This is an automated email from the ASF dual-hosted git repository.
yhu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/beam.git
The following commit(s) were added to refs/heads/master by this push:
new 3aad50b99e8 [Security] Bump ActiveMQ from 5.14.5 to 5.19.2 (#37944)
3aad50b99e8 is described below
commit 3aad50b99e8f4f97ed5344e56d6915a5a1cf2b29
Author: Bruno Volpato <[email protected]>
AuthorDate: Tue Mar 24 21:47:30 2026 -0400
[Security] Bump ActiveMQ from 5.14.5 to 5.19.2 (#37944)
Fixes CVE-2023-46604 (CVSS 10.0, RCE via OpenWire protocol) and
CVE-2022-41678 (CVSS 8.8, RCE via Jolokia and REST API).
ActiveMQ is used exclusively as a test dependency in Beam (embedded
broker for JMS, MQTT, and AMQP IO connector tests).
Changes required for compatibility:
- Upgrade JMS spec from 1.1 to 2.0 (geronimo-jms) for JMS IO, since
ActiveMQ 5.19.x uses JMS 2.0 API (setJMSDeliveryTime).
- Add JMS 2.0 createContext() stubs to MockNonSerializableConnectionFactory.
- Exclude transitive proton-j from activemq-amqp in AMQP IO to avoid
conflict with the directly declared proton-j:0.16.0.
All three affected test modules pass: JMS IO, MQTT IO, AMQP IO.
Fixes #37943
---
CHANGES.md | 6 +++++-
.../org/apache/beam/gradle/BeamModulePlugin.groovy | 2 +-
sdks/java/io/amqp/build.gradle | 4 +++-
sdks/java/io/jms/build.gradle | 2 +-
.../jms/MockNonSerializableConnectionFactory.java | 21 +++++++++++++++++++++
5 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index e91da103c30..064b1485449 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -85,6 +85,10 @@
* Fixed X (Java/Python) ([#X](https://github.com/apache/beam/issues/X)).
+## Security Fixes
+
+* Fixed [CVE-2023-46604](https://www.cve.org/CVERecord?id=CVE-2023-46604)
(CVSS 10.0) and
[CVE-2022-41678](https://www.cve.org/CVERecord?id=CVE-2022-41678) by upgrading
ActiveMQ from 5.14.5 to 5.19.2 (Java)
([#37943](https://github.com/apache/beam/issues/37943)).
+
## Known Issues
[comment]: # ( When updating known issues after release, make sure also update
website blog in website/www/site/content/blog.)
@@ -2382,4 +2386,4 @@ Schema Options, it will be removed in version `2.23.0`.
([BEAM-9704](https://iss
## Highlights
-- For versions 2.19.0 and older release notes are available on [Apache Beam
Blog](https://beam.apache.org/blog/).
+- For versions 2.19.0 and older release notes are available on [Apache Beam
Blog](https://beam.apache.org/blog/).
\ No newline at end of file
diff --git
a/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy
b/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy
index 0c1327cd06c..e24ff600494 100644
--- a/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy
+++ b/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy
@@ -597,7 +597,7 @@ class BeamModulePlugin implements Plugin<Project> {
//
// There are a few versions are determined by the BOMs by running
scripts/tools/bomupgrader.py
// marked as [bomupgrader]. See the documentation of that script for
detail.
- def activemq_version = "5.14.5"
+ def activemq_version = "5.19.2"
def autovalue_version = "1.9"
def autoservice_version = "1.0.1"
def aws_java_sdk2_version = "2.20.162"
diff --git a/sdks/java/io/amqp/build.gradle b/sdks/java/io/amqp/build.gradle
index 628cc5a9a38..6f2899eeb05 100644
--- a/sdks/java/io/amqp/build.gradle
+++ b/sdks/java/io/amqp/build.gradle
@@ -30,7 +30,9 @@ dependencies {
testImplementation library.java.slf4j_api
testImplementation library.java.junit
testImplementation library.java.activemq_broker
- testImplementation library.java.activemq_amqp
+ testImplementation(library.java.activemq_amqp) {
+ exclude group: 'org.apache.qpid', module: 'proton-j'
+ }
testImplementation library.java.activemq_junit
testImplementation library.java.hamcrest
testRuntimeOnly library.java.slf4j_jdk14
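Review bot: The exclusion added on the three new lines keeps the test classpath on the directly declared proton-j:0.16.0 instead of the newer proton-j that ActiveMQ 5.19.2 pulls in, so the embedded AMQP broker under test runs against an older transport library than the one it was built with — a bump whose purpose is to shed vulnerable transitives arguably should not force an older one back in. The direct proton-j declaration is not visible in this hunk; if it is `implementation` scope, AmqpIO ships 0.16.0 regardless and this exclusion only affects tests, but it would be worth checking whether raising the direct version (and dropping the exclusion) is feasible, or at least recording the reason, e.g. `// 5.19.x pulls a newer proton-j; excluded so tests use the version AmqpIO declares directly`.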
diff --git a/sdks/java/io/jms/build.gradle b/sdks/java/io/jms/build.gradle
index b332ac12058..24a195e63f1 100644
--- a/sdks/java/io/jms/build.gradle
+++ b/sdks/java/io/jms/build.gradle
@@ -32,7 +32,7 @@ dependencies {
implementation project(path: ":sdks:java:core", configuration: "shadow")
implementation library.java.slf4j_api
implementation library.java.joda_time
- implementation "org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1"
+ implementation "org.apache.geronimo.specs:geronimo-jms_2.0_spec:1.0-alpha-2"
testImplementation library.java.activemq_amqp
testImplementation library.java.activemq_broker
testImplementation library.java.activemq_jaas
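Review bot: The replacement `implementation` dependency on the new line is a `1.0-alpha-2` artifact in the connector's compile/runtime scope, not in test scope, so every JmsIO consumer now transitively receives an alpha-labelled JMS API jar. If the project can take a GA JMS 2.0 API artifact, prefer one that still provides the `javax.jms` package (I believe `javax.jms:javax.jms-api:2.0.1` or the `jakarta.jms:jakarta.jms-api:2.0.x` line both do), or add a comment explaining why the Geronimo alpha was chosen. Because this changes the API level shipped with a production module, the CHANGES.md entry should arguably also say that JmsIO now depends on the JMS 2.0 API rather than 1.1, independent of the CVE fix.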
diff --git
a/sdks/java/io/jms/src/test/java/org/apache/beam/sdk/io/jms/MockNonSerializableConnectionFactory.java
b/sdks/java/io/jms/src/test/java/org/apache/beam/sdk/io/jms/MockNonSerializableConnectionFactory.java
index 60ab20d3ef1..752123327e9 100644
---
a/sdks/java/io/jms/src/test/java/org/apache/beam/sdk/io/jms/MockNonSerializableConnectionFactory.java
+++
b/sdks/java/io/jms/src/test/java/org/apache/beam/sdk/io/jms/MockNonSerializableConnectionFactory.java
@@ -19,6 +19,7 @@ package org.apache.beam.sdk.io.jms;
import javax.jms.Connection;
import javax.jms.ConnectionFactory;
+import javax.jms.JMSContext;
import javax.jms.JMSException;
public class MockNonSerializableConnectionFactory implements ConnectionFactory
{
@@ -31,4 +32,24 @@ public class MockNonSerializableConnectionFactory implements
ConnectionFactory {
public Connection createConnection(String userName, String password) throws
JMSException {
return null;
}
+
+ @Override
+ public JMSContext createContext() {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ public JMSContext createContext(String userName, String password) {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ public JMSContext createContext(String userName, String password, int
sessionMode) {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ public JMSContext createContext(int sessionMode) {
+ throw new UnsupportedOperationException();
+ }
}
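Review bot: The four `createContext` overloads added in this hunk throw a bare `UnsupportedOperationException` with no message, while the pre-existing `createConnection` overloads in the same class return `null`, so a test that accidentally reaches the JMS 2.0 path gets no hint about which mock refused it. Suggest `throw new UnsupportedOperationException("JMSContext is not supported by " + getClass().getSimpleName());` in each stub, plus a one-line comment above the first one such as `// JMS 2.0 createContext() overloads are stubbed out; the tests only exercise createConnection().` The class declaration and the first `createConnection` overload lie outside the hunk.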