Enterprise

Version 2.15 release notes

Grafana Labs is excited to announce the release of Grafana Enterprise Metrics (GEM) 2.15, which is built on top of Grafana Mimir 2.15.

GEM 2.15 inherits all the features, enhancements, and bug fixes that are in the Grafana Mimir 2.15 release. Given this, it’s best to start with the Grafana Mimir 2.15 release notes.

Features and enhancements

This release introduces changes to the federation-frontend, which now requires GEM clusters as proxy targets and mandates upgrading to GEM 2.15+ before updating the frontend. It also updates the Ruler to handle missing rule groups gracefully and resolves several bugs, including fixes for cross-cluster query federation label handling, token creation ETag responses, and critical security vulnerabilities in go-jose and go-oidc.

Upgrade considerations

This release also inherits the upgrade considerations from the Grafana Mimir 2.15 release.

After you upgrade to GEM 2.15, upgrade your GEM plugin to the latest version. For more information about the most recent enhancements and bug fixes in the GEM plugin, see the Grafana Enterprise Metrics: Changelog.

Bug fixes

v2.15.0

  • Include the initial ETag version in the token creation response when using the Admin API
  • When using cross-cluster query federation, series with the label name __cluster__ were incorrectly handled in shardable queries, which are queries that can be divided up and sent to different clusters and then combined later. This fixes that issue and allows users to use original___cluster__ as a label matcher to match that label and __cluster__ to match the cluster they defined, making it consistent with the behavior of other kinds of queries. This applies to aggregation grouping labels as well.
  • Upgrade dependencies to address CVE-2024-28180.
  • Upgrade dependencies to address CVE-2024-28180.

v2.15.1

  • Upgrade Go base image to 1.23.6.
  • Update base image to alpine:3.20.5.
  • Upgrade to github.com/golang/glog to v1.2.4 to resolve CVE-2024-45339.

v2.15.2

  • Update module golang.org/x/net to v0.36.0 to address CVE-2025-22870.
  • Update module github.com/golang-jwt/jwt/v5 to v5.2.2 to address CVE-2025-30204.
  • Update module github.com/golang-jwt/jwt/v4 to v4.2.2 to address CVE-2025-30204.
  • Update module github.com/golang-jwt/jwt/v3 to v3.0.4 to address CVE-2025-30204.
  • Update module golang.org/x/oauth2 to v0.27.0 to address CVE-2025-22868.
  • Update module golang.org/x/crypto to v0.35.0 to address CVE-2025-22869.
  • Update module github.com/go-jose/go-jose/v4 to v4.0.5 to address CVE-2025-27144.
  • Upgrade Go base image to 1.23.7.