edgemicro gateway security risk issue

kianting-1
Participant II

We have tested the new fix for the security issue of the /products endpoint and have upgraded the edgemicro_auth proxy. HTTPS browsing to the /products endpoint is secured after the upgrade, but we are still able to browse to the products endpoint with "http".

1) Tested with the same curl command as before the patch.

curl https://<yourcompany domain address>.apigee.net/edgemicro-auth/products

We now see the following output

{"error":"unauthorized", "error_description": "authentication failed"}

2) But if we test with HTTP, the same security risk is still there.

{
       …
      "createdAt": 1537751495917,
      "createdBy": "johndow@google.co.nz",
      "description": "no one ever fills this out",
      "displayName": "helloworld-product",
      "environments": [],
      "lastModifiedAt": 1537751495917,
      "lastModifiedBy": "john.doe@google.co.nz",
      "name": "helloworld-product",
       …
    },
    {
         ….
        {
          "name": "access",
          "value": "public"
        }
      ],
      "createdAt": 1534804700365,
      "createdBy": "Jane.doe@google.co.nz",
      "description": "",
      "displayName": "microgateway-kian-test-product",
      "environments": [
        "prod",
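The check described in the post, as an added example (not the original poster's script and not part of Apigee or the edgemicro tooling): probe the edgemicro-auth /products endpoint over both schemes and classify each body, so a fix that only landed on the HTTPS virtual host shows up immediately. It assumes the host is passed as the first argument, that the "fixed" behaviour is the {"error":"unauthorized", ...} JSON shown above, and that a leaking body can be recognised by createdBy/lastModifiedBy fields or e-mail addresses; the two sample bodies are constructed for the offline demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Usage: sh probe_products.sh <host>
# e.g. sh probe_products.sh yourcompany-prod.apigee.net
# With no argument it classifies two constructed sample bodies instead of
# making network requests.

# Classify one response body and print a label:
#   unauthorized  the expected post-fix error JSON
#   leak          product metadata (createdBy/lastModifiedBy or an e-mail) is present
#   unknown       neither pattern matched (look at the body by hand)
classify_body() {
    body="$1"
    case "$body" in
        *'"error":"unauthorized"'*|*'"error": "unauthorized"'*)
            echo unauthorized
            return 0 ;;
    esac
    if printf '%s' "$body" | grep -Eq '"(createdBy|lastModifiedBy)"|[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'; then
        echo leak
        return 0
    fi
    echo unknown
}

# Hit the same path over http and https; the point of the thread is that the
# two virtual hosts can behave differently even when one revision is deployed.
probe() {
    host="$1"
    for scheme in http https; do
        url="$scheme://$host/edgemicro-auth/products"
        if body="$(curl -sS --max-time 15 "$url")"; then
            echo "$scheme: $(classify_body "$body")"
        else
            echo "$scheme: request failed"
        fi
    done
}

# Constructed samples (assumption: shaped like the thread's two responses).
SAMPLE_FIXED='{"error":"unauthorized", "error_description": "authentication failed"}'
SAMPLE_LEAK='{"apiProduct":[{"createdAt":1537751495917,"createdBy":"johndow@example.invalid","name":"helloworld-product"}]}'

if [ -n "${1:-}" ]; then
    probe "$1"
else
    echo "no host given; classifying constructed samples"
    echo "fixed sample: $(classify_body "$SAMPLE_FIXED")"
    echo "leak sample:  $(classify_body "$SAMPLE_LEAK")"
fi
```

Run it against the org's hostname and expect "unauthorized" on both lines; a "leak" on the http line reproduces the problem reported here, and a "leak" on either line after upgradeauth means the deployed revision is not the one that stops returning e-mail addresses.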

kianting-1
Participant II

@srinandans are there any plans to fix this? The HTTP endpoint is still exposing the security vulnerability, so it wouldn't matter if we go with the suggestion of setting up 2-way SSL, because exploits via HTTP are still available. Any idea of when the fix will be in?

Former Community Member
Not applicable

That is a strange behavior for two reasons:

1) A change to a revision applies to all virtual hosts in that revision (http and https). So I find this behavior odd. It may be possible that you have different revisions deployed to different environments.

2) We no longer return email addresses in the response. The edgemicro upgrade should have deployed a version that no longer returns email addresses.

We should investigate what is happening with both cases. Please open a support case and we'd be happy to investigate further.

PS: please do not deploy any proxies to the default virtual host.

@srinandans

Nope, the behaviour you raised is incorrect: 1) we only have one upgraded revision running; 2) yes, HTTPS no longer returns the email, but HTTP still does return the email.

And to add on top of all this, the deployment of edgemicro_auth is done automatically by the edgemicro npm CLI command; we don't even need to do anything to deploy it or set it up. If there is anything wrong with the configuration, it should be when the edgemicro Node.js command is deploying it to Edge. Could you please check and revert to us?

We tested this in our Apigee Edge environment and there is only one environment with the edgemicro_auth. You will need to check on your end what is being done when we run the following command.

edgemicro upgradeauth -o <your edge org name> -e <your edge environment> -u <your edge username>

When we run the upgradeauth command, edgemicro deploys a new revision automatically; we don't do anything on Apigee Edge at all.

Former Community Member
Not applicable

Please open a support ticket so we can investigate what is happening.