TomEE / TOMEE-4419

TomEE Plus 9.1.3 shipping EOL Tomcat 10.0.27


Details

    • Type: Dependency upgrade
    • Status: Closed
    • Priority: Critical
    • Resolution: Won't Fix
    • Affects Version/s: 9.1.3
    • Fix Version/s: None
    • Component/s: TomEE Build
    • Important

    Description

      We have identified that Apache TomEE Plus 9.1.3 is shipping with Tomcat version 10.0.27, which has reached End of Life (EOL) status. From our research, it appears that new vulnerabilities are not tested against the 10.0.x branch of Tomcat.

      The stable version of TomEE Plus is currently 9.1.3, while the 10.x version of TomEE Plus is still a milestone release that we cannot deploy in production.
      The bundled Tomcat version is outdated and vulnerable, and updating it separately is not possible. Could someone explain why an outdated Tomcat version (10.0.27) is being shipped with TomEE Plus 9.1.3, and is there any potential resolution to ensure the system remains secure?

      Expected Result:
      TomEE Plus should include a supported, non-EOL version of Tomcat that is tested against recent vulnerabilities.

      People

        Assignee: jgallimore (Jonathan Gallimore)
        Reporter: arinsukhwal (Arin Sukhwal)