bvolpato opened a new issue, #37943: URL: https://github.com/apache/beam/issues/37943
## Summary

The ActiveMQ version used by Apache Beam (`5.14.5`) is affected by multiple security vulnerabilities, most critically:

| CVE | CVSS | Severity | Description |
|-----|------|----------|-------------|
| [CVE-2023-46604](https://www.cve.org/CVERecord?id=CVE-2023-46604) | **10.0** | 🔴 Critical | Remote Code Execution via ClassInfo manipulation in OpenWire protocol. Actively exploited in the wild by ransomware. |
| [CVE-2022-41678](https://www.cve.org/CVERecord?id=CVE-2022-41678) | **8.8** | 🔴 High | RCE via Jolokia and REST API |
| [CVE-2023-46604](https://activemq.apache.org/security-advisories) | | | Fixed in 5.15.16+, 5.16.7+, 5.17.6+, 5.18.3+ |

ActiveMQ is used exclusively as a **test dependency** in Beam (embedded broker for JMS, MQTT, AMQP IO connector tests), not in production code. However, upgrading eliminates security scanner noise and ensures the test infrastructure itself is not vulnerable.

## Proposed Fix

Upgrade `activemq_version` from `5.14.5` to `5.19.2` in `BeamModulePlugin.groovy`.

## References

- https://activemq.apache.org/security-advisories
- https://activemq.apache.org/news/cve-2023-46604
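The advisory lists the fix for CVE-2023-46604 per maintenance branch (5.15.16+, 5.16.7+, 5.17.6+, 5.18.3+), so a plain "is the version greater than X" comparison gets branches wrong: 5.14.5 was never fixed at all, while 5.19.2 postdates every fixed branch. The following is an added example, not code from Beam or ActiveMQ, that does the branch-aware check and reads the pinned version out of a build file. The fixed-version list is the one quoted in the issue; the `def activemq_version = "..."` line format, the sample build snippets and the function names are assumptions made for illustration.

```python
"""Branch-aware check of a pinned ActiveMQ version against an advisory's fix list.

Added example for the issue above; not Beam's or ActiveMQ's code.
Assumptions: the fix list is given as "first safe release per branch" (as in
the ActiveMQ advisory), and the build file pins the version on a line shaped
like `def activemq_version = "5.14.5"`.
"""
from __future__ import annotations

import re
from typing import Dict, Sequence, Tuple

Version = Tuple[int, int, int]

# Fixed releases quoted in the issue for CVE-2023-46604, one per maintenance branch.
CVE_2023_46604_FIXED: Sequence[str] = ("5.15.16", "5.16.7", "5.17.6", "5.18.3")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.].*)?$")
# Assumed shape of the pin in BeamModulePlugin.groovy (optional `def`, single or double quotes).
_GROOVY_PIN_RE = re.compile(r"""^\s*(?:def\s+)?activemq_version\s*=\s*["']([^"']+)["']""", re.M)


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH'; a trailing qualifier such as '-SNAPSHOT' is ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str, fixed: Sequence[str] = CVE_2023_46604_FIXED) -> bool:
    """True if `version` predates the fix on its own maintenance branch.

    Rules:
      * major.minor matches a fixed branch  -> vulnerable iff patch < first fixed patch
      * major.minor below every fixed branch -> vulnerable (the branch never got the fix, e.g. 5.14.x)
      * major.minor above every fixed branch -> not vulnerable (released after the fix, e.g. 5.19.x)
      * major.minor between fixed branches but not listed -> treated as vulnerable (conservative)
    """
    major, minor, patch = parse_version(version)
    branches: Dict[Tuple[int, int], int] = {}
    for f in fixed:
        fmaj, fmin, fpatch = parse_version(f)
        branches[(fmaj, fmin)] = fpatch
    key = (major, minor)
    if key in branches:
        return patch < branches[key]
    if key < min(branches):
        return True
    if key > max(branches):
        return False
    return True


def activemq_version_from_groovy(groovy_source: str) -> str:
    """Extract the pinned `activemq_version` from build-file text (assumed line format)."""
    m = _GROOVY_PIN_RE.search(groovy_source)
    if not m:
        raise ValueError("activemq_version pin not found")
    return m.group(1)


def audit(groovy_source: str) -> Dict[str, object]:
    """Report the pinned version and whether it is still exposed to CVE-2023-46604."""
    v = activemq_version_from_groovy(groovy_source)
    return {"version": v, "cve_2023_46604_vulnerable": is_vulnerable(v)}


# Constructed stand-ins for the relevant line of BeamModulePlugin.groovy, before and after the proposed upgrade.
SAMPLE_BUILD_BEFORE = 'def activemq_version = "5.14.5"\n'
SAMPLE_BUILD_AFTER = 'def activemq_version = "5.19.2"\n'

if __name__ == "__main__":
    for label, src in (("before", SAMPLE_BUILD_BEFORE), ("after", SAMPLE_BUILD_AFTER)):
        print(label, audit(src))
```

Running the script reports the 5.14.5 pin as vulnerable and the proposed 5.19.2 pin as fixed; the same `is_vulnerable` function accepts any per-branch fix list, so it can be pointed at other ActiveMQ advisories that publish fixes the same way.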
