We use the Jira Server version LTS 8.20.1 and Apache Tomcat/8.5.65 is installed here. Our security department would like at least version Apache Tomcat/8.5.72
You could rip out the installed version of Tomcat and replace it with another, but there is no way anyone would recommend that.
If nothing else, you are instantly unsupported. Any problems you might have could easily just get "go back to a supported installation and try it again" responses. On top of that, yes, I've seen Jira systems fail when people have changed the Tomcat under it, more than once, so it's not a low-risk thing to do. It's also complex, long-winded, can break any upgrade from working, and you absolutely need to test it thoroughly, so it's a LOT of expensive work that you're quickly going to want to throw away.
I recommend you wait for the next release of Jira and tell your security department to absrb all the costs and risks of a project to do this.
Also, being unsupported is a much bigger security and compliance risk than whatever your security department are thinking the risks of that Tomcat version are.
Currently supported platform doc says Apache Tomcat V8.5.65 as supported one. Usually Jira Application installer is bundled with that version only, hence upgrading to some other version would not be recommended. Better solution is reach out to Atlassian Support Team and ask this question.
Hi, Jira users! Do you use Jira alongside Microsoft Teams? We want to hear how you’ve used the power of Jira Cloud and Microsoft Teams (via the Jira Cloud for Microsoft Teams app) to achieve a team...
Connect with like-minded Atlassian users at free events near you!Find an event
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no Community Events near you at the moment.Host an event
You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events