
geode

rel/v1.15.4 Security

This release includes 2 security fixes, both in third-party dependencies (Log4j and Jackson). It is relevant to security teams reviewing exposed deployments.

Published 4d ago (category: Caching)
This release patches one known CVE (CVE-2026-34478, Log4j) and one Snyk-tracked advisory (SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551, Jackson Core).

Topics

apache datagrid geode

Affected surfaces

deps

ReleasePort's take

Moderate signal
editorial:auto 4d

The release upgrades Log4j to 2.25.4, Jackson Core to 2.21.2 and Jackson Annotations to 2.21, fixing CVE‑2026‑34478 (CRLF log injection in Log4j) and a denial‑of‑service flaw in Jackson Core.

Why it matters: the page rates CVE‑2026‑34478 as critical, but the exposed surface is narrow: only deployments that emit logs through Log4j's Rfc5424Layout to a stream-based syslog receiver, and that log fields carrying untrusted input, can have records forged by CRLF sequences. Upgrading Log4j to 2.25.4 or later closes that path. Upgrading Jackson Core to 2.21.2 resolves a denial‑of‑service issue in which oversized JSON documents bypassed the document length limit (SNYK‑JAVA‑COMFASTERXMLJACKSONCORE‑15907551).

Summary

AI summary

Upgraded Log4j and Jackson dependencies to fix CVE-2026-34478 log injection and a denial‑of‑service vulnerability.

Changes in this release

Security Critical

Upgraded Log4j from 2.25.3 to 2.25.4, fixing CVE-2026-34478 CRLF log injection vulnerability.

Source: llm_adapter@2026-05-30

Confidence: high

Security High

Upgraded Jackson Core from 2.18.6 to 2.21.2 and Jackson Annotations to 2.21, fixing the SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551 denial-of-service vulnerability.

Source: llm_adapter@2026-05-30

Confidence: high

Full changelog

This release addresses security vulnerabilities in Log4j and Jackson dependencies.

Highlights

  • Log Injection Remediation: Remediated CVE-2026-34478 — Improper Output Neutralization for Logs in Log4j Rfc5424Layout via CRLF injection. Log4j Core versions 2.21.0 through 2.25.3 are vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes (CWE-117, CWE-684), affecting users of stream-based syslog services. Upgraded Log4j from 2.25.3 to 2.25.4 (GEODE-10580 #8006)
  • Denial of Service Remediation: Fixed Allocation of Resources Without Limits or Throttling in Jackson Core, where oversized JSON documents could bypass the document length limit (SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551). Upgraded Jackson Core from 2.18.6 to 2.21.2 and Jackson Annotations to 2.21 (GEODE-10576 #8003)
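The mechanism behind the Log4j item above, as an added example that is not Log4j's or Geode's code: a deliberately simplified model of an RFC 5424 line layout writing to a newline-framed stream syslog receiver. It shows how a message containing CR LF, emitted verbatim, is split by the receiver into a forged second record, and how escaping CR and LF (the CWE-117 neutralization) keeps the attacker's text inside one record where it can be spotted. The header values, app name and attacker string are constructed for the demo; the layout does not reproduce Log4j's Rfc5424Layout or the configuration attributes the advisory refers to.

```python
# Added example (not Geode's or Log4j's code): a simplified model of
# CRLF log injection (CWE-117) against a stream-based RFC 5424 syslog sink.
# Header values and the attacker string are constructed for the demo.

PRI = "<14>"  # facility user(1) * 8 + severity informational(6)
HEADER = f"{PRI}1 2026-05-30T00:00:00Z geode-host geode - - -"  # constructed


def neutralize(msg: str) -> str:
    """Escape the record delimiters so untrusted text cannot start a new record."""
    return msg.replace("\r", "\\r").replace("\n", "\\n")


def layout(msg: str, escape: bool) -> str:
    """Format one record as a newline-terminated syslog line (RFC 6587
    non-transparent framing). escape=False models a layout that emits
    untrusted text verbatim; escape=True models the neutralized behaviour."""
    if escape:
        msg = neutralize(msg)
    return f"{HEADER} {msg}\n"


def receiver(stream: str) -> list[str]:
    """Model of a stream syslog receiver: one record per LF-delimited line."""
    return [line.rstrip("\r") for line in stream.split("\n") if line]


def records_for(user_input: str, escape: bool) -> list[str]:
    """Log a failed-login event whose user field is attacker-controlled and
    return the records the receiver would store."""
    return receiver(layout(f"login failed user={user_input}", escape))


def flag_escaped_injection(records: list[str]) -> list[str]:
    """Detection aid for the neutralized path: an injection attempt survives
    as a literal '\\r\\n' or '\\n<' sequence inside a single record."""
    return [r for r in records if "\\r\\n" in r or "\\n<" in r]


# Constructed attacker input: a username carrying a CRLF followed by a
# complete forged header, so a verbatim layout yields a second record
# claiming that `admin` logged in successfully.
ATTACKER_INPUT = "alice\r\n" + f"{HEADER} login ok user=admin"

if __name__ == "__main__":
    for record in records_for(ATTACKER_INPUT, escape=False):
        print("verbatim:", record)
    fixed = records_for(ATTACKER_INPUT, escape=True)
    print("escaped :", fixed[0])
    print("flagged :", flag_escaped_injection(fixed))
```

On the verbatim path the receiver stores two records and the second one is indistinguishable from a genuine login event; on the escaped path there is a single record, and the literal `\r\n<` sequence it now contains is a usable SIEM signature for injection attempts.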

Full Changelog: https://github.com/apache/geode/compare/rel/v1.15.3...rel/v1.15.4

Security Fixes

  • CVE-2026-34478 — Fixed Log4j Rfc5424Layout CRLF injection vulnerability by upgrading Log4j from 2.25.3 to 2.25.4
  • SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551 — Fixed denial‑of‑service via unbounded JSON document size by upgrading Jackson Core from 2.18.6 to 2.21.2 and annotations to 2.21
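A way to check an installed Geode (or any Java) deployment against the two fixes listed above, as an added example that is not Geode's own tooling: it parses jar file names of the form artifact-version.jar and reports any log4j-core in the affected range 2.21.0 through 2.25.3 (fixed in 2.25.4) and any jackson-core below 2.21.2. The Log4j range is taken from the release notes; the Jackson rule is an assumption, since the notes name only the fixed version and not the affected range, so it flags everything older than 2.21.2. The sample listing is constructed; the `audit_dir` helper and the jar naming convention are the example's own.

```python
# Added example (not Geode's code): audit a lib/ directory, or any list of
# jar names, against the two dependency fixes shipped in rel/v1.15.4.
# Assumption: jars are named artifact-version.jar. The Jackson rule treats
# every version below the fixed one as unfixed (no affected range is given).
import os
import re

JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d+(?:\.\d+)+)\.jar$")

# artifact -> (first affected version or None, first fixed version, advisory)
FIXES = {
    "log4j-core": ((2, 21, 0), (2, 25, 4), "CVE-2026-34478"),
    "jackson-core": (None, (2, 21, 2), "SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551"),
}


def parse_version(text: str) -> tuple[int, ...]:
    """'2.25.3' -> (2, 25, 3); tuples compare element-wise like versions."""
    return tuple(int(part) for part in text.split("."))


def audit(jar_names: list[str]) -> list[tuple[str, str, str]]:
    """Return (jar, advisory, remediation) for every jar whose version falls
    inside an affected range. Names that do not parse (snapshots, odd builds)
    are skipped and must be checked by hand."""
    findings = []
    for name in jar_names:
        match = JAR_RE.match(name)
        if not match:
            continue
        rule = FIXES.get(match.group("artifact"))
        if rule is None:
            continue
        affected_from, fixed, advisory = rule
        version = parse_version(match.group("version"))
        if version >= fixed:
            continue
        if affected_from is not None and version < affected_from:
            continue
        findings.append((name, advisory, "upgrade to " + ".".join(map(str, fixed))))
    return findings


def audit_dir(lib_dir: str) -> list[tuple[str, str, str]]:
    """Audit the jars in a real directory, e.g. <geode-home>/lib."""
    return audit(sorted(os.listdir(lib_dir)))


# Constructed listing resembling a pre-upgrade (1.15.3-era) lib/ directory.
SAMPLE_LIB = [
    "geode-core-1.15.3.jar",
    "jackson-annotations-2.18.6.jar",
    "jackson-core-2.18.6.jar",
    "jackson-databind-2.18.6.jar",
    "log4j-api-2.25.3.jar",
    "log4j-core-2.25.3.jar",
]

if __name__ == "__main__":
    for jar, advisory, action in audit(SAMPLE_LIB):
        print(f"{jar}: {advisory} ({action})")
```

Run `audit_dir("/path/to/geode/lib")` on a host to get the same report for a real install; a clean result only means the two advisories on this page are covered, not that the rest of the classpath is current.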


About geode: Apache Geode
