If you’re running Apache Tomcat in production, you’ve probably wondered: “Is my current version still supported?” Today, we’ll provide a comprehensive overview of Apache Tomcat’s End of Support (EOS) dates across all versions and critical vulnerability information to help you maintain secure server operations.
1. Complete Apache Tomcat Version History and Current EOS Status
Apache Tomcat began in November 1998 as a servlet reference implementation by James Duncan Davidson at Sun Microsystems. Over 27 years of development, 11 major versions have been released, making it one of the most enduring open-source projects in the Java ecosystem.
Currently Supported Versions (September 2025)
✅ Actively Maintained Versions
- Tomcat 11.0.x (Latest: 11.0.11, September 1, 2025)
  - Jakarta EE 11 platform implementation
  - Servlet 6.1, JSP 4.0, EL 6.0 support
  - Minimum Java version: Java 17
- Tomcat 10.1.x (Latest: 10.1.44, September 1, 2025)
  - Jakarta EE 10 platform implementation
  - Servlet 6.0, JSP 3.1, EL 5.0 support
  - Minimum Java version: Java 11
- Tomcat 9.0.x (Latest: 9.0.109, September 1, 2025)
  - Java EE 8 platform implementation (final Java EE version)
  - Servlet 4.0, JSP 2.3, EL 3.0 support
  - Minimum Java version: Java 8
  - Extended Support: Planned 9.1.x branch for continued support beyond March 31, 2027
End-of-Life Versions – Exact EOS Dates
| Version | Release Period | End of Support | Key Features | Status |
|---|---|---|---|---|
| Tomcat 10.0.x | 2020 | October 31, 2022 | Jakarta EE 9 (javax → jakarta transition) | ❌ EOL |
| Tomcat 8.5.x | 2016 | March 31, 2024 | HTTP/2 support, Tomcat 9 feature backports | ❌ Recently EOL |
| Tomcat 8.0.x | 2014 | June 30, 2018 | Servlet 3.1, WebSocket 1.1 support | ❌ EOL |
| Tomcat 7.0.x | 2010 | March 31, 2021 | Servlet 3.0, JSP 2.2, memory leak prevention | ❌ EOL |
| Tomcat 6.0.x | 2006 | December 31, 2016 | Servlet 2.5, JSP 2.1 support | ❌ EOL |
| Tomcat 5.5.x | 2004 | September 30, 2012 | Performance optimization, stability improvements | ❌ EOL |
| Tomcat 5.0.x | 2003 | ~2008 (unofficial) | JMX support, JSP 2.0 implementation | ❌ EOL |
| Tomcat 4.1.x | 2002 | ~2008 (unofficial) | Enhanced Catalina architecture | ❌ EOL |
| Tomcat 4.0.x | 2001 | ~2007 (unofficial) | Complete new Catalina architecture | ❌ EOL |
| Tomcat 3.3.x | 2000 | ~2005 (unofficial) | Servlet 2.2, JSP 1.1 support | ❌ EOL |
| Tomcat 3.2.x | 1999 | ~2004 (unofficial) | Early production version | ❌ EOL |
Note: Versions 3.x through 5.0.x did not have formal EOS announcements; support naturally ended with subsequent major releases.
2. Critical Vulnerability Information – CVE-2025-24813 Emergency Response
The most significant Apache Tomcat vulnerability in 2025 is CVE-2025-24813, which has prompted emergency responses from security administrators worldwide due to its remote code execution potential.
CVE-2025-24813 Complete Analysis
Vulnerability Overview
- CVE ID: CVE-2025-24813
- Disclosure Date: March 10, 2025
- Severity: Important – but high priority due to RCE potential
- Attack Vector: Unauthenticated remote code execution
Affected Versions and Patches
| Affected Versions | Patched Version | Upgrade Recommendation |
|---|---|---|
| Tomcat 11.0.0-M1 ~ 11.0.2 | 11.0.3 or later | Immediate upgrade |
| Tomcat 10.1.0-M1 ~ 10.1.34 | 10.1.35 or later | Immediate upgrade |
| Tomcat 9.0.0.M1 ~ 9.0.98 | 9.0.99 or later | Immediate upgrade |
| Tomcat 8.5.x (all versions) | No longer supported | Upgrade to 9.0.99+ |
Attack Prerequisites (Mitigating Factors)
Successful RCE requires all of the following conditions:
- Default Servlet write permissions enabled (default value: readonly=true, i.e. writes disabled; vulnerable configurations are rare in production)
- Partial PUT support enabled
- File-based session storage required
- Specific application configuration needed
- Presence of deserialization vulnerabilities in libraries
Real-world Risk Assessment
- GitHub code search results: Only 218 open-source projects use write-enabled configurations
- Shodan scan results: Of 378,444 exposed Tomcat instances, actual vulnerable configurations are minimal
- Conclusion: More suitable for targeted attacks than automated mass exploitation
Additional 2025 Critical Vulnerabilities
1. HTTP/2 “Made You Reset” Attack (August 2025)
   - Symptom: OutOfMemoryError causing denial of service
   - Impact: All HTTP/2-enabled versions
   - Mitigation: Update to latest versions
2. CVE-2023-24998 – Apache Commons FileUpload DoS
   - Cause: No limit on request parts processed
   - Attack: Malicious multipart uploads causing DoS
   - Resolution: maxPartCount configuration (default limited to 10 parts)
3. Multipart Upload Integer Overflow (July 2025)
   - Condition: Size limit bypass in specific multipart configurations
   - Result: DoS attack vector
   - Status: Fixed in all currently supported versions
3. Version-Specific Guides and Migration Strategies
Tomcat 11.0.x – Next-Generation Web Server Platform
Key Innovations
- Complete Jakarta EE 11 Implementation: Latest enterprise Java standards
- Enhanced Performance: Optimized memory management and thread handling
- Security Hardening: More secure default configurations
Migration Considerations
```text
# Package namespace changes required (Servlet and JSP APIs moved from javax.* to jakarta.*)
javax.servlet.*     → jakarta.servlet.*
javax.servlet.jsp.* → jakarta.servlet.jsp.*
```
Recommended For
- New project development
- Organizations requiring latest security standards
- Environments capable of running Java 17+
Tomcat 10.1.x – Balance of Stability and Innovation
Core Advantages
- Stable Jakarta EE 10 Implementation: Proven new standards
- Excellent Compatibility: Broad library ecosystem support
- Mature Ecosystem: Extensive documentation and community support
Upgrade Scenario
```xml
<!-- web.xml configuration example (Servlet 6.0 schema used by Tomcat 10.1) -->
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee
                             https://jakarta.ee/xml/ns/jakartaee/web-app_6_0.xsd"
         version="6.0">
    <!-- servlet, filter and security-constraint declarations go here -->
</web-app>
```
Tomcat 9.0.x – Proven Enterprise Standard
Strategic Position
- Final Java EE 8 Version: Maximum legacy compatibility
- Extended Support Plan: 9.1.x branch continuing beyond 2027
- Production Proven: Years of validation in enterprise environments
Long-term Operations Strategy
```text
# Tomcat 9.x Support Roadmap
September 2025: 9.0.109 (current)
March 2027:     9.0.x end of support
April 2027:     9.1.x branch begins (extended support)
```
4. Production Security Hardening Checklist
Immediately Actionable Security Configurations
1. CVE-2025-24813 Defense Configuration
```xml
<!-- Check in conf/web.xml -->
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>true</param-value> <!-- Required: keep true -->
    </init-param>
    <init-param>
        <param-name>allowPartialPut</param-name>
        <param-value>false</param-value> <!-- Additional security -->
    </init-param>
</servlet>
```
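A quick self-check that ties the affected-version table in section 2 to the DefaultServlet settings just shown, written for this page as an added example (not Tomcat project code): it parses a conf/web.xml, reads the default servlet's readonly and allowPartialPut init-params, and reports whether the running version is below the first patched release. The sample web.xml is constructed; the patched-version thresholds come from the table above.

```python
import re
import xml.etree.ElementTree as ET

# First patched release per supported branch, from the CVE-2025-24813 table on this page;
# 8.5.x and older branches have no patched release and are treated as unpatched.
PATCHED = {(11, 0): (11, 0, 3), (10, 1): (10, 1, 35), (9, 0): (9, 0, 99)}
def parse_version(s):
    """'9.0.98' -> (9, 0, 98); milestones such as 9.0.0.M1 or 11.0.0-M1 -> (major, minor, 0)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", s)
    if not m: raise ValueError(f"unrecognised Tomcat version: {s!r}")
    return tuple(int(x) for x in m.groups())
def version_is_patched(version):
    major, minor, patch = parse_version(version)
    fixed = PATCHED.get((major, minor))
    return fixed is not None and (major, minor, patch) >= fixed
def default_servlet_params(web_xml_text):
    """Init-params of the servlet named 'default', ignoring the javax/jakarta namespace."""
    local = lambda tag: tag.rsplit("}", 1)[-1]
    params = {}
    for servlet in ET.fromstring(web_xml_text).iter():
        if local(servlet.tag) != "servlet":
            continue
        if [(c.text or "").strip() for c in servlet if local(c.tag) == "servlet-name"] != ["default"]:
            continue
        for ip in (c for c in servlet if local(c.tag) == "init-param"):
            fields = {local(c.tag): (c.text or "").strip() for c in ip}
            params[fields.get("param-name", "")] = fields.get("param-value", "")
    return params
def assess(version, web_xml_text):
    """(exposed, findings): exposed means the version is unpatched AND writes are enabled."""
    params = default_servlet_params(web_xml_text)
    # Tomcat defaults when the params are absent: readonly=true, allowPartialPut=true
    readonly = params.get("readonly", "true").lower() == "true"
    partial_put = params.get("allowPartialPut", "true").lower() == "true"
    findings = []
    if not version_is_patched(version):
        findings.append(f"Tomcat {version} predates the fix for CVE-2025-24813")
    if not readonly:
        findings.append("DefaultServlet readonly=false: PUT/DELETE writes are enabled")
    if partial_put:
        findings.append("allowPartialPut is not set to false")
    return (not version_is_patched(version)) and (not readonly), findings

# Constructed sample conf/web.xml fragment with the weak setting
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet></web-app>"""
```

Run `assess("9.0.98", open("conf/web.xml").read())` against a real instance; a patched version with readonly=false still reports findings, because the write permission is the configuration the prerequisite list above says to remove.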
2. HTTP Method Restrictions (Security Hardening)
```xml
<!-- Block dangerous HTTP methods -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>TRACE</http-method>
        <!-- Note: denying OPTIONS also blocks CORS preflight requests; omit it if
             browsers from other origins must call this application -->
        <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <!-- An empty auth-constraint denies the listed methods to every caller -->
    <auth-constraint />
</security-constraint>
```
3. Multipart Upload Limits
```xml
<!-- Connector configuration in server.xml -->
<Connector port="8080" protocol="HTTP/1.1"
           maxParameterCount="1000"
           maxPostSize="2097152"
           maxPartCount="50" />
```
4. Server Information Hiding
```xml
<!-- server.xml configuration -->
<Connector port="8080"
           server="WebServer"
           serverRemoveAppProvidedValues="true" />
```
Monitoring and Log Analysis
Security Event Detection
```bash
# Detect CVE-2025-24813 attack attempts (PUT of script-like files)
grep -E "(PUT.*\.(jsp|jspx|class|jar))" /opt/tomcat/logs/localhost_access_log.*.txt
# Detect suspicious session file uploads
grep -E "PUT.*JSESSIONID" /opt/tomcat/logs/localhost_access_log.*.txt
# Monitor large POST requests. With the default "common" pattern (%h %l %u %t "%r" %s %b)
# the method is field 6 (with its leading quote) and field 10 is the response size (%b);
# log %{Content-Length}i in the AccessLogValve pattern to measure request bodies instead.
awk '$6 ~ /POST/ && $10 > 1000000 {print}' /opt/tomcat/logs/localhost_access_log.*.txt
```
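The grep/awk checks above expressed as a small parser, added here as an example (not from the original post or the Tomcat project): it reads access-log lines in the default "common" pattern and tags PUT attempts, PUTs of script-like files, PUTs the server accepted, and large POSTs. The log lines are constructed; the large-POST rule uses the %b response-size field, as the awk one-liner does.

```python
import re
# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<bytes>-|\d+)$'
)
# Extensions the page's grep looks for in PUT requests
SCRIPT_EXTENSIONS = (".jsp", ".jspx", ".class", ".jar")
def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])
    return entry

def classify(entry, large_bytes=1_000_000):
    """Return the list of detection tags that apply to one parsed entry."""
    tags = []
    path = entry["path"].split("?", 1)[0].lower()
    if entry["method"] == "PUT":
        tags.append("put-attempt")
        if path.endswith(SCRIPT_EXTENSIONS):
            tags.append("put-script-extension")
        if entry["status"] < 400:          # 2xx/3xx: the server did not reject the write
            tags.append("put-accepted")
    # %b is the response size; to measure request bodies log %{Content-Length}i instead
    if entry["method"] == "POST" and entry["bytes"] > large_bytes:
        tags.append("large-post")
    return tags

def scan(lines, large_bytes=1_000_000):
    """Return [(line_number, method, path, tags)] for every line that triggers a tag."""
    hits = []
    for n, line in enumerate(lines, 1):
        entry = parse_line(line)
        if entry and (tags := classify(entry, large_bytes)):
            hits.append((n, entry["method"], entry["path"], tags))
    return hits

# Constructed sample lines in the common pattern
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2025:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043
10.0.0.9 - - [10/Mar/2025:12:00:02 +0000] "PUT /uploads/page.jsp HTTP/1.1" 201 0
10.0.0.9 - - [10/Mar/2025:12:00:03 +0000] "PUT /uploads/notes.txt HTTP/1.1" 403 1214
10.0.0.7 - - [10/Mar/2025:12:00:04 +0000] "POST /api/upload HTTP/1.1" 200 2500000
"""
```

A PUT that is tagged put-accepted after the security-constraint from the checklist is deployed means the constraint is not covering that path and deserves a look.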
Real-time Monitoring Script
```bash
#!/bin/bash
# tomcat_security_monitor.sh
LOGFILE="/opt/tomcat/logs/localhost_access_log.$(date +%Y-%m-%d).txt"
ALERT_EMAIL="admin@company.com"
# Quote variables and use read -r so paths with spaces and backslashes in requests are handled
tail -f "$LOGFILE" | while read -r line; do
  if echo "$line" | grep -qE 'PUT [^ ]*\.jsp'; then
    echo "SECURITY ALERT: Suspicious PUT request detected: $line" | mail -s "Tomcat Security Alert" "$ALERT_EMAIL"
  fi
done
```
5. Systematic Upgrade Implementation Plan
Phased Migration Strategy
Phase 1: Current State Analysis and Planning
```bash
# Check current Tomcat version
"$CATALINA_HOME/bin/version.sh"
# Analyze deployed application dependencies (jars still referencing javax.servlet)
find "$CATALINA_HOME/webapps" -name "*.jar" -exec grep -l "javax.servlet" {} \;
# Verify Java version compatibility
java -version
```
Phase 2: Test Environment Setup
```bash
# Test environment configuration (separate CATALINA_BASE for the test instance)
export CATALINA_BASE=/opt/tomcat-test
mkdir -p "$CATALINA_BASE"/{conf,logs,temp,webapps,work}
# Use the Apache Tomcat migration tool for Jakarta EE (jakartaee-migration) to rewrite
# javax.* references; the tool takes source and destination as positional arguments
java -jar jakartaee-migration-*-shaded.jar webapps/myapp.war webapps/myapp-jakarta.war
```
Phase 3: Staged Deployment
```bash
#!/bin/bash
# Blue-Green deployment script example
# Assumes two CATALINA_BASE instances whose server.xml declares the connector as
# port="${http.port}" so the port can be supplied as a system property.
BLUE_BASE=/opt/tomcat-blue
GREEN_BASE=/opt/tomcat-green
GREEN_PORT=8081
HEALTH_CHECK_URL="http://localhost"
# Start Green environment (catalina.sh reads JVM options from CATALINA_OPTS, not from its arguments)
CATALINA_BASE="$GREEN_BASE" CATALINA_OPTS="-Dhttp.port=$GREEN_PORT" ./catalina.sh start
# Health check: retry while the JVM starts and deploys the applications
for _ in $(seq 1 30); do
  if curl -fs "$HEALTH_CHECK_URL:$GREEN_PORT/health" >/dev/null; then
    # Switch traffic (load balancer configuration)
    echo "Switching traffic to Green environment"
    # Stop Blue environment
    CATALINA_BASE="$BLUE_BASE" ./catalina.sh stop
    exit 0
  fi
  sleep 2
done
echo "Green environment failed health check"
CATALINA_BASE="$GREEN_BASE" ./catalina.sh stop
exit 1
```
Emergency Patch Scenarios
CVE-2025-24813 Emergency Response Procedure
1. Immediate Action (Within 5 minutes)
```nginx
# Block PUT requests at the reverse proxy / WAF level
# (nginx example; Apache httpd uses <LimitExcept GET POST HEAD> in the same role)
location / {
    # Everything other than the listed methods receives 403
    limit_except GET POST HEAD {
        deny all;
    }
}
```
2. Temporary Mitigation (Within 30 minutes)
```bash
# Immediately modify Tomcat configuration
cd "$CATALINA_HOME/conf"
cp web.xml "web.xml.backup.$(date +%Y%m%d_%H%M%S)"
# Enforce the readonly setting on the DefaultServlet only. A blanket false→true
# replacement would also flip unrelated params such as "listings" (enabling directory
# listings), so change only the <param-value> line that follows <param-name>readonly</param-name>.
sed -i '/<param-name>readonly<\/param-name>/{n;s/<param-value>false<\/param-value>/<param-value>true<\/param-value>/}' web.xml
# Restart Tomcat
"$CATALINA_HOME/bin/shutdown.sh" && "$CATALINA_HOME/bin/startup.sh"
```
3. Permanent Solution (Within 24 hours)
```bash
# Upgrade to patched version
wget https://dlcdn.apache.org/tomcat/tomcat-9/v9.0.109/bin/apache-tomcat-9.0.109.tar.gz
# Verify the archive against the published SHA-512 checksum before unpacking it
wget https://dlcdn.apache.org/tomcat/tomcat-9/v9.0.109/bin/apache-tomcat-9.0.109.tar.gz.sha512
sha512sum -c apache-tomcat-9.0.109.tar.gz.sha512
tar xzf apache-tomcat-9.0.109.tar.gz
# Migrate configuration files and redeploy applications
```
6. Version-Specific Recommendations and Roadmap
Current Version-Based Recommendations
🔴 Immediate Upgrade Required (HIGH Priority)
- Tomcat 8.5.x and below: Security patches discontinued, immediate upgrade essential
- Tomcat 9.0.98 and below: CVE-2025-24813 vulnerability present
🟡 Planned Upgrade Recommended (MEDIUM Priority)
- Tomcat 10.0.x: EOL since 2022, migrate to 10.1.x
- Tomcat 9.0.99 to 9.0.108: Update to the latest version recommended
🟢 Stable Operations Possible (LOW Priority)
- Tomcat 9.0.109: Stable, maintain regular updates
- Tomcat 10.1.44: Excellent choice, maintain current state
- Tomcat 11.0.11: Latest technology, continue monitoring
2025-2027 Upgrade Roadmap
```text
Current Support Timeline:
├── Tomcat 9.0.x [2017-2027] → Extended 9.1.x [2027-2032]
├── Tomcat 10.1.x [2021-2030]
└── Tomcat 11.0.x [2024-2034]

Recommended Upgrade Windows:
├── 8.5.x → 9.0.x [Q2 2024 - Critical]
├── 9.0.x → 10.1.x [2025-2026 - Planned]
└── 10.1.x → 11.0.x [2026-2027 - Future]
```