We had expected that the Jira upgrade would result in a Tomcat upgrade but it did not.
How can we upgrade Tomcat or is there a plan to upgrade Tomcat in Jira in a future release? The 8.5.57 version of Tomcat has a number of vulnerabilities.
Hello Simon,
The Tomcat version that Jira uses is tied to the specific release of Jira. You would not be able to upgrade Tomcat independently of Jira; whatever version of Tomcat ships with the version of Jira you're using is the version of Tomcat that you'll be using. We've got a page here describing which version of Tomcat (and which JRE) is bundled with specific versions of Jira.
Tomcat 8.5.57 was released on July 5, 2020. In general, the Tomcat releases need to prove stable, and then some bake time is required as the releases of Jira are developed and built. The Preparing for Jira X.Y pages contain notices of Tomcat upgrades for developers to prepare - that's usually a good place to check if a Tomcat upgrade is happening for a not-yet-released version of Jira.
In terms of open vulnerabilities - unless I've searched incorrectly, I only see one at the time of this writing, which actually has to do with the bundling of Tomcat in OpenSUSE rather than something specific to Tomcat itself. Are you seeing something different you're concerned about?
Thanks,
Daniel | Atlassian Support