Hi Casey,

Thanks for pointing that out. It was a typo and the right version to use is 5.19.4 (not 5.19.5) or 6.2.3. It should say "Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue."

I updated the website [1] and I requested security send an update to Mitre so the cve.org link should update when that happens.

Chris

[1] https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt

On Tue, Apr 7, 2026 at 3:01 PM Casey A. Owen <[email protected]> wrote:
>
> Christopher, the description below specifies the vulnerability as "before 5.19.4" but recommends upgrade to 5.19.5.
>
> The website (https://activemq.apache.org/components/classic/download/) has 5.19.4 available for download (03/31/2026) but lists 5.19.3 (03/24/2026) as latest/last.
>
> Can you update the website to reflect 5.19.4 as latest/last and clarify whether/when 5.19.5 will be released or if its mention is just a typo?
>
> Thanks,
>
> Casey Owen | Sr Applications Analyst
> Southwest Power Pool
>
> -----Original Message-----
> From: Christopher L. Shannon <[email protected]>
> Sent: Monday, April 6, 2026 8:08 AM
> To: [email protected]; [email protected]
> Subject: CVE-2026-34197: Apache ActiveMQ Broker, Apache ActiveMQ: Authenticated users could perform RCE via Jolokia MBeans
>
> Severity: important
>
> Affected versions:
>
> - Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.4
> - Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 6.2.3
> - Apache ActiveMQ (org.apache.activemq:activemq-all) before 5.19.4
> - Apache ActiveMQ (org.apache.activemq:activemq-all) 6.0.0 before 6.2.3
>
> Description:
>
> Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ.
>
> Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String).
>
> An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec().
>
> This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: .
>
> Users are recommended to upgrade to version 5.19.5 or 6.2.3, which fixes the issue.
>
> Credit:
>
> Naveen Sunkavally (Horizon3.ai) (finder)
>
> References:
>
> https://activemq.apache.org/
> https://www.cve.org/CVERecord?id=CVE-2026-34197
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
> For further information, visit: https://activemq.apache.org/contact
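Two checks a responder would want after reading the thread above, as an added example that is not part of the mailing-list exchange or of the ActiveMQ project's own code: an is_affected() function that applies the advisory's version ranges (before 5.19.4, and 6.0.0 before 6.2.3, using the corrected 5.19.4 from Chris's reply) to an artifact version, and a classify_jolokia_request() function that pulls exec requests for the two operations the advisory names (addNetworkConnector and addConnector on org.apache.activemq MBeans) out of Jolokia request bodies captured from web-console access logs. The MBean object names, arguments and request bodies in SAMPLE_REQUESTS are constructed for illustration and are not captured traffic; the advisory does not give the exact object name that exposes the operations, so the check keys on the org.apache.activemq: domain prefix and the bare operation name rather than on a specific object name.

```python
"""Added example, not part of the mailing-list thread or the ActiveMQ project:
two checks a responder would want after reading CVE-2026-34197.

1. is_affected(version): applies the version ranges stated in the advisory
   (before 5.19.4, and 6.0.0 before 6.2.3) to the artifact version found in
   a POM or a lib/ directory. 5.19.4 is treated as fixed, matching the
   correction in the thread (the "5.19.5" in the advisory text was a typo).
2. classify_jolokia_request(body): flags Jolokia JSON request bodies that
   exec the operations the advisory names (addNetworkConnector, addConnector)
   on org.apache.activemq MBeans. The object names and arguments in
   SAMPLE_REQUESTS are constructed for illustration; the check keys on the
   domain prefix and the operation name, not on an exact object name.
"""
import json
import re

FIXED_5 = (5, 19, 4)   # first fixed 5.x release, per the correction in the thread
FIXED_6 = (6, 2, 3)    # first fixed 6.x release, per the advisory

RISKY_OPS = {"addNetworkConnector", "addConnector"}
ACTIVEMQ_DOMAIN = "org.apache.activemq:"


def parse_version(version):
    """'5.19.4' -> (5, 19, 4); a trailing qualifier such as '-SNAPSHOT' is ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the advisory's ranges place this activemq-broker / activemq-all
    version inside the vulnerable window."""
    v = parse_version(version)
    if v[0] <= 5:
        return v < FIXED_5          # "before 5.19.4"
    if v[0] == 6:
        return v < FIXED_6          # "6.0.0 before 6.2.3"
    return False                    # later major lines are outside the stated ranges


def classify_jolokia_request(body):
    """Classify one Jolokia POST body (a single request object or a bulk list).

    Returns 'exec-activemq-connector' if any request execs one of the
    operations named in the advisory on an org.apache.activemq MBean,
    'exec-activemq' for any other exec on that domain, and None otherwise
    (reads, execs on other domains, or bodies that are not JSON).
    """
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        return None
    requests = parsed if isinstance(parsed, list) else [parsed]
    verdict = None
    for req in requests:
        if not isinstance(req, dict) or req.get("type") != "exec":
            continue
        if not str(req.get("mbean", "")).startswith(ACTIVEMQ_DOMAIN):
            continue
        # Jolokia lets the operation carry its signature, e.g.
        # "addNetworkConnector(java.lang.String)"; compare the bare name.
        op = str(req.get("operation", "")).split("(", 1)[0].strip()
        if op in RISKY_OPS:
            return "exec-activemq-connector"
        verdict = "exec-activemq"
    return verdict


# Constructed sample bodies (not captured traffic): a routine attribute read,
# an exec of one of the named operations, and a bulk request with a harmless exec.
SAMPLE_REQUESTS = [
    '{"type":"read","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
    '"attribute":"TotalEnqueueCount"}',
    '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
    '"operation":"addNetworkConnector(java.lang.String)",'
    '"arguments":["static:(tcp://peer.example:61616)"]}',
    '[{"type":"exec","mbean":"java.lang:type=Memory","operation":"gc"},'
    ' {"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
    '"operation":"resetStatistics"}]',
]


def audit(bodies):
    """Return (index, verdict) for every body that execs an ActiveMQ MBean."""
    return [(i, v) for i, b in enumerate(bodies) if (v := classify_jolokia_request(b))]


if __name__ == "__main__":
    for ver in ("5.18.3", "5.19.3", "5.19.4", "6.1.0", "6.2.3"):
        print(f"{ver}: {'AFFECTED' if is_affected(ver) else 'fixed / out of range'}")
    for idx, verdict in audit(SAMPLE_REQUESTS):
        print(f"request {idx}: {verdict}")
```

The classifier fires on any invocation of addNetworkConnector or addConnector through the HTTP bridge, benign arguments included, because whether a given discovery URI is malicious cannot be decided from the operation name alone and an operator adding connectors via Jolokia rather than the broker XML is itself worth a look. The version check applies the same "before 5.19.4" range to both artifacts listed in the advisory, which is what the corrected advisory text states.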
