GCP Release Notes: December 19, 2025

Apigee Monetization

Announcement

On December 19, 2025, we released an updated version of Apigee Monetization.

Feature

Monetization now supports AppGroups. Use AppGroups to manage API product subscriptions for all app developers in the AppGroup at the same time.

For more information, see Use AppGroups to manage API product subscriptions.

Apigee UI

Announcement

On December 19, 2025, we released an updated version of Apigee Monetization.

Feature

Monetization now supports AppGroups. Use AppGroups to manage API product subscriptions for all app developers in the AppGroup at the same time.

For more information, see Use AppGroups to manage API product subscriptions.

Apigee hybrid

Change

UDCA component removed

In Apigee hybrid v1.16, the Unified Data Collection Agent (UDCA) component has been removed. The responsibilities of sending analytics, trace, and deployment status data to the Apigee control plane are now handled using a Google Cloud Pub/Sub based data pipeline. Using the Pub/Sub based data pipeline has been the default data collection mechanism since Apigee hybrid v1.14.0.

Feature

apigee-guardrails service account

In v1.16.0, Apigee Hybrid introduces an apigee-guardrails Google IAM service account. This is used by the apigee-operator chart during initial installation to check that all needed APIs are enabled in your project.

See:

Change

Support for cert-manager release 1.18 and 1.19

Apigee hybrid v1.16 supports cert-manager release 1.18 and 1.19.

Fixed

Fixed in this release

Bug ID Description
448647917 Fixed an issue where non-SSL connections through a forward proxy could be improperly shared. (also fixed in Apigee 1-16-0-apigee-4)
442501403 Fixed an issue that caused incorrect target latency metrics in Apigee Analytics when a TargetEndpoint is configured with a <LoadBalancer>. (also fixed in Apigee 1-16-0-apigee-3)
438192028 Updated the geolocation database to mitigate stale IP-to-location mappings. (also fixed in Apigee 1-16-0-apigee-3)
437999897 Reduced the log level for failed geo IP lookups to address excessive log messages for private IP addresses. (also fixed in Apigee 1-16-0-apigee-3)
436323210 Fixed ingress cert keys to allow both tls.key/key and tls.crt/cert.
N/A Updates to security, infrastructure, and libraries. (also fixed in Apigee 1-16-0-apigee-4)

Announcement

hybrid v1.16.0

On December 19, 2025, we released an updated version of the Apigee hybrid software, 1.16.0.

Security

Fixed in this release

Bug ID Description
452621774, 452381632, 441266643, 448498138 Security fix for Apigee infrastructure. (also fixed in Apigee 1-16-0-apigee-4)
This addresses the following vulnerabilities:
440419558, 433759657 Security fix for Apigee infrastructure. (also fixed in Apigee 1-16-0-apigee-3)

This addresses the following vulnerabilities:

  • CVE-2025-22868
  • CVE-2025-48924

443902061 Security fix for Apigee infrastructure (also fixed in Apigee 1-16-0-apigee-3)

This addresses the following vulnerability:

  • CVE-2025-13292

    Fixed an issue with improper access control that resulted in cross-tenant analytics modification and access to log data.

N/A Security fixes for apigee-asm-ingress.
This addresses the following vulnerabilities:
N/A Security fixes for apigee-asm-istiod.
This addresses the following vulnerabilities:
N/A Security fixes for apigee-connect-agent.
This addresses the following vulnerabilities:
N/A Security fixes for apigee-fluent-bit.
This addresses the following vulnerability:
N/A Security fixes for apigee-hybrid-cassandra.
This addresses the following vulnerabilities:
N/A Security fixes for apigee-hybrid-cassandra-client.
This addresses the following vulnerabilities:
N/A Security fixes for apigee-kube-rbac-proxy.
This addresses the following vulnerabilities:
N/A Security fixes for apigee-mart-server.
This addresses the following vulnerabilities:
N/A Security fixes for apigee-open-telemetry-collector.
This addresses the following vulnerabilities:
N/A Security fixes for apigee-operators.
This addresses the following vulnerabilities:
N/A Security fixes for apigee-prom-prometheus.
This addresses the following vulnerabilities:
N/A Security fixes for apigee-prometheus-adapter.
This addresses the following vulnerabilities:
N/A Security fixes for apigee-redis.
This addresses the following vulnerabilities:
N/A Security fixes for apigee-runtime.
This addresses the following vulnerabilities:
N/A Security fixes for apigee-stackdriver-logging-agent.
This addresses the following vulnerability:
N/A Security fixes for apigee-synchronizer.
This addresses the following vulnerabilities:
N/A Security fixes for apigee-udca.
This addresses the following vulnerabilities:
N/A Security fixes for apigee-watcher.
This addresses the following vulnerabilities:

Security

Fixed since last minor release

Bug ID Description
448498138 Security fixes for apigee-runtime. (Fixed in v1.15.1)
This addresses the following vulnerability:
447367372 Security fixes for apigee-runtime. (Fixed in v1.15.1)
This addresses the following vulnerability:
433952146 Security fix. (Fixed in v1.14.3)
This addresses the following vulnerability:
433951774 Security fix. (Fixed in v1.14.3)
This addresses the following vulnerability:
433950558 Security fix. (Fixed in v1.14.3)
This addresses the following vulnerability:
433950370 Security fix. (Fixed in v1.14.3)
This addresses the following vulnerability:
418557195 Security fixes for apigee-fluent-bit. (Fixed in v1.15.1)
This addresses the following vulnerabilities:
396944778 Security fixes for apigee-synchronizer. (Fixed in v1.13.4)
This addresses the following vulnerabilities:
392934392 Security fixes for apigee-logger.
N/A Incorporated an updated base image for stackdriver-logging-agent, improving the overall security of the service. (Fixed in 1.14.2-hotfix.1)
This addresses the following vulnerabilities (among others and not limited to):
N/A Security fixes for apigee-asm-ingress. (Fixed in v1.14.3)
This addresses the following vulnerability:
N/A Security fixes for apigee-asm-istiod. (Fixed in v1.14.3)
This addresses the following vulnerability:
N/A Security fixes for apigee-envoy. (Fixed in v1.14.3)
This addresses the following vulnerability:
N/A Security fixes for apigee-fluent-bit. (Fixed in v1.14.3 & v1.15.1)
This addresses the following vulnerabilities:
N/A Security fixes for apigee-hybrid-cassandra-client. (Fixed in v1.14.3)
This addresses the following vulnerability:
N/A Security fixes for apigee-hybrid-cassandra. (Fixed in v1.14.3)
This addresses the following vulnerabilities:
N/A Security fixes for apigee-hybrid-cassandra. (Fixed in v1.15.1)
This addresses the following vulnerability:
N/A Security fixes for apigee-kube-rbac-proxy. (Fixed in v1.14.3)
This addresses the following vulnerability:
N/A Security fixes for apigee-mart-server. (Fixed in v1.13.4)
This addresses the following vulnerability:
N/A Security fixes for apigee-mart-server. (Fixed in v1.14.3)
This addresses the following vulnerabilities:

Fixed

Fixed since last minor release

Bug ID Description
451841788 Apigee hybrid required the mintTaskScheduler.serviceAccountPath property even when Monetization was not enabled. (Fixed in v1.15.1 & v1.14.3)
451375397 The apigee-pull-push.sh script could return a No such image error message. (Fixed in v1.15.1 & v1.14.3)
445912919 Unused files and folders have been removed from the Apigee hybrid Helm charts to prevent potential security exposure and streamline the product installation and upgrade process. (Fixed in v1.15.1)
442501403 Fixed an issue that caused incorrect target latency metrics in Apigee Analytics when a TargetEndpoint is configured with a <LoadBalancer>. (Fixed in v1.15.1)
437999897 Reduced the log level for failed geo IP lookups to address excessive log messages for private IP addresses. (Fixed in v1.15.1)
431930277, 395272878 When the configuration property envs.managementCallsSkipProxy is set to true via helm for environment-level forward proxy, trace and analytics (which use googleapis.com) will skip forward proxy. (Fixed in v1.15.1)
423597917 Post of an AppGroupAppKey scopes should result in insert operation instead of update. (Fixed in v1.15.1 & v1.14.3)
420675540 Fixed Cassandra based replication for runtime contracts in synchronizer. (Fixed in v1.15.1, v1.14.3 & v1.13.4)
419578402 Mint-Mart forward proxy compatible. (Fixed in v1.15.1 & v1.14.3)
416634326 Presence of istio.io Custom Resource Definitions (CRDs) in an Apigee hybrid cluster could cause failure in apigee-ingressgateway-manager pods. (Fixed in v1.15.1, v1.14.3 & v1.13.4)
414499328 ApigeeTelemetry could become stuck in creating state (Fixed in v1.14.3 & v1.13.4)
412740465 Fixed issue where zipkin headers were not generated by Apigee Ingress Gateway. (Fixed in v1.15.1 & v1.14.3)
409048431 Fixes a vulnerability which could allow a SAML signature verification to be bypassed. (Fixed in v1.15.1 & v1.14.3)
401746333 Fixed a java.lang.ClassCircularityError that could occur in Java Callouts due to an issue with the class loading mechanism. (Fixed in v1.15.1 & v1.14.3)
395272878 Separate Forward proxy support for googleapis.com and non-googleapis.com runtime traffic. (Fixed in v1.14.3)
393615439 OASValidation behavior for allOf with additionalProperties: true. (Fixed in 1.14.2-hotfix.1)
382565315 A memory leak within the Security Policy has been addressed, improving system stability. (Fixed in v1.13.4)
378686709 The use of wildcards (*) in Apigee proxy basepaths would conflict with other explicit basepaths, resulting in a 404 error. To apply this fix, follow the procedure in Known issue 378686709. (Fixed in v1.15.1 & v1.14.3)
375360455 Updated apigee-runtime drain timeout to 300s to fix connection termination issue during pod termination. (Fixed in v1.13.4)
367815792 Two new Flow Variables: app_group_app and app_group_name have been added to VerifyApiKey and Access Token policy. (Fixed in v1.15.1 & v1.14.3)

Feature

Seccomp Profiles

Apigee Hybrid now offers the capability to apply Seccomp Profiles to your runtime components, significantly enhancing the security posture of your deployment.

This feature allows Apigee administrators and security teams to restrict the system calls (syscalls) a containerized process can make to the host’s kernel. By limiting a container to only the necessary syscalls, you can:

  • Enhance Security: Mitigate the risk of container breakouts and privilege escalation.
  • Enforce Least Privilege: Ensure components only have access to the exact system calls required for their operation.
  • Meet Compliance: Provide a critical control for meeting stringent security compliance requirements.

Seccomp profiles are not enabled by default. To enable the feature, see Configure Seccomp profiles for pod security.

App Engine flexible environment Python

Feature

Support for Python 3.14 runtime is in General Availability.

App Engine standard environment Python

Feature

Support for Python 3.14 runtime is in General Availability.

BigQuery

Feature

The BigQuery Data Transfer Service can now transfer data from Microsoft SQL Server to BigQuery. This feature is in Preview.

Feature

The BigQuery Data Transfer Service can now transfer data from MySQL to BigQuery. This feature is generally available (GA).

Buildpacks

Feature

The Python buildpack supports default entrypoint detection for the Agent Development Kit (ADK) framework (Preview). For more information, see Build a Python application.

Feature

Cloud Run and Cloud Run functions source deployments support pyproject.toml file for managing dependencies. This feature is in General Availability for Python version 3.13 and later, and is in Preview for Python version 3.12 and earlier. For more information, see Deploy Python applications with a pyproject.toml file.

Cloud Run

Feature

The Python buildpack supports default entrypoint detection for the Agent Development Kit (ADK) framework (Preview). For more information, see Build a Python application.

Feature

Cloud Run and Cloud Run functions source deployments support pyproject.toml file for managing dependencies. This feature is in General Availability for Python version 3.13 and later, and is in Preview for Python version 3.12 and earlier. For more information, see Deploy Python applications with a pyproject.toml file.

Feature

Support for Python 3.14 runtime is in General Availability. Starting from Python version 3.14 and later, the Python buildpack uses the uv package manager as the default installer for the dependencies you specify in your requirements.txt file. You can also use pip as the default installer for these versions by setting the GOOGLE_PYTHON_PACKAGE_MANAGER environment variable to pip. For more information, see Specify dependencies in Python.

Cloud Run functions

Feature

Support for Python 3.14 runtime is in General Availability. Starting from Python version 3.14 and later, the Python Buildpack uses the uv package manager as the default installer for the dependencies you specify in your requirements.txt file. You can also use pip as the default installer for these versions by setting the GOOGLE_PYTHON_PACKAGE_MANAGER environment variable to pip. For more information, see Specify dependencies in Python.

Compute Engine

Feature

Generally available: The G4 accelerator-optimized machine series supports the flex-start provisioning model. When you specify the flex-start provisioning model for your G4 virtual machine (VM) instances, you receive a discount up to 50% for vCPUs, memory, and GPUs. Flex-start is ideal for fault-tolerant or temporary workloads that can benefit from lower costs by having a flexible start time. For more information, see About Flex-start VMs.

Feature

Public Preview: The C4A VM family now offers a c4a-highmem-96-metal bare metal instance. This machine type has 96 vCPUs and 768 GB of DDR5 memory, Titanium I/O offload processing, and supports Hyperdisk Balanced, Hyperdisk Extreme, and Hyperdisk ML storage volumes. This bare metal instance is offered in select regions and zones. For more information, see C4A machine series.

Gemini Enterprise

Feature

Gemini Enterprise: Schedule agent executions for custom agents in Agent Designer (Preview)

You can configure your custom agents, created using the Agent Designer, to execute predefined instructions and prompts on a set schedule.

Scheduled executions run automatically for personal tasks, but any action involving other people will be paused for your review and approval.

For more information, see Schedule agent executions.

Google Kubernetes Engine

Feature

Rollout sequencing with custom stages is now available in Preview. This feature offers granular control over upgrading groups of clusters within a fleet, allowing you to progressively roll out GKE versions across environments. For more information, see About rollout sequencing with custom stages.

NetApp Volumes

Feature

Google Cloud NetApp Volumes supports Customer Managed Encryption Keys (CMEK) for backup in allow-listed General Availability (GA). This feature is available for Standard, Premium, and Extreme service levels. For more information, see Backup encryption with CMEK.

SAP on Google Cloud

Announcement

Introducing emergent host maintenance events for X4 instances running SAP HANA

To perform non-critical hardware repairs that help in preventing host errors on X4 instances, we’ve introduced emergent maintenance – a new type of host maintenance event.

While this is a type of unplanned maintenance, it’s similar in nature to a planned host maintenance event because of the following features:

  • It has a 14-day advance notification period.
  • You can manually trigger it, or let Google trigger it for you at the planned start date and time.

For more information, see Manage host maintenance events for X4 instances running SAP HANA.

Vertex AI Agent Builder

Feature

Vertex AI Agent Builder

Agent Designer, a low-code visual designer that lets you design and test your agent, is now available in the Google Cloud console in Preview.

Source: Google Cloud Platform
