The Apache Geode community is pleased to announce the availability of Apache Geode 2.0.2.

Geode is a data management platform that provides a database-like consistency model, reliable transaction processing and a shared-nothing architecture to maintain very low latency performance with high concurrency processing.

Apache Geode 2.0.2 addresses security vulnerabilities across multiple dependencies, including Log4j, Jackson, Bouncy Castle, and HttpCore5.

Highlights

- Log Injection Remediation: Remediated CVE-2026-34478 - Improper Output Neutralization for Logs in Log4j Rfc5424Layout via CRLF injection (GEODE-10579 #8005)
- Denial of Service Remediation: Fixed Allocation of Resources Without Limits or Throttling in Jackson Core allowing oversized JSON documents to bypass document length limits (GEODE-10575 #8002, GEODE-10576 #8003)
- Critical Security Patches: Remediated CVE-2026-0636, CVE-2026-5598, and CVE-2025-14813 in Bouncy Castle transitive dependency (GEODE-10583 #8008)
- Denial-of-service (DoS) Fixes: Remediated CVE-2025-8671 in HttpCore5 and HttpCore5-H2 (GEODE-10577 #8004)

Users are encouraged to upgrade to this latest release.

For the full list of changes, please review the release notes at:
https://cwiki.apache.org/confluence/display/GEODE/Release+Notes#ReleaseNotes-2.0.2

Release artifacts and documentation can be found at the project website:
https://geode.apache.org/releases/
https://geode.apache.org/docs/guide/20/about_geode.html

We would like to thank all the contributors that made the release possible.

Best regards,
Jinwoo Hwang on behalf of the Apache Geode team
SAS® Research and Development
http://JinwooHwang.com
