> On Oct 13, 2023, at 1:23 PM, Hamilton, Eric J [US] (DS) <eric.hamil...@ngc.com> wrote:
>
> Privately, I have devised a process to overlay new Tomcat 9 releases overtop
> TomEE 8 in order to deploy my server updates faster than the TomEE release
> cadence. So that should continue to serve me well past end of life. My gap
> is with those additional TomEE dependent libraries which I haven't been
> following as closely.
Definitely, Tomcat vulnerabilities make up a good percentage of the vulnerabilities in TomEE, but just be careful, as that only addresses about 14% of the jars (measured by MB). The other 72MB of jars in a TomEE 8 Plume dist do create a decent amount of work to monitor and patch. Some of them are already discontinued by their respective communities.

On possible releases after EOL, as Richard mentions, we don't ship releases with known CVEs in them, and that's really the issue. Tomcat 9 is still getting maintained, but that other 72MB is aging very quickly. Someone would need to do the patching for all the CVEs for any release to come out after EOL. So far no one is willing to do that.

-David
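One way to measure the gap David describes for your own install, i.e. how much of a TomEE lib/ directory (by bytes) a Tomcat overlay would actually replace and which jars it leaves untouched. This is an added example, not code from this thread or from the TomEE project; the jar names and sizes in build_demo are constructed, and the version-suffix stripping in artifact_id is a heuristic assumption, not TomEE's naming rule.

```python
import os
import re
import tempfile

# Heuristic (assumption): strip a trailing "-<version>" so that
# "openejb-core-8.0.15.jar" and "catalina.jar" both reduce to an artifact id.
_VERSION_SUFFIX = re.compile(r"-\d[\w.\-]*?(?=\.jar$)")


def artifact_id(jar_name):
    """'openejb-core-8.0.15.jar' -> 'openejb-core', 'catalina.jar' -> 'catalina'."""
    return _VERSION_SUFFIX.sub("", jar_name)[:-4]


def jar_sizes(lib_dir):
    """Map each *.jar in lib_dir to its size in bytes."""
    return {name: os.path.getsize(os.path.join(lib_dir, name))
            for name in os.listdir(lib_dir) if name.endswith(".jar")}


def overlay_coverage(tomcat_lib, tomee_lib):
    """Share of the TomEE lib (by bytes) that jars from the Tomcat lib would replace."""
    overlay_ids = {artifact_id(n) for n in jar_sizes(tomcat_lib)}
    tomee = jar_sizes(tomee_lib)
    covered = {n: s for n, s in tomee.items() if artifact_id(n) in overlay_ids}
    uncovered = {n: s for n, s in tomee.items() if n not in covered}
    total = sum(tomee.values()) or 1  # avoid division by zero on an empty dir
    return {"covered_fraction": sum(covered.values()) / total,
            "uncovered_bytes": sum(uncovered.values()),
            "uncovered": sorted(uncovered)}  # these still need separate CVE tracking


def build_demo():
    """Constructed sample dists (not real inventories); sizes are made-up byte counts."""
    root = tempfile.mkdtemp()
    tomcat_lib = os.path.join(root, "tomcat", "lib")
    tomee_lib = os.path.join(root, "tomee", "lib")
    fake = {
        tomcat_lib: {"catalina.jar": 3, "tomcat-coyote.jar": 2, "ecj-4.20.jar": 1},
        tomee_lib: {"catalina.jar": 3, "tomcat-coyote.jar": 2, "ecj-4.6.3.jar": 1,
                    "openejb-core-8.0.15.jar": 20, "cxf-core-3.3.6.jar": 10,
                    "tomee-catalina-8.0.15.jar": 4},
    }
    for d, jars in fake.items():
        os.makedirs(d)
        for name, size in jars.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"\0" * size)
    return tomcat_lib, tomee_lib


if __name__ == "__main__":
    print(overlay_coverage(*build_demo()))
```

Point it at a real Tomcat 9 lib/ and TomEE 8 lib/ to get the actual uncovered list; note it also flags TomEE's own tomee-* jars, which the overlay does not touch either.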