The Apache Geode community is pleased to announce the availability of Apache Geode 1.15.4.
Geode is a data management platform that provides a database-like consistency model, reliable transaction processing and a shared-nothing architecture to maintain very low latency performance with high concurrency processing.

Apache Geode 1.15.4 remediates security vulnerabilities in its Log4j and Jackson dependencies.

Highlights

- Log Injection Remediation: Remediated CVE-2026-34478: Improper Output Neutralization for Logs in Log4j Rfc5424Layout via CRLF injection. Log4j Core versions 2.21.0 through 2.25.3 are vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes (CWE-117, CWE-684), affecting users of stream-based syslog services. Upgraded Log4j from 2.25.3 to 2.25.4 (GEODE-10580 #8006)

- Denial of Service Remediation: Fixed Allocation of Resources Without Limits or Throttling in Jackson Core allowing oversized JSON documents to bypass document length limits (SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551). Upgraded Jackson from 2.18.6 to 2.21.2, annotations to 2.21 (GEODE-10576 #8003)

Users are encouraged to upgrade to the latest 2.0.x release (currently 2.0.2).

For the full list of changes please review the release notes at:
https://cwiki.apache.org/confluence/display/GEODE/Release+Notes#ReleaseNotes-1.15.4

Release artifacts and documentation can be found at the project website:
https://geode.apache.org/releases/
https://geode.apache.org/docs/guide/115/about_geode.html

We would like to thank all the contributors that made the release possible.

Best regards,
Jinwoo Hwang on behalf of the Apache Geode team
SAS® Research and Development
http://JinwooHwang.com
