This topic contains the release notes for VMware GemFire.
Released: January 5, 2024
VMware GemFire 9.15.10 includes an update to jetty-server that fixes the following security issues:
See Issues Resolved in VMware GemFire 9.15.10 for details regarding issues addressed in this release.
Released: October 3, 2023
VMware GemFire 9.15.9 includes an update to jetty-server that fixes the following security issues:
See Issues Resolved in VMware GemFire 9.15.9 for details regarding issues addressed in this release.
Released: September 6, 2023
VMware GemFire 9.15.8 includes fixes for the following security issues:
See Issues Resolved in VMware GemFire 9.15.8 for details regarding issues addressed in this release.
Released: July 12, 2023
VMware GemFire 9.15.7 includes fixes for the following security issue:
See Issues Resolved in VMware GemFire 9.15.7 for details regarding issues addressed in this release.
Released: May 23, 2023
VMware GemFire 9.15.6 includes fixes for the following security issues:
VMware GemFire 9.15.6 includes the following enhancement:
New log messages: Log messages have been added that warn when the system reaches the configured limits
See Issues Resolved in VMware GemFire 9.15.6 for details regarding issues addressed in this release.
Released: April 6, 2023
VMware GemFire 9.15.5 is a maintenance release which includes fixes for the following security issues:
See Issues Resolved in VMware GemFire 9.15.5 for details regarding issues addressed in this release.
Released: February 14, 2023
VMware GemFire 9.15.4 is a maintenance release. See Issues Resolved in VMware GemFire 9.15.4 for details regarding issues addressed in this release.
Released: November 9, 2022
VMware GemFire 9.15.3 is a maintenance release, which includes fixes for the following security issues:
See Issues Resolved in VMware GemFire 9.15.3 for details regarding issues addressed in this release.
Released: August 9, 2022
VMware GemFire 9.15.2 is a maintenance release, which includes fixes for the following security issues:
See Issues Resolved in VMware GemFire 9.15.2 for details regarding issues addressed in this release.
Released: July 27, 2022
VMware GemFire 9.15.1 is a maintenance release, which includes fixes for the following security issues:
See Issues Resolved in VMware GemFire 9.15.1 for details regarding issues addressed in this release.
Released: June 22, 2022
GemFire 9.15.0 is a new minor release that includes the following notable changes over its predecessor, GemFire v9.10:
conserve-sockets GemFire property’s default value has been changed from
See Issues Resolved in VMware GemFire 9.15.0 for details regarding issues addressed in this release.
This section describes issue resolutions that significantly affect VMware GemFire applications.
DeltaQueuedSessionAttributes were replicating incorrectly, causing accesses in one container to overwrite changes made concurrently in another container.
GEM‑6289: Prevents concurrency issue when reconnecting with durable clients after server failure.
GEM‑6309: Resolved issue where GemFire Pulse did not work with Azure Active Directory because Spring OAuth security was incorrectly interpreting roles set by the OAuth provider.
GEM‑6494: Fixed issue where
threadStarts were reported as
GEM‑6495: Corrects descriptions in
CacheClientProxy.waitRemoval now throws a TimeoutException after a configurable timeout period. Exceeding this timeout period results in a warning logged on the server and a response sent to the client that its request failed. By default, the timeout is 59,000 milliseconds. This timeout can be configured on a server by setting the gemfire.queueInitializationTimeoutMs system property.
GEM‑6575: Fixed a race condition that caused threads named “Client Queue Initialization Thread” to hang forever in
GEM‑6627: Prevents a race condition that can cause NullPointerException during cluster membership changes.
GEM‑6455: Updated Jetty from 9.4.52.v20230823 to 9.4.53.v20231009 to address CVE-2023-36478.
GEM‑6634: Updated springdoc-openapi-ui from 1.6.8 to 1.6.15 to address CVE-2023-34055.
GEM‑6646: Updated spring-boot from 2.6.15 to 2.7.18 to address CVE-2023-20873.
GEM‑6675: Updated shiro from 1.12.0 to 1.13.0 to address CVE-2023-46750.
GEM-6251: The result of COUNT in the projection of a SELECT expression is no longer limited by the LIMIT in an OQL query. This also applies to default limits imposed by JMX queries (e.g. Pulse) and queries in gfsh.
GEM-6268: When a client requests server details, the server presents a list of available locators to field the request. In prior releases, the locator list was sorted, so in practice clients often sent their requests to the same locator. To improve load-balancing, the list of available locators is now shuffled by default so such requests will be fielded by randomly chosen locators.
To restore the earlier behavior, set the following property:
GEM-6265: Fixed an issue that resulted in loss of persistent data when a member was forced out of the cluster during persistent disk store recovery and the system property gemfire.disk.recoverValuesSync was set to
GEM-6314: Adds support for DNS reverse-lookup returning a hostname terminated by a trailing period.
GEM-6360: Improved locator statistics to reflect the types of requests the locator is receiving.
GEM-6362: Updated Jetty library from version 9.4.51 to 9.4.52 to address CVE-2023-36479, CVE-2023-40167, and CVE-2023-41900.
GEM-6366: Updated Spring-security library from version 5.8.5 to 5.8.7 to address BDSA-2023-2481.
GEM-6031: Presence or absence of an index no longer causes a query with trivially false conditions to behave differently.
GEM-6053: The first backup on a restarted member now performs an incremental backup, if appropriate, instead of defaulting to a full backup.
GEM-6113: Improved termination of ‘register interest’ subscriptions to avoid retaining unused threads.
GEM-6170: Ensures region metadata is updated correctly when destroying a colocated region.
GEM-6191: Ensures termination of a function thread left waiting after failing to contact a disconnected client.
GEM‑6232: GemFire statistics now reports the correct value for actualRedundantCopies in cases where the actual number is lower than the configured number.
GEM-4219: Repaired a memory leak in transaction memory lock lists that was triggered by a CommitConflictException from another node.
GEM-4717: Fixed an issue in which increases to custom entry-time-to-live settings were being ignored.
GEM-5586: Upgraded Spring Boot libraries from 2.6.7 to 2.6.15. This addresses CVE-2023-20883.
GEM-5773: Improved the gfsh create region command to identify a partitioned region using --local-max-memory=0 as a proxy region.
GEM-3686: Log messages have been added that warn when the system reaches the configured limits
GEM-5117, GEM-5347: Resolved issues in Pulse that could lead to wrong query results being displayed when results include null, duplicate Undefined values, or duplicate PdxInstance values.
GEM-5390, GEM-5406, GEM-5407: Updated Spring Framework from 5.3.26 to 5.3.27, Jetty libraries from 9.4.48.v20220622 to 9.4.51.v20230217, and Spring Security libraries from 5.8.1 to 5.8.3. These updates address the following CVEs:
GEM-5412: Fixed an issue in which some rare queries that use indexes could flip an OR clause to an AND clause.
GEM-5418: Fixed a serialization error that could occur when executing a query through gfsh that resulted in empty JSON objects being returned.
GEM-5022: Fixed an issue in which the server mistakenly determined that the specified maximum allotment of available client connections had been exhausted.
GEM-5117, GEM-5330: Resolved an issue affecting gfsh-initiated OQL queries in serializing POJOs for conversion to JSON strings.
GEM-5217: Improved serialization filter speed.
GEM-5253: Upgraded library commons-fileupload from version 1.4 to 1.5. This addresses CVE-2023-24998.
GEM-5262: Improved performance of readSerializable when serializable-object-filter is set.
GEM-5318: Upgraded library snakeyaml from version 1.31 to 2.0. This addresses CVE-2022-1471.
GEM-5327: Updated library json-smart from version 2.4.7 to 2.4.10 to address CVE-2023-20860.
GEM-5335: Updated several Spring Framework components from version 5.3.20 to 5.3.26 to address CVE-2023-20860.
GEM-1234: Resolves an issue where a durable client receives one fewer event than expected.
GEM-4096: Improves the accuracy of the aggregate Read/Sec rate displayed in Pulse.
GEM-4560: Upgrades ClassGraph to version 4.8.152 to address issues with required classes not being loaded correctly from Windows UNC locations.
GEM-4681: Resolves a race condition that can lead to the JMX Manager missing events during startup.
NullPointerException using JTA transaction when server processes a failed commit due to HA after already processing the same commit earlier. Also resolves a stuck threads issue on servers when JTA failed with
gfsh connections between different major versions of GemFire.
GEM-4922: Improves clarity of the gfsh connect command listing of gfsh and server versions.
GEM-5107: Improves Partitioned Region rebalance efficiency by adding a MAX_PARALLEL_REBALANCE_OPERATIONS parameter, which controls how many buckets GemFire will move in parallel as part of a rebalance. For GemFire 9.15, the default is 1. See Rebalancing Partitioned Region Data for details.
GEM-5111: Improves security posture of web services.
GEM-5141: Fixes an issue that blocked recovering persistent file with old ordinals.
GEM-5142: Improves write times on disk stores by optimizing the request for file position to reduce the number of system calls.
GEM-5143: Improves persistent region performance by removing unneeded locking during creation of the oplog key file (.krf).
GEM-5144: Upgrades Apache Shiro from version 1.10.0 to 1.11.0.
GEM-5151: Improves redundancy recovery performance with the disk store by reducing the number of threads actively contending for the disk store.
GEM-5152: By default, GemFire cancels a long-running query 5 hours after it is invoked. The user can modify this timeout by specifying a MAX_QUERY_EXECUTION_TIME system property or by configuring a memory limit using critical-heap-percentage. This modification improves system response to a query that exceeds its specified limits by allowing it to be canceled during its compilation phase.
GEM-5177: The gfsh restore redundancy operation now reports success, rather than a “NO_REDUNDANT_COPIES” error, for regions that contain no buckets.
NullPointerException thrown from gfsh when query results included null value.
Class-Path entry has been removed from the manifests of all jars except dependency jars.
GEM-4647: Updated FasterXML Jackson Databind to version 184.108.40.206. This addresses CVE-2022-42003.
JsonWriter can now generate JSON for POJOs.
GEM-4703: Updated Apache Shiro to version 1.10.0. This addresses CVE-2022-40664.
GEM-4710: Updated Apache commons-text to version 1.10.0. This addresses CVE-2022-42889.
GEM-4827: Updated spring-security to version 5.6.9. This addresses CVE-2022-31690 and CVE-2022-31692.
GEM-2230: Fixed a hang that occurred during initialization in fixed partitioning when the configured primary bucket is still being initialized.
GEM-3785: Restore the ability to add custom classLoaders at runtime. Usage:
This allows the addition of user defined ClassLoaders. It does not allow for the removal of ClassLoaders. Restart is required to remove the user-defined ClassLoaders.
GEM-4398: Fixed a problem in the TLS handshake logic that occurred when an IPv6 address was used in the locators configuration parameter. An exception is avoided by not sending an IPv6 address as the Server Name Indication (SNI) hostname in the TLS handshake.
GEM-4383: GemFire OCI and OVA images no longer include curl. This addresses CVE-2022-32207.
snakeyaml to v1.31. This addresses CVE-2022-25857.
GEM-3036, GEM-3507, GEM-3691: Fixed a performance issue caused by a memberId leak in non-persistent regions.
GEM-3214: Introduce a performance improvement by increasing the default BridgeServer.HANDSHAKE_POOL_SIZE from 4 to 50.
GEM-3433: Restored the visibility of processCpuTime statistics hidden by Java 11.
GEM-3684: Removed Server: header from all HTTP responses to mitigate a potential security risk in the REST API.
GEM-3749: Each GemfireHttpSession is now sized, instead of only the first instance being sized.
GEM-3766: Fixed a case in which findDistributedMembers() throws an unsupported operation exception.
GEM-3773: Upgraded shiro to v1.9.1 to address CVE-2022-32532.
GEM-3890: Upgraded jetty to v9.4.48 to address CVE-2022-2048.
GEODE-10301: Added the jackson-datatype-jsr310 and jackson-datatype-joda libraries to allow users with java.time types (such as LocalDateTime, LocalDate, and LocalTime) in their query result fields to have the formatting those libraries provide.
GEODE-9991, GEM-3361: Some upgrade paths to VMware GemFire 9.15 may result in members not restarting due to “SSLv2Hello is not enabled”. The upgrade instructions (Upgrading to v9.15) provide details on which applications might encounter this problem, and steps to take in order to prevent it from occurring.
GEODE-9451: Implemented authentication expiration.
GEODE-8778: Changed the default value of conserve-sockets to “false” to conform with the majority of implementations. If your application relies on an unspecified “true” default, modify your code to specify the value explicitly.
GEM-3237: Addresses CVE-2021-29153, deserialization of untrusted data vulnerability in JMX over RMI and REST APIs, by configuring process-wide serialization filtering when the system property --J=-Dgeode.enableGlobalSerialFilter=true is supplied.
GemFire 9.15 has the following known issues:
GEM-5473: In a rare condition a deadlock and hung operations can occur during a server restart when two servers become primary for the same bucket. The cause can be verified by issuing the gfsh show metrics command and looking at the primaryBucketCount output and comparing it with the expected number of buckets. The workaround is to kill one of the affected nodes that is stuck waiting to acquire a lock on a class in
General support includes security vulnerability resolutions and critical bug fixes in all supported minor versions, while other maintenance is applied only to the latest supported minor release.
New versions of VMware GemFire often include important security fixes, so VMware recommends that you keep up to date with the latest releases.
For details about any security fixes in a particular release, see the Application Security Team page.