5.8.0 Release notes
These release notes list any new features, enhancements, fixes, and breaking changes implemented between version 5.7.1 and version 5.8.0 of Hazelcast Management Center (MC).
For help downloading Hazelcast Management Center, see Installing and Starting Management Center.
New features
-
Console support: If you are experiencing any issues using the Command Line Client (CLC) in Management Center, there is a new option to switch from the CLC-based console to the original console. You can enable this by setting the environment variable
HAZELCAST_MC_ORIGINAL_CONSOLE_ENABLED
totrue
.For more information, see Executing console commands.
Security
-
Security Fix for CVE-2024-47554 – Uncontrolled resource consumption vulnerability in Apache Commons IO: We have resolved CVE-2024-47554, a high-severity vulnerability in Apache Commons IO where the
XmlStreamReader
class could excessively consume CPU resources when processing maliciously crafted input. This issue affected versions 2.0 up to but not including 2.14.0. The vulnerability has been mitigated by upgrading to a version that includes Apache Commons IO 2.14.0 or later. -
Security Fix for CVE-2025-22235 – Improper input validation vulnerability in Spring Boot: We have resolved CVE-2025-22235, a medium-severity vulnerability in Spring Boot where
EndpointRequest.to()
could create a matcher fornull/**
if the targeted actuator endpoint was disabled or not exposed. This misconfiguration could unintentionally leave the/null
path unprotected if it was handled by the application and expected to be secured. The issue has been addressed by upgrading to Spring Boot version 3.4.5. -
Security Fix for CVE-2025-22228 – Authentication bypass vulnerability in Spring Security Crypto: We have resolved CVE-2025-22228, a high-severity vulnerability in Spring Security’s
BCryptPasswordEncoder
where thematches()
function would incorrectly return true for passwords longer than 72 characters, provided the first 72 characters matched. This flaw could allow attackers to bypass authentication checks by exploiting password truncation. The vulnerability has been mitigated by upgrading to spring-security-crypto version 6.4.5.
Breaking changes
-
Changes to Prometheus Exporter metrics v2 (BETA): The following changes have been implemented to Prometheus Exporter metrics v2, which are currently in BETA:
Note: There are no changes to the format of v1 metrics. All v1 metrics start with
hz_
and all v2 metrics start withhazelcast_
. For more information, see Prometheus metrics.
The following Prometheus Exporter metrics v2 have been renamed:
Version 5.7.x | Version 5.8.0 |
---|---|
hazelcast_map_backups |
hazelcast_map_backups_total |
hazelcast_map_entries_backup |
hazelcast_map_backup_entries_total |
hazelcast_map_entries_backup_memory_cost |
hazelcast_map_backup_entries_memory_cost_bytes |
hazelcast_map_entries_dirty |
hazelcast_map_dirty_entries_total |
hazelcast_map_evictions |
hazelcast_map_evictions_total |
hazelcast_map_expirations |
hazelcast_map_expirations_total |
hazelcast_map_queries_indexed |
hazelcast_map_indexed_queries_total |
hazelcast_map_entries_locked |
hazelcast_map_locked_entries_total |
hazelcast_map_events |
hazelcast_map_events_total |
hazelcast_map_entries_owned |
hazelcast_map_owned_entries_total |
hazelcast_map_entries_owned_memory_cost |
hazelcast_map_owned_entry_memory_cost_bytes |
hazelcast_map_queries |
hazelcast_map_queries_total |
hazelcast_map_hits |
hazelcast_map_hits_total |
hazelcast_map_latency_total_seconds |
hazelcast_map_latency_seconds_total |
hazelcast_map_index_hits |
hazelcast_map_index_hits_total |
hazelcast_map_index_inserts |
hazelcast_map_index_inserts_total |
hazelcast_map_index_memory_cost |
hazelcast_map_index_memory_cost_bytes |
hazelcast_map_index_queries |
hazelcast_map_index_queries_total |
hazelcast_map_index_removes |
hazelcast_map_index_removes_total |
hazelcast_map_index_latency_total_seconds |
hazelcast_map_index_latency_seconds_total |
hazelcast_map_index_updates |
hazelcast_map_index_updates_total |
hazelcast_set_creation_timestamp |
hazelcast_set_creation_timestamp_seconds |