[Security] Upgrade ActiveMQ from 5.14.5 to 5.19.2 to fix CVE-2023-46604 and other vulnerabilities #37943

@bvolpato

Summary

The ActiveMQ version used by Apache Beam (5.14.5) is affected by multiple security vulnerabilities, most critically:

| CVE | CVSS | Severity | Description |
| --- | --- | --- | --- |
| CVE-2023-46604 | 10.0 | 🔴 Critical | Remote Code Execution via ClassInfo manipulation in OpenWire protocol. Actively exploited in the wild by ransomware. |
| CVE-2022-41678 | 8.8 | 🔴 High | RCE via Jolokia and REST API |

CVE-2023-46604 is fixed in 5.15.16+, 5.16.7+, 5.17.6+, 5.18.3+.

ActiveMQ is used exclusively as a test dependency in Beam (embedded broker for JMS, MQTT, AMQP IO connector tests) — not in production code. However, upgrading eliminates security scanner noise and ensures test infrastructure itself is not vulnerable.

Proposed Fix

Upgrade activemq_version from 5.14.5 to 5.19.2 in BeamModulePlugin.groovy.
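As an added example (not code from the Beam project or from this issue's author), the following script turns the fix lines quoted above for CVE-2023-46604 (5.15.16+, 5.16.7+, 5.17.6+, 5.18.3+, with anything older than 5.15 affected and 5.19+ unaffected) into a version check, and runs it over the `org.apache.activemq:*` coordinates found in a Gradle dependency-tree dump. The Gradle tree text embedded below is constructed for illustration; in practice you would feed it the output of `./gradlew <module>:dependencies` for the test classpath. CVE-2022-41678 is not covered because the issue does not quote its fix lines.

```python
# Added example; not part of Apache Beam. Checks whether an ActiveMQ version is
# still affected by CVE-2023-46604 using only the fix lines quoted in the issue,
# then audits a (constructed) Gradle dependency tree for affected artifacts.
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release on each maintained 5.x branch, per the issue text.
FIXED_IN_CVE_2023_46604: Dict[Tuple[int, int], Version] = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}
# 5.19 and later were released after the fix; branches below 5.15 never got one.
FIRST_UNAFFECTED_BRANCH = (5, 19)

# Constructed sample resembling `gradle dependencies` output. Gradle prints
# "declared -> resolved" when conflict resolution picks a different version.
SAMPLE_GRADLE_TREE = """\
testRuntimeClasspath - Runtime classpath of source set 'test'.
+--- org.apache.activemq:activemq-broker:5.14.5
|    +--- org.apache.activemq:activemq-client:5.14.5
|    \\--- org.apache.activemq:activemq-openwire-legacy:5.14.5
+--- org.apache.activemq:activemq-kahadb-store:5.14.5 -> 5.19.2
\\--- org.apache.activemq:activemq-mqtt:5.14.5
"""

DEP_RE = re.compile(
    r"(org\.apache\.activemq:[\w.-]+):([\w.-]+)(?:\s*->\s*([\w.-]+))?"
)


def parse_version(v: str) -> Version:
    """Parse 'major.minor.patch'; a trailing qualifier like '-SNAPSHOT' is ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable_cve_2023_46604(version: str) -> bool:
    """True if `version` predates the fix on its branch (or its branch has no fix)."""
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch >= FIRST_UNAFFECTED_BRANCH:
        return False
    fixed: Optional[Version] = FIXED_IN_CVE_2023_46604.get(branch)
    if fixed is None:
        return True  # 5.14.x and older: every release is affected
    return parsed < fixed


def find_vulnerable_activemq(tree_text: str) -> Dict[str, str]:
    """Map each affected ActiveMQ artifact to the version Gradle actually resolved."""
    affected: Dict[str, str] = {}
    for m in DEP_RE.finditer(tree_text):
        artifact, declared, resolved = m.groups()
        version = resolved or declared  # the resolved version is what ships
        if is_vulnerable_cve_2023_46604(version):
            affected[artifact] = version
    return affected


if __name__ == "__main__":
    print("5.14.5 vulnerable:", is_vulnerable_cve_2023_46604("5.14.5"))
    print("5.19.2 vulnerable:", is_vulnerable_cve_2023_46604("5.19.2"))
    for artifact, version in find_vulnerable_activemq(SAMPLE_GRADLE_TREE).items():
        print(f"{artifact}:{version} is affected by CVE-2023-46604")
```

The check keys on the resolved version (the right-hand side of Gradle's `->`), since a declared 5.14.5 that conflict resolution bumps to 5.19.2 is not what ends up on the classpath; conversely, a transitive ActiveMQ artifact pinned elsewhere can keep an old version even after `activemq_version` is raised, which is why the audit walks every `org.apache.activemq` coordinate rather than just the one constant.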

References
