This release addresses security vulnerabilities in Log4j and Jackson dependencies.
Highlights
- Log Injection Remediation: Remediated CVE-2026-34478 — Improper Output Neutralization for Logs in Log4j Rfc5424Layout via CRLF injection. Log4j Core versions 2.21.0 through 2.25.3 are vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes (CWE-117, CWE-684), affecting users of stream-based syslog services. Upgraded Log4j from 2.25.3 to 2.25.4 (GEODE-10580 #8006)
- Denial of Service Remediation: Fixed Allocation of Resources Without Limits or Throttling in Jackson Core allowing oversized JSON documents to bypass document length limits (SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551). Upgraded Jackson from 2.18.6 to 2.21.2, annotations to 2.21 (GEODE-10576 #8003)
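A way to check a deployment's library directory against the versions named above, as an added example that is not part of the Geode release or its tooling. It assumes conventional Maven jar file names (`log4j-core-<version>.jar`, `jackson-core-<version>.jar`); the function names and status labels are illustrative.

```python
import re
from pathlib import Path

# From the release notes above: Log4j Core 2.21.0 through 2.25.3 is affected
# by CVE-2026-34478; this release ships Log4j 2.25.4 and Jackson 2.21.2.
LOG4J_AFFECTED = ((2, 21, 0), (2, 25, 3))
SHIPPED = {"log4j-core": (2, 25, 4), "jackson-core": (2, 21, 2)}

# Assumption: Maven-style jar naming, <artifact>-<version>[-qualifier].jar
JAR_RE = re.compile(
    r"^(log4j-core|jackson-core)-(\d+(?:\.\d+){1,2})(-[A-Za-z0-9.]+)?\.jar$"
)


def parse_jar(filename):
    """Return (artifact, version_tuple, qualifier), or None if not tracked."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    parts = [int(p) for p in m.group(2).split(".")]
    parts += [0] * (3 - len(parts))  # "2.21" compares as 2.21.0
    return m.group(1), tuple(parts), m.group(3)


def classify(filename):
    """Status labels (illustrative): affected, older-than-release, current, review."""
    parsed = parse_jar(filename)
    if parsed is None:
        return None
    artifact, version, qualifier = parsed
    if qualifier:  # SNAPSHOT/rc ordering is not modelled; needs a manual look
        return "review"
    low, high = LOG4J_AFFECTED
    if artifact == "log4j-core" and low <= version <= high:
        return "affected"
    if version < SHIPPED[artifact]:
        # The notes give no affected range for Jackson, so an older jar is
        # reported as behind this release, not as vulnerable.
        return "older-than-release"
    return "current"


def audit(lib_dir):
    """Map each tracked jar under lib_dir (recursive) to its status."""
    results = {}
    for jar in sorted(Path(lib_dir).rglob("*.jar")):
        status = classify(jar.name)
        if status is not None:
            results[str(jar.relative_to(lib_dir))] = status
    return results
```

Call `audit()` with the path to the directory that holds the deployment's jars; any `affected` entry is a Log4j Core jar inside the range stated above.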
Full Changelog: rel/v1.15.3...rel/v1.15.4