VMware GemFire 10.0 Release Notes

This topic contains the release notes for VMware Tanzu GemFire.

VMware GemFire 10 has been designated the “Gideon” release in memory of our colleague, Gideon Low.

New in VMware GemFire 10.0.4

Released: April 17, 2024

VMware GemFire 10.0.4 includes updates to jackson, netty, spring, spring-security, and tomcat to address the following security issues:

  • CVE-2024-22029
  • CVE-2024-22243
  • CVE-2024-22257
  • CVE-2024-22259
  • CVE-2024-22262
  • CVE-2024-29025
  • BDSA-2022-4307

See Issues Resolved in VMware GemFire 10.0.4 for details regarding issues addressed in this release.

New in VMware GemFire 10.0.3

Released: February 8, 2024

VMware GemFire 10.0.3 includes fixes for the security issues listed below.

An update to json-path that fixes the following security issues:

  • CVE-2023-51074

An update to jetty-server that fixes the following security issues:

  • CVE-2023-36478
  • CVE-2023-34055
  • CVE-2023-20873
  • CVE-2023-46750

Updates to Tomcat that fix the following security issues:

  • CVE-2016-3092
  • CVE-2017-5650
  • CVE-2020-13943
  • CVE-2023-46589

See Issues Resolved in VMware GemFire 10.0.3 for details regarding issues addressed in this release.

New in VMware GemFire 10.0.2

Released: November 21, 2023

VMware GemFire 10.0.2 includes fixes for the following security issues:

  • CVE-2023-34478 (Shiro)
  • CVE-2023-34034 (Spring Security)
  • CVE-2023-34036 (Spring HATEOAS)

VMware GemFire 10.0.2 includes updates to Jetty that fix the following security issues:

  • CVE-2023-36479
  • CVE-2023-40167
  • CVE-2023-41900
  • BDSA-2023-2481

VMware GemFire 10.0.2 includes updates to Tomcat that fix the following security issues:

  • CVE-2023-24998
  • CVE-2023-28709
  • CVE-2023-41080
  • CVE-2023-42794
  • CVE-2023-42795
  • CVE-2023-45648

See Issues Resolved in VMware GemFire 10.0.2 for details regarding issues addressed in this release.

New in VMware GemFire 10.0.1

Released: July 20, 2023

VMware GemFire 10.0.1 includes fixes for the following security issues:

  • CVE-2023-20862
  • CVE-2023-20863
  • CVE-2023-20883
  • CVE-2023-26048
  • CVE-2023-26049
  • CVE-2023-34462
  • CVE-2023-35116

New in VMware GemFire 10.0

VMware GemFire contains a number of new features and improvements, including:

VMware GemFire also includes functionalities that are implemented as separately-downloadable extensions, including:

For details regarding deprecated functionalities, see Upgrading GemFire from Version 9 to Version 10.

Secure Peer-to-Peer Communication

In version 10, all message traffic between GemFire servers uses TCP sockets for improved security, performance, and maintainability. In earlier versions, the UDP protocol and the JGroups library were used for some communications between cluster members, primarily for membership operations such as join/leave requests and heartbeats. Beginning with version 10, all member-to-member communications use TCP/IP. The JGroups library is distributed with VMware GemFire version 10 to support upgrades from earlier versions.

WAN Delta Replication

In version 10, WAN replication supports sending delta updates between distributed systems to improve the network speed and efficiency.

Improved JSON Support

The JsonDocumentFactory API replaces the JSONFormatter API. The JSONFormatter API has been deprecated in GemFire 10.

The JsonDocumentFactory API allows you to convert a JSON String into a binary form that can be stored in a GemFire region. GemFire accesses each field in the binary form without needing to re-parse JSON or deserialize the binary form. For information about using the JsonDocumentFactory API, see Adding JSON Documents to the GemFire Cache.

GemFire Search

VMware GemFire Search replaces Apache Lucene® in VMware GemFire version 10.

GemFire Search is a search engine that provides indexing and searching capabilities when used with VMware GemFire. GemFire Search is built using the widely-used Java full-text search engine Apache Lucene®. GemFire Search uses the Lucene name in syntax and APIs.

For more information about GemFire Search, see the VMware GemFire Search product documentation.

Product Default Changes

Default values for the following GemFire properties and class parameters have changed in GemFire version 10:

| GemFire Property or Parameter | Default Value | Old Default (v9 and earlier) |
|---|---|---|
| enable-time-statistics | true | false |
| socket-lease-time | 1800000 milliseconds (30 minutes) | 60000 ms (1 min) |
| PoolFactory.DEFAULT_IDLE_TIMEOUT | 120000 milliseconds (2 minutes) | 5000 milliseconds (5 seconds) |

Classloader Isolation

VMware GemFire deploys JAR files using a classloader isolation model. JAR files are loaded into their own classloaders which are isolated from the rest of the system and from each other. Deployments can access classes from other deployed JAR files and from the system, but will look inside their own classloaders first before looking externally.

Classloader isolation is the default setting and is recommended for all new implementations. Chained classloading was the GemFire version 9 default, and is provided in support of legacy applications. Classloader isolation can be disabled using the flag --disable-classloader-isolation=true when starting members through gfsh using the start command.

JDK Support

GemFire v10 is certified for use with JDK 8, JDK 11, and JDK 17. Starting with version 10.0, JDK 11 is the preferred JDK version.

| JDK | Recommended Version | Minimum Version |
|---|---|---|
| 8 | latest | u361 |
| 11 | latest | 11.0.18 |
| 17 | latest | 17.0.6 |

See Java Support for details.

Updated Tomcat Sessions Caching

GemFire v10 includes the following updates to Tomcat session management:

  • The Tomcat extension has been updated to support Tomcat Version 10. Tomcat 10 introduces support for Jakarta EE 9.
  • Support for Tomcat versions 8.5 and 9 has been retained.
  • Support for unsupported Tomcat versions 7 and 8 has been removed.
  • Support for TC Server has been removed.

New Environment Variable: GEMFIRE_HOME

In VMware GemFire version 10, the environment variable GEMFIRE_HOME replaces the GEODE_HOME variable. GEODE_HOME has been deprecated.

Resolved Issues

This section describes issue resolutions that significantly affect VMware GemFire applications.

Issues Resolved in GemFire 10.0.4

GEM-6318: Corrected an issue where GemFire Pulse (deprecated) queries when no server was selected returned empty results, and JMX query results were duplicated and showed an extra level of nesting in the JSON.

GEM-6664: Corrected an issue where client authorization exceptions could occur when integrated security caused the server’s ClientHealthMonitor to clear a client’s proxy information but the client continued to hold and try to use the uniqueId in later operations.

GEM-6689 (GEM-6900): Corrected an issue where the create bucket process could hang with a BufferUnderflowException due to a race condition.

GEM-6693: Corrected an issue where indexes could fail to populate on server restart due to the default RestrictedMethodAuthorizer being used instead of the configured method authorizer.

GEM-6885: Corrected an issue where multiple EvictionControllers and HeapLRUStatistics were being created for the same overflow region.

GEM-6892: Unnecessary ThreadMonitor logging messages have been eliminated.

GEM-6992: Updated jackson to 2.16.1 to address BDSA-2022-4307.

GEM-7018: Updated tomcat modules to 8.5.100 and 9.0.87 to address CVE-2024-22029.

GEM-7052, GEM-7284, GEM-7399: Updated spring to 5.3.34 to address CVE-2024-22243, CVE-2024-22259, and CVE-2024-22262.

GEM-7097: Corrected an issue where, when a PDX Serialization exception occurred from the GemFire client side, the GemFire client pool would be destroyed.

GEM-7101: Corrected an issue where the verbose option in the describe region command in gfsh could show an incorrect number of entries in the cache.

GEM-7310: Updated spring-security to 5.8.11 to address CVE-2024-22257.

GEM-7349: Updated netty to v4.1.108 to address CVE-2024-29025.

GEM-7392: Corrected an issue where the pulse updater could loop instead of stopping when credentials were expired.
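
The fixed versions named in the 10.0.4 entries above can be compared with the jars actually present in an installation. This is an added example, not VMware's tooling: the Maven-style jar file names, the artifact-name patterns and the $GEMFIRE_HOME/lib location are assumptions, and the sample listing is constructed.

```python
import re

# Fixed versions named in the 10.0.4 entries above (GEM-6992, GEM-7018,
# GEM-7052/7284/7399, GEM-7310, GEM-7349). The artifact-name patterns are
# assumptions about Maven-style jar naming, not taken from the release notes.
FLOORS = [
    (re.compile(r"^jackson-"), [(2, 16, 1)]),
    (re.compile(r"^netty-"), [(4, 1, 108)]),
    (re.compile(r"^spring-security-"), [(5, 8, 11)]),
    (re.compile(r"^spring-(core|beans|context|web|webmvc|aop|expression)$"), [(5, 3, 34)]),
    (re.compile(r"^tomcat-"), [(8, 5, 100), (9, 0, 87)]),
]

JAR = re.compile(r"^(?P<name>.+?)-(?P<ver>\d+(?:\.\d+)+)(?:[.-][A-Za-z0-9]+)?\.jar$")


def classify(jar_file):
    """Return ok / stale / unlisted for a tracked jar, untracked otherwise."""
    m = JAR.match(jar_file)
    if not m:
        return "untracked"
    version = tuple(int(p) for p in m["ver"].split("."))
    for pattern, floors in FLOORS:
        if pattern.search(m["name"]):
            # Compare only against the fixed release on the same major line.
            floor = next((f for f in floors if f[0] == version[0]), None)
            if floor is None:
                return "unlisted"
            return "ok" if version >= floor else "stale"
    return "untracked"


def audit(jar_files):
    """Map each jar covered by the notes to its status; skip the rest."""
    statuses = {jar: classify(jar) for jar in jar_files}
    return {jar: s for jar, s in statuses.items() if s != "untracked"}

# Constructed listing standing in for the jars under $GEMFIRE_HOME/lib.
SAMPLE_LIB = [
    "jackson-databind-2.15.2.jar",
    "netty-codec-http-4.1.108.Final.jar",
    "spring-core-5.3.34.jar",
    "spring-security-web-5.8.7.jar",
    "spring-boot-2.7.18.jar",
    "tomcat-catalina-9.0.82.jar",
    "tomcat-catalina-10.0.27.jar",
    "log4j-core-2.20.0.jar",
]

if __name__ == "__main__":
    for jar, status in audit(SAMPLE_LIB).items():
        print(f"{status:8} {jar}")
```

A status of "unlisted" means the notes name no fixed release on that major line, which is the case for the Tomcat 10.0 module.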

Issues Resolved in GemFire 10.0.3

GEM-6309: Resolved an issue where GemFire Pulse did not work with Azure Active Directory because Spring OAuth security was incorrectly interpreting roles set by the OAuth provider.

GEM-6459: Fixed a Java NullPointerException related to Tomcat.

GEM-6494: Fixed an issue where threadStarts were reported as threadCreates.

GEM-6495: Corrects descriptions in DistributionStats.

GEM-6502: CacheClientProxy.waitRemoval now throws a TimeoutException after a configurable timeout period. Exceeding this timeout period results in a warning logged on the server and a response sent to the client that its request failed. By default, the timeout is 59,000 milliseconds. This timeout can be configured on a server by setting the gemfire.queueInitializationTimeoutMs system property.

GEM-6575: Fixed a race condition that caused threads named “Client Queue Initialization Thread” to hang forever in CacheClientProxy.waitRemoval.

GEM-6627: Prevents a race condition that can cause a NullPointerException during cluster membership changes.

GEM-6631: Updated Tomcat to address CVE-2023-46589.

GEM-6634: Updated springdoc-openapi-ui from 1.6.8 to 1.6.15 to address CVE-2023-34055.

GEM-6646: Updated spring-boot from 2.6.15 to 2.7.18 to address CVE-2023-20873.

GEM-6675: Updated shiro from 1.12.0 to 1.13.0 to address CVE-2023-46750.

GEM-6706: Fixed an issue where user classes deployed to a member, or added to the automatic module class path, could not log. Regardless of logging facade, if the logging target was log4j then the log output was lost.

GEM-6713: Updated json-path to 2.9.0 to address CVE-2023-51074.

GEM-6730: Updated Tomcat to address CVE-2016-3092, CVE-2017-5650, and CVE-2020-13943.

Issues Resolved in GemFire 10.0.2

GEM-5485, GEM-5486, GEM-6253, GEM-6450: Updated Tomcat 8 from 8.5.87 to 8.5.95 and updated Tomcat 9 from 9.0.73 to 9.0.82, addressing CVE-2023-24998, CVE-2023-28709, CVE-2023-41080, CVE-2023-42794, CVE-2023-42795, and CVE-2023-45648.


Tomcat 10.0 is no longer supported, so no fix is available for this issue. This component is not enabled by default, and can be safely deleted from your GemFire distribution.

GEM-6314: Adds support for DNS reverse-lookup returning a hostname terminated by a trailing period.

GEM-6360: Improved locator statistics to reflect the types of requests the locator is receiving.

GEM-6362: Updated Jetty library from version 9.4.51 to 9.4.52 to address CVE-2023-36479, CVE-2023-40167, and CVE-2023-41900.

GEM-6366: Updated Spring-security library from version 5.8.5 to 5.8.7 to address BDSA-2023-2481.

GEM-6031: Presence or absence of an index no longer causes a query with trivially false conditions to behave differently.

GEM-6053: The first backup on a restarted member now performs an incremental backup, if appropriate, instead of defaulting to a full backup.

GEM-6113: Improved termination of ‘register interest’ subscriptions to avoid retaining unused threads.

GEM-6170: Ensures region metadata is updated correctly when destroying a colocated region.

GEM-6232: GemFire statistics now reports the correct value for actualRedundantCopies in cases where the actual number is lower than the configured number.

GEM-6251: The result of COUNT in the projection of a SELECT expression is no longer limited by the LIMIT in an OQL query. This also applies to default limits imposed by JMX queries (e.g. Pulse) and queries in gfsh.

GEM-6268: When a client requests server details, the server presents a list of available locators to field the request. In prior releases, the locator list was sorted, so in practice clients often sent their requests to the same locator. To improve load-balancing, the list of available locators is now shuffled by default so that such requests are fielded by randomly chosen locators.

To restore the earlier behavior, set the property locator.gemfire.sort-locator-list=true.

GEM-6265: Fixed an issue that resulted in loss of persistent data when a member was forced out of the cluster during persistent disk store recovery and the system property gemfire.disk.recoverValuesSync was set to true.

GEM-6471: Correct credentials are used for authentication during TCP connection handshake.

Issues Resolved in GemFire 10.0.1

GEM-4717: Fixed an issue in which increases to custom entry-idle-time and entry-time-to-live settings were being ignored.

GEM-5117, GEM-5347: Resolved issues in Pulse that could lead to wrong query results being displayed when results include null, duplicate Undefined values, or duplicate PdxInstance values.

GEM-5280: Query execution supports region names containing “-” characters.

GEM-5301: Added checks to detect unexpected characters in region names.

GEM-5330: Fixed an issue in gfsh when converting LocalDate in PDX to JSON in query results.

GEM-5337: The gfsh deploy jar command throws an error when the jar name contains forbidden characters. Exclamation point (!) is now correctly detected as one of those characters.

GEM-5381: Large data inconsistency because queues are not drained.

GEM-5388: Fixed an issue where a client connection could hang on JDK 17 when the server did not process the client’s connection request because the server was closing its cache.

GEM-5390: Updated Spring Framework from 5.3.26 to 5.3.27. This addresses CVE-2023-20863.

GEM-5406: Updated Spring Security libraries from 5.8.1 to 5.8.3. This addresses CVE-2023-20862.

GEM-5407: Updated Jetty libraries from 9.4.48.v20220622 to 9.4.51.v20230217. This addresses CVE-2023-26048 and CVE-2023-26049.

GEM-5412: Fixed an issue in which some rare queries that use indexes could flip an OR clause to an AND clause.

GEM-5418: Fixed a serialization error that could occur when executing a query through gfsh that resulted in empty JSON objects being returned.

GEM-5586: Upgraded Spring Boot libraries from 2.6.7 to 2.6.15. This addresses CVE-2023-20883.

GEM-5736: Upgraded Jackson libraries from 2.14.1 to 2.15.2. This addresses CVE-2023-35116.

GEM-5773: Improved the gfsh create region command to identify a partitioned region using --local-max-memory=0 as a proxy region.

GEM-5855: Upgraded netty from 4.1.86 to 4.1.94. This addresses CVE-2023-34462.

Issues Resolved in VMware GemFire 10.0

GEM-3653: Improved deserialization safety. Addresses CVE-2022-23027.

GEM-4219: Fixed a memory leak that occurred following a Commit Conflict Exception from another node.

GEM-4297: Fixed a hang in gfsh that occurred when a CacheLoader threw an exception whose class is not available in the locator.

GEM-4425: Fixed a leak in the heap storage that occurred during the auto-reconnect process.

GEM-5320: Resolved an issue with WAN replication that could lead to excessive logging of the message, “Your SSL configuration disables hostname validation.”

Known Issues

GemFire 10.0 has the following known issues:

GEM-5193 Incomplete putIfAbsent results in redundant copies with entry. One copy does not have this entry

A rare case where replicated or redundant regions become unsynchronized can occur when a cache operation originates on the server side and the node is killed or crashes. The node that is killed may fail to alert other nodes. Mechanisms exist to detect a member being killed and to trigger data synchronization for missed data on the surviving nodes, but in rare cases, depending on the timing of the data sync, the data may become inconsistent across the surviving nodes. The nodes are eventually synchronized after any updates on those keys.

GEM-5312 Apparent distributed deadlock with serial gateway senders

A rare possibility of deadlock can occur with serial gateway senders during cache operations. This happens when regions are configured with the distributed-no-ack data policy.

To work around this issue, avoid defining a serial gateway sender on a region with the distributed-no-ack data policy.

GEM-5352: Data inconsistency between region and wbclRegion reported when member initiating destroy closes its cache. The cache is updated, but AsyncEventQueue is not updated.

AsyncEventQueue can miss an event when the cache is closed on the data regions. This happens when the AsyncEventQueue exists on nodes that do not host the data regions (primary and secondary bucket regions) and the cache is closed on the data region right before the messages are sent to the nodes hosting the AsyncEventQueue.

To work around this issue, close the cache after all the data is propagated.

Resolved Known Issues

The following GemFire 10.0 Known Issues have been resolved in subsequent patch releases.

GEM-5280 Query execution may not work with region names containing a “-” character. (Resolved, v10.0.1)

Query execution in Spring applications may not work properly when executed against region names containing a “-” character. The workaround is to avoid using “-” in the region name.

To resolve this issue, upgrade to version 10.0.1 or later.

GEM-5337 Deploy function does not work with jars containing a ‘!’ character. (Resolved, v10.0.1)

Using gfsh to deploy a jar with a “!” character in the jar name does not work properly.

To work around this issue, do not use a “!” character in the name of your jars.

To resolve this issue, upgrade to version 10.0.1 or later.

GEM-5347 Pulse Data Browse does not display null values and displays duplicate values as d. (Resolved, v10.0.1)

Pulse Data Browse does not display null in query results. Pulse Data Browse displays UNDEFINED values in query results as u, and multiple or duplicate instances that are UNDEFINED or PdxInstance in query results as d.

To resolve this issue, upgrade to version 10.0.1 or later.

GEM-5381 Large data inconsistency because queues are not drained. (Resolved, v10.0.1)

A rare possibility of deadlock can occur with a gateway sender when the remote site server that the sender is connected to is stopped. Two threads will attempt to create a new connection at the same time resulting in deadlock.

To resolve this issue, upgrade to version 10.0.1 or later.


General support includes security vulnerability resolutions and critical bug fixes in all supported minor versions, while other maintenance is applied only to the latest supported minor release.

Obtaining and Installing Security Updates

New versions of VMware GemFire often include important security fixes, so VMware recommends that you keep up-to-date with the latest releases.

For details about any security fixes in a particular release, see Notable vulnerabilities in Tanzu product dependencies.
