I'm using Karaf 4.2.3 over JDK 1.8. I had ran a Black Duck Scan, and it is pointing to Apache ActiveMQ -5.15.9 with some vulnerabilities, one of them is critical. I'd like to know if it is possible to get this updated to the recommended version which is 5.17.1. Please if you have some advice it'd be highly appreciated. I'd like to point out that in the current project, I'm not really using ActiveMQ.
ActiveMQ 5.17.1 requires Java 11 so you won't be able to use that. You should upgrade to ActiveMQ 5.16.5 instead. It's the latest version which supports Java 8. That said, if you're not using ActiveMQ in your project then the simplest (and most secure) thing you can do is just remove it.