Participant
May 5, 2023
Question

ColdFusion 2021 and outdated Tomcat

  • May 5, 2023
  • 4 replies
  • 1293 views

Our company has completed a security review of ColdFusion 2021 update 4 and found it is using an outdated version of Tomcat (9.0.60). Does anyone know if Adobe will be updating Tomcat to the latest version (9.0.74)?

    This topic has been closed for replies.

    4 replies

    Charlie Arehart
    Community Expert
    May 26, 2023

    I'll add that at least CF2023 (the final release) now comes (initially) with 9.0.72. Still not 9.0.75 or 74, but a step in the right direction. 


    Again, time will tell when a CF2021 update may update the Tomcat in CF2021 beyond the 9.0.60 in update 6 (as I write, which last changed in update 4).


    I've added this comment to the tracker ticket...but sadly we've heard not a word from Adobe or anyone else.

    /Charlie (troubleshooter, carehart. org)
    Participant
    May 12, 2023

    I raised a bug the same day I added this conversation. However, I cannot see it, so I raised a Feature Request. I encourage people to vote for it: CF-4217860

    BKBK
    Community Expert
    May 12, 2023

    Voted. 🙂

    Charlie Arehart
    Community Expert
    May 5, 2023

    My answer would be: yes, they always do eventually offer an update which updates the Tomcat. But the problem is we don't know when, and it has sometimes lingered for over a year. Also, sadly, we can't update it ourselves, as it's a custom implementation of tomcat. 


    What's one to do?


    1) Well, as bkbk said, you can file a bug report (or add a vote to one already created).


    2) Another option is to run cf atop a Tomcat that you implement yourself, deploying cf as a war file. That's an option offered on running the cf installer (to create that war file), or it can be created from within the cf admin, package mgt section. This war file can be deployed in tomcat or any Java app server. (Lucee also offers this deployment option of running it as a war file.)


    Unfortunately, running such a CF war in production requires a license--and Adobe currently prevents running as a war if a CF Standard license key is implemented. This is also why Commandbox cannot run cf with a Standard license. I do really wish Adobe would lift that limitation, for both reasons.


    Running cf (or lucee) via a war file does entail learning to use aspects of tomcat that are normally hidden from those who run cf the "normal" way. Also, various config folders are in quite different locations, which challenges using traditional help resources (written and human). But desperate times call for desperate measures, and I wanted to clarify this is an option.


    3) Finally, some folks simply present the situation to their security folks and seek an exception while awaiting Adobe to finally implement the update.


    Hope that's a little more clarifying for you, even if more conciliatory than comforting. 

    /Charlie (troubleshooter, carehart. org)
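A check a security reviewer might script to confirm which Tomcat a ColdFusion install actually bundles (the question's review found 9.0.60; Charlie notes the bundled Tomcat is a custom build that cannot be swapped out by hand), as an added example that is not from this thread, from Adobe or from the Tomcat project: it reads the `server.info` entry that Tomcat ships inside `catalina.jar` under `org/apache/catalina/util/ServerInfo.properties` and compares it numerically against a minimum acceptable version. The jar it builds is a constructed stand-in so the script runs offline; where the real `catalina.jar` lives inside a given ColdFusion install is assumed to be supplied by the caller.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Entry inside Tomcat's lib/catalina.jar that records the bundled version.
SERVERINFO_ENTRY = "org/apache/catalina/util/ServerInfo.properties"


def parse_properties(text: str) -> dict:
    """Minimal parser for the key=value lines of a .properties file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def version_tuple(version: str) -> tuple:
    """'9.0.60' -> (9, 0, 60) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def tomcat_version_from_jar(jar_path) -> str:
    """Return the Tomcat version string recorded in catalina.jar."""
    with zipfile.ZipFile(jar_path) as jar:
        props = parse_properties(jar.read(SERVERINFO_ENTRY).decode("utf-8"))
    match = re.fullmatch(r"Apache Tomcat/(\d+(?:\.\d+)+)", props.get("server.info", ""))
    if not match:
        raise ValueError(f"no usable server.info entry found in {jar_path}")
    return match.group(1)


def is_outdated(found: str, minimum: str) -> bool:
    """True when the bundled version is older than the minimum the review demands."""
    return version_tuple(found) < version_tuple(minimum)


def build_sample_jar(path, version: str) -> None:
    """Constructed stand-in for catalina.jar so the check can run offline."""
    body = (
        f"server.info=Apache Tomcat/{version}\n"
        f"server.number={version}.0\n"
        "server.built=constructed sample, not a real build date\n"
    )
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(SERVERINFO_ENTRY, body)


def demo(minimum: str = "9.0.74") -> tuple:
    """Build the sample jar, read its version back and judge it against `minimum`."""
    with tempfile.TemporaryDirectory() as tmp:
        jar = Path(tmp) / "catalina.jar"
        build_sample_jar(jar, "9.0.60")  # the version the review in the question found
        found = tomcat_version_from_jar(jar)
        return found, is_outdated(found, minimum)


if __name__ == "__main__":
    version, outdated = demo()
    print(f"bundled Tomcat {version}: {'OUTDATED' if outdated else 'ok'}")
```

Against a real install, call `tomcat_version_from_jar()` on the `catalina.jar` that ColdFusion ships and set `minimum` to whatever your review baseline is; the tuple comparison matters because a string compare would rank 9.0.100 below 9.0.74.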
    BKBK
    Community Expert
    May 5, 2023

    Good question.

    You should put in a Feature Request. If you do, you might want to include the link to the list of Tomcat vulnerabilities.