Tomcat 9 End of Life (EOL) is scheduled for March 31, 2027. After that date, the Apache Tomcat project will no longer provide security patches, bug fixes, or vulnerability remediation for Tomcat 9.

Organizations running production workloads on Tomcat 9 should begin planning now for how they will maintain security and compliance after community support ends. Organizations evaluating their options can learn more about Tomcat 9 Enterprise Support.

For many organizations, the challenge is not understanding that Tomcat 9 is approaching End of Life. The challenge is determining the right path forward while maintaining security and minimizing operational risk.

Upgrading to Tomcat 10.1 or Tomcat 11 may be the long-term objective, but it is not always a simple version upgrade. Many environments must address the transition from the legacy javax namespace to jakarta, along with the planning, testing, and validation required for production deployments.

The following sections compare the available options and explain the technical considerations behind each approach.

Executive Summary

  • Apache Tomcat 9.0.x reaches End of Life on March 31, 2027.
  • After EOL, the Apache Tomcat project will no longer provide security patches, bug fixes, or vulnerability remediation for Tomcat 9.
  • Organizations running Tomcat 9 should begin planning their migration or support strategy well before the deadline.
  • For most enterprises, the decision is whether to migrate to a supported Tomcat release or secure enterprise support while planning modernization efforts.
  • Migrating from Tomcat 9 to Tomcat 10.1 or Tomcat 11 often requires addressing the transition from javax to jakarta.
  • Enterprise support can provide continued security maintenance while organizations execute a planned modernization strategy.

When Does Tomcat 9 Reach End of Life?

Apache Tomcat 9.0.x reaches End of Life on March 31, 2027.

After this date, the Apache Tomcat project will stop providing:

  • Security patches
  • CVE remediation
  • Bug fixes
  • Maintenance releases

Organizations still running Tomcat 9 after EOL should have a plan in place to address future vulnerabilities and ongoing support requirements.

Organizations evaluating long-term support options should also review Tomitribe’s Lifecycle Policy to better understand support coverage and lifecycle planning.

What Happens When Tomcat 9 Reaches End of Life?

Once community support ends, organizations no longer receive:

  • Security fixes
  • Vulnerability remediation
  • Bug fixes
  • Maintenance releases

Security Risks of Running Unsupported Tomcat

Unsupported software becomes increasingly vulnerable over time as newly discovered vulnerabilities remain unpatched. Organizations operating internet-facing applications may face heightened security exposure and increased risk from future CVEs.

Compliance Risks After Tomcat 9 EOL

Many regulatory frameworks and security standards require supported software in production environments. Running unsupported middleware can create compliance challenges during audits and security reviews.

Operational Risks of Delaying a Strategy

Without a clear upgrade or support plan, organizations may be forced into emergency remediation projects when new vulnerabilities emerge, creating unplanned costs and disruption.

Comparing Your Options

Option Security Updates Migration Effort Best For
Continue running Tomcat 9 after EOL No None Short-term operation only
Upgrade to Tomcat 10.1 or Tomcat 11 Yes High Organizations ready to modernize
Obtain Enterprise Support for Tomcat 9 Yes Low Organizations that need security coverage while planning upgrades

The right path depends on your application architecture, compliance requirements, available engineering resources, and migration timeline.

For most organizations, the decision ultimately comes down to either upgrading to a supported Tomcat release or securing enterprise support while preparing for migration.

Upgrade Tomcat 9 or Enterprise Support?

Organizations approaching the Tomcat 9 End of Life deadline generally face two strategic choices.

Option 1: Upgrade to Tomcat 10.1 or Tomcat 11

Upgrading provides access to an actively maintained platform and the latest improvements across the Tomcat ecosystem.

However, many teams discover that migration requires more than simply replacing binaries. The move from javax to jakarta often requires:

  • Application updates
  • Dependency reviews
  • Testing cycles
  • Validation efforts
  • Deployment planning

For some organizations, this work is straightforward. For others, it may require a significant modernization project involving multiple teams and extended testing cycles.

Organizations that are ready to modernize may benefit from moving directly to a supported Tomcat release and beginning their Jakarta migration journey sooner rather than later.

Option 2: Obtain Enterprise Support for Tomcat 9

Enterprise Support allows organizations to continue operating on their existing platform while receiving ongoing security maintenance and vulnerability remediation.

Rather than forcing migration work into a compressed timeline, teams can plan upgrades around business priorities, release schedules, and available engineering resources.

For organizations with large application portfolios, strict compliance requirements, or limited migration capacity, Enterprise support can significantly reduce operational risk while maintaining security coverage.

Why Many Organizations Obtain Enterprise Support

Instead of accelerating a complex migration project, many organizations choose commercial support for Tomcat 9.0 to maintain security while planning modernization on their own schedule.

Benefits of Enterprise Tomcat 9 Support

Commercial support can provide:

  • Active CVE monitoring
  • Security patch delivery
  • Vulnerability remediation guidance
  • Technical assistance from Tomcat experts

Avoiding a Rushed Jakarta Migration

Enterprise support provides the time needed to properly plan application modernization. Teams can approach the javax to jakarta transition as a structured initiative rather than a deadline-driven project.

This allows organizations to prioritize application quality, testing, and business continuity instead of rushing changes to meet an external deadline.

Access to Apache Tomcat Expertise

Organizations often select support providers with deep Apache Tomcat expertise, particularly when maintaining critical production systems beyond the community support lifecycle.

Organizations requiring assistance across multiple Tomcat versions can also explore Tomitribe’s Apache Tomcat support services.

Enterprise support is often the most practical option for organizations that need to maintain security and compliance while aligning modernization efforts with business priorities.

Tomcat 9 End of Life FAQ


Is Tomcat 9 Still Supported?

Yes. Apache Tomcat 9.0.x remains community-supported until March 31, 2027.


What Happens After Tomcat 9 Reaches End of Life?

The Apache Tomcat project will stop providing security patches, bug fixes, maintenance releases, and vulnerability remediation for Tomcat 9.

Community support timelines are maintained by the Apache Tomcat project on the Apache Tomcat Which Version page.


Can I Continue Running Tomcat 9 After EOL?

Yes, but organizations should carefully consider the security, compliance, and operational risks associated with running unsupported software.


What Are My Options When Tomcat 9 Reaches End of Life?

Organizations running Tomcat 9 generally have three practical options:

  1. Continue running Tomcat 9 without support.
  2. Upgrade to Tomcat 10.1 or Tomcat 11.
  3. Obtain commercial support for Tomcat 9.

Most organizations ultimately choose either to modernize to a supported release or secure enterprise support while preparing for migration.


How Can I Receive Tomcat 9 Security Patches After 2027?

Commercial support providers can continue delivering security updates, CVE remediation, technical assistance, and lifecycle support after community support ends.

Tomitribe’s Tomcat 9 support offering provides continued support coverage for organizations that need additional time before migrating.


Are Support Agreements Available With SLAs?

Yes. Organizations requiring defined response times and support commitments can review Tomitribe’s Support Guidelines for details regarding support coverage and service expectations.


Summary

As the Tomcat 9 End of Life date approaches, organizations must balance security, compliance, operational risk, and migration effort.

Organizations approaching the Tomcat 9 End of Life deadline typically face an important decision: migrate to a supported Tomcat release or secure enterprise support while planning modernization.

Both approaches can maintain security and compliance. The right choice depends on application complexity, migration timelines, resource availability, and business priorities.

For organizations that are not ready to complete a Jakarta migration before March 2027, enterprise support can provide continued security coverage, ongoing vulnerability remediation, and access to Tomcat expertise while modernization efforts proceed on a realistic timeline.

Tomitribe provides Apache Tomcat support, including Tomcat 9 Enterprise Support, ongoing CVE remediation, security patch delivery, and migration guidance for organizations that need additional time to modernize their applications. Tomitribe’s team includes contributors to Apache open-source projects and has extensive experience helping organizations maintain secure Tomcat deployments while planning long-term upgrade strategies.

Don’t Wait Until Tomcat 9 Reaches
End of Life

March 31, 2027 is closer than you think. Stay secure with enterprise support while you plan your upgrade.

Tomitribe provides:

  • Enterprise support for Tomcat 9 with active CVE monitoring and patch delivery
  • Guided javax-to-jakarta migration planning
  • Direct access to Apache Tomcat contributors and experts


Get Tomcat 9 Enterprise Support

David Heffelfinger

David Heffelfinger

David R. Heffelfinger is an independent consultant based in the Washington D.C. area. He is a Java Champion and Apache NetBeans PMC member. He has written several books on Jakarta EE, Java EE, NetBeans, and JasperReports, and is a frequent speaker at Java conferences.
ensode

Leave a Reply