Skip to main content
Category

Tomcat

Aug 25
Love0
Open Source Lifecycle guide zero-day vulnerabilities

The Open Source Lifecycle Survival Guide

By ActiveMQ, CVEs, Open Source, Security, Tomcat, TomEE No Comments
The Open Source Lifecycle Survival Guide Recent high-profile data breaches have critically exposed a significant vulnerability in many corporations' digital infrastructure: unpatched open source software. Though seemingly innocuous and widely used, these freely available codebases can become catastrophic entry points for malicious actors when known security flaws remain unaddressed. The cases of Equifax, the widespread Log4j crisis, and the infamous Heartbleed bug serve as stark reminders of the potential consequences of using unsupported open source software. Is your company next? What You’ll Learn in This Guide: The reality of open source lifecycles The overlooked legal liability The hidden cost of…
Read More
Jul 28
Love0

Apache Tomcat CVE-2025-31650: The “Tomcat Killer” HTTP/2 Vulnerability

By CVEs, Tomcat, TomEE No Comments
Apache Tomcat CVE-2025-31650: The “Tomcat Killer” HTTP/2 Vulnerability A newly published proof-of-concept (PoC) exploit for Apache Tomcat CVE-2025-31650 has transformed a previously known Apache Tomcat vulnerability into an active security threat. The flaw impacts how Apache Tomcat handles HTTP/2 requests, enabling unauthenticated attackers to exhaust server memory and trigger denial-of-service (DoS) conditions. Apache Tomcat CVE-2025-31650 is rapidly gaining attention from attackers due to its low exploitation barrier and high impact across multiple Tomcat versions. Warning: If you're running Tomcat 8.5.x, 9.0.76–102, 10.1.10–10.1.39, or 11.0.0–11.0.5, your systems are vulnerable. This issue has been monitored since late April, but the public release…
Read More
Feb 06
Love0

The Hidden Risk of Running End-of-Life Apache Tomcat, TomEE, and ActiveMQ

By Security, ActiveMQ, CVEs, Tomcat, TomEE No Comments
Understanding End-of-Life (EOL) Products If you’re a developer or manager, you’ve likely faced the challenge of maintaining legacy systems.  You know the delicate balance between keeping your software running, finding the resources for costly upgrades, and managing the expense of growing your team to support emerging issues. When a product like Apache Tomcat, TomEE, or ActiveMQ reaches its End-of-Life (EOL), it stops receiving critical updates and patches from the Open Source Community. This leaves your systems vulnerable to security breaches and compliance issues—a nightmare for developers maintaining these systems and managers responsible for avoiding business risks. Key Risks of Running…
Read More
Jan 08
Love0

Protect Your Tomcat & TomEE: Insights into CVE-2024-50379 & CVE-2024-56337 Vulnerabilities

By CVEs, Security, Tomcat, TomEE No Comments
Overview of CVE-2024-50379 and CVE-2024-56337 in Tomcat and TomEE You may have noticed a couple of new CVEs in Tomcat recently - CVE-2024-50379 and CVE-2024-56337. This vulnerability is rated as “important”, and could lead to remote code execution (RCE), if exploited. As TomEE is built using Tomcat, this will also be an issue for TomEE users. Let’s take a closer look so you can understand the impact and check whether your Tomcat/TomEE configuration may be affected. Detailed Analysis of the Vulnerability and Its Impact From the CVE description:  “If the default servlet is write enabled (readonly initialisation parameter set to…
Read More
Oct 12
Love0

Moving from javax to jakarta namespace

By Java EE, ActiveMQ, Apache TomEE, Jakarta EE, MicroProfile, Open Source, Tomcat, TomEE One Comment
This blog aims at giving some pointers in order to address the challenge related to the switch from `javax` to `jakarta` namespace. This is one of the biggest changes in Java of the latest 20 years. No doubt. The entire ecosystem is impacted. Not only Java EE or Jakarta EE Application servers, but also libraries of any kind (Jackson, CXF, Hibernate, Spring to name a few). For instance, it took Apache TomEE about a year to convert all the source code and dependencies to the new `jakarta` namespace. This blog is written from the user perspective, because the shift from…
Read More
Dec 13
Love0

CVE-2021-44228 – Log4Shell Vulnerability

By CVEs, Tomcat, TomEE No Comments
Introduction If you’ve been following tech news over the last couple of days, you’ll very likely have heard about CVE-2021-44228, or “Log4Shell” as it has become known. This particular vulnerability affects Apache Log4J2, a Java logging framework. Tomcat, TomEE, and ActiveMQ themselves do not ship with log4j2, so running out-of-the-box with their default configuration they are not vulnerable to this issue. However, before you breathe a sigh of relief, you should be aware that applications deployed on either TomEE or Tomcat can include additional Java libraries bundled inside. Any jar file included in a web application’s WEB-INF/lib directory will be…
Read More
Aug 31
Love7

Using Tomcat’s `tomcat-users.xml` with Jakarta Security in TomEE

By Tomcat, Jakarta EE, TomEE No Comments
While working on Jakarta EE 10 certification (See announcement Apache Tomee Jakarta EE certified after 10 years, Apache TomEE implemented Jakarta Security specification.  Currently, there is only one implementation used in Glassfish and used by all the other vendors for Jakarta Security. In TomEE, we decided to create an alternative to bring some diversity, and have an Apache implementation. What is Jakarta Security? Jakarta Security defines a standard for creating secure Jakarta EE applications in modern application paradigms. It defines an overarching (end-user targeted) Security API for Jakarta EE Applications. Jakarta Security builds on the lower level Security SPIs defined…
Read More
Jul 15
Love7

Understanding Jakarta Security with TomEE

By Apache TomEE, Jakarta EE, Tomcat 2 Comments
There are many blogs explaining how to get Jakarta Security on Tomcat using all sorts of libraries and wiring everything manually. So many opportunities to get it wrong, if you are evaluating or currently using Apache TomEE. In TomEE, the good news is that, like JAX-RS, CDI or Bean Validation, Jakarta Security is out of the box ready to be used like Servlet, and CDI for example. This blog is a high-level view so you have the big picture of the technologies and how they interact with each other in the security landscape. The goal is to be able to…
Read More
Dec 05
Love5

TomEE vs. Tomcat

By Community, Jakarta EE, Open Source, Tomcat, TomEE One Comment
Our support customers will sometimes ask, "What is the difference between Tomcat and TomEE," but that’s not really the right question. It’s like asking which is better “Omelets or Eggs” or “JSP or Servlets”. You can’t have the first one without the second. TomEE is Tomcat Plus It’s easier to think of TomEE as the same thing as Tomcat plus some bells and whistles, because TomEE is built on top of Tomcat. Specifically, TomEE 8 is the complete Tomcat 9 distribution plus Jakarta EE 8 (formerly Java EE 8) specific APIs. Tomcat is a powerful and hugely popular Java web…
Read More