VMware GemFire 9.15 Release Notes
This topic contains the release notes for VMware GemFire.
What’s New in VMware GemFire 9.15.12
Released: June 26, 2024
VMware GemFire 9.15.12 includes updates to spring and spring-security to address the following security issues:
- CVE-2024-22243
- CVE-2024-22257
- CVE‑2024‑22259
- CVE-2024-22262
See Issues Resolved in VMware GemFire 9.15.12 for details regarding issues addressed in this release.
What’s New in VMware GemFire 9.15.11
Released: February 26, 2024
VMware GemFire 9.15.11 includes an update to json-path that fixes the following security issues:
- CVE-2023-51074
See Issues Resolved in VMware GemFire 9.15.11 for details regarding issues addressed in this release.
What’s New in VMware GemFire 9.15.10
Released: January 5, 2024
VMware GemFire 9.15.10 includes an update to jetty-server that fixes the following security issues:
- CVE-2023-36478
- CVE-2023-34055
- CVE-2023-20873
- CVE-2023-46750
See Issues Resolved in VMware GemFire 9.15.10 for details regarding issues addressed in this release.
What’s New in VMware GemFire 9.15.9
Released: October 3, 2023
VMware GemFire 9.15.9 includes an update to jetty-server that fixes the following security issues:
- CVE-2023-36479
- CVE-2023-40167
- CVE-2023-41900
- BDSA-2023-2481
See Issues Resolved in VMware GemFire 9.15.9 for details regarding issues addressed in this release.
What’s New in VMware GemFire 9.15.8
Released: September 6, 2023
VMware GemFire 9.15.8 includes fixes for the following security issues:
- CVE‑2023‑34478 (Shiro)
- CVE‑2023‑34034 (Spring security)
- CVE‑2023‑34036 (Spring hateoas)
See Issues Resolved in VMware GemFire 9.15.8 for details regarding issues addressed in this release.
What’s New in VMware GemFire 9.15.7
Released: July 12, 2023
VMware GemFire 9.15.7 includes fixes for the following security issue:
- CVE-2023-20883
See Issues Resolved in VMware GemFire 9.15.7 for details regarding issues addressed in this release.
What’s New in VMware GemFire 9.15.6
Released: May 23, 2023
VMware GemFire 9.15.6 includes fixes for the following security issues:
- CVE-2023-20862
- CVE-2023-20863
- CVE-2023-26048
- CVE-2023-26049
VMware GemFire 9.15.6 includes the following enhancement:
New log messages: Log messages have been added that warn when the system reaches the configured limits MAX_THREADS, MAX_PR_THREADS, and MAX_FE_THREADS.
See Issues Resolved in VMware GemFire 9.15.6 for details regarding issues addressed in this release.
What’s New in VMware GemFire 9.15.5
Released: April 6, 2023
VMware GemFire 9.15.5 is a maintenance release which includes fixes for the following security issues:
- CVE-2022-1471
- CVE-2023-1370
- CVE-2023-24998
- CVE-2023-20860
See Issues Resolved in VMware GemFire 9.15.5 for details regarding issues addressed in this release.
What’s New in VMware GemFire 9.15.4
Released: February 14, 2023
VMware GemFire 9.15.4 is a maintenance release. See Issues Resolved in VMware GemFire 9.15.4 for details regarding issues addressed in this release.
What’s New in VMware GemFire 9.15.3
Released: November 9, 2022
VMware GemFire 9.15.3 is a maintenance release, which includes fixes for the following security issues:
- CVE-2022-23207
- CVE-2022-31690
- CVE-2022-31692
- CVE-2022-34870
- CVE-2022-40664
- CVE-2022-42003
- CVE-2022-42889
See Issues Resolved in VMware GemFire 9.15.3 for details regarding issues addressed in this release.
What’s New in VMware GemFire 9.15.2
Released: August 9, 2022
VMware GemFire 9.15.2 is a maintenance release, which includes fixes for the following security issues:
- CVE-2022-32207
- CVE-2022-25857
See Issues Resolved in VMware GemFire 9.15.2 for details regarding issues addressed in this release.
What’s New in VMware GemFire 9.15.1
Released: July 27, 2022
VMware GemFire 9.15.1 is a maintenance release, which includes fixes for the following security issues:
- CVE-2022-32532
- CVE-2022-2048
See Issues Resolved in VMware GemFire 9.15.1 for details regarding issues addressed in this release.
What’s New in VMware GemFire 9.15.0
Released: June 22, 2022
GemFire 9.15.0 is a new minor release that includes the following notable changes over its predecessor, GemFire v9.10:
- GemFire version numbering jumps in this release from v9.10 to v9.15 to reflect the GemFire/Geode realignment described below.
- There are no versions of GemFire numbered 9.11, 9.12, 9.13, or 9.14.
- GemFire/Geode Realignment
- The previous release of GemFire, v9.10, was based on Geode 1.12. With the GemFire 9.15 release, GemFire now incorporates all of the improvements introduced in Geode versions 1.13, 1.14, and 1.15 as well as many other important updates not present in Geode.
- Connection Reauthorization
- GemFire security has been improved by implemented authentication expiration. Authentication expiry makes it possible for cluster administrators to limit the life span of client and peer connections within the cluster. See Implementing Authentication Expiry for details.
- Default GemFire property value changed
-
The
conserve-socketsGemFire property’s default value has been changed fromtruetofalse. - GEODE-9982, GEM-3509: protocol alignment/client-server handshake fix
- GemFire Native Client applications must be upgraded to at least version 10.2.7 before upgrading the GemFire server to v9.15.
- Experimental Redis Adapter removed
- The experimental Redis Adapter was removed from the VMware GemFire release. It will be replaced by a stand-alone add-on.
- TLSv1.1 deprecated
- TLS 1.0 and 1.1 have been deprecated by the Internet Engineering Task Force (IETF) as of March 25,2021. GemFire utilizes the Java Runtime for TLS, so ensure your Java RunTime has been updated to ensure TLS 1.0 and 1.1 have been mitigated.
- CVE-2021-29153 addressed
- Addresses deserialization of untrusted data vulnerability in JMX over RMI and REST APIs by configuring process-wide serialization filtering.
See Issues Resolved in VMware GemFire 9.15.0 for details regarding issues addressed in this release.
Resolved Issues
This section describes issue resolutions that significantly affect VMware GemFire applications.
Issues Resolved in VMware GemFire 9.15.12
GEM-6664: Corrected an issue where client authorization exceptions could occur when integrated security caused the server’s ClientHealthMonitor to clear a client’s proxy information but the client continued to hold and try to use the uniqueId in later operations.
GEM-7052, GEM-7284, GEM-7399: Updated spring to 5.3.34 to address CVE-2024-22243, CVE‑2024‑22259, and CVE-2024-22262.
GEM-7310: Updated spring-security to 5.8.11 to address CVE-2024-22257.
GEM-7405: Fixed an issue where, in unusual circumstances, marker messages were not distributed to all members hosting a given queue.
GEM-7437: Fixed an issue where read locks would not be released for an extended period of time after corruption of an index.
GEM-7554: Fixed an issue that caused GemFire to shut down for StackOverErrors.
Issues Resolved in VMware GemFire 9.15.11
GEM‑5302: Improved log message if index population on a LocalRegion fails.
GEM‑6689, GEM‑6900: Fixed an issue where, in rare cases, a deserialization error is reported during a WAN gateway event retry.
GEM‑6693: Fixed an issue where an index might not be created after a restart.
GEM‑6713: Updated json-path to jason-path 2.9.0 to address CVE-2023-51074.
Issues Resolved in VMware GemFire 9.15.10
GEM-5395: GemfireHttpSession and DeltaQueuedSessionAttributes were replicating incorrectly, causing accesses in one container to overwrite changes made concurrently in another container.
GEM‑6289: Prevents concurrency issue when reconnecting with durable clients after server failure.
GEM‑6309: Resolved issue where GemFire Pulse did not work with Azure Active Directory because Spring OAuth security was incorrectly interpreting roles set by oAuth provider.
GEM‑6494: Fixed issue where threadStarts were reported as threadCreates.
GEM‑6495: Corrects descriptions in DistributionStats.
GEM‑6502: CacheClientProxy.waitRemoval now throws a TimeoutException after a configurable timeout period. Exceeding this timeout period results in a warning logged on the server and a response sent to the client that its request failed. By default, the timeout is 59,000 milliseconds. This timeout can be configured on a server by setting the gemfire.queueInitializationTimeoutMs system property.
GEM‑6575: Fixed a race condition that caused threads named “Client Queue Initialization Thread” to hang forever in CacheClientProxy.waitRemoval.
GEM‑6627: Prevents a race condition that can cause NullPointerException during cluster membership changes.
GEM‑6455: Updated Jetty from 9.4.52.v20230823 to 9.4.53.v20231009 to address CVE-2023-36478.
GEM‑6634: Updated springdoc-openapi-ui from 1.6.8 to 1.6.15 to address CVE-2023-34055.
GEM‑6646: Updated spring-boot from 2.6.15 to 2.7.18 to address CVE-2023-20873.
GEM‑6675: Updated shiro from 1.12.0 to 1.13.0 to address CVE-2023-46750.
Issues Resolved in VMware GemFire 9.15.9
GEM-6251: The result of COUNT in the projection of a SELECT expression is no longer limited by the LIMIT in an OQL query. This also applies to default limits imposed by JMX queries (e.g. Pulse) and queries in gfsh.
GEM-6268: When a client requests server details, the server presents a list of available locators to field the request. In prior releases, the locator list was sorted, so in practice clients often sent their requests to the same locator. To improve load-balancing, the list of available locators is now shuffled by default so such requests will be fielded by randomly chosen locators.
To restore the earlier behavior, set the property following property:
locator.gemfire.sort-locator-list=true
GEM-6265: Fixed an issue that resulted in loss of persistent data when a member was forced out of the cluster during persistent disk store recovery and the system property gemfire.disk.recoverValuesSync was set to true.
GEM-6314: Adds support for DNS reverse-lookup returning a hostname terminated by a trailing period.
GEM-6360: Improved locator statistics to reflect the types of requests the locator is receiving.
GEM-6362: Updated Jetty library from version 9.4.51 to 9.4.52 to address CVE-2023-36479, CVE-2023-40167, and CVE-2023-41900.
GEM-6366: Updated Spring-security library from version 5.8.5 to 5.8.7 to address BDSA-2023-2481.
Issues Resolved in VMware GemFire 9.15.8
GEM-6031: Presence or absence of an index no longer causes a query with trivially false conditions to behave differently.
GEM-6053: The first backup on a restarted member now performs an incremental backup, if appropriate, instead of defaulting to a full backup.
GEM-6113: Improved termination of ‘register interest’ subscriptions to avoid retaining unused threads.
GEM-6170: Ensures region metadata is updated correctly when destroying a colocated region.
GEM-6191: Ensures termination of a function thread left waiting after failing to contact a disconnected client.
GEM‑6232: GemFire statistics now reports the correct value for actualRedundantCopies in cases where the actual number is lower than the configured number.
Issues Resolved in VMware GemFire 9.15.7
GEM-4219: Repaired a memory leak in transaction memory lock lists that was triggered by a CommitConflictException from another node.
GEM-4717: Fixed an issue in which increases to custom entry-idle-time and entry-time-to-live settings were being ignored.
GEM-5586: Upgraded Spring Boot librararies from 2.6.7 to 2.6.15. This addresses CVE-2023-20883.
GEM-5773: Improved the gfsh create region command to identify a partitioned region using --local-max-memory=0 as a proxy region.
Issues Resolved in VMware GemFire 9.15.6
GEM-3686: Log messages have been added that warn when the system reaches the configured limits MAX_THREADS, MAX_PR_THREADS, and MAX_FE_THREADS.
GEM-5117, GEM-5347: Resolved issues in Pulse that could lead to wrong query results being displayed when results include null, duplicate Undefined values, or duplicate PdxInstance values.
GEM-5390, GEM-5406, GEM-5407: Updated Spring Framework from 5.3.26 to 5.3.27, Jetty libraries from 9.4.48.v20220622 to 9.4.51.v20230217, and Spring Security libraries from 5.8.1 to 5.8.3. These updates address the following CVEs:
- CVE-2023-20862
- CVE-2023-20863
- CVE-2023-26048
- CVE-2023-26049
GEM-5412: Fixed an issue in which some rare queries that use indexes could flip an OR clause to an AND clause.
GEM-5418: Fixed a serialization error that could occur when executing a query through gfsh that resulted in empty JSON objects being returned.
Issues Resolved in VMware GemFire 9.15.5
GEM-5022: Fixed an issue in which the server mistakenly determined that the specified maximum allotment of available client connections had been exhausted.
GEM-5117, GEM-5330: Resolved an issue affecting gfsh-initiated OQL queries in serializing POJOs for conversion to JSON strings.
GEM-5217: Improved serialization filter speed.
GEM-5253: Upgraded library commons-fileupload from version 1.4 to 1.5. This addresses CVE-2023-24998.
GEM-5262: Improved performance of readSerializable when serializable-object-filter is set.
GEM-5318: Upgraded library snakeyaml from version 1.31 to 2.0. This addresses CVE-2022-1471.
GEM-5327: Updated library json-smart from version 2.4.7 to 2.4.10 to address CVE-2023-20860.
GEM-5335: Updated several Spring Framework components from version 5.3.20 to 5.3.26 to address CVE-2023-20860.
Issues Resolved in VMware GemFire 9.15.4
GEM-1234: Resolves an issue where Durable client receives one fewer event than expected.
GEM-4096: Improves the accuracy of the aggregate Read/Sec rate displayed in Pulse.
GEM-4560: Upgrades ClassGraph to version 4.8.152 to address issues with required classes not being loaded correctly from Windows UNC locations.
GEM-4681: Resolves a race condition that can lead to the JMX Manager missing events during startup.
GEM-4800: Resolves NullPointerException using JTA transaction when server processes a failed commit due to HA after already processing the same commit earlier. Also resolves a stuck threads issue on servers when JTA failed with SynchronizationCommitConflictException.
GEM-4864: Allows gfsh connections between different major versions of GemFire.
GEM-4922: Improves clarity of the gfsh connect command listing of gfsh and server versions.
GEM-5107: Improves Partitioned Region rebalance efficiency by adding a MAX_PARALLEL_REBALANCE_OPERATIONS parameter, which controls how many buckets GemFire will move in parallel as part of a rebalance. For GemFire 9.15, the default is 1. See Rebalancing Partitioned Region Data for details.
GEM-5111: Improves security posture of web services.
GEM-5141: Fixes an issue that blocked recovering persistent file with old ordinals.
GEM-5142: Improves write times on disk stores by optimizing the request for file position to reduce the number of system calls.
GEM-5143: Improves persistent region performance by removing unneeded locking during creation of the oplog key file (.krf).
GEM-5144: Upgrades Apache Shiro from version 1.10.0 to 1.11.0.
GEM-5151: Improves redundancy recovery performance with the disk store by reducing the number of threads actively contending for the disk store.
GEM-5152: By default, GemFire cancels a long-running query 5 hours after it is invoked. The user can modify this timeout by specifying a MAX_QUERY_EXECUTION_TIME system property or by configuring a memory limit using critical-heap-percentage. This modification improves system response to a query that exceeds its specified limits by allowing it to be canceled during its compilation phase.
GEM-5177: The gfsh restore redundancy operation now reports success, rather than a “NO_REDUNDANT_COPIES” error, for regions that contain no buckets.
GF4TAS-181: Addresses NullPointerException thrown from gfsh when query results included null value.
Issues Resolved in VMware GemFire 9.15.3
GEM-4571: The Class-Path entry has been removed from the manifests of all jars except dependency jars.
GEM-4647: Updated FasterXML Jackson Databind to version 2.13.4.2. This addresses CVE-2022-42003.
GEM-4657: PDXToJson and JsonWriter can now generate JSON for POJOs.
GEM-4703: Updated Apache Shiro to version 1.10.0. This addresses CVE-2022-40664.
GEM-4710: Updated Apache commons-text to version 1.10.0. This addresses CVE-2022-42889.
GEM-4827: Updated spring-security to version 5.6.9. This addresses CVE-2022-31690 and CVE-2022-31692.
Issues Resolved in VMware GemFire 9.15.2
GEM-2230: Fixed a hang that occurred during initialization in fixed partitioning when the configured primary bucket is still being initialized.
GEM-3785: Restore the ability to add custom classLoaders at runtime. Usage:
ClassPathLoader.getLatest().addUserDefinedClassloader(newClassLoader);
This allows the addition of user defined ClassLoaders. It does not allow for the removal of ClassLoaders. Restart is required to remove the user-defined ClassLoaders.
GEM-4398: Fixed a problem in the TLS handshake logic that occurred when an IPv6 address was used in the locators configuration parameter. An exception is avoided by not sending an IPv6 address as the Server Name Indication (SNI) hostname in the TLS handshake.
GEM-4383: GemFire OCI and OVA images no longer include curl. This addresses CVE-2022-32207.
GEM-4436: Upgraded snakeyaml to v1.31. This addresses CVE-2022-25857.
Issues Resolved in VMware GemFire 9.15.1
GEM-3036, GEM-3507, GEM-3691: Fixed a performance issue caused by a memberId leak in non-persistent regions.
GEM-3214: Introduce a performance improvement by increasing the default BridgeServer.HANDSHAKE_POOL_SIZE from 4 to 50.
GEM-3433: Restored the visibility of processCpuTime statistics hidden by Java 11.
GEM-3684: Removed Server: header from all HTTP responses to mitigate a potential security risk in the REST API.
GEM-3749: Each GemfireHttpSession is now sized, instead of only the first instance being sized.
GEM-3766: Fixed a case in which findDistributedMembers() throws an unsupported operation exception.
GEM-3773: Upgraded shiro to v1.9.1 to address CVE-2022-32532.
GEM-3890: Upgraded jetty to v9.4.48 to address CVE-2022-2048.
Issues Resolved in VMware GemFire 9.15.0
GEODE-10301 Added the jackson-datatype-jsr310 and jackson-datatype-joda libraries to allows users with java.time types (such as LocalDateTime, LocalDate, and LocalTime) in their query result fields to have the formatting those libraries provide.
GEODE-9991, GEM-3361: Some upgrade paths to VMware GemFire 9.15 may result in members not restarting due to “SSLv2Hello is not enabled”. The upgrade instructions (Upgrading to v9.15) provide details on which applications might encounter this problem, and steps to take in order to prevent it from occurring.
GEODE-9451: Implemented authentication expiration.
GEODE-8778: Changed the default value of the conserve-sockets to “false” to conform with the majority of implementations. If your application relies on an unspecified “true” default, modify your code to specify the value explicitly.
GEM-3237: Addresses CVE-2021-29153, deserialization of untrusted data vulnerability in JMX over RMI and REST APIs, by configuring process-wide serialization filtering when the system property --J=-Dgeode.enableGlobalSerialFilter=true is supplied.
Known Issues
GemFire 9.15 has the following known issues:
GEM-5473: In a rare condition a deadlock and hung operations can occur during a server restart when two servers become primary for the same bucket. The cause can be verified by issuing the gfsh show metrics command and looking at the primaryBucketCount output and comparing it with the expected number of buckets. The workaround is to kill one of the affected nodes that is stuck waiting to acquire a lock on a class in org.apache.geode.internal.cache.entries.
Support
General support includes security vulnerability resolutions and critical bug fixes in all supported minor versions, while other maintenance is applied only to the latest supported minor release.
Obtaining and Installing Security Updates
New versions of VMware GemFire often include important security fixes, so VMware recommends that you keep up to date with the latest releases.
For details about any security fixes in a particular release, see the Application Security Team page.
