Google Apigee Java Callout Policy Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability has been identified in Google Apigee's Java Callout policy. The issue allows a user to create a Java Callout that injects a malicious object into the MessageContext, enabling execution of arbitrary Java code and system commands at runtime. Successful exploitation could lead to unauthorized access to data, lateral movement within the network, and access to backend systems. Affected versions are Apigee hybrid releases prior to 1.11.2, 1.12.4, 1.13.3 and 1.14.1, and OPDK releases prior to 5202 and 5300.
Impact
Exploitation of this vulnerability allows for remote code execution on the server where Apigee is running, potentially leading to unauthorized access to data and backend systems, as well as allowing lateral movement within the network.
Remediation
Users can upgrade to Apigee hybrid versions 1.11.2, 1.12.4, 1.13.3, 1.14.1 or OPDK versions 5202 and 5300 to address this vulnerability.
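The following exposure check, added here as an example and not part of the advisory or of Apigee's own tooling, tests a hybrid version against the fixed versions listed above and inventories Java Callout policies in proxy policy XML (the `JavaCallout`/`ClassName` element names are the standard policy schema; the sample policy is constructed). It assumes that hybrid lines older than 1.11 have no listed fix and are therefore affected, that lines newer than 1.14 are not, and it leaves OPDK build numbers out because the advisory does not define their numbering scheme.

```python
import re
import xml.etree.ElementTree as ET

# Fixed Apigee hybrid versions from the advisory, keyed by release line.
HYBRID_FIXED = {
    (1, 11): (1, 11, 2),
    (1, 12): (1, 12, 4),
    (1, 13): (1, 13, 3),
    (1, 14): (1, 14, 1),
}


def parse_version(text):
    """Turn '1.12.3' (optionally with a 'v' prefix or a trailing suffix) into a tuple of ints."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Apigee hybrid version: {text!r}")
    return tuple(int(p) for p in m.groups())


def hybrid_is_affected(text):
    """True if the hybrid version predates the fix for its release line.

    Assumption (not stated in the advisory): release lines older than 1.11 have no
    listed fix and are treated as affected; lines newer than 1.14 as already fixed.
    """
    v = parse_version(text)
    line = v[:2]
    if line in HYBRID_FIXED:
        return v < HYBRID_FIXED[line]
    return line < min(HYBRID_FIXED)


def java_callout_policies(policy_xml):
    """Return (policy name, Java class) for each JavaCallout policy in a policy XML document.

    Use this to inventory which proxies rely on Java Callouts, i.e. where the
    vulnerable policy type is actually in use, before and after upgrading.
    """
    root = ET.fromstring(policy_xml)
    return [(el.get("name", ""), el.findtext("ClassName", default=""))
            for el in root.iter("JavaCallout")]


# Constructed sample policy in the standard JavaCallout layout (hypothetical names).
SAMPLE_POLICY = """<JavaCallout async="false" continueOnError="false" enabled="true" name="JC-Example">
  <DisplayName>JC-Example</DisplayName>
  <ClassName>com.example.ExampleCallout</ClassName>
  <ResourceURL>java://example-callout.jar</ResourceURL>
</JavaCallout>"""
```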