The current release of JFrog Artifactory (7.49.8) ships with Apache Tomcat v9.0.62 embedded. The Apache Foundation lists five security vulnerabilities in 9.0.62 (see https://tomcat.apache.org/security-9.html), including an Apache Tomcat denial of service vulnerability (CVE-2023-24998, currently under analysis).
Where can I find info on any JFrog plans to upgrade/remediate the embedded Tomcat version? Does JFrog support the independent upgrading of Apache Tomcat at end user sites to remediate the vulnerabilities, if necessary?
The latest version of Apache Tomcat 9 is 9.0.72. Can I upgrade the embedded version (if our security analysts insist)?
The Tomcat version has already been bumped in a later version of Artifactory: version 7.55.2 is available with an upgraded version (9.0.71) of Tomcat. We don't recommend a manual upgrade of the embedded Tomcat.