Introduction
Web applications remain the backbone of countless business operations. Behind many of these critical applications stands Apache Tomcat, one of the most widely deployed Java servlet containers powering enterprise applications worldwide. But what happens when your stable, well-tested Tomcat environment reaches its End-of-Life (EOL) date? Do you risk disruption with a potentially complex upgrade, or accept the growing security risks of running unsupported software?
We’re excited to announce TuxCare’s Endless Lifecycle Support (ELS) for Apache Tomcat – a comprehensive security maintenance service that allows organizations to maintain their Apache Tomcat 8.5 environments securely beyond the official EOL date, without the risks and challenges of forced upgrades.
Understanding Apache Tomcat’s Critical Role
Apache Tomcat serves as the implementation of the Java Servlet, JavaServer Pages, Java Expression Language, and WebSocket technologies, forming a vital part of many Java-based web application architectures. As a servlet container, Tomcat provides the environment in which Java code runs in response to web requests, handling everything from connection management to request processing.
In the Java ecosystem, Tomcat integrates seamlessly with:
- Java Enterprise Edition (Java EE) applications
- Spring Framework deployments
- Java-based microservices architectures
- Legacy enterprise applications that power critical business functions
- DevOps pipelines where consistent application behavior is paramount
For many organizations, Tomcat 8.5 represents a perfect balance of features, performance, and stability that their production systems rely upon daily.
The Upgrade Dilemma
While upgrading to newer versions like Tomcat 9.x or 10.x might seem like the obvious choice when facing EOL, the reality is far more complex. Based on our research and customer feedback, upgrading from Tomcat 8.5 presents numerous challenges:
- Breaking configuration changes requiring manual reviews and adjustments
- API changes and deprecations that can break existing applications
- The significant shift to Jakarta EE (especially in Tomcat 10.x) requiring code refactoring
- Third-party library compatibility issues with newer Tomcat versions
- Java version requirements that may force cascading upgrades
- Extensive testing and validation requirements
- Potential downtime during migration
- Custom module and plugin incompatibilities
These factors make upgrading a resource-intensive project with significant business risk. For many organizations, particularly those with stable, mission-critical applications, “if it’s not broken, don’t fix it” remains a prudent approach – except when it comes to the critical issue of ongoing security vulnerabilities.
Introducing ELS for Apache Tomcat
TuxCare’s ELS for Apache Tomcat addresses this exact challenge by providing continued security maintenance for Tomcat 8.5 environments beyond their official EOL date. Our service delivers:
- Security-patched Tomcat packages
- Protection against new CVEs discovered after EOL
- Backported fixes from newer Tomcat versions
- Custom security patches developed by TuxCare’s security team
- Minimal disruption with no need for application changes
- Regular security updates that maintain your security posture
Comprehensive Coverage
Our ELS for Apache Tomcat covers the core components that matter most:
- Catalina – The servlet container that processes Java servlets and JSP pages
- Coyote – The HTTP connector handling incoming connections
- Jasper – The JSP engine that compiles JSP into Java servlets
- Cluster – Components enabling session replication across multiple Tomcat instances
We’re also evaluating additional components based on customer needs:
- APR (Apache Portable Runtime) native library
- Web Applications (examples, manager, host-manager)
- Connectors for other protocols (AJP, etc.)
Do these components matter in your environment? We’d love to hear from you to prioritize our development roadmap. Reach out here.
Real Security Protection: Recent CVEs We Cover
To illustrate the real-world value of ELS for Apache Tomcat, here are some critical vulnerabilities our service protects against immediately:
Catalina (Servlet Container)
- CVE-2016-0763: Affected Tomcat 8.5.0–8.5.3 — Security bypass vulnerability through misconfigured JSP Servlet parameters
- CVE-2016-8735: Affected Tomcat 8.5.0–8.5.6 — Allowed malicious JSP uploads via HTTP PUT
- CVE-2017-12617: Affected Tomcat 8.5.0–8.5.23 on Windows — Remote Code Execution vulnerability
Coyote (HTTP Connector)
- CVE-2020-13943: Affected Tomcat 8.5.0–8.5.58 — HTTP/2 handling vulnerability causing incorrect responses
- CVE-2022-42252: Affected Tomcat 8.5.0–8.5.83 — Request smuggling vulnerability
Jasper (JSP Engine)
- CVE-2018-1336: Affected Tomcat 8.5.0–8.5.31 — UTF-8 decoding vulnerability leading to potential DoS
- CVE-2018-8034: Affected Tomcat 8.5.0–8.5.31 — Deserialization vulnerability
AJP Connector
- CVE-2020-1938 “Ghostcat”: Affected Tomcat 8.5.0–8.5.50 — One of the most severe vulnerabilities allowing file exposure and potential RCE
HTTP/2 Support
- CVE-2020-11996: Affected Tomcat 8.5.17–8.5.55 — DoS vulnerability through specially crafted HTTP/2 requests
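As an added example (not TuxCare's code), the following Python check takes a Tomcat version string, such as the one printed by Tomcat's ServerInfo, and reports which of the CVEs listed above apply, using the version ranges exactly as stated in this post; the Windows qualifier on CVE-2017-12617 is honoured as written here.

```python
"""Exposure check against the CVE version ranges listed in this post.
Added example, not TuxCare's tooling; ranges are copied from the post as stated."""
import re

# (CVE id, component, first affected, last affected, platform note) as stated above
COVERED_CVES = [
    ("CVE-2016-0763", "Catalina", "8.5.0", "8.5.3", None),
    ("CVE-2016-8735", "Catalina", "8.5.0", "8.5.6", None),
    ("CVE-2017-12617", "Catalina", "8.5.0", "8.5.23", "windows"),
    ("CVE-2020-13943", "Coyote", "8.5.0", "8.5.58", None),
    ("CVE-2022-42252", "Coyote", "8.5.0", "8.5.83", None),
    ("CVE-2018-1336", "Jasper", "8.5.0", "8.5.31", None),
    ("CVE-2018-8034", "Jasper", "8.5.0", "8.5.31", None),
    ("CVE-2020-1938", "AJP", "8.5.0", "8.5.50", None),
    ("CVE-2020-11996", "HTTP/2", "8.5.17", "8.5.55", None),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a numeric (major, minor, patch) tuple from strings such as
    'Apache Tomcat/8.5.23' or '8.5.40'; raises ValueError if none is present."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def applicable_cves(version_text, platform="linux"):
    """Return (CVE id, component) pairs whose stated range includes this version.
    Entries carrying a platform note are reported only when the platform matches."""
    ver = parse_version(version_text)
    hits = []
    for cve, component, first, last, plat in COVERED_CVES:
        if plat is not None and plat != platform.lower():
            continue
        if parse_version(first) <= ver <= parse_version(last):
            hits.append((cve, component))
    return hits


if __name__ == "__main__":
    # Constructed sample input in the format Tomcat's ServerInfo prints
    for cve, component in applicable_cves("Apache Tomcat/8.5.23", platform="windows"):
        print(f"{cve} ({component}) applies to this version")
```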
When ELS Makes Business Sense
Our ELS for Apache Tomcat service is particularly valuable for organizations that:
- Run critical applications on Tomcat 8.5 that are stable and well-tested
- Face significant costs or risks in upgrading to newer Tomcat versions
- Need to maintain security compliance while postponing major upgrades
- Have complex application architectures where Tomcat is deeply integrated
- Operate in regulated industries with strict change management requirements
- Maintain legacy applications with limited development resources
Implementation and Deployment
Implementing ELS for Apache Tomcat is straightforward:
- Subscribe to the service based on your environment size
- Replace your existing Tomcat packages with our security-maintained versions
- Receive security updates through our standard repository
- Deploy updates using your existing patch management processes
There’s no need for application changes, recompilation, or extensive testing – our patches focus exclusively on security vulnerabilities while maintaining full compatibility with your existing environment.
Security Without Compromise
With TuxCare’s ELS for Apache Tomcat, you can:
- Maintain security compliance without disruptive upgrades
- Reduce business risk by avoiding potentially breaking changes
- Extend the life of stable, mission-critical applications
- Gain time for proper planning of future migrations
- Optimize IT resources by focusing on business value rather than forced updates
Security and stability don’t have to be opposing forces. ELS for Apache Tomcat allows you to maintain both, giving you control over your upgrade timeline while ensuring your applications remain protected against emerging threats.
Ready to learn more about securing your Tomcat environment beyond EOL? Contact our team today for a consultation and discover how ELS for Apache Tomcat can support your security and business continuity needs.