ActiveMQ 5.18.3 released — fixes Jolokia RCE and other high‑severity flaws, patch now
- Apache ActiveMQ did not release 5.18.3 today; that version shipped on October 25, 2023, and Apache now lists 5.18.x as deprecated.
- The current Jolokia remote-code-execution fix is CVE-2026-34197, patched in ActiveMQ 5.19.4 and 6.2.3, with 5.19.6 now the supported 5.x release.
- ActiveMQ's own download page says deprecated branches no longer receive updates, so 5.18.3 is not the patch target now. (activemq.apache.org)
Apache ActiveMQ 5.18.3 is not a new security release. Apache says it was published on October 25, 2023, and the 5.18.x line is now deprecated. (activemq.apache.org 1) (activemq.apache.org 2)

The current issue tied to Jolokia is CVE-2026-34197. Apache describes it as an authenticated remote-code-execution flaw in the Jolokia JMX-HTTP bridge exposed at `/api/jolokia/` on the web console. (activemq.apache.org)

Jolokia is the broker's management API: a web endpoint that lets administrators call Java Management Extensions, or JMX, methods over HTTP. Apache's monitoring documentation says ActiveMQ Classic bundles Jolokia by default for that purpose. (activemq.apache.org)

Apache's advisory says the default Jolokia policy allowed `exec` operations on ActiveMQ MBeans, including `addNetworkConnector(String)` and `addConnector(String)`. An authenticated attacker could pass a crafted discovery URI that loads a remote Spring XML application context and reaches `Runtime.exec` on the broker's Java virtual machine. (activemq.apache.org)

Apache says CVE-2026-34197 affects ActiveMQ before 5.19.4 and from 6.0.0 before 6.2.3. The project recommends upgrading to 5.19.4 or 6.2.3, and its download page now shows 5.19.6 and 6.2.5 as the latest supported releases. (activemq.apache.org 1) (activemq.apache.org 2)

That matters for anyone still treating 5.18.3 as the "patched" build. Apache's release matrix says deprecated versions do not receive updates and are not recommended for new deployments. (activemq.apache.org)

The confusion is understandable because 5.18.3 did include an OpenWire marshaller change and landed days before Apache published its November 3, 2023 update on CVE-2023-46604. But Apache's security page still tracks CVE-2023-46604 separately from the newer Jolokia flaws. (activemq.apache.org 1) (activemq.apache.org 2) (activemq.apache.org 3)

Apache's security page now lists a chain of newer issues around the same management surface, including CVE-2024-32114, CVE-2026-34197, CVE-2026-40466, CVE-2026-41043, and CVE-2026-41044. That list shows the risk is no longer limited to the 2023 OpenWire bug. (activemq.apache.org)

The immediate takeaway is narrower than the headline: 5.18.3 is old, 5.18.x is end-of-life, and the Jolokia fix operators need is in newer supported releases, not in 5.18.3. (activemq.apache.org)
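For operators who need to turn the version ranges above into an inventory check, here is an added Python triage helper; it is not code from the article or from the ActiveMQ project. It encodes the affected ranges Apache states for CVE-2026-34197 (before 5.19.4, and 6.0.0 before 6.2.3) and the latest supported releases quoted from the download page (5.19.6 and 6.2.5); the sample inventory is constructed, and treating every 5.x branch below 5.19 as deprecated is an assumption extended from the page's statement about 5.18.x.

```python
import re
from typing import Dict, List, Tuple

# Affected ranges as stated in Apache's advisory for CVE-2026-34197:
# [lower, upper) tuples, so "before 5.19.4" and "6.0.0 before 6.2.3".
AFFECTED_RANGES = [
    ((0, 0, 0), (5, 19, 4)),
    ((6, 0, 0), (6, 2, 3)),
]

# Latest supported releases per branch, as shown on the download page.
LATEST_SUPPORTED = {5: "5.19.6", 6: "6.2.5"}

# Assumption: every 5.x line below 5.19 is treated as deprecated
# (the page explicitly states this for 5.18.x).
DEPRECATED_BELOW = (5, 19, 0)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch from strings like "5.18.3" or "6.2.3-SNAPSHOT".

    Non-numeric suffixes are ignored; missing components default to 0.
    """
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable ActiveMQ version: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_affected(version: str) -> bool:
    """True if the version falls inside any advisory range for CVE-2026-34197."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def assess(version: str) -> Dict[str, object]:
    """Triage verdict for one broker: affected, deprecated branch, upgrade target."""
    v = parse_version(version)
    return {
        "version": version,
        "affected": is_affected(version),
        "deprecated_branch": v < DEPRECATED_BELOW,
        "upgrade_to": LATEST_SUPPORTED.get(v[0]),
    }


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return hostnames whose reported broker version still needs the fix."""
    return sorted(h for h, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory: hostname -> reported ActiveMQ version.
SAMPLE_INVENTORY = {"mq-a": "5.18.3", "mq-b": "5.19.6", "mq-c": "6.2.2", "mq-d": "6.2.5"}
```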