OSSEVA FOR RABBITMQ

Keep running real RabbitMQ. We patch, architect, and operate it.

Drop-in CVE patches for 3.11, 3.12, 3.13, and current — plus the architectural and operational work Broadcom won't do for less than a 50-core Tanzu commitment.

Last patch shipped: CVE-2026-3847 · RabbitMQ 3.13.7 · 3d ago

Why now

RabbitMQ 3.13.x: community support ended

The upstream community ended security patches for 3.13.x in August 2025. Unpatched CVEs now accumulate with no official fix path. OSSeva ships patches quarterly — signed and validated.

Broadcom Tanzu: 50/72-core minimum

Tanzu RabbitMQ now requires 50- or 72-core minimums. For most enterprise deployments, that's a 10–30× price increase versus the workloads you actually run.

Your auditor won't accept 'community EOL'

SOC 2, HIPAA, PCI, and ISO 27001 frameworks all require evidence of continued security controls. An unsupported runtime fails that test. Our attestations are designed to be handed to your auditor without revision.

Versions covered

All versions below receive active CVE patches from OSSeva. Version numbers in monospace are exact release identifiers.

Version                      Status     Active CVEs
3.11.x                       Extended   Clean
3.12.x                       Extended   Clean
3.13.x (1 patch in test)     Extended   1 open
3.13.7                       Hardened   Clean
4.x                          Current    Clean

What you get

Three tiers — pick the level of engagement that matches your team's operational needs and compliance requirements.

OSSeva Patch

CVE remediation, signed builds, repo manager integration.

  • Quarterly CVE patches for all covered versions
  • Signed artifacts (GPG + Sigstore)
  • Maven / Helm / private OCI repo delivery
  • Vulnerability disclosure notifications
  • Erlang/OTP compatibility matrix
  • Architecture review
  • 24/7 managed operations

OSSeva Assure

Patch plus architectural review and audit-ready documentation.

  • Everything in Patch
  • Annual configuration & architecture audit
  • Version upgrade planning
  • SOC 2 / HIPAA / PCI attestation package
  • Pen-test validation summary
  • Reference architecture for your deployment
  • 24/7 managed operations

OSSeva Operate

Full MSP: 24/7 monitoring, 15-min SLA, named engineers.

  • Everything in Assure
  • 24/7 proactive monitoring & alerting
  • 15-minute P1 incident response SLA
  • Named senior engineer on your account
  • Runbook authoring and maintenance
  • Quarterly business reviews
  • On-call escalation path to RabbitMQ core contributors

All tiers priced per cluster/application — not per core.

How it installs

OSSeva artifacts arrive via your existing package infrastructure. Pull the patched version the same way you pull upstream today — just from the OSSeva registry.

Helm — add OSSeva chart repository (bash)
helm repo add osseva https://charts.osseva.io
helm repo update
helm install rabbitmq osseva/rabbitmq \
  --version 3.13.7-1 \
  --namespace messaging \
  --set auth.username=admin \
  --set replicaCount=3

Maven — OSSeva artifact coordinates (xml)
<dependency>
  <groupId>io.osseva.rabbitmq</groupId>
  <artifactId>rabbitmq-server</artifactId>
  <version>3.13.7-osseva-1</version>
</dependency>
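
The Helm install above pulls the chart by name without checking its signature. The following is an added example, not OSSeva's own tooling, that gates the install on Helm's provenance verification. It assumes the chart repository publishes .prov files and that the vendor public key sits in a keyring at a placeholder path; the OSSEVA_KEYRING variable and the verified_install function are hypothetical names.

```shell
#!/bin/sh
# Added example: verify the chart's signature before installing it.
# Assumptions, not from the page: the OSSeva chart repository publishes Helm
# provenance (.prov) files, and KEYRING holds the vendor public key in the
# legacy GnuPG keyring format Helm reads. The keyring path is a placeholder.

HELM="${HELM:-helm}"
CHART="osseva/rabbitmq"          # chart reference from the page
VERSION="3.13.7-1"               # exact version from the page, never a range
KEYRING="${OSSEVA_KEYRING:-$HOME/.gnupg/osseva-pubring.gpg}"

verified_install() {
  workdir="$(mktemp -d)" || return 1

  # `helm pull --verify` fetches the archive and its .prov file, checks the
  # PGP signature against KEYRING and the archive digest against the .prov.
  if ! "$HELM" pull "$CHART" --version "$VERSION" \
        --verify --keyring "$KEYRING" --destination "$workdir"; then
    echo "chart verification failed, refusing to install" >&2
    rm -rf "$workdir"
    return 1
  fi

  # Install the archive that was just verified rather than fetching by name
  # again, so the bytes deployed are the bytes that were checked.
  if "$HELM" install rabbitmq "$workdir/rabbitmq-$VERSION.tgz" \
        --namespace messaging \
        --set auth.username=admin \
        --set replicaCount=3; then
    rc=0
  else
    rc=$?
  fi
  rm -rf "$workdir"
  return "$rc"
}
```

Source the file and call verified_install with OSSEVA_KEYRING set to the keyring you obtained out of band.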

Migrate from Broadcom Tanzu RabbitMQ

Tanzu RabbitMQ now requires 50- or 72-core minimums — often 10–30× the cost of running equivalent community workloads with OSSeva support. Our migration playbook covers license exit, cluster migration, and runtime validation.

Pricing model

OSSeva for RabbitMQ is priced per application cluster, not per core. No surprise licensing math.

Compliance library

  • SOC 2 Type II Attestation
  • Sample Audit Narrative
  • Pen-Test Report Summary
  • HIPAA Technical Safeguard Matrix

Frequently asked questions

Are your RabbitMQ builds a fork?

No. OSSeva patches are applied to upstream community source code. Your cluster continues to run real Apache-licensed RabbitMQ. We are not a fork, and there is no proprietary runtime in your stack.

How do CVE patches reach my cluster?

Patches are delivered as signed OCI/Helm packages or Maven artifacts via the OSSeva artifact registry. You pull the patched version the same way you pull upstream today — just from our registry.

What Erlang/OTP versions are included?

Each OSSeva release ships with a validated, tested Erlang/OTP version. The compatibility matrix is published per release. Our Erlang/OTP builds also receive CVE patches independently of the RabbitMQ release cycle.

We're on Broadcom Tanzu RabbitMQ today. How hard is the migration?

The migration scope depends on how many Tanzu-specific configuration extensions you've used. For most Tanzu customers, the migration is a configuration change and a cluster migration with zero downtime. We run a fixed-scope migration discovery engagement to scope the work before any commitment.

Does OSSeva hold the CVE remediation SLA or just ship patches?

For OSSeva Operate customers, we hold a contractual SLA on critical CVE remediation. For Patch and Assure customers, we publish a quarterly cadence with out-of-cycle patches for CVSS 9+ vulnerabilities.

Can you operate RabbitMQ on our infrastructure, not yours?

Yes. OSSeva Operate is a managed service on your infrastructure — your cloud account, your VPC, your on-prem. We provide the operations layer (monitoring, runbooks, incident response) and you retain data sovereignty.

Ready to get RabbitMQ patched and supported?

Start with a 45-minute discovery call. We confirm your version coverage, scope the engagement, and have you onboarded within your first quarter.