Details
- Dependency upgrade
- Status: Open
- Critical
- Resolution: Unresolved
- 9.1.3
- None
- Important
Description
We have identified that Apache TomEE Plus 9.1.3 is shipping with Tomcat version 10.0.27, which has reached End of Life (EOL) status. From our research, it appears that new vulnerabilities are not tested against the 10.0.x branch of Tomcat.
The stable version of TomEE Plus is currently 9.1.3, while the 10.x version of TomEE Plus is still a milestone release that we cannot deploy in production.
The bundled Tomcat version is outdated and vulnerable, and updating it separately is not possible. Could someone explain why an outdated Tomcat version (10.0.27) is being shipped with TomEE Plus 9.1.3, and is there any potential resolution to ensure the system remains secure?
Expected Result:
TomEE Plus should include a supported, non-EOL version of Tomcat that is tested against recent vulnerabilities.
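As an added example (not part of this issue or of the TomEE project's own code), the following script shows how an operator can verify which Tomcat build is bundled in a TomEE installation and fail a CI job when that build sits on an End-of-Life branch. It reads `server.number` from `org/apache/catalina/util/ServerInfo.properties` inside `lib/catalina.jar`, the same file that `bin/version.sh` prints. The `EOL_BRANCHES` set, the function names, and the `make_sample_distribution` fixture are assumptions introduced here: the set only contains `10.0` because this issue reports that branch as EOL, and it should be maintained from the Tomcat project's own EOL announcements.

```python
"""CI guard: read the Tomcat version bundled in a TomEE distribution and
fail when it falls on an End-of-Life branch (added example, not TomEE code)."""
import re
import sys
import tempfile
import zipfile
from pathlib import Path
from typing import Tuple

# Location inside catalina.jar where Tomcat records its own version.
SERVER_INFO = "org/apache/catalina/util/ServerInfo.properties"

# Assumption: major.minor branches treated as EOL. 10.0 is listed because the
# issue reports it as EOL; extend this set from tomcat.apache.org announcements.
EOL_BRANCHES = {"10.0"}

# server.number looks like 10.0.27.0 in real builds; only the first three
# components identify the release.
_VERSION_RE = re.compile(r"^server\.number=(\d+)\.(\d+)\.(\d+)", re.M)


def read_server_info(catalina_jar: Path) -> str:
    """Return the raw ServerInfo.properties text from a catalina.jar."""
    with zipfile.ZipFile(catalina_jar) as jar:
        return jar.read(SERVER_INFO).decode("utf-8")


def bundled_tomcat_version(tomee_home: Path) -> Tuple[int, int, int]:
    """Parse the bundled Tomcat release from <tomee_home>/lib/catalina.jar."""
    text = read_server_info(tomee_home / "lib" / "catalina.jar")
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError("server.number not found in ServerInfo.properties")
    major, minor, patch = (int(x) for x in match.groups())
    return (major, minor, patch)


def is_eol_branch(version: Tuple[int, int, int]) -> bool:
    """True when the release's major.minor branch is in EOL_BRANCHES."""
    return f"{version[0]}.{version[1]}" in EOL_BRANCHES


def check_distribution(tomee_home: Path) -> str:
    """Return a one-line verdict suitable for a CI log."""
    v = bundled_tomcat_version(tomee_home)
    label = "EOL" if is_eol_branch(v) else "supported"
    return f"bundled Tomcat {v[0]}.{v[1]}.{v[2]} ({label} branch)"


def make_sample_distribution(root: Path, server_number: str) -> Path:
    """Constructed fixture: a minimal TomEE-like tree whose catalina.jar holds
    only ServerInfo.properties. This is not a real TomEE distribution."""
    lib = root / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    props = (
        f"server.info=Apache Tomcat/{server_number}\n"
        f"server.number={server_number}.0\n"
        "server.built=(constructed sample)\n"
    )
    with zipfile.ZipFile(lib / "catalina.jar", "w") as jar:
        jar.writestr(SERVER_INFO, props)
    return root


def sample_verdict(server_number: str) -> str:
    """Build a throwaway fixture for the given version and return its verdict."""
    home = make_sample_distribution(Path(tempfile.mkdtemp()), server_number)
    return check_distribution(home)


if __name__ == "__main__":
    # Usage: python tomcat_eol_check.py /opt/tomee   (exit 1 on an EOL branch)
    if len(sys.argv) > 1:
        verdict = check_distribution(Path(sys.argv[1]))
    else:
        verdict = sample_verdict("10.0.27")  # constructed sample, as in the issue
    print(verdict)
    sys.exit(1 if "(EOL branch)" in verdict else 0)
```

Run with the TomEE home directory as the only argument; without arguments it checks a constructed fixture carrying the 10.0.27 version named in this issue and exits non-zero, which is the behaviour you would want from a pipeline gate on the bundled container.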