VMware GemFire is based on Apache Geode, and they share a common set of documentation. Therefore, references to both VMware GemFire and Apache Geode appear throughout this documentation; consider them equivalents.
Released: May 23, 2023
VMware GemFire 9.15.6 includes fixes for the following security issues:
VMware GemFire 9.15.6 includes the following enhancement:
New log messages: Log messages have been added that warn when the system reaches the configured limits MAX_THREADS, MAX_PR_THREADS, and MAX_FE_THREADS.
See Issues Resolved in VMware GemFire 9.15.6 for details regarding issues addressed in this release.
Released: April 6, 2023
VMware GemFire 9.15.5 is a maintenance release which includes fixes for the following security issues:
See Issues Resolved in VMware GemFire 9.15.5 for details regarding issues addressed in this release.
Released: February 14, 2023
VMware GemFire 9.15.4 is a maintenance release. See Issues Resolved in VMware GemFire 9.15.4 for details regarding issues addressed in this release.
Released: November 9, 2022
VMware GemFire 9.15.3 is a maintenance release, which includes fixes for the following security issues:
See Issues Resolved in VMware GemFire 9.15.3 for details regarding issues addressed in this release.
Released: August 9, 2022
VMware GemFire 9.15.2 is a maintenance release, which includes fixes for the following security issues:
See Issues Resolved in VMware GemFire 9.15.2 for details regarding issues addressed in this release.
Released: July 27, 2022
VMware GemFire 9.15.1 is a maintenance release, which includes fixes for the following security issues:
See Issues Resolved in VMware GemFire 9.15.1 for details regarding issues addressed in this release.
Released: June 22, 2022
GemFire 9.15.0 is a new minor release that includes the following notable changes over its predecessor, GemFire v9.10:
The conserve-sockets GemFire property's default value has been changed from true to false.
See Issues Resolved in VMware GemFire 9.15.0 for details regarding issues addressed in this release.
This section describes issue resolutions that significantly affect VMware GemFire applications.
GEM-3686: Log messages have been added that warn when the system reaches the configured limits MAX_THREADS, MAX_PR_THREADS, and MAX_FE_THREADS.
GEM-5117, GEM-5347: Resolved issues in Pulse that could lead to wrong query results being displayed when results include null, duplicate Undefined values, or duplicate PdxInstance values.
GEM-5390, GEM-5406, GEM-5407: Updated Spring Framework from 5.3.26 to 5.3.27, Jetty libraries from 9.4.48.v20220622 to 9.4.51.v20230217, and Spring Security libraries from 5.8.1 to 5.8.3. These updates address the following CVEs:
GEM-5412: Fixed an issue in which some rare queries that use indexes could flip an OR clause to an AND clause.
GEM-5418: Fixed a serialization error that could occur when executing a query via gfsh that resulted in empty JSON objects being returned.
GEM-5022: Fixed an issue in which the server mistakenly determined that the specified maximum allotment of available client connections had been exhausted.
GEM-5117, GEM-5330: Resolved an issue affecting gfsh-initiated OQL queries in serializing POJOs for conversion to JSON strings.
GEM-5217: Improved serialization filter speed.
GEM-5253: Upgraded library commons-fileupload from version 1.4 to 1.5. This addresses CVE-2023-24998.
GEM-5262: Improved performance of readSerializable when serializable-object-filter is set.
GEM-5318: Upgraded library snakeyaml from version 1.31 to 2.0. This addresses CVE-2022-1471.
GEM-5327: Updated library json-smart from version 2.4.7 to 2.4.10 to address CVE-2023-20860.
GEM-5335: Updated several Spring Framework components from version 5.3.20 to 5.3.26 to address CVE-2023-20860.
GEM-1234: Resolves an issue where a durable client receives one fewer event than expected.
GEM-4096: Improves the accuracy of the aggregate Read/Sec rate displayed in Pulse.
GEM-4560: Upgrades ClassGraph to version 4.8.152 to address issues with required classes not being loaded correctly from Windows UNC locations.
GEM-4681: Resolves a race condition that can lead to the JMX Manager missing events during startup.
GEM-4800: Resolves a NullPointerException that occurred with a JTA transaction when the server processed a failed commit due to HA after already processing the same commit earlier. Also resolves a stuck threads issue on servers when JTA failed with SynchronizationCommitConflictException.
GEM-4864: Allows gfsh connections between different major versions of GemFire.
GEM-4922: Improves clarity of the gfsh connect command listing of gfsh and server versions.
GEM-5107: Improves Partitioned Region rebalance efficiency by adding a MAX_PARALLEL_REBALANCE_OPERATIONS parameter, which controls how many buckets GemFire will move in parallel as part of a rebalance. For GemFire 9.15, the default is 1. See Rebalancing Partitioned Region Data for details.
GEM-5111: Improves security posture of web services.
GEM-5141: Fixes an issue that blocked recovering persistent file with old ordinals.
GEM-5142: Improves write times on disk stores by optimizing the request for file position to reduce the number of system calls.
GEM-5143: Improves persistent region performance by removing unneeded locking during creation of the oplog key file (.krf).
GEM-5144: Upgrades Apache Shiro from version 1.10.0 to 1.11.0.
GEM-5151: Improves redundancy recovery performance with the disk store by reducing the number of threads actively contending for the disk store.
GEM-5152: By default, GemFire cancels a long-running query 5 hours after it is invoked. The user can modify this timeout by specifying a MAX_QUERY_EXECUTION_TIME system property or by configuring a memory limit using critical-heap-percentage. This modification improves system response to a query that exceeds its specified limits by allowing it to be canceled during its compilation phase.
GEM-5177: The gfsh restore redundancy operation now reports success, rather than a “NO_REDUNDANT_COPIES” error, for regions that contain no buckets.
GF4TAS-181: Addresses a NullPointerException thrown from gfsh when query results included a null value.
GEM-4571: The Class-Path entry has been removed from the manifests of all jars except dependency jars.
GEM-4647: Updated FasterXML Jackson Databind to version 2.13.4.2. This addresses CVE-2022-42003.
GEM-4657: PDXToJson and JsonWriter can now generate JSON for POJOs.
GEM-4703: Updated Apache Shiro to version 1.10.0. This addresses CVE-2022-40664.
GEM-4710: Updated Apache commons-text to version 1.10.0. This addresses CVE-2022-42889.
GEM-4827: Updated spring-security to version 5.6.9. This addresses CVE-2022-31690 and CVE-2022-31692.
GEM-2230: Fixed a hang that occurred during initialization in fixed partitioning when the configured primary bucket is still being initialized.
GEM-3785: Restored the ability to add custom ClassLoaders at runtime. Usage:
ClassPathLoader.getLatest().addUserDefinedClassloader(newClassLoader);
This allows the addition of user defined ClassLoaders. It does not allow for the removal of ClassLoaders. Restart is required to remove the user-defined ClassLoaders.
GEM-4398: Fixed a problem in the TLS handshake logic that occurred when an IPv6 address was used in the locators configuration parameter. An exception is avoided by not sending an IPv6 address as the Server Name Indication (SNI) hostname in the TLS handshake.
GEM-4383: GemFire OCI and OVA images no longer include curl. This addresses CVE-2022-32207.
GEM-4436: Upgraded snakeyaml to v1.31. This addresses CVE-2022-25857.
GEM-3036, GEM-3507, GEM-3691: Fixed a performance issue caused by a memberId leak in non-persistent regions.
GEM-3214: Improved performance by increasing the default BridgeServer.HANDSHAKE_POOL_SIZE from 4 to 50.
GEM-3433: Restored the visibility of processCpuTime statistics hidden by Java 11.
GEM-3684: Removed Server: header from all HTTP responses to mitigate a potential security risk in the REST API.
GEM-3749: Each GemfireHttpSession is now sized, instead of only the first instance being sized.
GEM-3766: Fixed a case in which findDistributedMembers() throws an unsupported operation exception.
GEM-3773: Upgraded shiro to v1.9.1 to address CVE-2022-32532.
GEM-3890: Upgraded jetty to v9.4.48 to address CVE-2022-2048.
GEODE-10301: Added the jackson-datatype-jsr310 and jackson-datatype-joda libraries to allow users with java.time types (such as LocalDateTime, LocalDate, and LocalTime) in their query result fields to have the formatting those libraries provide.
GEODE-9991, GEM-3361: Some upgrade paths to VMware GemFire 9.15 may result in members not restarting due to “SSLv2Hello is not enabled”. The upgrade instructions (Upgrading to v9.15) provide details on which applications might encounter this problem, and steps to take in order to prevent it from occurring.
GEODE-9451: Implemented authentication expiration.
GEODE-8778: Changed the default value of the conserve-sockets property to “false” to conform with the majority of implementations. If your application relies on an unspecified “true” default, modify your code to specify the value explicitly.
GEM-3237: Addresses CVE-2021-29153, a deserialization of untrusted data vulnerability in JMX over RMI and REST APIs, by configuring process-wide serialization filtering when the system property --J=-Dgeode.enableGlobalSerialFilter=true is supplied.
GemFire 9.15 has the following known issues:
GEM-5473: In a rare condition a deadlock and hung operations can occur during a server restart when two servers become primary for the same bucket. The cause can be verified by issuing the gfsh show metrics command and looking at the primaryBucketCount output and comparing it with the expected number of buckets. The workaround is to kill one of the affected nodes that is stuck waiting to acquire a lock on a class in org.apache.geode.internal.cache.entries.
General support includes security vulnerability resolutions and critical bug fixes in all supported minor versions, while other maintenance is applied only to the latest supported minor release.
New versions of VMware GemFire often include important security fixes, so VMware recommends you keep up to date with the latest releases.
For details about any security fixes in a particular release, see the Application Security Team page.
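The following Python script is an added example, not part of VMware's documentation: it checks the jar file names found in a deployment's library directory against the fixed library versions named in the issue resolutions above. The Maven artifact names and the sample listing are assumptions constructed for illustration; the version numbers come from this page.

```python
import re

# Minimum versions named in the issue resolutions above. The artifact names are
# assumptions (usual Maven artifact IDs); the page names only the libraries.
FIXED = {
    "commons-fileupload": "1.5",         # GEM-5253
    "snakeyaml": "2.0",                  # GEM-5318
    "json-smart": "2.4.10",              # GEM-5327
    "jackson-databind": "2.13.4.2",      # GEM-4647
    "commons-text": "1.10.0",            # GEM-4710
    "shiro-core": "1.11.0",              # GEM-5144
    "spring-core": "5.3.27",             # GEM-5390, GEM-5406, GEM-5407
    "spring-security-core": "5.8.3",     # same tickets
    "jetty-server": "9.4.51.v20230217",  # same tickets
}

JAR_RE = re.compile(r"^(?P<name>.+?)-(?P<ver>\d[\w.]*)\.jar$")


def version_key(version, width=6):
    """Numeric sort key, so that 2.4.10 ranks above 2.4.7 (string order does not)."""
    # Only digit runs are compared; pre-release qualifiers are not ordered.
    parts = [int(n) for n in re.findall(r"\d+", version)]
    return tuple(parts + [0] * (width - len(parts)))


def audit(jar_names, fixed=FIXED):
    """Return (artifact, found, required) for each jar older than its fixed version."""
    findings = []
    for jar in jar_names:
        m = JAR_RE.match(jar)
        if not m or m["name"] not in fixed:
            continue  # unversioned file name, or a library not tracked above
        required = fixed[m["name"]]
        if version_key(m["ver"]) < version_key(required):
            findings.append((m["name"], m["ver"], required))
    return sorted(findings)


# Constructed sample listing, in the form os.listdir() returns for a lib directory.
SAMPLE_LIB = [
    "commons-fileupload-1.4.jar", "snakeyaml-2.0.jar", "json-smart-2.4.7.jar",
    "jackson-databind-2.13.4.2.jar", "commons-text-1.10.0.jar",
    "jetty-server-9.4.48.v20220622.jar", "example-app.jar",
]

if __name__ == "__main__":
    for name, found, required in audit(SAMPLE_LIB):
        print(f"{name}: found {found}, fixed in {required}")
```

To check a real installation, pass `os.listdir()` of its library directory to `audit()` in place of `SAMPLE_LIB`.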