Hi
We are asked to use Tomcat 10 for vulnerabilities. IS Pega 8.7.4 compatible with Tomcat 10? We are getting issues
Below link suggests changes but is Pega compatible?
@Arvind please consult our Platform Support Guide.
@MarijeSchillern Thanks. Referred the guide, it doesnt list Tomcat 10. can we know when we can have Pega under Tomcat 10? We have vulnerabilities in Tomcat 9.
@Arvind all the vulnerabilities that are reported and investigated by our Support team are documented in our Security Bulletins.
These Security Advisories can also be found as Support Documents.
Please go through any recommended hotfixes/ suggestions and if you do not see your particular Tomcat vulnerability listed, please log a support Incident via the MSP.
Please can you provide the INC id here so that we can help track the progress of your issue?
@MarijeSchillern created INC-264107
@MarijeSchillern We have similar requirement in our organization to migrate from Tomcat 8.5 (Java 11) to Tomcat 10.1 (Java 17). Please advise if this is supported or anytime in future.
In the documentation it is mentioned till Tomcat 9.1
@VELPRABU.kr You did not specify your Pega version.
See the Pega Platform Version Chart for release dates and timeframes for Standard Support and Extended Support.
Platform Support Guide for Pega Platform™ version 8.8 (including versions 8.1 - 8.7).
(No change in support of other versions of Tomcat since the explanation provided in the original post above.)
Platform Support Guide for Pega Platform™ release '23 (including versions 8.1 - 8.8).
For the latest containerized deployments the ‘Pega ready’ Docker images contain the latest Tomcat and other patches and are released on a regular basis to take advantage of all the latest vendor changes.
@Arvind thanks for the info.
I do wonder, though… The issue you have logged is “.The Pega web application need to be compatible to Jakarta EE version 9 to be compatible and deploy successfully on Tomcat 10.”
I am not clear on why you have updated the Tomcat version to a version that is not supported by the Pega Platform.
What is the actual vulnerability which led you to that action?
Likely the support team will inform you of the same info I have already provided. ( If there is no impact to Pega then likely it is not considered a factor for update).
----> Please can you give the exact vulnerability which you encountered using Tomcat 9 *whilst using Pega *.
@MarijeSchillern I have attached a document named Tomcat10.pdf in the INC, that lists the Vulnerabilities of tomcat9. Attaching the same here.
Tomcat10.pdf (48.8 KB)
@Arvind the support ticket is now closed as the support team echoed the analysis I provided earlier.
"We have discussed internally and as per Pega Platform support guide Tomcat 10 is unsupported for your platform version
. From the document it seems all of them appear to have Tomcat 9 versions that resolve the issue. Also, the latest version of Tomcat 9 is 9.0.73, released Feb 27.
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html
Our engineering team confirmed that Pega platform will not support Tomcat 10 in anytime near future for your version.
You might reach out to Apache for any such vulnerabilities.
Support Guide :
https://docs-previous.pega.com/pega-platform-support-guide-resources"