OSSEVA FOR APACHE TOMCAT

Apache Tomcat — patched, protected, operated.

Drop-in CVE patches for Tomcat 8.5.x and 9.0.x — including EncryptInterceptor bypass and classloader vulnerabilities the upstream project has closed. OSSeva keeps the servlet container running your enterprise Java applications patched and compliant.

Book a Apache Tomcat DiscoverySee version coverage ↓
Last patch shipped: CVE-2026-29881 · Tomcat 8.5.x · 41d ago

Why now

Tomcat 8.5.x community EOL: March 2024

Apache Tomcat 8.5.x reached community end-of-life in March 2024. Tomcat 9.0.x will follow by late 2025. Hundreds of thousands of enterprise Java applications run on these versions — with no upstream CVE patch path.

CVE-2026-29881 — EncryptInterceptor bypass in clustered deployments

A critical EncryptInterceptor bypass in Tomcat 8.5.x–9.0.x clustered deployments was disclosed in April 2026. Attackers can decrypt cluster member communication and inject arbitrary session data. OSSeva shipped a backport within 48 hours.

Java 8 dependency creates compounded upgrade risk

Many Tomcat 8.5.x deployments run on Java 8 — itself past Oracle paid support. Upgrading Tomcat and the JDK simultaneously is a significant operational risk for enterprises with large Java application portfolios. OSSeva covers Tomcat on your current JDK.

Versions covered

All versions below receive active CVE patches from OSSeva. Version numbers in monospace are exact release identifiers.

VersionStatusActive CVEs
8.5.x(Community EOL March 2024)Extended1 open
9.0.x(Full CVE coverage)ExtendedClean
10.0.x(Full CVE coverage)ExtendedClean
10.1.xCurrentClean
11.xCurrentClean

What you get

Three tiers — pick the level of engagement that matches your team's operational needs and compliance requirements.

OSSeva Patch

CVE patches for Tomcat 8.5.x–10.x. Signed builds, all deployment types.

  • Quarterly CVE patches for Tomcat 8.5.x, 9.0.x, and 10.x
  • EncryptInterceptor and classloader CVE priority coverage
  • Docker / apt / yum / zip delivery
  • Signed artifacts (GPG)
  • CVE disclosure notifications
  • Architecture review
  • 24/7 managed operations
Get started →
Most popular

OSSeva Assure

Patch plus Tomcat hardening review and compliance documentation.

  • Everything in Patch
  • Tomcat security configuration hardening review
  • Connector (HTTP/HTTPS/AJP) configuration audit
  • SOC 2 / PCI DSS attestation package
  • JVM upgrade sequencing plan
  • Tomcat 10/11 migration assessment
  • 24/7 managed operations
Get started →

OSSeva Operate

Full MSP: 24/7 monitoring, 15-min SLA, named Tomcat engineers.

  • Everything in Assure
  • 24/7 JVM and Tomcat health monitoring
  • 15-minute P1 incident response SLA
  • Named senior Tomcat engineer on your account
  • Thread pool and connection pool monitoring
  • GC and heap alerting
  • Tomcat major version migration execution
Get started →

All tiers priced per cluster/application — not per core. Contact for pricing →

How it installs

OSSeva artifacts arrive via your existing package infrastructure. Pull the patched version the same way you pull upstream today — just from the OSSeva registry.

Docker — OSSeva Tomcatbash
docker pull artifacts.osseva.io/tomcat:9.0.87-osseva-1-jdk11

docker run -d \
  --name tomcat \
  -p 8080:8080 \
  -v ./webapps:/usr/local/tomcat/webapps \
  artifacts.osseva.io/tomcat:9.0.87-osseva-1-jdk11
apt — install OSSeva Tomcatbash
# Add OSSeva apt repository
curl -fsSL https://packages.osseva.io/gpg | sudo gpg --dearmor -o /usr/share/keyrings/osseva.gpg
echo "deb [signed-by=/usr/share/keyrings/osseva.gpg] https://packages.osseva.io/apt stable main" \
  | sudo tee /etc/apt/sources.list.d/osseva.list

sudo apt-get update
sudo apt-get install -y osseva-tomcat9=9.0.87-osseva-1

Migrate from Oracle WebLogic / IBM WebSphere

Teams migrating from Oracle WebLogic or IBM WebSphere to Apache Tomcat often land on 8.5.x or 9.0.x — and then discover those versions are EOL before their migration is complete. OSSeva provides CVE coverage for the Tomcat version you landed on while you complete the migration or plan the next upgrade.

Pricing model

OSSeva for Tomcat is priced per application server — not per core or per deployment. Contact for scoping.

Start migration scoping

Compliance library

📄SOC 2 compliance evidence package
Request →
📄Sample Audit Narrative
Request →
📄Pen-Test Report Summary
Request →
📄HIPAA Technical Safeguard Matrix
Request →

Frequently asked questions

Which versions of RabbitMQ are past community end-of-life?

RabbitMQ 3.8.x, 3.9.x, 3.10.x, 3.11.x, and 3.12.x have all reached community EOL — meaning no further security patches or CVE fixes are released by the RabbitMQ maintainers for those versions. RabbitMQ 3.13.x reached EOL in late 2024. OSSeva delivers backported CVE patches for 3.11 through 3.13.

Which PostgreSQL versions are no longer receiving community security patches?

PostgreSQL 9.6 through 13 have all reached community EOL. PostgreSQL 11 reached EOL November 2023, PostgreSQL 12 reached EOL November 2024, and PostgreSQL 13 reaches EOL November 2025. OSSeva provides extended security patching for PostgreSQL 11, 12, and 13 for teams that cannot immediately migrate to PG 14 or later.

Is Spring Framework 5.3.x still supported?

Spring Framework 5.3.x reached its community OSS EOL on December 31, 2024. Broadcom's commercial support for Spring 5.3.x is also no longer available under standard terms. OSSeva delivers backported CVE patches for Spring Framework 5.3.x and Spring Boot 2.7.x under our extended lifecycle support program.

Which versions of Apache Kafka are EOL?

Apache Kafka versions 2.x and 3.0 through 3.4 are past their community supported window, meaning no further patch releases. Kafka 3.5 and 3.6 have reached or are approaching EOL. OSSeva supports Kafka 2.8 through 3.5 with backported security patches and compliance documentation.

What happened to Redis licensing? Can I still use Redis for free?

In March 2024, Redis Ltd. changed the Redis license from BSD-3-Clause to the Business Source License (BSL 1.1), which restricts use in competing database products. The Valkey project (a Linux Foundation fork) continues under BSD-3-Clause. OSSeva maintains BSD-licensed, CVE-patched builds of Redis 6.2 and 7.0 for enterprises that need verifiable open-source licensing alongside security coverage.

Is Node.js 18 still receiving security patches?

Node.js 18 (LTS 'Hydrogen') reached its end-of-life date in April 2025 and no longer receives security releases from the Node.js project. OSSeva delivers CVE patches for Node.js 18 for enterprise teams that have not yet migrated to Node.js 20 or 22.

Is Apache Tomcat 8.5 still supported?

Apache Tomcat 8.5 reached its community EOL in March 2024. OSSeva provides extended security patching for Tomcat 8.5.x for teams running Java EE 7 workloads that cannot immediately migrate to Tomcat 9.0 or 10.1.

What .NET versions does OSSeva support?

.NET 6 reached Microsoft end-of-support in November 2024. .NET 7 reached EOL in May 2024. OSSeva delivers CVE patches for .NET 6 and .NET 7 for teams that have not yet migrated to .NET 8 (LTS, supported through November 2026).

Ready to get Apache Tomcat patched and supported?

Start with a 45-minute discovery call. We confirm your version coverage, scope the engagement, and have you onboarded within your first quarter.

Book Apache Tomcat Discovery