Apache Tomcat CVE-2025-31650: The “Tomcat Killer” HTTP/2 Vulnerability

A newly published proof-of-concept (PoC) exploit for Apache Tomcat CVE-2025-31650 has turned a previously known Apache Tomcat vulnerability into an active security threat. The flaw affects how Apache Tomcat handles HTTP/2 requests, allowing unauthenticated attackers to exhaust server memory and trigger denial-of-service (DoS) conditions. Apache Tomcat CVE-2025-31650 is rapidly gaining attention from attackers because of its low exploitation barrier and high impact across multiple Tomcat versions. Warning: If you're running Tomcat 8.5.x, 9.0.76–102, 10.1.10–10.1.39, or 11.0.0–11.0.5, your systems are vulnerable. This issue has been monitored since late April, but the public release…

Understanding End-of-Life (EOL) Products

If you’re a developer or manager, you’ve likely faced the challenge of maintaining legacy systems. You know the delicate balance between keeping your software running, finding the resources for costly upgrades, and managing the expense of growing your team to support emerging issues. When a product like Apache Tomcat, TomEE, or ActiveMQ reaches its End-of-Life (EOL), it stops receiving critical updates and patches from the open source community. This leaves your systems exposed to security breaches and compliance issues, a nightmare for developers maintaining these systems and for managers responsible for avoiding business risks. Key Risks of Running…

Overview of CVE-2024-50379 and CVE-2024-56337 in Tomcat and TomEE

You may have noticed a couple of new CVEs in Tomcat recently: CVE-2024-50379 and CVE-2024-56337. This vulnerability is rated as “important” and could lead to remote code execution (RCE) if exploited. As TomEE is built on Tomcat, this will also be an issue for TomEE users. Let’s take a closer look so you can understand the impact and check whether your Tomcat/TomEE configuration may be affected.

Detailed Analysis of the Vulnerability and Its Impact

From the CVE description: “If the default servlet is write enabled (readonly initialisation parameter set to…
This blog post gives some pointers for addressing the challenge of the switch from the `javax` to the `jakarta` namespace. This is one of the biggest changes in Java in the last 20 years. No doubt. The entire ecosystem is affected: not only Java EE or Jakarta EE application servers, but also libraries of every kind (Jackson, CXF, Hibernate, and Spring, to name a few). For instance, it took Apache TomEE about a year to convert all of its source code and dependencies to the new `jakarta` namespace. This post is written from the user's perspective, because the shift from…
Last year, we announced Apache TomEE as a certified Jakarta EE 9.1 server (see blog post). The season favors gifts and good news, so I thought I would write this small post about our journey to becoming MicroProfile 5.0 certified. A while back, Apache TomEE started implementing MicroProfile. At that time, we were contributing to the Apache Geronimo implementations of various specifications: config, openapi, opentracing, metrics, health and fault-tolerance. We had our own JWT implementation, with integration features beyond what the MicroProfile JWT specification supports. Back then, we were passing the TCK for MicroProfile 2.1, released October…
Introduction

If you’ve been following tech news over the last couple of days, you’ll very likely have heard about CVE-2021-44228, or “Log4Shell” as it has become known. This particular vulnerability affects Apache Log4j 2, a Java logging framework. Tomcat, TomEE, and ActiveMQ themselves do not ship with log4j2, so when run out of the box with their default configuration they are not vulnerable to this issue. However, before you breathe a sigh of relief, you should be aware that applications deployed on either TomEE or Tomcat can bundle additional Java libraries. Any jar file included in a web application’s WEB-INF/lib directory will be…
Tomitribe is part of the expert group for the upcoming JMS 3.0 and provides ActiveMQ and Apache TomEE enterprise support for many organizations. This article demonstrates configuring Tibco EMS in TomEE. For generic guidelines on deploying alternative JMS providers, please see the official TomEE documentation on Changing JMS Implementations. JMS providers are generally packaged as Java Connector Architecture (JCA) Resource Adapter Archive (RAR) files, and both outbound (for sending messages to the broker) and inbound (for receiving messages via Message Driven Beans (MDBs)) connectors are provided. JCA RAR files are designed to be portable, and any portable RAR file should…

In the previous post, we saw how to use the built-in ‘tomcat-users.xml’ identity store with Apache TomEE. This identity store is inherited from Tomcat and integrated into the Jakarta Security implementation in TomEE; it is usually good enough for development or simple deployments, but may be too simple or restrictive for production environments. This post focuses on how to implement your own identity store. TomEE can also use LDAP or JDBC identity stores out of the box; we will try those out next time. Let’s say you have your own file store or your own data store, such as an in-memory data…

While working on Jakarta EE 10 certification (see the announcement Apache TomEE Jakarta EE certified after 10 years), Apache TomEE implemented the Jakarta Security specification. Currently, there is only one implementation of Jakarta Security, the one used in GlassFish, and it is used by all the other vendors. In TomEE, we decided to create an alternative to bring some diversity and to have an Apache implementation.

What is Jakarta Security?

Jakarta Security defines a standard for creating secure Jakarta EE applications in modern application paradigms. It defines an overarching (end-user targeted) Security API for Jakarta EE applications. Jakarta Security builds on the lower-level Security SPIs defined…

We are extremely excited to spread the word that Apache TomEE 9.0.0-M7 has reached Jakarta EE 9.1 Web Profile certification. Speaking with our Apache-contributor hats on, this is not just our first certification in 10 years; we are doubly proud that Apache TomEE is on the list of certified servers on the day of the Jakarta EE release. Moreover, after 3 years of behind-the-scenes work, we're very excited that the Apache Software Foundation has joined the Jakarta EE Working Group as a Guest Member. And finally, not to be overlooked, the Apache TomEE project has a fresh new website: https://tomee.apache.org/ As…