5.5.6 Release Notes

These release notes list any new features, enhancements, fixes, and breaking changes implemented between version 5.5.5 and version 5.5.6 of Hazelcast Platform.

Release date: 2025-05-19

This is a maintenance release for Enterprise Edition.

For help downloading Hazelcast Enterprise Edition, see Installing Hazelcast Enterprise Edition or request a trial license key.

Security

  • Updated exception handling for non-existent JAAS classes: Resolved an issue where specifying a non-existent class for JAAS configuration did not result in an appropriate exception being logged. Previously, this caused a lack of visibility into configuration errors, making it harder to diagnose issues. The fix ensures that when a non-existent class is specified for JAAS, an InvalidConfigurationException is properly logged in the server logs, replacing the incorrect reference to ClassNotFoundException.

  • Security Fix for CVE-2025-31651 - Improper neutralization of escape, meta, or control sequences vulnerability in Apache Tomcat: We have resolved CVE-2025-31651, a critical vulnerability in Apache Tomcat where, for a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules.

  • Security Fix for CVE-2025-24813 - Remote code execution and/or information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat: We have resolved CVE-2025-24813, a critical vulnerability in Apache Tomcat where in some circumstances a malicious user was able to view security sensitive files and/or inject content into those files.

  • Security Fix for CVE-2025-31650 - Improper input validation vulnerability in Apache Tomcat: We have resolved CVE-2025-31650, a high-severity vulnerability in Apache Tomcat where incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request, which created a memory leak.

  • Security Fix for CVE-2024-38286 - Allocation of resources without limits or throttling vulnerability in Apache Tomcat: We have resolved CVE-2024-38286, a high-severity vulnerability in Apache Tomcat that, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

Fixes

  • Fixed TTL eviction issue for entries loaded from MapLoader: Resolved an issue where entries loaded from a MapLoader into an IMap with TTL-based eviction enabled were not evicted after the configured TTL. This caused entries to persist indefinitely, contrary to the expected behavior where such entries should expire after the TTL. The fix restores the correct behavior, ensuring that entries loaded from a MapLoader respect the configured TTL and are evicted as expected.

  • Fixed inconsistency between map.size() and map.keySet().size() when ExpirationPolicy throws an exception: Resolved an issue where a discrepancy could occur between map.size() and map.keySet().size() when an ExpirationPolicy threw an exception. This issue was triggered in scenarios where an index was defined for a non-existing field, causing an error during indexing without affecting the storage of entries. The fix ensures that map.size() and map.keySet().size() remain consistent, even in cases where exceptions are thrown during expiration or indexing.

  • Fixed exception when using CREATE MAPPING with SQL statement-timeout-millis configured: Resolved an issue where setting a non-zero value for statement-timeout-millis in the SQL configuration caused exceptions for statements that do not support timeouts, such as CREATE MAPPING. Previously, executing such statements would result in a descriptive but unnecessary exception (CREATE MAPPING does not support timeout), which could prevent client applications from starting if CREATE MAPPING was part of the initialization process. The fix ensures that non-timeout-supported statements like CREATE MAPPING succeed as expected, regardless of the statement-timeout-millis configuration.

  • Fixed issue with hot backup failing after changing the backup folder during a rolling restart: Resolved an issue where hot backups would fail if the underlying backup folder was changed during a rolling restart and a hot backup was subsequently initiated from Management Center (MC). This fix ensures that hot backups function correctly even after the backup folder is updated during a rolling restart.

  • Fixed server exception caused by clients connecting to non-CP clusters with cp-direct-to-leader-routing enabled: Resolved an issue where a client connecting to a non-CP cluster with cp-direct-to-leader-routing: true would trigger an exception in the server logs after 60 seconds. The exception (HazelcastException: CP Subsystem is not enabled!) caused unnecessary confusion for users. This fix ensures that clients with cp-direct-to-leader-routing enabled no longer trigger server exceptions when connected to non-CP clusters.

  • Improved client error message for unsupported CP subsystem in Community Edition clients: Resolved an issue where a Community Edition client attempting to interact with an Enterprise Edition cluster using the CP subsystem would produce a misleading error message: "CP subsystem is a licensed feature. Please ensure you have an Enterprise license that enables CP." The error incorrectly suggested a licensing issue with the cluster, rather than indicating the actual problem with the client. The fix updates the error message to clearly indicate that the issue lies with the client, helping users identify and resolve the problem of using an incompatible client package more easily.

  • Fixed misleading warning about enabling Merkle trees when already enabled: Resolved an issue where a warning was logged suggesting that Merkle trees should be enabled, even when they were already enabled. This issue caused unnecessary and confusing log messages. The fix ensures that the warning is not produced when Merkle trees are already enabled, improving clarity in the logs.

  • Fixed performance degradation for large input lengths in ByteArrayObjectDataOutput: Resolved an issue where providing an input length greater than Integer.MAX_VALUE / 2 caused significant performance degradation (up to 100x). This was due to the buffer resizing in small increments instead of a single large increment, as the doubling strategy would overflow and result in a negative value. The fix ensures that in cases of overflow, the buffer length is set to MAX_ARRAY_SIZE, which is approximately the largest supported array size in the JVM.

  • Fixed issue with SSL property configuration using environment variables: Resolved an issue where SSL properties could not be configured through environment variables (e.g., in Docker) because all property keys were converted to lowercase during processing. This behavior, while appropriate for most configuration options, broke SSL functionality. The fix ensures that SSL properties are handled correctly, enabling proper SSL configuration through environment variables.

  • Fixed handling of DestroyQueryCacheOperation after cache configuration removal: Resolved an issue where calling DestroyQueryCacheOperation after a cache configuration was removed resulted in a NullPointerException. The fix ensures that a NullPointerException is no longer thrown in this scenario. Instead, the operation now handles the exception gracefully and logs a finest-level entry, improving robustness and debuggability of cache operations.

  • Improved latency distribution tracking for InvocationProfiler and OperationProfiler: Enhanced the InvocationProfiler and OperationProfiler DiagnosticPlugins to record latency distributions with finer granularity by distinguishing operations wrapped in the OperationFactoryWrapper class. This improvement provides better visibility into cluster activity and helps diagnose performance issues more effectively.

  • Fixed handling of expired entries when depopulating global indexes: Resolved an issue where expired entries were skipped during the cleanup of global indexes on migration source nodes. This caused query threads to encounter dangling pointers in the index, leading to JVM crashes. The fix ensures that expired entries are included when depopulating global indexes, preventing such crashes and improving system stability.
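
The ByteArrayObjectDataOutput fix above turns on integer overflow in a doubling growth strategy. The following is an added illustration of that failure mode and of clamping to a maximum array size; it is not Hazelcast's code, and the class name, method names, and the value chosen for MAX_ARRAY_SIZE are assumptions.

```java
public class BufferGrowthDemo {
    // Assumption: Integer.MAX_VALUE - 8, the limit conventionally used in JDK collections.
    // The release note only says MAX_ARRAY_SIZE is "approximately the largest supported array size".
    static final int MAX_ARRAY_SIZE = Integer.MAX_VALUE - 8;

    // Doubling without an overflow check: once capacity >= 2^30 the shift wraps negative,
    // max() falls back to `required`, and the buffer grows by only the bytes just requested.
    static int naiveNewCapacity(int capacity, int required) {
        return Math.max(capacity << 1, required);
    }

    // Overflow-aware variant: a wrapped or oversized doubling jumps straight to MAX_ARRAY_SIZE.
    static int safeNewCapacity(int capacity, int required) {
        if (required < 0 || required > MAX_ARRAY_SIZE) {
            throw new OutOfMemoryError("Required capacity exceeds maximum array size");
        }
        int doubled = capacity << 1;
        if (doubled < 0 || doubled > MAX_ARRAY_SIZE) {
            return MAX_ARRAY_SIZE;
        }
        return Math.max(doubled, required);
    }

    // Simulates `writes` appends of `chunk` bytes to a full buffer and counts reallocations.
    // Only sizes are tracked; no multi-gigabyte array is actually allocated.
    static int countResizes(int startCapacity, int chunk, int writes, boolean safe) {
        int capacity = startCapacity;
        long used = startCapacity;
        int resizes = 0;
        for (int i = 0; i < writes; i++) {
            long required = used + chunk;
            if (required > MAX_ARRAY_SIZE) {
                throw new OutOfMemoryError("Simulated buffer would exceed maximum array size");
            }
            if (required > capacity) {
                capacity = safe ? safeNewCapacity(capacity, (int) required)
                                : naiveNewCapacity(capacity, (int) required);
                resizes++;
            }
            used = required;
        }
        return resizes;
    }

    public static void main(String[] args) {
        int start = (Integer.MAX_VALUE / 2) + 1;   // constructed input: just past the overflow threshold
        System.out.println("naive resizes: " + countResizes(start, 4096, 1000, false));
        System.out.println("safe resizes:  " + countResizes(start, 4096, 1000, true));
    }
}
```

With the constructed input, the naive path reallocates on every write while the overflow-aware path reallocates once. In a real buffer each reallocation copies the whole array, which is where the slowdown comes from.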