Upgrade Tomcat without performing Foreman upgrade

Problem:
My security team has reached out to inform us our Foreman server is running a version of Tomcat that has a high VBR. We’re running Foreman version 3.0.1, which has Tomcat 9.0.30. We’ve been asked to upgrade Tomcat to version 9.0.31 or higher. I’ve been unable to find good information on how to upgrade only the Tomcat binaries. Would someone be able to provide some information on how to successfully upgrade Tomcat?

Path: /usr/share/tomcat/bin/

Expected outcome:
Upgrade Tomcat binaries without needing to upgrade Foreman.
Distribution and version:
CentOS 8 Stream
Other relevant data:

Short answer: dnf update

Long answer:

Hello! Before I start, let me say that neither Foreman nor Katello (thus Tomcat) is affected by log4j:

https://theforeman.org/2021/12/the-foreman-ecosystem-and-cve-2021-44228.html

To your problem: We do not ship Tomcat ourselves, your OS does. That is CentOS, so you should reach out to the CentOS project to ask for 9.0.31. Minor versions do not work that way, though: OS distributors use what’s called a release number after the minor version for security fixes. The latest version is:

9.0.30-3.module+el8.5.0+11388+9e95fe00.noarch.rpm

https://access.redhat.com/downloads/content/pki-servlet-engine/9.0.30-3.module+el8.5.0+11388+9e95fe00/noarch/fd431d51/package

There were no relevant patches in this release and this is considered the last stable and supported version of Tomcat for RHEL 8. If someone reports an important security bug, it will be fixed first in CentOS 8 Stream and then in RHEL8.

If your security team has any concerns, they need to reach out to Red Hat for further investigation. But approaching with “upstream released .31 bump the version in the OS” will not be successful - that is not how it works.

Hope that explained it a bit. I learned a lot along the way - like Tomcat is actually named pki-servlet-engine in EL8. What a wonderful name!

Also: What on Earth is VBR? :wink:

Just in case:

We do not test upgrading Tomcat provided by the OS with an upstream release; you can probably do this, but you are on your own.

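As an added example (editor's addition, not part of the thread above): the answer's point is that the distro release number after `9.0.30`, not the upstream minor version, is where EL8 security backports land, so an audit should split the installed NVRA into its fields and look for the CVE of concern in the package changelog. The package name and NVRA are the ones quoted in the answer; the changelog lines and the `CVE-XXXX-YYYY` id are constructed placeholders, not real Red Hat changelog entries.

```shell
#!/bin/sh
# Split an EL8 package NVRA into name / version / release / arch so the
# distro release number (where security backports land) is visible.
# nvra_field NVRA FIELD  (FIELD: name | version | release | arch)
nvra_field() {
  nvra=$1
  arch=${nvra##*.}        # "noarch"
  nvr=${nvra%.*}          # drop ".noarch"
  release=${nvr##*-}      # "3.module+el8.5.0+11388+9e95fe00"
  nv=${nvr%-*}            # "pki-servlet-engine-9.0.30"
  version=${nv##*-}       # "9.0.30"  (upstream minor version)
  name=${nv%-*}           # "pki-servlet-engine"
  case $2 in
    name)    printf '%s\n' "$name" ;;
    version) printf '%s\n' "$version" ;;
    release) printf '%s\n' "$release" ;;
    arch)    printf '%s\n' "$arch" ;;
    *)       return 1 ;;
  esac
}

# changelog_has_cve CHANGELOG_TEXT CVE_ID -> exit 0 if the id is mentioned.
# On a live host feed it: rpm -q --changelog pki-servlet-engine
changelog_has_cve() {
  printf '%s\n' "$1" | grep -qi -- "$2"
}

# NVRA quoted in the thread (on a live host: rpm -q pki-servlet-engine)
NVRA='pki-servlet-engine-9.0.30-3.module+el8.5.0+11388+9e95fe00.noarch'

# Constructed sample changelog with a placeholder CVE id.
SAMPLE_CHANGELOG='* Mon Jan 01 2021 Example Maintainer <maint@example.invalid> - 9.0.30-3
- Resolves: CVE-XXXX-YYYY backported fix for the servlet engine
* Tue Jan 01 2020 Example Maintainer <maint@example.invalid> - 9.0.30-1
- Rebase to upstream 9.0.30'

# audit: show that the release field, not the upstream version, carries the
# fix, and report whether the changelog mentions the CVE asked about.
audit() {
  printf 'upstream version: %s, distro release: %s\n' \
    "$(nvra_field "$NVRA" version)" "$(nvra_field "$NVRA" release)"
  if changelog_has_cve "$SAMPLE_CHANGELOG" "CVE-XXXX-YYYY"; then
    echo "CVE-XXXX-YYYY: fix listed in package changelog"
  else
    echo "CVE-XXXX-YYYY: not in changelog, raise it with the distributor"
  fi
}
```

Comparing `9.0.30` against upstream `9.0.31` on its own says nothing about whether a given fix is present; the release field and the changelog entries are what to check.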