[Security] Bump ActiveMQ from 5.14.5 to 5.19.2 (#37944)

Fixes CVE-2023-46604 (CVSS 10.0, RCE via OpenWire protocol) and
CVE-2022-41678 (CVSS 8.8, RCE via Jolokia and REST API).

ActiveMQ is used exclusively as a test dependency in Beam (embedded
broker for JMS, MQTT, and AMQP IO connector tests).

Changes required for compatibility:
- Upgrade JMS spec from 1.1 to 2.0 (geronimo-jms) for JMS IO, since
  ActiveMQ 5.19.x uses JMS 2.0 API (setJMSDeliveryTime).
- Add JMS 2.0 createContext() stubs to MockNonSerializableConnectionFactory.
- Exclude transitive proton-j from activemq-amqp in AMQP IO to avoid
  conflict with the directly declared proton-j:0.16.0.

All three affected test modules pass: JMS IO, MQTT IO, AMQP IO.

Fixes #37943

Author: bvolpato

CHANGES.md

@@ -85,6 +85,10 @@
 
 * Fixed X (Java/Python) ([#X](https://github.com/apache/beam/issues/X)).
 
+## Security Fixes
+
+* Fixed [CVE-2023-46604](https://www.cve.org/CVERecord?id=CVE-2023-46604) (CVSS 10.0) and [CVE-2022-41678](https://www.cve.org/CVERecord?id=CVE-2022-41678) by upgrading ActiveMQ from 5.14.5 to 5.19.2 (Java) ([#37943](https://github.com/apache/beam/issues/37943)).
+
 ## Known Issues
 
 [comment]: # ( When updating known issues after release, make sure also update website blog in website/www/site/content/blog.)
@@ -2382,4 +2386,4 @@ Schema Options, it will be removed in version `2.23.0`. ([BEAM-9704](https://iss
 
 ## Highlights
 
-- For versions 2.19.0 and older release notes are available on [Apache Beam Blog](https://beam.apache.org/blog/).
+- For versions 2.19.0 and older release notes are available on [Apache Beam Blog](https://beam.apache.org/blog/).

buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy

@@ -597,7 +597,7 @@ class BeamModulePlugin implements Plugin<Project> {
     //
     // There are a few versions are determined by the BOMs by running scripts/tools/bomupgrader.py
     // marked as [bomupgrader]. See the documentation of that script for detail.
-    def activemq_version = "5.14.5"
+    def activemq_version = "5.19.2"
     def autovalue_version = "1.9"
     def autoservice_version = "1.0.1"
     def aws_java_sdk2_version = "2.20.162"

sdks/java/io/amqp/build.gradle

@@ -30,7 +30,9 @@ dependencies {
   testImplementation library.java.slf4j_api
   testImplementation library.java.junit
   testImplementation library.java.activemq_broker
-  testImplementation library.java.activemq_amqp
+  testImplementation(library.java.activemq_amqp) {
+    exclude group: 'org.apache.qpid', module: 'proton-j'
+  }
   testImplementation library.java.activemq_junit
   testImplementation library.java.hamcrest
   testRuntimeOnly library.java.slf4j_jdk14

sdks/java/io/jms/build.gradle

@@ -32,7 +32,7 @@ dependencies {
   implementation project(path: ":sdks:java:core", configuration: "shadow")
   implementation library.java.slf4j_api
   implementation library.java.joda_time
-  implementation "org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1"
+  implementation "org.apache.geronimo.specs:geronimo-jms_2.0_spec:1.0-alpha-2"
   testImplementation library.java.activemq_amqp
   testImplementation library.java.activemq_broker
   testImplementation library.java.activemq_jaas

sdks/java/io/jms/src/test/java/org/apache/beam/sdk/io/jms/MockNonSerializableConnectionFactory.java

@@ -19,6 +19,7 @@
 
 import javax.jms.Connection;
 import javax.jms.ConnectionFactory;
+import javax.jms.JMSContext;
 import javax.jms.JMSException;
 
 public class MockNonSerializableConnectionFactory implements ConnectionFactory {
@@ -31,4 +32,24 @@ public Connection createConnection() throws JMSException {
   public Connection createConnection(String userName, String password) throws JMSException {
     return null;
   }
+
+  @Override
+  public JMSContext createContext() {
+    throw new UnsupportedOperationException();
+  }
+
+  @Override
+  public JMSContext createContext(String userName, String password) {
+    throw new UnsupportedOperationException();
+  }
+
+  @Override
+  public JMSContext createContext(String userName, String password, int sessionMode) {
+    throw new UnsupportedOperationException();
+  }
+
+  @Override
+  public JMSContext createContext(int sessionMode) {
+    throw new UnsupportedOperationException();
+  }
 }