CVE-2020-25695 CVE-2020-25694 CVE-2020-25613 CVE-2019-9193 CVE-2019-3881 CVE-2019-20388 CVE-2019-10211 CVE-2019-10210 CVE-2019-10128 CVE-2019-10127 CVE-2018-25032 CVE-2018-1115 CVE-2018-10915 CVE-2018-1058 CVE-2018-1053 CVE-2017-7546 CVE-2017-7486 CVE-2017-7484 CVE-2017-17405 CVE-2017-15098 CVE-2017-14798 CVE-2016-7954 CVE-2016-7048 CVE-2016-5424 CVE-2016-5423 CVE-2016-0766 CVE-2015-3167 CVE-2015-3166 CVE-2015-0244 CVE-2015-0243 CVE-2015-0242 CVE-2015-0241
N/A	Security fixes for `apigee-watcher`. This addresses the following vulnerability: CVE-2025-22871

September 24, 2025

2025-09-24T00:00:00-07:00

v1.15.0

Announcement

Apigee Operator for Kubernetes for Apigee Hybrid (Preview)

On September 24, 2025 we released the Apigee Operator for Kubernetes for Apigee Hybrid 1.15.0 and newer.

The Apigee Operator for Kubernetes allows you to perform API management tasks, such as defining API products and operations, using Kubernetes tools. This preview release allows you to integrate this capability with your Apigee hybrid (v1.15.0 or newer) installation.

For more information, see:

July 09, 2025

2025-07-09T00:00:00-07:00

v1.13.4

Announcement

hybrid v1.13.4

On July 9, 2025 we released an updated version of the Apigee hybrid software, 1.13.4.

For information on upgrading, see Upgrading Apigee hybrid to version 1.13.
For information on new installations, see The big picture.

Fixed

Bug ID	Description
420675540	Fixed Cassandra based replication for runtime contracts in synchronizer.
401746333	Fixed a `java.lang.ClassCircularityError` that could occur in Java Callouts due to an issue with the class loading mechanism.
382565315	A memory leak within the Security Policy has been addressed, improving system stability.
375360455	Updated apigee-runtime drain timeout to 300s to fix connection termination issue during pod termination.

Security

Bug ID	Description
396944778	Security fixes for `apigee-synchronizer`. This addresses the following vulnerabilities: CVE-2025-25193 CVE-2025-24970 CVE-2025-23184 CVE-2024-47554
392934392	Security fixes for `apigee-logger`.
N/A	Security fixes for `apigee-mart-server`. This addresses the following vulnerability: CVE-2024-20952
N/A	Security fixes for `apigee-mint-task-scheduler`. This addresses the following vulnerability: CVE-2024-20952
N/A	Security fixes for `apigee-redis`. This addresses the following vulnerabilities: CVE-2022-24834 CVE-2022-24735
N/A	Security fixes for `apigee-runtime`. This addresses the following vulnerability: CVE-2024-20952
N/A	Security fixes for `apigee-synchronizer`. This addresses the following vulnerability: CVE-2024-20952
N/A	Security fixes for `vault`. This addresses the following vulnerability: CVE-2025-0377

June 04, 2025

2025-06-04T00:00:00-07:00

v1.15.0

Announcement

hybrid v1.15.0

On June 4, 2025 we released an updated version of the Apigee hybrid software, 1.15.0.

For information on upgrading, see Upgrading Apigee hybrid to version 1.15.
For information on new installations, see The big picture.

Feature

Large message payload support in Apigee hybrid

Apigee now supports message payloads up to 30MB. You configure support for large message payloads in Apigee hybrid for individual environments or for your whole installation. See Configure large message payload support in Apigee hybrid.

Fixed

Bug ID	Description
414499328	`ApigeeTelemetry` could become stuck in `creating` state (Fixed in v1.15.0)
412324617	Fixed issue where Runtime container could spin at 100% cpu limit. (Fixed in v1.14.2)
399447688	API proxy deployment could become stuck in `PROGRESSING` state. (Fixed in v1.14.2)
396886110	Fixed a bug where the HPA max replicas could be lower than min. (Fixed in v1.14.1)
413708061, 396571537	Rotating Cassandra credentials in Kubernetes secrets fixed for Multi-region deployments. (Fixed in v1.14.2)
392547038	Add Helm chart template checks for non-existent environments and virtualhosts. (Fixed in v1.14.1)
391861216	Restore for Google Cloud Platform and HYBRID Cloud Providers no longer affects system keyspaces. This fixes Known Issue 391861216. (Fixed in v1.14.1)
390258745, 388608440	Any left over Cassandra snapshots are automatically removed. This fixes known issue 388608440. (Fixed in v1.14.1)
384937220	Fixed `ApigeeRoute` name collision on internal chaining gateway for Enhanced Proxy Limits. (Fixed in v1.14.2)
383441226	Added the following `metrics` configuration properties: metrics.adapter.resources.limits.cpu metrics.adapter.resources.limits.memory metrics.adapter.resources.requests.cpu metrics.adapter.resources.requests.memory metrics.prometheus.resources.limits.cpu metrics.prometheus.resources.limits.memory metrics.prometheus.resources.requests.cpu metrics.prometheus.resources.requests.memory (Fixed in v1.14.1)
368155212	Auto Cassandra secret rotation could fail when Enhanced per-environment proxy limits are enabled. (Fixed in v1.14.2)
367681534	Tagging `apigee-stackdriver-prometheus-sidecar` to prevent removal from customer repos after 2 years due to infrequent updates. (Fixed in 1.14.0-hotfix.1)

Security

Fixed in this release

Bug ID	Description
N/A	Security fixes for `apigee-asm-ingress`. This addresses the following vulnerability: CVE-2025-22871
N/A	Security fixes for `apigee-asm-istiod`. This addresses the following vulnerability: CVE-2025-22871
N/A	Security fixes for `apigee-connect-agent`. This addresses the following vulnerability: CVE-2025-22871
N/A	Security fixes for `apigee-envoy`. This addresses the following vulnerabilities: CVE-2025-4802 CVE-2025-0395
N/A	Security fixes for `apigee-fluent-bit`. This addresses the following vulnerability: CVE-2025-4802
N/A	Security fixes for `apigee-hybrid-cassandra`. This addresses the following vulnerabilities: CVE-2025-23015 CVE-2025-22871
N/A	Security fixes for `apigee-hybrid-cassandra-client`. This addresses the following vulnerability: CVE-2025-22871
N/A	Security fixes for `apigee-kube-rbac-proxy`. This addresses the following vulnerability: CVE-2025-22871
N/A	Security fixes for `apigee-mart-server`. This addresses the following vulnerability: CVE-2022-3715
N/A	Security fixes for `apigee-operators`. This addresses the following vulnerability: CVE-2025-22871
N/A	Security fixes for `apigee-prom-prometheus`. This addresses the following vulnerabilities: CVE-2025-22871 CVE-2025-22869
N/A	Security fixes for `apigee-prometheus-adapter`. This addresses the following vulnerability: CVE-2025-22871
N/A	Security fixes for `apigee-redis`. This addresses the following vulnerabilities: CVE-2025-22871 CVE-2024-24791
N/A	Security fixes for `apigee-runtime`. This addresses the following vulnerabilities: CVE-2025-0725 CVE-2022-3715
N/A	Security fixes for `apigee-stackdriver-logging-agent`. This addresses the following vulnerabilities: CVE-2025-43857 CVE-2025-32415 CVE-2025-32414 CVE-2025-27788 CVE-2025-27113 CVE-2024-49761 CVE-2024-41946 CVE-2024-41123 CVE-2024-25062 CVE-2023-42915 CVE-2023-33953 CVE-2022-34169 CVE-2022-32511 CVE-2022-32207 CVE-2022-29181 CVE-2022-28739 CVE-2022-27782 CVE-2022-24839 CVE-2022-24836 CVE-2022-23308 CVE-2022-0759 CVE-2021-41819 CVE-2021-41817 CVE-2021-4044 CVE-2021-3518 CVE-2021-3517 CVE-2021-32740 CVE-2021-32066 CVE-2021-31799 CVE-2021-30560 CVE-2021-28966 CVE-2021-28965 CVE-2021-23214 CVE-2021-22926 CVE-2020-7595 CVE-2020-25695 CVE-2020-25694 CVE-2020-25613 CVE-2019-9193 CVE-2019-3881 CVE-2019-20388 CVE-2019-10211 CVE-2019-10210 CVE-2019-10128 CVE-2019-10127 CVE-2018-25032 CVE-2018-1115 CVE-2018-10915 CVE-2018-1058 CVE-2018-1053 CVE-2017-7546 CVE-2017-7486 CVE-2017-7484 CVE-2017-17405 CVE-2017-15098 CVE-2017-14798 CVE-2016-7954 CVE-2016-7048 CVE-2016-5424 CVE-2016-5423 CVE-2016-0766 CVE-2015-3167 CVE-2015-3166 CVE-2015-0244 CVE-2015-0243 CVE-2015-0242 CVE-2015-0241
N/A	Security fixes for `apigee-synchronizer`. This addresses the following vulnerabilities: CVE-2025-0725 CVE-2022-3715
N/A	Security fixes for `apigee-watcher`. This addresses the following vulnerability: CVE-2025-22871
N/A	Security fixes for `cert-manager-cainjector`. This addresses the following vulnerabilities: CVE-2023-45287 CVE-2023-45285 CVE-2023-44487 CVE-2023-39325 CVE-2023-39323 CVE-2023-29405 CVE-2023-29404 CVE-2023-29403 CVE-2023-29402 CVE-2023-29400 CVE-2023-24540 CVE-2023-24539 CVE-2023-24538 CVE-2023-24537 CVE-2023-24536 CVE-2023-24534 CVE-2022-41725 CVE-2022-41724 CVE-2022-41723 CVE-2022-41715 CVE-2022-32189 CVE-2022-30635 CVE-2022-30633 CVE-2022-30632 CVE-2022-30631 CVE-2022-30630 CVE-2022-30580 CVE-2022-2880 CVE-2022-2879 CVE-2022-28327 CVE-2022-28131 CVE-2022-27664 CVE-2022-24921 CVE-2022-24675 CVE-2022-23806 CVE-2022-23773 CVE-2022-23772 CVE-2021-44716 CVE-2021-41772 CVE-2021-41771 CVE-2021-39293 CVE-2021-38297 CVE-2021-33198 CVE-2021-33196 CVE-2021-33195 CVE-2021-33194 CVE-2021-29923 CVE-2021-27918 CVE-2020-28367 CVE-2020-28366 CVE-2020-28362 CVE-2020-16845
N/A	Security fixes for `cert-manager-controller`. This addresses the following vulnerabilities: CVE-2023-45287 CVE-2023-45285 CVE-2023-44487 CVE-2023-39325 CVE-2023-39323 CVE-2023-29405 CVE-2023-29404 CVE-2023-29403 CVE-2023-29402 CVE-2023-29400 CVE-2023-24540 CVE-2023-24539 CVE-2023-24538 CVE-2023-24537 CVE-2023-24536 CVE-2023-24534 CVE-2022-41725 CVE-2022-41724 CVE-2022-41723 CVE-2022-41715 CVE-2022-32189 CVE-2022-30635 CVE-2022-30633 CVE-2022-30632 CVE-2022-30631 CVE-2022-30630 CVE-2022-30580 CVE-2022-2880 CVE-2022-2879 CVE-2022-28327 CVE-2022-28131 CVE-2022-27664 CVE-2022-24921 CVE-2022-24675 CVE-2022-23806 CVE-2022-23773 CVE-2022-23772 CVE-2021-44716 CVE-2021-41772 CVE-2021-41771 CVE-2021-39293 CVE-2021-38297 CVE-2021-33198 CVE-2021-33196 CVE-2021-33195 CVE-2021-33194 CVE-2021-29923 CVE-2021-27918 CVE-2020-28367 CVE-2020-28366 CVE-2020-28362 CVE-2020-16845
N/A	Security fixes for `cert-manager-webhook`. This addresses the following vulnerabilities: CVE-2023-45287 CVE-2023-45285 CVE-2023-44487 CVE-2023-39325 CVE-2023-39323 CVE-2023-29405 CVE-2023-29404 CVE-2023-29403 CVE-2023-29402 CVE-2023-29400 CVE-2023-24540 CVE-2023-24539 CVE-2023-24538 CVE-2023-24537 CVE-2023-24536 CVE-2023-24534 CVE-2022-41725 CVE-2022-41724 CVE-2022-41723 CVE-2022-41715 CVE-2022-32189 CVE-2022-30635 CVE-2022-30633 CVE-2022-30632 CVE-2022-30631 CVE-2022-30630 CVE-2022-30580 CVE-2022-2880 CVE-2022-2879 CVE-2022-28327 CVE-2022-28131 CVE-2022-27664 CVE-2022-24921 CVE-2022-24675 CVE-2022-23806 CVE-2022-23773 CVE-2022-23772 CVE-2021-44716 CVE-2021-41772 CVE-2021-41771 CVE-2021-39293 CVE-2021-38297 CVE-2021-33198 CVE-2021-33196 CVE-2021-33195 CVE-2021-33194 CVE-2021-29923 CVE-2021-27918 CVE-2020-28367 CVE-2020-28366 CVE-2020-28362 CVE-2020-16845
N/A	Security fixes for `vault`. This addresses the following vulnerability: CVE-2025-0377

Security

Fixed since last minor release

Bug ID	Description
391923260	Security fixes for `apigee-watcher`. (Fixed in v1.14.1) This addresses the following vulnerabilities: CVE-2024-24789 CVE-2024-45337 CVE-2024-45338 CVE-2024-24790 CVE-2022-23635 CVE-2022-31045 CVE-2021-39156 CVE-2021-39155 CVE-2019-14993
391923260	Security fixes for `apigee-udca`. (Fixed in v1.14.2) This addresses the following vulnerabilities: CVE-2025-27788 CVE-2025-22869 CVE-2025-22868 CVE-2024-45337 CVE-2024-34158 CVE-2024-34156 CVE-2023-6481
385394193, 383850393, 383778273	Security fixes for `apigee-cassandra-backup-utility`, `apigee-cassandra-client`, and `apigee-hybrid-cassandra`. (Fixed in v1.14.1) This addresses the following vulnerabilities: CVE-2024-0727 CVE-2023-5678 CVE-2022-3715
385394193, 383850393, 383778273	Security fixes for `apigee-cassandra-backup-utility`, `apigee-cassandra-client`, and `apigee-hybrid-cassandra`. (Fixed in v1.13.3) This addresses the following vulnerabilities: CVE-2022-3715 CVE-2024-0727 CVE-2023-5678
383113773, 382967738	Fixed a vulnerability in PythonScript policy. (Fixed in v1.14.1)
365178914	Security fixes for `apigee-cassandra-backup-utility` and `apigee-hybrid-cassandra`. (Fixed in v1.14.1) This addresses the following vulnerability: CVE-2023-37920
N/A	Security fixes for `apigee-watcher`. (Fixed in v1.14.2) This addresses the following vulnerabilities: CVE-2025-22869 CVE-2025-22868
N/A	Security fixes for `apigee-udca`. (Fixed in v1.13.3) This addresses the following vulnerability: CVE-2024-24790
N/A	Security fixes for `apigee-stackdriver-logging-agent`. (Fixed in v1.14.2) This addresses the following vulnerabilities: CVE-2025-24928 CVE-2025-24855 CVE-2025-0306 CVE-2024-56171 CVE-2024-55549
N/A	Security fixes for `apigee-redis`. (Fixed in v1.14.2) This addresses the following vulnerabilities: CVE-2025-22869 CVE-2024-56171 CVE-2024-24791
N/A	Security fixes for `apigee-prometheus-adapter`. (Fixed in v1.14.2) This addresses the following vulnerability: CVE-2025-22868
N/A	Security fixes for `apigee-prometheus-adapter`. (Fixed in v1.14.1) This addresses the following vulnerabilities: CVE-2024-45338 CVE-2024-45337
N/A	Security fixes for `apigee-operators`. (Fixed in v1.14.2) This addresses the following vulnerabilities: CVE-2025-22869 CVE-2025-22868
N/A	Security fixes for `apigee-open-telemetry-collector`. (Fixed in v1.14.2) This addresses the following vulnerabilities: CVE-2025-29786 CVE-2025-22869 CVE-2025-22868
N/A	Security fixes for `apigee-open-telemetry-collector`. (Fixed in v1.14.1) This addresses the following vulnerability: CVE-2024-45338
N/A	Security fixes for `apigee-mint-task-scheduler`. (Fixed in v1.14.2) This addresses the following vulnerability: CVE-2025-21587
N/A	Security fixes for `apigee-mint-task-scheduler`. (Fixed in v1.14.1) This addresses the following vulnerabilities: CVE-2025-24970 CVE-2024-47535
N/A	Security fixes for `apigee-mint-task-scheduler`. (Fixed in v1.13.3) This addresses the following vulnerability: CVE-2024-47535
N/A	Security fixes for `apigee-kube-rbac-proxy`. (Fixed in v1.13.3) This addresses the following vulnerabilities: CVE-2024-24790 CVE-2019-9192 CVE-2019-1010023 CVE-2019-1010022 CVE-2018-20796
N/A	Security fixes for `apigee-hybrid-cassandra`. (Fixed in v1.14.2) This addresses the following vulnerability: CVE-2025-23015
N/A	Security fixes for `apigee-hybrid-cassandra`. (Fixed in v1.14.1) This addresses the following vulnerability: CVE-2023-37920
N/A	Security fixes for `apigee-hybrid-cassandra`. (Fixed in v1.13.3) This addresses the following vulnerability: CVE-2024-9287
N/A	Security fixes for `apigee-hybrid-cassandra-client`. (Fixed in v1.14.2) This addresses the following vulnerability: CVE-2025-22868
N/A	Security fixes for `apigee-fluent-bit`. (Fixed in v1.14.2) This addresses the following vulnerabilities: CVE-2025-1094 CVE-2025-0395
N/A	Security fixes for `apigee-fluent-bit`. (Fixed in v1.13.3) This addresses the following vulnerability: CVE-2024-10979
N/A	Security fixes for `apigee-asm-istiod`. (Fixed in v1.14.1) This addresses the following vulnerability: CVE-2024-45338

May 29, 2025

2025-05-29T00:00:00-07:00

v1.14.2

Announcement

On May 29, 2025 we announced the shutdown schedule for the Apigee Classic UI.

Deprecated

The Apigee Classic UI will be shutdown as of August 29, 2025.

This is the final phase of moving Apigee to the Google Cloud console. Apigee in the Google Cloud console gives you the ability to manage all of your Apigee functionality in one place.

To prepare for the shutdown of the Apigee Classic UI, familiarize yourself with the new Apigee UI in Google Cloud console by reviewing UI overview.

See Apigee Classic UI shutdown for details on shutdown dates and exception request.

May 16, 2025

2025-05-16T00:00:00-07:00

1.14.2-hotfix.1

Announcement

hybrid 1.14.2-hotfix.1

On May 16, 2025 we released an updated version of the Apigee hybrid software, 1.14.2-hotfix.1.

Apply this hotfix with the following steps:

Download the apigee-org and apigee-env charts with the 1.14.2-hotfix.1 version tag:

export CHART_REPO=oci://us-docker.pkg.dev/apigee-release/apigee-hybrid-helm-charts
export CHART_VERSION=1.14.2-hotfix.1
helm pull $CHART_REPO/apigee-env --version $CHART_VERSION --untar
helm pull $CHART_REPO/apigee-org --version $CHART_VERSION --untar

Optional: Perform this step if you need to allow use of the allOf combinator along with setting additionalProperties: true in your OAS spec. See fixed bug 393615439.

Add the following stanza to your overrides.yaml:
```
runtime:
  cwcAppend:
    conf_message-processor-communication_oas.disable.resolve.combinator: true
```
Install the hotfix release:
1. Update the apigee-env chart with the helm upgrade command and your current overrides file for each environment in your Apigee org:
  
  Dry run:
```
helm upgrade ENV_RELEASE_NAME apigee-env/ \
--namespace APIGEE_NAMESPACE \
--set env=ENV_NAME \
--atomic \
-f OVERRIDES_FILE \
--dry-run=server
```
  - ENV_RELEASE_NAME is a name used to keep track of installation and upgrades of the apigee-env chart. This name must be unique from the other Helm release names in your installation. Usually this is the same as ENV_NAME. However, if your environment has the same name as your environment group, you must use different release names for the environment and environment group, for example dev-env-release and dev-envgroup-release. For more information on releases in Helm, see Three big concepts in the Helm documentation.
  - APIGEE_NAMESPACE is your installation's namespace. The default is apigee.
  - ENV_NAME is the name of the environment you are upgrading.
  - OVERRIDES_FILE is your edited overrides file.
  Install the changes:
```
helm upgrade ENV_RELEASE_NAME apigee-env/ \
--namespace APIGEE_NAMESPACE \
--set env=ENV_NAME \
--atomic \
-f OVERRIDES_FILE
```
2. Update the apigee-org chart:
  
  Dry run:
```
helm upgrade ORG_NAME apigee-org/ \
--namespace APIGEE_NAMESPACE \
-f OVERRIDES_FILE \
--dry-run=server
```
  Install the changes:
```
helm upgrade ORG_NAME apigee-org/ \
--namespace APIGEE_NAMESPACE \
-f OVERRIDES_FILE
```

Verify the installation:

Ensure runtime and udca pods are up and running by checking their state:

kubectl -n APIGEE_NAMESPACE get pods -l app=apigee-runtime

kubectl -n APIGEE_NAMESPACE get pods -l app=apigee-udca

For information on upgrading, see Upgrading Apigee hybrid to version 1.14.
For information on new installations, see The big picture.

Fixed

Bug ID Description

Bug ID	Description
393615439	OASValidation behavior for `allOf` with `additionalProperties: true`. Issue The OASValidation policy in Apigee Hybrid versions 1.12 and later may incorrectly reject requests when validating against an OpenAPI Specification (OAS) that uses combinator keywords (`allOf`, `oneOf`, `anyOf`) and allows additional properties (`additionalProperties: true`) within the combined schema. This occurs because the default behavior resolves combinators into an aggregated schema before validation, but an underlying issue in the parser library can cause the `additionalProperties` definition to be handled incorrectly during this resolution. This behavior differs from Apigee Edge and older Apigee Hybrid versions. Resolution A configuration flag has been introduced to control this behavior. By setting this flag, you can disable the pre-validation combinator resolution step, reverting to the behavior consistent with Apigee Edge and older Hybrid versions. Validation errors in Apigee hybrid If you encounter the validation errors described above, particularly for specs that worked correctly in Apigee Edge or Hybrid versions prior to 1.12, you can revert to the previous validation behavior by setting the following flag for the apigee-runtime container: conf_message-processor-communication_oas.disable.resolve.combinator = true Note: Reverting to the older behavior (by setting the flag to true) reintroduces the older limitation: When using `allOf`, the `additionalProperties` keyword must be explicitly set to true if you intend to make the inheritance work correctly. The older behavior does not correctly handle schema validation with `allOf` when `additionalProperties` is set to false or is undefined. Customers migrating from Edge/OPDK or older hybrid versions should already be working around this limitation.

393615439

OASValidation behavior for allOf with additionalProperties: true.

Issue

The OASValidation policy in Apigee Hybrid versions 1.12 and later may incorrectly reject requests when validating against an OpenAPI Specification (OAS) that uses combinator keywords (allOf, oneOf, anyOf) and allows additional properties (additionalProperties: true) within the combined schema. This occurs because the default behavior resolves combinators into an aggregated schema before validation, but an underlying issue in the parser library can cause the additionalProperties definition to be handled incorrectly during this resolution. This behavior differs from Apigee Edge and older Apigee Hybrid versions.

Resolution

A configuration flag has been introduced to control this behavior. By setting this flag, you can disable the pre-validation combinator resolution step, reverting to the behavior consistent with Apigee Edge and older Hybrid versions.

Validation errors in Apigee hybrid

If you encounter the validation errors described above, particularly for specs that worked correctly in Apigee Edge or Hybrid versions prior to 1.12, you can revert to the previous validation behavior by setting the following flag for the apigee-runtime container:

conf_message-processor-communication_oas.disable.resolve.combinator = true

Note: Reverting to the older behavior (by setting the flag to true) reintroduces the older limitation: When using allOf, the additionalProperties keyword must be explicitly set to true if you intend to make the inheritance work correctly. The older behavior does not correctly handle schema validation with allOf when additionalProperties is set to false or is undefined. Customers migrating from Edge/OPDK or older hybrid versions should already be working around this limitation.

Security

Bug ID	Description
N/A	Incorporated an updated base image for `stackdriver-logging-agent`, improving the overall security of the service. This addresses the following vulnerabilities (among others and not limited to): CVE-2022-32221 GHSA-jvgm-pfqv-887x

May 02, 2025

2025-05-02T00:00:00-07:00

v1.14.2

Announcement

hybrid v1.14.2

On May 2, 2025 we released an updated version of the Apigee hybrid software, 1.14.2.

For information on upgrading, see Upgrading Apigee hybrid to version 1.14.
For information on new installations, see The big picture.

Feature

Large message payload support in Apigee hybrid

Apigee now supports message payloads up to 30MB. For information see:

Message payload size
runtime.resources.limits.memory in the Configuration property reference.
runtime.resources.requests.memory in the Configuration property reference.

Change

Starting with v1.14.2, third-party container images will be labeled with a version tag that matches the Apigee hybrid image tag. This affects the image tags returned by the apigee-pull-push command line tool. For more information, see:

Fixed

Bug ID	Description
412324617	Fixed issue where Runtime container could spin at 100% cpu limit.
401746333	Fixed a `java.lang.ClassCircularityError` that could occur in Java Callouts due to an issue with the class loading mechanism.
399447688	API proxy deployment could become stuck in `PROGRESSING` state.
397693324	ESS and non-ESS Multi-region Cassandra credential rotation could fail in every region except the first.
396571537	Rotating Cassandra credentials in Kubernetes secrets fixed for Multi-region deployments.
384937220	Fixed `ApigeeRoute` name collision on internal chaining gateway for Enhanced Proxy Limits.
368155212	Auto Cassandra secret rotation could fail when Enhanced per-environment proxy limits are enabled.

Security

Bug ID	Description
391923260	Security fixes for `apigee-udca`. This addresses the following vulnerabilities: CVE-2025-27788 CVE-2025-22869 CVE-2025-22868 CVE-2024-45337 CVE-2024-34158 CVE-2024-34156 CVE-2023-6481
N/A	Security fixes for `apigee-fluent-bit`. This addresses the following vulnerabilities: CVE-2025-1094 CVE-2025-0395
N/A	Security fixes for `apigee-hybrid-cassandra`. This addresses the following vulnerability: CVE-2025-23015
N/A	Security fixes for `apigee-hybrid-cassandra-client`. This addresses the following vulnerability: CVE-2025-22868
N/A	Security fixes for `apigee-mint-task-scheduler`. This addresses the following vulnerability: CVE-2025-21587
N/A	Security fixes for `apigee-open-telemetry-collector`. This addresses the following vulnerabilities: CVE-2025-29786 CVE-2025-22869 CVE-2025-22868
N/A	Security fixes for `apigee-operators`. This addresses the following vulnerabilities: CVE-2025-22869 CVE-2025-22868
N/A	Security fixes for `apigee-prometheus-adapter`. This addresses the following vulnerability: CVE-2025-22868
N/A	Security fixes for `apigee-redis`. This addresses the following vulnerabilities: CVE-2025-22869 CVE-2024-56171 CVE-2024-24791
N/A	Security fixes for `apigee-stackdriver-logging-agent`. This addresses the following vulnerabilities: CVE-2025-24928 CVE-2025-24855 CVE-2025-0306 CVE-2024-56171 CVE-2024-55549
N/A	Security fixes for `apigee-watcher`. This addresses the following vulnerabilities: CVE-2025-22869 CVE-2025-22868

April 14, 2025

2025-04-14T00:00:00-07:00

v1.14.0

Announcement

On April 14, 2025 we released an updated version of Apigee.

Feature

Announcing data collectors data residency (DRZ) compliance for Apigee and Apigee hybrid.

Data collectors can be used with data residency for Subscription and Pay-as-you-go organizations and hybrid versions 1.14.0 and later.

See Data residency compatibility for information.

1.11.2-hotfix.3

Announcement

hybrid 1.11.2-hotfix.3

On April 14, 2025 we released an updated version of the Apigee hybrid software, 1.11.2-hotfix.3.

Apply this hotfix with the following steps:

In your overrides file, update the image.url and image.tag properties of ao and runtime:

runtime:
  image:
    url: "gcr.io/apigee-release/hybrid/apigee-runtime"
    tag: "1.11.2-hotfix.3"

Install the hotfix release:
- For Helm-managed releases, update the apigee-env chart with the helm upgrade command and your current overrides files:
  
  For each environment in your Apigee org:
```
helm upgrade ENV_RELEASE_NAME apigee-env/ \
  --namespace APIGEE_NAMESPACE \
  --set env=ENV_NAME \
  --atomic \
  -f OVERRIDES_FILE
```
  - ENV_RELEASE_NAME is a name used to keep track of installation and upgrades of the apigee-env chart. This name must be unique from the other Helm release names in your installation. Usually this is the same as ENV_NAME. However, if your environment has the same name as your environment group, you must use different release names for the environment and environment group, for example dev-env-release and dev-envgroup-release. For more information on releases in Helm, see Three big concepts in the Helm documentation.
  - APIGEE_NAMESPACE is your installation's namespace. The default is apigee.
  - ENV_NAME is the name of the environment you are upgrading.
  - OVERRIDES_FILE is your edited overrides file.
- For apigeectl-managed releases:
  1. Install the hotfix release with apigeectl init using your updated overrides file:
```
${APIGEECTL_HOME}/apigeectl init -f OVERRIDES_FILE --dry-run=client
```
    Followed by:
```
${APIGEECTL_HOME}/apigeectl init -f OVERRIDES_FILE
```
  2. Apply the hotfix release with apigeectl apply:
```
${APIGEECTL_HOME}/apigeectl apply -f OVERRIDES_FILE --all-envs --dry-run=client
```
    Followed by:
```
${APIGEECTL_HOME}/apigeectl apply -f OVERRIDES_FILE --all-envs
```

For information on upgrading, see Upgrading Apigee hybrid to version 1.11.
For information on new installations, see The big picture.
For recommended actions after upgrading, see Validate policies after upgrade to 1.12-hotfix.3.

Security

Stricter class instantiation checks included in this release.

JavaCallout policy now includes additional security during Java class instantiation. The enhanced security measure prevents the deployment of policies that directly or indirectly attempt actions that require permissions that are not allowed.

In most cases, existing policies will continue to function as expected without any issues. However, there is a possibility that policies relying on third-party libraries, or those with custom code that indirectly triggers operations requiring elevated permissions, could be affected.

To test your installation, follow the procedure in Validate policies after upgrade to 1.11.2-hotfix.3 to validate policy behavior.

Bug ID	Description
382967738	Fixed a vulnerability in PythonScript policy.

March 27, 2025

2025-03-27T00:00:00-07:00

v1.14.0

Announcement

On March 27, 2025, we released an updated version of Apigee.

Feature

Availability of client IP resolution functionality with Apigee hybrid.

Client IP resolution functonality is now available with Apigee hybrid versions 1.14.0 and later.

See Client IP resolution for information.

March 25, 2025

2025-03-25T00:00:00-07:00

v1.14.0

Announcement

On March 25, 2025 we released an updated version of Advanced API Security.

Change

New Advanced API Security support when using data residency (DRZ) with Apigee hybrid

Advanced API Security is now available for Apigee hybrid orgs using DRZ, for hybrid versions 1.14.0 and later. See Using data residency with Apigee hybrid.

See Introduction to data residency for information on DRZ and Advanced API Security support across organization types.

March 12, 2025

2025-03-12T00:00:00-07:00

v1.13.3 & v1.12.4 & v1.14.1

Issue

v1.13.3 , v1.14.1, v1.12.4

The Nimbus JOSE + JWT library may cause a java.lang.ClassCircularityError when using a JavaCallout policy.

For more information, see Apigee known issues.

March 01, 2025

2025-03-01T00:00:00-08:00

v1.14.1

Fixed

Bug ID	Description
396886110	Fixed a bug where the HPA max replicas could be lower than min.
392547038	Add Helm chart template checks for non-existent environments and virtualhosts.
391861216	Restore for Google Cloud Platform and HYBRID Cloud Providers no longer affects system keyspaces. This fixes Known Issue 391861216.
390019667	Fixed bug where the daemonsets had an invalid pod disruption budget which prevented downscaling.
383441226	Added the following `metrics` configuration properties: metrics.adapter.resources.limits.cpu metrics.adapter.resources.limits.memory metrics.adapter.resources.requests.cpu metrics.adapter.resources.requests.memory metrics.prometheus.resources.limits.cpu metrics.prometheus.resources.limits.memory metrics.prometheus.resources.requests.cpu metrics.prometheus.resources.requests.memory
382565315	LogTimer usage in SecurityPolicy could cause a memory leak.

Announcement

Manage process ID limits

The procedure to manage the process ID limits in your clusters has been added to the documentation.

A Process ID limit is a Kubernetes resource constraint on nodes and pods to prevent excessive process creation, which can impact node stability. Setting process ID limits in Kubernetes can improve system stability, security, and resource management. This is also consistent with Kubernetes best practices. Apigee Hybrid supports the Kubernetes feature to set process ID limits.

See: Manage process ID limits.

Announcement

hybrid v1.14.1

On March 1, 2025 we released an updated version of the Apigee hybrid software, 1.14.1.

This release enhances the security posture within the JavaCallout and PythonScript policies. This release does not include any new features or general bug fixes.

For information on upgrading, see Upgrading Apigee hybrid to version 1.14.
For information on new installations, see The big picture.
For recommended actions after upgrading, see Validate policies after upgrade to 1.14.1.

Security

Stricter class instantiation checks included in this release.

To test your installation, follow the procedure in Validate policies after upgrade to 1.14.1 to validate policy behavior.

Bug ID	Description
385394193, 383850393, 383778273	Security fixes for `apigee-cassandra-backup-utility`, `apigee-cassandra-client`, and `apigee-hybrid-cassandra`. This addresses the following vulnerabilities: CVE-2024-0727 CVE-2023-5678 CVE-2022-3715
383113773, 382967738	Fixed a vulnerability in PythonScript policy.
365178914	Security fixes for `apigee-cassandra-backup-utility` and `apigee-hybrid-cassandra`. This addresses the following vulnerability: CVE-2023-37920
N/A	Security fixes for `apigee-asm-istiod`. This addresses the following vulnerability: CVE-2024-45338
N/A	Security fixes for `apigee-hybrid-cassandra`. This addresses the following vulnerability: CVE-2023-37920
N/A	Security fixes for `apigee-mint-task-scheduler`. This addresses the following vulnerabilities: CVE-2025-24970 CVE-2024-47535
N/A	Security fixes for `apigee-open-telemetry-collector`. This addresses the following vulnerability: CVE-2024-45338
392174215	Security fixes for `apigee-operator`. This addresses the following vulnerabilities: CVE-2024-45337 CVE-2024-45338
N/A	Security fixes for `apigee-prometheus-adapter`. This addresses the following vulnerabilities: CVE-2024-45338 CVE-2024-45337
391786033	Security fixes for `apigee-watcher`. This addresses the following vulnerability: CVE-2024-45338
388271708	Security fix for Apigee infrastructure This addresses the following vulnerability: CVE-2025-13426 Fixed an issue with the JavaCallout policy that could result in remote code execution.

v1.13.3

Security

Stricter class instantiation checks included in this release.

To test your installation, follow the procedure in Validate policies after upgrade to 1.13.3 to validate policy behavior.

Bug ID	Description
Bug ID	Description
385394193, 383850393, 383778273	Security fixes for `apigee-cassandra-backup-utility`, `apigee-cassandra-client`, and `apigee-hybrid-cassandra`. This addresses the following vulnerabilities: CVE-2024-0727 CVE-2023-5678 CVE-2022-3715
382967738	Fixed a vulnerability in PythonScript policy.
N/A	Security fixes for `apigee-envoy`. This addresses the following vulnerability: CVE-2019-1010024
N/A	Security fixes for `apigee-fluent-bit`. This addresses the following vulnerability: CVE-2024-10979
N/A	Security fixes for `apigee-mint-task-scheduler`. This addresses the following vulnerabilities: CVE-2025-24970 CVE-2024-47535
N/A	Security fixes for `apigee-open-telemetry-collector`. This addresses the following vulnerability: CVE-2024-45338
392174215	Security fixes for `apigee-operator`. This addresses the following vulnerabilities: CVE-2024-45337 CVE-2024-45338
N/A	Security fixes for `apigee-redis`. This addresses the following vulnerabilities: CVE-2022-24834 CVE-2022-24735
391786033	Security fixes for `apigee-watcher`. This addresses the following vulnerability: CVE-2024-45338
N/A	Security fixes for `livenessprobe`. This addresses the following vulnerability: CVE-2023-45288
388271708	Security fix for Apigee infrastructure This addresses the following vulnerability: CVE-2025-13426 Fixed an issue with the JavaCallout policy that could result in remote code execution.

Announcement

hybrid v1.13.3

On March 1, 2025 we released an updated version of the Apigee hybrid software, 1.13.3.

This release enhances the security posture within the JavaCallout and PythonScript policies. This release does not include any new features or general bug fixes.

For information on upgrading, see Upgrading Apigee hybrid to version 1.13.
For information on new installations, see The big picture.
For recommended actions after upgrading, see Validate policies after upgrade to 1.13.3.

Announcement

Manage process ID limits

The procedure to manage the process ID limits in your clusters has been added to the documentation.

See: Manage process ID limits.

Fixed

Bug ID	Description
396886110	Fixed a bug where the HPA max replicas could be lower than min.
391861216	Restore for Google Cloud Platform and HYBRID Cloud Providers no longer affects system keyspaces. This fixes Known Issue 391861216.
390258745, 388608440	Any left over Cassandra snapshots are automatically removed. This fixes known issue 388608440.
390019667	Fixed bug where the daemonsets had an invalid pod disruption budget which prevented downscaling.
383441226	Added the following `metrics` configuration properties: metrics.adapter.resources.limits.cpu metrics.adapter.resources.limits.memory metrics.adapter.resources.requests.cpu metrics.adapter.resources.requests.memory metrics.prometheus.resources.limits.cpu metrics.prometheus.resources.limits.memory metrics.prometheus.resources.requests.cpu metrics.prometheus.resources.requests.memory
382565315	LogTimer usage in SecurityPolicy could cause a memory leak.

v1.12.4

Announcement

hybrid v1.12.4

On March 1, 2025 we released an updated version of the Apigee hybrid software, 1.12.4.

This release enhances the security posture within the JavaCallout and PythonScript policies. This release does not include any new features or general bug fixes.

For information on upgrading, see Upgrading Apigee hybrid to version 1.12.
For information on new installations, see The big picture.
For recommended actions after upgrading, see Validate policies after upgrade to 1.12.4.

Security

Stricter class instantiation checks included in this release.

To test your installation, follow the procedure in Validate policies after upgrade to 1.12.4 to validate policy behavior.

Bug ID	Description
391923260	Security fixes for `apigee-watcher`. This addresses the following vulnerabilities: CVE-2024-24789 CVE-2024-45337 CVE-2024-45338 CVE-2024-24790 CVE-2022-23635 CVE-2022-31045 CVE-2021-39156 CVE-2021-39155 CVE-2019-14993
385394193, 383850393, 383778273	Security fixes for `apigee-cassandra-backup-utility`, `apigee-cassandra-client`, and `apigee-hybrid-cassandra`. This addresses the following vulnerabilities: CVE-2024-0727 CVE-2023-5678 CVE-2022-3715
382967738	Fixed a vulnerability in PythonScript policy.
365178914	Security fixes for `apigee-cassandra-backup-utility` and `apigee-hybrid-cassandra`. This addresses the following vulnerability: CVE-2023-37920
N/A	Security fixes for `apigee-fluent-bit`. This addresses the following vulnerability: CVE-2024-10979
N/A	Security fixes for `apigee-kube-rbac-proxy`. This addresses the following vulnerabilities: CVE-2024-24790 CVE-2019-9192 CVE-2019-1010023 CVE-2019-1010022 CVE-2018-20796
N/A	Security fixes for `apigee-fluent-bit`. This addresses the following vulnerability: CVE-2024-10979
N/A	Security fixes for `apigee-kube-rbac-proxy`. This addresses the following vulnerabilities: CVE-2024-24790 CVE-2019-9192 CVE-2019-1010023 CVE-2019-1010022 CVE-2018-20796
N/A	Security fixes for `apigee-mint-task-scheduler`. This addresses the following vulnerability: CVE-2024-47535
N/A	Security fixes for `apigee-open-telemetry-collector`. This addresses the following vulnerability: CVE-2024-36129
N/A	Security fixes for `apigee-udca`. This addresses the following vulnerability: CVE-2024-24790
388271708	Security fix for Apigee infrastructure This addresses the following vulnerability: CVE-2025-13426 Fixed an issue with the JavaCallout policy that could result in remote code execution.

Fixed

Bug ID	Description
390258745, 388608440	Any left over Cassandra snapshots are automatically removed. This fixes known issue 388608440.

January 09, 2025

2025-01-09T00:00:00-08:00

1.14.0-hotfix.1

Announcement

hybrid 1.14.0-hotfix.1

On January 9, 2025 we released an updated version of the Apigee hybrid software, 1.14.0-hotfix.1.

For information on upgrading, see Upgrading Apigee hybrid to version v1.14.
For information on new installations, see The big picture.

Instructions:

To install 1.14.0-hotfix.1:

In your overrides.yaml file update the value of metrics.sdSidecar.image.tag to 0.10.0. Add the following stanza:

metrics:
  sdSidecar:
    image:
      url: "gcr.io/apigee-release/hybrid/apigee-stackdriver-prometheus-sidecar"
      tag: "0.10.0"

Apply the changes to the apigee-telemetry chart:

Dry run:

helm upgrade telemetry apigee-telemetry/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml \
  --dry-run=server

Install the chart:

helm upgrade telemetry apigee-telemetry/ \
  --install \
  --namespace APIGEE_NAMESPACE \
  --atomic \
  -f overrides.yaml

Verify the change by checking its state:

kubectl -n APIGEE_NAMESPACE get apigeetelemetry apigee-telemetry

Fixed

Bug ID	Description
367681534	Tagging `apigee-stackdriver-prometheus-sidecar` to prevent removal from customer repos after 2 years due to infrequent updates.

December 16, 2024

2024-12-16T00:00:00-08:00

v1.14.0

Announcement

hybrid v1.14.0

On December 16, 2024 we released an updated version of the Apigee hybrid software, v1.14.0.

For information on upgrading, see Upgrading Apigee hybrid to version v1.14.
For information on new installations, see The big picture.

Feature

Enhanced Per-environment Proxy Limits in Apigee Hybrid

Starting in version v1.14, new Apigee hybrid organizations can be provisioned with the ability to deploy more than 50 proxies per environment enabled. This feature is already available for Apigee X.

Starting with Apigee hybrid version 1.14, the limits for Apigee hybrid organizations have increased:

The maximum number of deployed API proxies and shared flows per organization is 6000.
The maximum number of proxy deployment units per Apigee instance is 6000.
The maximum number of API base paths per Apigee organization is 3000.

When more than 50 proxies are deployed in an environment, Apigee will automatically partition the environment into several distinct replica sets, each containing a subset of proxies deployed in the environment. These replica subsets are equivalent in behavior and infrastructure resource usage to a single environment in the way it loads and runs a set of proxies and other environment resources. This will be transparent to the user, and you can continue to use the environment as you would a single environment.

See:

Feature

Forward Proxy allowlist access

Starting in version v1.14, forward proxies pass through access to allowlisted URLs. Therefore you only need to configure allowlists to googleapis.com URLs on the server on which the forward proxy is configured. See:

Feature

Guardrails checks to ensure backups before upgrade

Starting in version 1.14 new guardrails checks have been added to ensure a backup is enabled and has been made before proceeding with an upgrade. See:

Feature

Enable and disable metrics-based scaling with customAutoscaling.enabled

Starting in version v1.14, you can enable and disable metrics-based auto-scaling with the customAutoscaling.enabled configuration property. See:

Feature

Cassandra credential rotation

Starting in version v1.14, you can rotate Cassandra credentials in Kubernetes secrets. In addition, you can now roll back credential rotation before the cleanup job is initiated in both Vault and Kubernetes secrets. See:

Feature

New analytics and debug data pipeline for hybrid orgs

Starting with version 1.14, Apigee hybrid orgs can use a new data pipeline to collect analytics and debug data and allow various runtime components to write data directly to our control plane. Control plane access is required to enable the new data pipeline.

See:

Fixed

Bug ID	Description
382323427	Added a guardrails check that requires backup to be enabled for Apigee Hybrid upgrades. Backups are required prior to upgrading to support restoring to the previous version, if necessary.
380346557	Added a guardrails check that requires the backup within the last 24 hours to be present if the CSI backup is enabled. This will minimize potential data loss if a restore to the previous version is needed.
377573589	Fix a bug where manually created rollbacks would interfere with existing rotations instead of cancelling them.
362305438	Users can now add additional env variables to the runtime component. See `runtime.envVars`
319152386	Fix `AccessTokenGenerationFailure` in runtime when using a forward proxy.
335357961	Fixed an issue where Apigee hybrid could claim uploads of backups with the Cloud provider when no bucket had been configured
290183372	The need to allowlist oauth2 and iamcredentials.googleapis.com directly from MP in fwd proxy setup is removed.
237656263	Resolved issue with ServiceCallout policy not working in async mode as expected.
373722434	Fixed support for backups to Google Cloud Storage buckets with retention policies. (Fixed in v1.13.2)
368646378	Fixed an issue affecting control Plane connectivity testing in Guardrails. (Fixed in v1.12.3)
364282883	Remove check for dc-expansion flag and add timeout to multi-region seed host connection test. (Fixed in v1.13.1)
362979563	Fix for Ingress Health Check failure `/healthz/ingress - route_not_found`. (Fixed in 1.13.0-hotfix.1)
362690729	Fix for aggressive scaling of runtime pods & cpu spike. (Fixed in 1.13.0-hotfix.1)
362305438	You can now add additional env variables to the runtime component. (Fixed in v1.13.1)
361044374	Fixes assign message not correctly highlighting the set payload action in the debug trace. (Fixed in v1.13.2)
355122464	This release contains a few error-handling fixes for CSI backup and restore. (Fixed in v1.13.2)
353527851	WebSocket connection drops when using `VerifyJwt` or `OAuthV2 VerifyJWTAccessToken` operations. (Fixed in v1.13.1)
351440306	An issue was fixed where trace could not be viewed in the UI for orgs with DRZ enabled. (Fixed in v1.13.1)
347798999	You can now configure forward proxy for opentelemetry pods in Apigee hybrid. (Fixed in v1.12.2)
338638343	An ID is now added at the end of `apigee-env` and `virtualhost` guardrails pods to make the pod names unique. (Fixed in v1.13.1)
237656263	Fix added to make use of asynchronous ServiceCallout execution when the ServiceCallout policy element is not present (Fixed in v1.13.2)
181569113	Fixed an issue in new debug session creation. (Fixed in v1.12.3)

Security

Bug ID	Description
N/A	Security fixes for `apigee-redis`. This addresses the following vulnerabilities: CVE-2022-24834 CVE-2022-24735
N/A	Security fixes for `livenessprobe`. This addresses the following vulnerability: CVE-2023-45288
376104926	Security fixes for `apigee-kube-rbac-proxy`. (Fixed in v1.12.3) This addresses the following vulnerabilities: CVE-2024-41110 CVE-2024-28180 CVE-2024-24790 CVE-2024-24789 CVE-2023-4039 CVE-2022-27943 CVE-2019-1010025 CVE-2019-1010024 CVE-2019-1010023 CVE-2019-1010022 CVE-2019-9192 CVE-2018-20796 CVE-2012-2663 CVE-2010-4756
N/A	Security fixes for `apigee-redis`. (Fixed in v1.13.2) This addresses the following vulnerabilities: CVE-2022-24834 CVE-2022-24735
N/A	Security fixes for `apigee-open-telemetry-collector`. (Fixed in v1.13.1) This addresses the following vulnerability: CVE-2024-36129
N/A	Security fixes for `apigee-open-telemetry-collector`. (Fixed in v1.12.3) This addresses the following vulnerability: CVE-2024-36129
N/A	Security fixes for `apigee-cassandra-backup-utility` and `apigee-hybrid-cassandra`. (Fixed in v1.12.2) This addresses the following vulnerability: CVE-2023-37920

November 12, 2024

2024-11-12T00:00:00-08:00

v1.13.2

Announcement

hybrid v1.13.2

On November 12, 2024 we released an updated version of the Apigee hybrid software, 1.13.2.

For information on upgrading, see Upgrading Apigee hybrid to version 1.13.2.
For information on new installations, see The big picture.

Security

Bug ID	Description
N/A	Security fixes for `apigee-redis`. This addresses the following vulnerabilities: CVE-2022-24834 CVE-2022-24735

Fixed

Bug ID	Description
373722434	Fixed support for backups to GCS buckets with retention policies.
361044374	Fixes assign message not correctly highlighting the set payload action in the debug trace.
355122464	This release contains a few error-handling fixes for CSI backup and restore.
237656263	Fix added to make use of asynchronous ServiceCallout execution when the ServiceCallout policy element is not present. Procedure: In the `apigee-env/values.yaml` file set `conf_system_servicecallout.expects.response` to `false` under `runtime:cwcAppend:`. For example: # Apigee Runtime. runtime: cwcAppend: conf_system_servicecallout.expects.response: false Upgrade the `apigee-env` chart for each environment to apply the change. For example: helm upgrade `ENV_RELEASE_NAME` apigee-env/ \ --install \ --namespace `APIGEE_NAMESPACE` \ --set env=`ENV_NAME` \ -f `OVERRIDES_FILE`

November 01, 2024

2024-11-01T00:00:00-07:00

v1.12.3

Announcement

hybrid v1.12.3

On November 1, 2024 we released an updated version of the Apigee hybrid software, 1.12.3.

For information on upgrading, see Upgrading Apigee hybrid to version 1.12.3.
For information on new installations, see The big picture.

Fixed

Bug ID	Description
368646378	Fixed an issue affecting control Plane connectivity testing in Guardrails.
361044374	Fixes assign message not correctly highlighting the set payload action in the debug trace.
335357961	Fixed an issue where Apigee hybrid could claim uploads of backups with the Cloud provider when no bucket had been configured
181569113	Fixed an issue in new debug session creation.

Security

Bug ID	Description
376104926	Security fixes for `apigee-kube-rbac-proxy`. This addresses the following vulnerabilities: CVE-2024-41110 CVE-2024-28180 CVE-2024-24790 CVE-2024-24789 CVE-2023-4039 CVE-2022-27943 CVE-2019-1010025 CVE-2019-1010024 CVE-2019-1010023 CVE-2019-1010022 CVE-2019-9192 CVE-2018-20796 CVE-2012-2663 CVE-2010-4756
N/A	Security fixes for `apigee-open-telemetry-collector`. This addresses the following vulnerability: CVE-2024-36129

October 04, 2024

2024-10-04T00:00:00-07:00

v1.13.1

Announcement

hybrid v1.13.1

On October 4, 2024 we released an updated version of the Apigee hybrid software, 1.13.1.

For information on upgrading, see Upgrading Apigee hybrid to version 1.13.1.
For information on new installations, see The big picture.

Feature

New analytics and debug data pipeline for data residency-enabled orgs

Starting in v1.13.1 hybrid organizations created with data residency enabled must use the new data pipeline to collect analytics and debug data and allow various runtime components to write data directly to our control plane. Changes to overrides file and control plane access are required to enable the new data pipeline.

For details, see:

Feature

Cassandra credential rotation in Vault

Starting in version v1.3.1, You can set up automatic Cassandra credential rotation when your credentials are stored in Hashicorp Vault. See Rotating Cassandra credentials in Hashicorp Vault.

Fixed

Bug ID	Description
364282883	Remove check for dc-expansion flag and add timeout to multi-region seed host connection test.
362305438	You can now add additional env variables to the runtime component.
353527851	WebSocket connection drops when using `VerifyJwt` or `OAuthV2 VerifyJWTAccessToken` operations.
351440306	An issue was fixed where trace could not be viewed in the UI for orgs with DRZ enabled.
338638343	An ID is now added at the end of `apigee-env` and `virtualhost` guardrails pods to make the pod names unique.

Security

Bug ID	Description
N/A	Security fixes for `apigee-open-telemetry-collector`. This addresses the following vulnerability: CVE-2024-36129

September 13, 2024

2024-09-13T00:00:00-07:00

v1.12.2

Announcement

hybrid v1.12.2

On September 13, 2024 we released an updated version of the Apigee hybrid software, 1.12.2.

For information on upgrading, see Upgrading Apigee hybrid to version 1.12.2.
For information on new installations, see The big picture.

Fixed

Bug ID	Description
362305438	You can now add additional env variables to the runtime component.
347798999	You can now configure forward proxy for opentelemetry pods in Apigee hybrid.

Security

Bug ID	Description
N/A	Security fixes for `apigee-cassandra-backup-utility` and `apigee-hybrid-cassandra`. This addresses the following vulnerability: CVE-2023-37920

September 05, 2024

2024-09-05T00:00:00-07:00

1.13.0-hotfix.1

Announcement

hybrid 1.13.0-hotfix.1

On September 5, 2024 we released an updated version of the Apigee hybrid software, 1.13.0-hotfix.1.

Apply this hotfix following the steps in Upgrading Apigee hybrid to version 1.13:

For information on upgrading, see Upgrading Apigee hybrid to version 1.13.
For information on new installations, see The big picture.

Fixed

Bug ID	Description
362690729	Fix for aggressive scaling of runtime pods & cpu spike.
362979563	Fix for Ingress Health Check failure `/healthz/ingress - route_not_found`.

August 23, 2024

2024-08-23T00:00:00-07:00

v1.13.0

Announcement

hybrid v1.13.0

On August 23, 2024 we released an updated version of the Apigee hybrid software, v1.13.0.

For information on upgrading, see Upgrading Apigee hybrid to version v1.13.0.
For information on new installations, see The big picture.

Feature

Storing additional secrets in an external secret store

Starting in version v1.13, You can now store AX Hash Salt, Redis password, and Encryption keys in an external secret store like Hashicorp Vault. See Storing Secrets in Vault.

Feature

Apigee Operator now runs in the Apigee Kubernetes namespace

Starting in version v1.13, apigee-operator runs in the same name space as the other Apigee hybrid components instead of the apigee-system namespace. You can use apigee or your own custom Apigee namespace. See Upgrading Apigee hybrid to version v1.13.0 and Step 3: Create the apigee namespace.

Feature

Leader election enabled for apigee-watcher component

Starting in version v1.13.0, leader election is enabled for the apigee-watcher component. For proper functioning of the leader election, make sure that the apigee-watcher component uses only one replica set.

Feature

Improved backup and restore

Starting in version v1.13.0, Apigee hybrid introduces a new backup and restore system. The new system removes the need for pod exec permission and use of a Kubernetes ClusterRole, and requires fewer Kubernetes Service Accounts when using Workload Identity. The new system replaces use of the apigee-cassandra-backup-utility image by using the apigee-hybrid-cassandra-client image. The apigee-cassandra-backup-utility image will no longer be provided starting with this release.

To use the new functionality if you are overriding the image used, update your overrides.yaml file.

Replace:

repo.sample.com/gcr-docker/apigee-release/hybrid/apigee-cassandra-backup-utility

with

repo.sample.com/gcr-docker/apigee-release/hybrid/apigee-hybrid-cassandra-client

under cassandra.backup.image.url and cassandra.restore.image.url.

See Scheduling backups in a remote server for more information.

Fixed

Bug ID	Description
352070616	Update Go language version.
351868444	Tolerations are now working for Redis's Envoy pod. (Fixed in 1.12.1-hotfix.1)
347997965	Upgrading to Apigee Hybrid 1.11.2 and 1.10.5 can cause missing metrics. (Fixed in 1.11.2-hotfix.1)
347798999	Fixed issue preventing configuration of forward proxy for `opentelemetry` pods. (Fixed in Apigee hybrid v 1.12.1)
346589998	Check Cassandra DNS hostname resolution during Hybrid region expansion.
345501069	Fixed issue with Hybrid Guardrails resource configuration preventing the Guardails pod from starting. (Fixed in Apigee hybrid v 1.12.1)
341797795	Autofill the Hybrid Guardrails checkpoint value if a checkpoint is not provided. (Fixed in Apigee hybrid v 1.12.1)
340889560	Added `csi` to the `apigee-logger` SCC. (Fixed in Apigee hybrid v 1.12.0-hotfix.1)
340248314	Added support for `targetCPUUtilizationPercentage` to `apigeeIngressGateway` and `ingressGateways`. The default value is 75. (Fixed in Apigee hybrid v 1.12.1)
339849002	Hashicorp Vault integration issues fixed for Google Service Account for Cassandra Backup/Restore. (Fixed in Apigee hybrid v 1.12.0-hotfix.1)
324779388	Improved error handling for backup and restore. (Fixed in Apigee hybrid v 1.12.1)
311489774	Removed inclusion of Java in Cassandra client image.. (Fixed in Apigee hybrid v 1.12.1)
310338146	Fixed invalid download directory output from the `create-service-account` tool. (Fixed in Apigee hybrid v 1.12.1)
300135626	Removed inclusion of Java in Cassandra Backup Utility image. (Fixed in Apigee hybrid v 1.12.1)
297539870	`HTTPTargetConnection` property `io.timeout.millis` is now honored correctly when using websockets. (Fixed in 1.11.2-hotfix.2)
239523766	*Remove "Unable to evaluate jsonVariable, returning null" logging string from ExtractVariables* Policy** (Fixed in Apigee hybrid v 1.12.1)
181569113	Fixed an issue in new debug session creation. (Fixed in Apigee hybrid v 1.11.2)

Security

Bug ID	Description
N/A	Security fixes for `apigee-asm-istiod`. This addresses the following vulnerability: CVE-2024-26147
N/A	Security fixes for `apigee-cassandra-backup-utility`. This addresses the following vulnerability: CVE-2023-37920
N/A	Security fixes for `apigee-connect-agent`. This addresses the following vulnerabilities: CVE-2023-45285 CVE-2023-39323
N/A	Security fixes for `apigee-envoy`. This addresses the following vulnerability: CVE-2023-4911
N/A	Security fixes for `apigee-fluent-bit`. This addresses the following vulnerability: CVE-2023-50387
N/A	Security fixes for `apigee-hybrid-cassandra`. This addresses the following vulnerabilities: CVE-2023-37920 CVE-2023-21930
N/A	Security fixes for `apigee-hybrid-cassandra-client`. This addresses the following vulnerability: CVE-2024-24790
N/A	Security fixes for `apigee-mart-server`. This addresses the following vulnerabilities: CVE-2024-22201 CVE-2023-44487 CVE-2023-36478
N/A	Security fixes for `apigee-mint-task-scheduler`. This addresses the following vulnerabilities: CVE-2024-22201 CVE-2023-44487 CVE-2023-36478
N/A	Security fixes for `apigee-operators`. This addresses the following vulnerabilities: CVE-2022-30123 CVE-2020-8165 CVE-2020-14001 CVE-2019-5477 CVE-2019-11068
N/A	Security fixes for `apigee-prom-prometheus`. This addresses the following vulnerability: CVE-2024-24790
N/A	Security fixes for `apigee-prometheus-adapter`. This addresses the following vulnerability: CVE-2024-24790
N/A	Security fixes for `apigee-redis`. This addresses the following vulnerabilities: CVE-2023-45285 CVE-2023-44487 CVE-2023-39325 CVE-2023-39323
N/A	Security fixes for `apigee-udca`. This addresses the following vulnerability: CVE-2024-24790
N/A	Security fixes for `apigee-watcher`. This addresses the following vulnerability: CVE-2024-24790
N/A	Security fixes for `cassandra-backup-utility`. This addresses the following vulnerability: CVE-2024-24790

July 31, 2024

2024-07-31T00:00:00-07:00

1.11.2-hotfix.2

Announcement

hybrid 1.11.2-hotfix.2

On July 31, 2024 we released an updated version of the Apigee hybrid software, 1.11.2-hotfix.2.

Note: This release reflects a change to the component images and not the Helm chart templates. If your hybrid installation is currently on Apigee hybrid v1.11.2, Apply this hotfix with the following steps:

In your overrides file, update the image.url and image.tag properties of ao and runtime:

ao:
  image:
    url: "gcr.io/apigee-release/hybrid/apigee-operators"
    tag: "1.11.2-hotfix.2"

runtime:
  image:
    url: "gcr.io/apigee-release/hybrid/apigee-runtime"
    tag: "1.11.2-hotfix.2"

Install the hotfix release:
- For Helm-managed releases, update the apigee-operator with the helm upgrade command and your current overrides files:
```
helm upgrade operator apigee-operator/ \
  --namespace apigee-system \
  --atomic \
  -f overrides.yaml 
```
  For each environment in your Apigee org:
```
helm upgrade ENV_RELEASE_NAME apigee-env/ \
  --namespace APIGEE_NAMESPACE \
  --set env=ENV_NAME \
  --atomic \
  -f overrides.yaml 
```
  - ENV_RELEASE_NAME is a name used to keep track of installation and upgrades of the apigee-env chart. This name must be unique from the other Helm release names in your installation. Usually this is the same as ENV_NAME. However, if your environment has the same name as your environment group, you must use different release names for the environment and environment group, for example dev-env-release and dev-envgroup-release. For more information on releases in Helm, see Three big concepts in the Helm documentation.
  - APIGEE_NAMESPACE is your installation's namespace. The default is apigee.
  - ENV_NAME is the name of the environment you are upgrading.
- For apigeectl-managed releases:
  1. install the hotfix release with apigeectl init using your updated overrides file:
```
${APIGEECTL_HOME}/apigeectl init -f OVERRIDES_FILE --dry-run=client 
```
    Followed by:
```
${APIGEECTL_HOME}/apigeectl init -f OVERRIDES_FILE 
```
  2. Apply the hotfix release with apigeectl apply:
```
${APIGEECTL_HOME}/apigeectl apply -f OVERRIDES_FILE --all-envs --dry-run=client 
```
    Followed by:
```
${APIGEECTL_HOME}/apigeectl apply -f OVERRIDES_FILE --all-envs
```

For information on upgrading, see Upgrading Apigee hybrid to version 1.11.
For information on new installations, see The big picture.

Fixed

Bug ID	Description
351868444	Tolerations are now working for Redis's Envoy pod.
297539870	`HTTPTargetConnection` property `io.timeout.millis` is now honored correctly when using websockets.

July 30, 2024

2024-07-30T00:00:00-07:00

1.12.1-hotfix.1

Announcement

hybrid 1.12.1-hotfix.1

On July 30, 2024 we released an updated version of the Apigee hybrid software, 1.12.1-hotfix.1.

Note: This release reflects a change to the component images and not the Helm chart templates. If your hybrid installation is currently on Apigee hybrid v1.12.1, Apply this hotfix with the following steps:

In your overrides file, update the ao.image.url and ao.image.tag properties:

ao:
  image:
    url: "gcr.io/apigee-release/hybrid/apigee-operators"
    tag: "1.12.1-hotfix.1"

Install the hotfix release. Update the apigee-operator component with the helm upgrade command and your current overrides files:
```
   helm upgrade operator apigee-operator/ \
     --namespace apigee-system \
     --atomic \
     -f overrides.yaml 
```

For information on upgrading, see Upgrading Apigee hybrid to version 1.12.
For information on new installations, see The big picture.

Fixed

Bug ID	Description
351868444	Tolerations are now working for Redis's Envoy pod.

June 28, 2024

2024-06-28T00:00:00-07:00

v1.12.1

Announcement

hybrid v1.12.1

On June 28, 2024 we released an updated version of the Apigee hybrid software, 1.12.1.

For information on upgrading, see Upgrading Apigee hybrid to version 1.12.1.
For information on new installations, see The big picture.

Fixed

Bug ID	Description
347798999	Fixed an issue preventing configuration of forward proxies for OpenTelemetry collector pods.
345501069	Fixed issue with Hybrid Guardrails resource configuration preventing the Guardails pod from starting.
341797795	Autofill the Hybrid Guardrails checkpoint value if a checkpoint is not provided.
340248314	Added support for `targetCPUUtilizationPercentage` to `apigeeIngressGateway` and `ingressGateways`. The default value is 75.
324779388	Improved error handling for backup and restore.
311489774	Removed inclusion of Java in Cassandra client image..
310338146	Fixed invalid download directory output from the `create-service-account` tool.
300135626	Removed inclusion of Java in Cassandra Backup Utility image.
239523766	*Remove "Unable to evaluate jsonVariable, returning null" logging string from ExtractVariables* Policy**

Security

Bug ID	Description
345791712	Security fix for `fluent-bit`. This addresses the following vulnerability: CVE-2024-4323
335910066	Security fixes for `apigee-kube-rbac-proxy`. This addresses the following vulnerability: CVE-2023-47108
335909737	Security fixes for `apigee-asm-ingress`. This addresses the following vulnerabilities: CVE-2024-24557 CVE-2024-21664 CVE-2023-6779 CVE-2023-6246
335909397	Security fixes for `apigee-open-telemetry-collector`. This addresses the following vulnerability: CVE-2023-47108
335908990	Security fixes for `apigee-asm-istiod`. This addresses the following vulnerabilities: CVE-2024-24557 CVE-2024-21664
335908985	Security fix for `apigee-prometheus-adapter`. This addresses the following vulnerabilities: CVE-2023-47108 CVE-2023-45285 CVE-2023-45142 CVE-2023-44487 CVE-2023-39325 .
335908657	Security fixes for `apigee-prom-prometheus`. This addresses the following vulnerabilities: CVE-2024-24557 CVE-2023-45285
335908139	Security fix for `fluent-bit`. This addresses the following vulnerability: CVE-2024-0985
332821083	Security fix for `apigee-operators`. This addresses the following vulnerability: CVE-2024-24786
317528509	Security fixes for `apigee-synchronizer`. This addresses the following vulnerabilities: CVE-2023-34462 CVE-2023-32732 CVE-2023-32731 CVE-2023-1428
308835165	Security fix for `apigee-synchronizer`. This addresses the following vulnerability: CVE-2023-34462
N/A	Security fixes for `apigee-asm-ingress`. This addresses the following vulnerabilities: CVE-2023-6779 CVE-2023-6246
N/A	Security fixes for `apigee-asm-istiod`. This addresses the following vulnerabilities: CVE-2024-21664
N/A	Security fixes for `apigee-cassandra-backup-utility`. This addresses the following vulnerabilities: CVE-2023-50782
N/A	Security fixes for `apigee-fluent-bit`. This addresses the following vulnerabilities: CVE-2022-4899
N/A	Security fixes for `apigee-hybrid-cassandra`. This addresses the following vulnerabilities: CVE-2023-50782
N/A	Security fixes for `apigee-kube-rbac-proxy`. This addresses the following vulnerabilities: CVE-2023-47108
N/A	Security fixes for `apigee-prometheus-adapter`. This addresses the following vulnerabilities: CVE-2023-47108 CVE-2023-45142 CVE-2023-44487 CVE-2023-39325
N/A	Security fixes for `apigee-stackdriver-prometheus-sidecar`. This addresses the following vulnerabilities: CVE-2023-45287 CVE-2023-45285 CVE-2023-45283 CVE-2023-44487 CVE-2023-39325 CVE-2023-39323 CVE-2023-29405 CVE-2023-29404 CVE-2023-29403 CVE-2023-29402 CVE-2023-29400 CVE-2023-24540 CVE-2023-24539 CVE-2023-24538 CVE-2023-24537 CVE-2023-24536 CVE-2023-24534 CVE-2022-41725 CVE-2022-41724 CVE-2022-41723 CVE-2022-41722 CVE-2022-41720 CVE-2022-41716 CVE-2022-41715 CVE-2022-32189 CVE-2022-30635 CVE-2022-30633 CVE-2022-30632 CVE-2022-30631 CVE-2022-30630 CVE-2022-30580 CVE-2022-29804 CVE-2022-2880 CVE-2022-2879 CVE-2022-28327 CVE-2022-28131 CVE-2022-27664 CVE-2022-27536 CVE-2022-27191 CVE-2022-24921 CVE-2022-24675 CVE-2022-23806 CVE-2022-23773 CVE-2022-23772 CVE-2022-21698 CVE-2021-44716 CVE-2021-43565 CVE-2021-41772 CVE-2021-41771 CVE-2021-39293 CVE-2021-38297 CVE-2021-37219 CVE-2021-33198 CVE-2021-33196 CVE-2021-33195 CVE-2021-33194 CVE-2021-3121 CVE-2021-3115 CVE-2021-27918 CVE-2020-7919 CVE-2020-29652 CVE-2020-28852 CVE-2020-28367 CVE-2020-28366 CVE-2020-26160 CVE-2020-16845 CVE-2020-14040 CVE-2019-9634 CVE-2019-17596 CVE-2019-14809 CVE-2019-11888

1.10.5-hotfix.1

Announcement

hybrid 1.10.5-hotfix.1

On June 28, 2024 we released an updated version of the Apigee hybrid software, 1.10.5-hotfix.1.

Note: This release reflects a change to the Helm chart templates and not a change to the images. If your hybrid installation is currently on Apigee hybrid v1.10.5, Apply this hotfix with the following steps:

In your overrides file, update the ao.image url and tag:

ao:
  image:
    url: "gcr.io/apigee-release/hybrid/apigee-operators"
    tag: "1.10.5-hotfix.1"

Install the hotfix release with apigeectl init using your updated overrides files:

${APIGEECTL_HOME}/apigeectl init -f OVERRIDES_FILE --dry-run=client

Followed by:

${APIGEECTL_HOME}/apigeectl init -f OVERRIDES_FILE

For information on upgrading, see Upgrading Apigee hybrid to version 1.10.5-hotfix.1.
For information on new installations, see The big picture.

Fixed

Bug ID	Description
347997965	Upgrading to Apigee Hybrid 1.11.2 and 1.10.5 can cause missing metrics.

1.11.2-hotfix.1

Announcement

hybrid 1.11.2-hotfix.1

On June 28, 2024 we released an updated version of the Apigee hybrid software, 1.11.2-hotfix.1.

Note: This release reflects a change to the Helm chart templates and not a change to the images. If your hybrid installation is currently on Apigee hybrid v1.11.2, Apply this hotfix with the following steps:

In your overrides file, update the ao.image url and tag:

ao:
  image:
    url: "gcr.io/apigee-release/hybrid/apigee-operators"
    tag: "1.11.2-hotfix.1"

Install the hotfix release:
- For Helm-managed releases, update the apigee-operator with the helm upgrade command and your current overrides files:
```
helm upgrade operator apigee-operator/ \
  --namespace apigee-system \
  --atomic \
  -f overrides.yaml 
```
- For apigeectl-managed releases, install the hotfix release with apigeectl init using your updated overrides files:
```
${APIGEECTL_HOME}/apigeectl init -f OVERRIDES_FILE --dry-run=client 
```
  Followed by:
```
${APIGEECTL_HOME}/apigeectl init -f OVERRIDES_FILE 
```

For information on upgrading, see Upgrading Apigee hybrid to version 1.11.2-hotfix.1.
For information on new installations, see The big picture.

June 17, 2024

2024-06-17T00:00:00-07:00

v1.10.5

Announcement

hybrid v1.10.5

On June 17, 2024 we released an updated version of the Apigee hybrid software, 1.10.5.

For information on upgrading, see Upgrading Apigee hybrid to version 1.10.5.
For information on new installations, see The big picture.

Security

Bug ID	Description
329540114	Security fix for `apigee-installer`. This addresses the following vulnerability: CVE-2024-24786
317528509	Security fix for `apigee-synchronizer`. This addresses the following vulnerabilities: CVE-2023-34462 CVE-2023-32732 CVE-2023-32731 CVE-2023-1428
N/A	Security fixes for `apigee-synchronizer`. This addresses the following vulnerability: CVE-2023-44487
N/A	Security fixes for `apigee-asm-ingress` and `apigee-asm-istiod`. This addresses the following vulnerability: CVE-2023-45285
N/A	Security fixes for `apigee-cassandra-backup-utility`. This addresses the following vulnerabilities: CVE-2023-6378 CVE-2023-45285 CVE-2023-44487 CVE-2023-43642 CVE-2023-39325 CVE-2023-34455 CVE-2023-34454 CVE-2023-34453 CVE-2023-30601 CVE-2023-2976 CVE-2022-42004 CVE-2022-42003 CVE-2022-25857 CVE-2022-1471 CVE-2021-44521 CVE-2021-20190 CVE-2020-36518 CVE-2020-36189 CVE-2020-36188 CVE-2020-36187 CVE-2020-36186 CVE-2020-36185 CVE-2020-36184 CVE-2020-36183 CVE-2020-36182 CVE-2020-36181 CVE-2020-36180 CVE-2020-36179 CVE-2020-35728 CVE-2020-35491 CVE-2020-35490 CVE-2020-25649 CVE-2020-24750 CVE-2020-24616 CVE-2020-17516 CVE-2020-14195 CVE-2020-14062 CVE-2020-14061 CVE-2020-14060 CVE-2019-16869 CVE-2017-18640
N/A	Security fixes for `apigee-connect-agent`. This addresses the following vulnerability: CVE-2023-45283
N/A	Security fixes for `apigee-diagnostics-collector`. This addresses the following vulnerabilities: CVE-2023-44487 CVE-2023-36478 CVE-2023-32731 CVE-2023-21930 CVE-2023-1428
N/A	Security fixes for `apigee-fluent-bit`. This addresses the following vulnerabilities: CVE-2023-5869 CVE-2023-39417
N/A	Security fixes for `apigee-hybrid-cassandra`. This addresses the following vulnerabilities: CVE-2023-49083 CVE-2023-45285 CVE-2023-45283 CVE-2023-44487 CVE-2023-36632 CVE-2023-30601 CVE-2023-24329 CVE-2022-48565 CVE-2022-48560 CVE-2022-45061 CVE-2022-41881 CVE-2022-34169 CVE-2022-26488 CVE-2022-21476 CVE-2022-0391 CVE-2021-44521 CVE-2021-37137 CVE-2021-37136 CVE-2021-28667 CVE-2021-20190 CVE-2020-36518 CVE-2020-36189 CVE-2020-36188 CVE-2020-36187 CVE-2020-36186 CVE-2020-36185 CVE-2020-36184 CVE-2020-36183 CVE-2020-36182 CVE-2020-36181 CVE-2020-36180 CVE-2020-36179 CVE-2020-35728 CVE-2020-35491 CVE-2020-35490 CVE-2020-25649 CVE-2020-24750 CVE-2020-24616 CVE-2020-17516 CVE-2020-14195 CVE-2020-14062 CVE-2020-14061 CVE-2020-14060 CVE-2020-10650 CVE-2019-9674 CVE-2019-20445 CVE-2019-20444 CVE-2019-0205 CVE-2018-1320 CVE-2017-5929 CVE-2017-17522 CVE-2016-5397 CVE-2015-5652
N/A	Security fixes for `apigee-hybrid-cassandra-client`. This addresses the following vulnerabilities: CVE-2023-6378 CVE-2023-44487 CVE-2023-43642 CVE-2023-36632 CVE-2023-34455 CVE-2023-34454 CVE-2023-34453 CVE-2023-30601 CVE-2023-2976 CVE-2023-24329 CVE-2022-48565 CVE-2022-48560 CVE-2022-45061 CVE-2022-42004 CVE-2022-42003 CVE-2022-41881 CVE-2022-34169 CVE-2022-26488 CVE-2022-25857 CVE-2022-21476 CVE-2022-1471 CVE-2022-0391 CVE-2021-44521 CVE-2021-37137 CVE-2021-37136 CVE-2021-28667 CVE-2021-20190 CVE-2020-36518 CVE-2020-36189 CVE-2020-36188 CVE-2020-36187 CVE-2020-36186 CVE-2020-36185 CVE-2020-36184 CVE-2020-36183 CVE-2020-36182 CVE-2020-36181 CVE-2020-36180 CVE-2020-36179 CVE-2020-35728 CVE-2020-35491 CVE-2020-35490 CVE-2020-25649 CVE-2020-24750 CVE-2020-24616 CVE-2020-17516 CVE-2020-14195 CVE-2020-14062 CVE-2020-14061 CVE-2020-14060 CVE-2020-10650 CVE-2019-9674 CVE-2019-20445 CVE-2019-20444 CVE-2019-16869 CVE-2019-0205 CVE-2018-1320 CVE-2017-5929 CVE-2017-18640 CVE-2017-17522 CVE-2016-5397 CVE-2015-5652
N/A	Security fixes for `apigee-kube-rbac-proxy`. This addresses the following vulnerabilities: CVE-2023-47108 CVE-2023-45285 CVE-2023-45142 CVE-2023-44487
N/A	Security fixes for `apigee-mart-server`. This addresses the following vulnerabilities: CVE-2023-32731 CVE-2023-1428
N/A	Security fixes for `apigee-mint-task-scheduler`. This addresses the following vulnerabilities: CVE-2023-32731 CVE-2023-1428
N/A	Security fixes for `apigee-prom-prometheus`. This addresses the following vulnerabilities: CVE-2023-45285 CVE-2023-45142 CVE-2023-44487 CVE-2023-39325
N/A	Security fixes for `apigee-prometheus-adapter`. This addresses the following vulnerabilities: CVE-2023-47108 CVE-2023-45285 CVE-2023-45283 CVE-2023-45142 CVE-2023-44487 CVE-2023-39325
N/A	Security fixes for `apigee-runtime`. This addresses the following vulnerabilities: CVE-2023-44487 CVE-2023-32731 CVE-2023-1428
N/A	Security fixes for `apigee-udca`. This addresses the following vulnerabilities: CVE-2023-45285 CVE-2023-45283 CVE-2023-44487 CVE-2023-39325 CVE-2023-39323

June 10, 2024

2024-06-10T00:00:00-07:00

v1.11.2

Announcement

hybrid v1.11.2

On June 10, 2024 we released an updated version of the Apigee hybrid software, 1.11.2.

For information on upgrading, see Upgrading Apigee hybrid to version 1.11.2.
For information on new installations, see The big picture.

Fixed

Bug ID	Description
340248314	Added support for `targetCPUUtilizationPercentage` to `apigeeIngressGateway` and `ingressGateways` for hybrid installations managed with Helm. The default value is 75. Note: `targetCPUUtilizationPercentage` is not supported for `apigeectl`.
324779388	Improved error handling for backup and restore.
311489774	Removed inclusion of Java and Python installations in Cassandra client image.
300135626	Removed inclusion of Java and Python installations in Cassandra Backup Utility image.
181569113	Fixed an issue in new debug session creation.

Security

Bug ID	Description
345520525	Security fixes for `apigee-asm-ingress.` and `apigee-asm-istiod`. This addresses the following vulnerabilities: CVE-2024-24557 CVE-2024-21664 CVE-2023-6779 CVE-2023-6246 CVE-2018-20796
335908139	Security fixes for `apigee-fluent-bit`. This addresses the following vulnerability: CVE-2024-0985
333121802	Security fixes for `apigee-cassandra-backup-utility.` and `apigee-hybrid-cassandra`. This addresses the following vulnerability: CVE-2023-50782
317528509	Security fix for `apigee-synchronizer`. This addresses the following vulnerabilities: CVE-2023-34462 CVE-2023-32732 CVE-2023-32731 CVE-2023-1428
317447390	Security fix for `apigee-operators`. This addresses the following vulnerability: CVE-2023-48795
329762216	Security fix for `apigee-installer`. This addresses the following vulnerability: CVE-2024-24786
308835165	Security fixes for `apigee-synchronizer`. This addresses the following vulnerability: CVE-2023-34462
308926079	Security fixes for `apigee-kube-rbac-proxy`. This addresses the following vulnerabilities: CVE-2023-45142 CVE-2023-44487
300091388	Security fixes for Apigee Connect Agent. This addresses the following vulnerability: CVE-2023-39323
N/A	Security fixes for `apigee-cassandra-backup-utility`. This addresses the following vulnerability: CVE-2023-6378 CVE-2023-49083 CVE-2023-45285 CVE-2023-45283 CVE-2023-44487 CVE-2023-43642 CVE-2023-39325 CVE-2023-36632 CVE-2023-34455 CVE-2023-34454 CVE-2023-34453 CVE-2023-30601 CVE-2023-2976 CVE-2023-24329 CVE-2023-2253 CVE-2022-48565 CVE-2022-48560 CVE-2022-45061 CVE-2022-42004 CVE-2022-42003 CVE-2022-41881 CVE-2022-34169 CVE-2022-26488 CVE-2022-25857 CVE-2022-21476 CVE-2022-1471 CVE-2022-0391 CVE-2021-44521 CVE-2021-37137 CVE-2021-37136 CVE-2021-28667 CVE-2021-20190 CVE-2020-36518 CVE-2020-36189 CVE-2020-36188 CVE-2020-36187 CVE-2020-36186 CVE-2020-36185 CVE-2020-36184 CVE-2020-36183 CVE-2020-36182 CVE-2020-36181 CVE-2020-36180 CVE-2020-36179 CVE-2020-35728 CVE-2020-35491 CVE-2020-35490 CVE-2020-25649 CVE-2020-24750 CVE-2020-24616 CVE-2020-17516 CVE-2020-14195 CVE-2020-14062 CVE-2020-14061 CVE-2020-14060 CVE-2020-10650 CVE-2019-9674 CVE-2019-20445 CVE-2019-20444 CVE-2019-16869 CVE-2019-0205 CVE-2018-1320 CVE-2017-5929 CVE-2017-18640 CVE-2017-17522 CVE-2016-5397 CVE-2015-5652
N/A	Security fixes for `apigee-diagnostics-collector`. This addresses the following vulnerabilities: CVE-2023-36478 CVE-2023-32731 CVE-2023-1428
N/A	Security fixes for `apigee-fluent-bit`. This addresses the following vulnerabilities: CVE-2023-5869 CVE-2023-39417
N/A	Security fixes for `apigee-hybrid-cassandra-client`. This addresses the following vulnerabilities: CVE-2023-6378 CVE-2023-44487 CVE-2023-43642 CVE-2023-36632 CVE-2023-34455 CVE-2023-34454 CVE-2023-34453 CVE-2023-30601 CVE-2023-2976 CVE-2023-24329 CVE-2022-48565 CVE-2022-48560 CVE-2022-45061 CVE-2022-42004 CVE-2022-42003 CVE-2022-41881 CVE-2022-34169 CVE-2022-26488 CVE-2022-25857 CVE-2022-21476 CVE-2022-1471 CVE-2022-0391 CVE-2021-44521 CVE-2021-37137 CVE-2021-37136 CVE-2021-28667 CVE-2021-20190 CVE-2020-36518 CVE-2020-36189 CVE-2020-36188 CVE-2020-36187 CVE-2020-36186 CVE-2020-36185 CVE-2020-36184 CVE-2020-36183 CVE-2020-36182 CVE-2020-36181 CVE-2020-36180 CVE-2020-36179 CVE-2020-35728 CVE-2020-35491 CVE-2020-35490 CVE-2020-25649 CVE-2020-24750 CVE-2020-24616 CVE-2020-17516 CVE-2020-14195 CVE-2020-14062 CVE-2020-14061 CVE-2020-14060 CVE-2020-10650 CVE-2019-9674 CVE-2019-20445 CVE-2019-20444 CVE-2019-16869 CVE-2019-0205 CVE-2018-1320 CVE-2017-5929 CVE-2017-18640 CVE-2017-17522 CVE-2016-5397 CVE-2015-5652
N/A	Security fixes for `apigee-hybrid-cassandra`. This addresses the following vulnerabilities: CVE-2023-49083 CVE-2023-45285 CVE-2023-45283 CVE-2023-44487 CVE-2023-36632 CVE-2023-30601 CVE-2023-24329 CVE-2022-48565 CVE-2022-48560 CVE-2022-45061 CVE-2022-41881 CVE-2022-34169 CVE-2022-26488 CVE-2022-21476 CVE-2022-0391 CVE-2021-44521 CVE-2021-37137 CVE-2021-37136 CVE-2021-28667 CVE-2021-20190 CVE-2020-36518 CVE-2020-36189 CVE-2020-36188 CVE-2020-36187 CVE-2020-36186 CVE-2020-36185 CVE-2020-36184 CVE-2020-36183 CVE-2020-36182 CVE-2020-36181 CVE-2020-36180 CVE-2020-36179 CVE-2020-35728 CVE-2020-35491 CVE-2020-35490 CVE-2020-25649 CVE-2020-24750 CVE-2020-24616 CVE-2020-17516 CVE-2020-14195 CVE-2020-14062 CVE-2020-14061 CVE-2020-14060 CVE-2020-10650 CVE-2019-20445 CVE-2019-20444 CVE-2019-9674 CVE-2019-0205 CVE-2018-1320 CVE-2017-17522 CVE-2017-5929 CVE-2016-5397 CVE-2015-5652
N/A	Security fixes for `apigee-kube-rbac-proxy`. This addresses the following vulnerabilities: CVE-2023-45285 CVE-2023-45283 CVE-2023-45142 CVE-2023-44487
N/A	Security fixes for `apigee-mart-server`. This addresses the following vulnerabilities: CVE-2023-32731 CVE-2023-1428
N/A	Security fixes for `apigee-mint-task-scheduler`. This addresses the following vulnerabilities: CVE-2023-32731 CVE-2023-1428
N/A	Security fixes for `apigee-prom-prometheus`. This addresses the following vulnerabilities: CVE-2023-45285 CVE-2023-45142 CVE-2023-44487 CVE-2023-39325
N/A	Security fixes for `apigee-prometheus-adapter`. This addresses the following vulnerabilities: CVE-2023-47108 CVE-2023-45285 CVE-2023-45283 CVE-2023-45142 CVE-2023-44487 CVE-2023-39325
N/A	Security fixes for `apigee-redis`. This addresses the following vulnerabilities: CVE-2023-45283 CVE-2022-24834 CVE-2022-24735
N/A	Security fixes for `apigee-runtime`. This addresses the following vulnerabilities: CVE-2023-44487 CVE-2023-32731 CVE-2023-1428
N/A	Security fixes for `apigee-synchronizer`. This addresses the following vulnerabilities: CVE-2023-44487 CVE-2023-32731 CVE-2023-1428
N/A	Security fixes for `apigee-udca`. This addresses the following vulnerabilities: CVE-2023-45285 CVE-2023-45283 CVE-2023-44487 CVE-2023-39325 CVE-2023-39323
N/A	Security fixes for `apigee-watcher`. This addresses the following vulnerabilities: CVE-2023-45285 CVE-2023-44487 CVE-2023-39325 CVE-2023-39323

May 28, 2024

2024-05-28T00:00:00-07:00

1.12.0-hotfix.1

Announcement

ANNOUNCEMENT

hybrid 1.12.0-hotfix.1

On May 28, 2024 we released an updated version of the Apigee hybrid software, 1.12.0-hotfix.1.

Note: This release reflects a change to the Helm chart templates and not a change to the images. If your hybrid installation is currently on Apigee hybrid v1.12.0, you can install this hotfix release by downloading the charts with the version tag 1.12.0-hotfix.1 and updating the apigee-operator and apigee-datastore charts with the helm upgrade command and your current overrides files.

For example:

export CHART_REPO=oci://us-docker.pkg.dev/apigee-release/apigee-hybrid-helm-charts
export CHART_VERSION=1.12.0-hotfix.1
helm pull $CHART_REPO/apigee-operator --version $CHART_VERSION --untar
helm pull $CHART_REPO/apigee-datastore --version $CHART_VERSION --untar

helm upgrade operator apigee-operator/ \
  --namespace apigee-system \
  --atomic \
  -f overrides.yaml 

helm upgrade datastore apigee-datastore/ \
  --namespace apigee \
  --atomic \
  -f overrides.yaml

For information on upgrading, see Upgrading Apigee hybrid to version 1.12.0-hotfix.1.
For information on new installations, see The big picture.

Fixed

Bug ID	Description
340889560	Added `csi` to the `apigee-logger` SCC.
339849002	Hashicorp Vault integration issues fixed for Google Service Account for Cassandra Backup/Restore.

Apigee hybrid - Release notes

February 06, 2026

Announcement

hybrid 1.16.0-hotfix.1

Apply this hotfix with the following steps:

Fixed

Fixed in this release

December 19, 2025

Change

Feature

Change

Fixed

Fixed in this release

Announcement

hybrid v1.16.0

Security

Fixed in this release

Feature

Security

Fixed since last minor release

Fixed

Fixed since last minor release

October 12, 2025

Feature

Announcement

hybrid v1.15.1

Feature

Fixed

Security

Change

October 07, 2025

Announcement

hybrid v1.14.3

Feature

Fixed

September 29, 2025

Announcement

hybrid v1.14.3

Fixed

Security

September 24, 2025

Announcement

Apigee Operator for Kubernetes for Apigee Hybrid (Preview)

July 09, 2025

Announcement

hybrid v1.13.4

Fixed

Security

June 04, 2025

Announcement

hybrid v1.15.0

Feature

Fixed

Security

Security

May 29, 2025

Announcement

Deprecated

May 16, 2025

Announcement

hybrid 1.14.2-hotfix.1

Apply this hotfix with the following steps:

Dry run:

Install the changes:

Dry run:

Install the changes:

Fixed

Issue

Resolution

Validation errors in Apigee hybrid

Security

May 02, 2025

Announcement

hybrid v1.14.2

Feature

Change

Fixed

Security

April 14, 2025

Announcement