OSSEVA FOR RABBITMQ
Keep running real RabbitMQ. We patch, architect, and operate it.
Drop-in CVE patches for 3.11, 3.12, 3.13, and current — plus the architectural and operational work Broadcom won't do for less than a 50-core Tanzu commitment.
Why now
RabbitMQ 3.13.x: community support ended
The upstream community ended security patches for 3.13.x in August 2025. Unpatched CVEs now accumulate with no official fix path. OSSeva ships patches quarterly — signed and validated.
Broadcom Tanzu: 50/72-core minimum
Tanzu RabbitMQ now requires 50- or 72-core minimums. For most enterprise deployments, that's a 10–30× price increase versus the workloads you actually run.
Your auditor won't accept 'community EOL'
SOC 2, HIPAA, PCI, and ISO 27001 frameworks all require evidence of continued security controls. An unsupported runtime fails that test. Our attestations are designed to be handed to your auditor without revision.
Versions covered
All versions below receive active CVE patches from OSSeva. Version numbers in monospace are exact release identifiers.
| Version | Status | Active CVEs |
|---|---|---|
| 3.8.x (CVE backports where feasible; mitigations where not) | Extended | Clean |
| 3.9.x (CVE backports + architectural guidance) | Extended | Clean |
| 3.10.x (Full CVE coverage) | Extended | Clean |
| 3.11.x | Extended | Clean |
| 3.12.x | Extended | Clean |
| 3.13.x (1 patch in test) | Extended | 1 open |
| `3.13.7` | Hardened | Clean |
| 4.x | Current | Clean |
What you get
Three tiers — pick the level of engagement that matches your team's operational needs and compliance requirements.
OSSeva Patch
CVE remediation, signed builds, repo manager integration.
- Quarterly CVE patches for all covered versions
- Signed artifacts (GPG + Sigstore)
- Maven / Helm / private OCI repo delivery
- Vulnerability disclosure notifications
- Erlang/OTP compatibility matrix
- Architecture review
- 24/7 managed operations
OSSeva Assure
Patch plus architectural review and audit-ready documentation.
- Everything in Patch
- Annual configuration & architecture audit
- Version upgrade planning
- SOC 2 / HIPAA / PCI attestation package
- Pen-test validation summary
- Reference architecture for your deployment
- 24/7 managed operations
OSSeva Operate
Full MSP: 24/7 monitoring, 15-min SLA, named engineers.
- Everything in Assure
- 24/7 proactive monitoring & alerting
- 15-minute P1 incident response SLA
- Named senior engineer on your account
- Runbook authoring and maintenance
- Quarterly business reviews
- On-call escalation path to RabbitMQ core contributors
All tiers priced per cluster/application — not per core.
How it installs
OSSeva artifacts arrive via your existing package infrastructure. Pull the patched version the same way you pull upstream today — just from the OSSeva registry.
```bash
helm repo add osseva https://charts.osseva.io
helm repo update
helm install rabbitmq osseva/rabbitmq \
  --version 3.13.7-1 \
  --namespace messaging \
  --set auth.username=admin \
  --set replicaCount=3
```

```xml
<dependency>
  <groupId>io.osseva.rabbitmq</groupId>
  <artifactId>rabbitmq-server</artifactId>
  <version>3.13.7-osseva-1</version>
</dependency>
```

Migrate from Broadcom Tanzu RabbitMQ
Tanzu RabbitMQ now requires 50- or 72-core minimums — often 10–30× the cost of running equivalent community workloads with OSSeva support. Our migration playbook covers license exit, cluster migration, and runtime validation.
Pricing model
OSSeva for RabbitMQ is priced per application cluster, not per core. No surprise licensing math.
Frequently asked questions
Which versions of RabbitMQ does OSSeva patch?
OSSeva currently delivers CVE patches for RabbitMQ 3.11.x, 3.12.x, and 3.13.x. These versions have reached community EOL and no longer receive upstream security fixes. OSSeva backports confirmed CVEs to all three version lines with signed binary releases.
How does OSSeva deliver RabbitMQ patches?
OSSeva delivers patched RabbitMQ builds as signed Docker images (ghcr.io/osseva), Helm chart updates for Kubernetes deployments, and direct binary tarballs for bare-metal or VM installations. Every release includes a SHA-256 checksum, GPG signature, and a compliance attestation letter documenting the CVEs addressed.
What Erlang/OTP versions are compatible with OSSeva's RabbitMQ builds?
OSSeva's RabbitMQ 3.11.x–3.13.x builds support Erlang/OTP 25.x and 26.x. We also deliver patched Erlang builds for teams still running Erlang 24.x. All Erlang builds included in OSSeva patch releases are themselves scanned and patched for known CVEs.
How does OSSeva's RabbitMQ support compare to Broadcom Tanzu RabbitMQ?
Broadcom Tanzu RabbitMQ requires a per-core licensing model with a 72-core minimum commitment, which runs $50,000–$500,000+ annually for most enterprise deployments. OSSeva provides equivalent CVE patching and compliance documentation at a fraction of the cost, without core-based licensing or proprietary lock-in. Customers retain full ownership of their RabbitMQ deployment.
Does OSSeva support RabbitMQ on Kubernetes?
Yes. OSSeva delivers patched RabbitMQ builds compatible with the RabbitMQ Cluster Operator for Kubernetes, including signed Helm chart updates and OCI-compliant container images. We have deep experience with RabbitMQ HA cluster deployments on OpenShift, EKS, AKS, and GKE.
What RabbitMQ CVEs has OSSeva remediated?
OSSeva has remediated 10+ publicly disclosed CVEs across supported runtimes. For RabbitMQ specifically, notable remediations include CVE-2026-41823 (AMQP 1.0 frame parsing crash), CVE-2025-3302 (queue metadata validation bypass), and CVE-2025-7634 (management API authentication timing). A full list is available in our public vulnerability directory.
Can OSSeva provide RabbitMQ compliance documentation for SOC 2 or PCI DSS audits?
Yes. OSSeva Assure includes compliance documentation specifically designed for RabbitMQ audits: CVE patch attestation letters, patch cadence evidence for PCI DSS Requirement 6.3.3, SOC 2 CC6 logical access control evidence templates, and audit narratives for HIPAA §164.312 technical safeguards. Our documentation is accepted by Big 4 and regional auditors.
What are RabbitMQ quorum queues, and does OSSeva support them?
Quorum queues are RabbitMQ's durable, replicated queue type built on the Raft consensus protocol. They replace classic mirrored queues for high-availability workloads. OSSeva supports quorum queue deployments across all covered RabbitMQ versions and includes quorum queue configuration in our reference architectures.
Ready to get RabbitMQ patched and supported?
Start with a 45-minute discovery call. We confirm your version coverage, scope the engagement, and have you onboarded within your first quarter.