OSSEVA FOR GEMFIRE / GEODE

GemFire — patched, protected, operated.

Broadcom's GemFire pricing and support uncertainty has enterprise teams evaluating Apache Geode as the exit path. OSSeva provides CVE coverage for both GemFire 9.x/10.x and Geode 1.x/2.x, plus migration services to move from commercial GemFire to OSSeva-supported Geode.

Why now

Broadcom GemFire: escalating costs and roadmap uncertainty

Following VMware's acquisition by Broadcom, GemFire customers face the same pricing restructuring that drove RabbitMQ and Spring customers to alternatives. GemFire support costs have increased significantly, and the roadmap for the commercial product is unclear.

Apache Geode is the open-source foundation — but needs enterprise support

Apache Geode is the upstream open-source project that GemFire is built on. Running community Geode without CVE patching and compliance documentation creates the same audit exposure as any other EOL open-source component.

In-memory data grids hold session state and sensitive data

GemFire and Geode deployments frequently store session tokens, financial data, and healthcare records. CVEs in the serialization layer, security manager, or network topology represent direct data exposure risks with immediate compliance implications.

Versions covered

All versions below receive active CVE patches from OSSeva. Version numbers in monospace are exact release identifiers.

Version                            Status     Active CVEs
GemFire 9.x (Full CVE coverage)    Extended   Clean
GemFire 10.x (Full CVE coverage)   Extended   Clean
Geode 1.14.x (Full CVE coverage)   Extended   Clean
Geode 1.15.x                       Extended   Clean
Geode 2.x                          Current    Clean

What you get

Three tiers — pick the level of engagement that matches your team's operational needs and compliance requirements.

OSSeva Patch

CVE patches for GemFire and Geode. Covers both commercial and community builds.

  • Quarterly CVE patches for GemFire 9.x–10.x and Geode 1.x–2.x
  • Serialization and deserialization CVE priority coverage
  • Maven / Docker delivery
  • Signed artifacts (GPG)
  • CVE disclosure notifications
  • Architecture review
  • 24/7 managed operations

OSSeva Assure

Patch plus cluster security audit and GemFire → Geode migration planning.

  • Everything in Patch
  • Cluster topology and security configuration audit
  • Region security and access control review
  • SOC 2 / HIPAA attestation package
  • GemFire → Geode migration assessment
  • WAN replication security review
  • 24/7 managed operations

OSSeva Operate

Full MSP: 24/7 cluster monitoring, 15-min SLA, named Geode engineers.

  • Everything in Assure
  • 24/7 cluster health and memory monitoring
  • 15-minute P1 incident response SLA
  • Named senior Geode/GemFire engineer
  • Region eviction and overflow management
  • GemFire → Geode migration execution
  • Quarterly capacity planning reviews

All tiers priced per cluster/application — not per core. Contact OSSeva for pricing.

How it installs

OSSeva artifacts arrive via your existing package infrastructure. Pull the patched version the same way you pull upstream today — just from the OSSeva registry.

Maven — OSSeva Geode client (XML)
<dependency>
  <groupId>io.osseva.geode</groupId>
  <artifactId>geode-core</artifactId>
  <version>1.15.1-osseva-1</version>
</dependency>
<dependency>
  <groupId>io.osseva.geode</groupId>
  <artifactId>geode-cq</artifactId>
  <version>1.15.1-osseva-1</version>
</dependency>
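Docker — OSSeva Geode locator and server (bash)
# Create a user-defined network so the server can resolve the locator by container name
docker network create geode-net

# Start locator (10334 = locator port, 1099 = JMX manager port)
docker run -d --name geode-locator \
  --network geode-net \
  -p 10334:10334 \
  -p 1099:1099 \
  artifacts.osseva.io/apache-geode:1.15.1-osseva-1 \
  gfsh start locator --name=locator1

# Start cache server (40404 = cache server port)
# The locator address is quoted so the shell does not treat the brackets as a glob
docker run -d --name geode-server \
  --network geode-net \
  -p 40404:40404 \
  artifacts.osseva.io/apache-geode:1.15.1-osseva-1 \
  gfsh start server --name=server1 "--locators=geode-locator[10334]"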

Migrate from VMware / Broadcom GemFire

Broadcom GemFire customers seeking an exit path can migrate to OSSeva-supported Apache Geode — the open-source foundation GemFire is built on. OSSeva provides migration assessment, data migration tooling, and cluster validation to move from commercial GemFire to community Geode under enterprise support.

Pricing model

OSSeva for GemFire/Geode is priced per cluster — not per node or per stored GB. Contact for scoping.

Compliance library

  • SOC 2 Type II Attestation
  • Sample Audit Narrative
  • Pen-Test Report Summary
  • HIPAA Technical Safeguard Matrix

Each document is available on request.

Frequently asked questions

Which versions of RabbitMQ are past community end-of-life?

RabbitMQ 3.8.x, 3.9.x, 3.10.x, 3.11.x, and 3.12.x have all reached community EOL — meaning no further security patches or CVE fixes are released by the RabbitMQ maintainers for those versions. RabbitMQ 3.13.x reached EOL in late 2024. OSSeva delivers backported CVE patches for 3.11 through 3.13.

Which PostgreSQL versions are no longer receiving community security patches?

PostgreSQL 9.6 through 13 have all reached community EOL. PostgreSQL 11 reached EOL November 2023, PostgreSQL 12 reached EOL November 2024, and PostgreSQL 13 reaches EOL November 2025. OSSeva provides extended security patching for PostgreSQL 11, 12, and 13 for teams that cannot immediately migrate to PG 14 or later.

Is Spring Framework 5.3.x still supported?

Spring Framework 5.3.x reached its community OSS EOL on December 31, 2024. Broadcom's commercial support for Spring 5.3.x is also no longer available under standard terms. OSSeva delivers backported CVE patches for Spring Framework 5.3.x and Spring Boot 2.7.x under our extended lifecycle support program.

Which versions of Apache Kafka are EOL?

Apache Kafka versions 2.x and 3.0 through 3.4 are past their community supported window, meaning no further patch releases. Kafka 3.5 and 3.6 have reached or are approaching EOL. OSSeva supports Kafka 2.8 through 3.5 with backported security patches and compliance documentation.

What happened to Redis licensing? Can I still use Redis for free?

In March 2024, Redis Ltd. changed the Redis license from BSD-3-Clause to the Business Source License (BSL 1.1), which restricts use in competing database products. The Valkey project (a Linux Foundation fork) continues under BSD-3-Clause. OSSeva maintains BSD-licensed, CVE-patched builds of Redis 6.2 and 7.0 for enterprises that need verifiable open-source licensing alongside security coverage.

Is Node.js 18 still receiving security patches?

Node.js 18 (LTS 'Hydrogen') reached its end-of-life date in April 2025 and no longer receives security releases from the Node.js project. OSSeva delivers CVE patches for Node.js 18 for enterprise teams that have not yet migrated to Node.js 20 or 22.

Is Apache Tomcat 8.5 still supported?

Apache Tomcat 8.5 reached its community EOL in March 2024. OSSeva provides extended security patching for Tomcat 8.5.x for teams running Java EE 7 workloads that cannot immediately migrate to Tomcat 9.0 or 10.1.

What .NET versions does OSSeva support?

.NET 6 reached Microsoft end-of-support in November 2024. .NET 7 reached EOL in May 2024. OSSeva delivers CVE patches for .NET 6 and .NET 7 for teams that have not yet migrated to .NET 8 (LTS, supported through November 2026).

Ready to get GemFire / Geode patched and supported?

Start with a 45-minute discovery call. We confirm your version coverage, scope the engagement, and have you onboarded within your first quarter.