I will check on the state of these CVEs with respect to the backports, and
reply on this thread.

One comment I'll make though, is that NexusIQ (I also use it) will
potentially still identify the jars as Tomcat 10.0.27, and therefore may
still identify them as vulnerable (incorrectly), despite a patch being
applied.

While I understand the frustration that may cause both yourself and your
customers, please understand that both Tomcat and TomEE are community
projects, and everyone contributing is doing so as a volunteer.

Richard has already outlined why we can't move to Tomcat 10.1.x on TomEE
9.x. TomEE 10.x is in progress. Any contributions you wanted to make would
be most welcome.

Jon

On Mon, Nov 13, 2023 at 1:29 PM COURTAULT Francois
<francois.courta...@thalesgroup.com.invalid> wrote:

> THALES GROUP LIMITED DISTRIBUTION to email recipients
>
> Hello Richard,
>
> I performed a vulnerabilities scan using NexusIQ; the results are:
>     - CVE-2022-45143 (CVSS 3 scoring 7.5) on tomcat-catalina : 10.0.27
>     - CVE-2023-24998 (CVSS 3 scoring 7.5) on tomcat-coyote : 10.0.27
>
> Some of our customers won't accept that ☹
>
> BTW, I also scanned Tomcat 10.1.15 with the same tool and I no longer get
> such CVSS 3 scores.
> So will you start TomEE 10.x at some point?
>
> Best Regards.
>
> -----Original Message-----
> From: Richard Zowalla <r...@apache.org>
> Sent: Monday, 13 November 2023 12:53
> To: users@tomee.apache.org
> Subject: Re: TomEE 9.x relies on Tomcat 10.0.27 but this one is quite old
> ...
>
> Hi,
>
> The Tomcat 10.0.27 contained in TomEE 9.1.x is patched inside the TomEE
> build to fix the latest CVEs. We did not backport bug fixes, though.
>
> As TomEE 9 targets EE9(.1), we cannot upgrade to Tomcat 10.1.x, which is
> EE10. So from a spec perspective, there is currently no plan to migrate
> TomEE 9.x to Tomcat 10.1.x (without breaking the tck).
>
> Regards,
> Richard
>
>
> On Monday, 13.11.2023 at 11:30 +0000, COURTAULT Francois wrote:
> >
> > Hello everyone,
> >
> > According to this link
> > https://tomcat.apache.org/tomcat-10.0-eol.html  Tomcat 10.0.x is EOL,
> > right?
> > But TomEE 9.1.1 still relies on Tomcat 10.0.x.
> >
> > Any plan to migrate TomEE 9.x to Tomcat 10.1.x?
> >
> > Best Regards.
> >