Updating to latest version of Tomcat

A security scan on our server (Centos 6.5 running Lucee tells me
that there is a medium risk associated with:

83526 - Apache Tomcat 7.0.x < 7.0.60 Multiple Vulnerabilities (FREAK)

The Tomcat version that is bundled with Lucee is 7.0.59 whereas the latest
version which patches these vulnerabilities is 7.0.60 or higher (latest
available is 7.0.62).

I have searched for issues related to updating just the Tomcat version
within Lucee but have found no information.

Can anyone outline whether they have updated Tomcat within Lucee and what
issues I might encounter please?

I think it best to avoid the risk identified with version 7.0.59

best wishes

Documentation on upgrading your version of Tomcat (as well as the JRE) can be found here:

I will be moving this information to the installer GitHub repo and updating it shortly.


Thanks Jordan

It all went well.

The pages you refer to do not provide the information though.

I used this

Everyone running fine after the update.

I appreciate your help.

best wishes


The pages you refer to do not provide the information though.

I’m not sure what you mean? The link you included in your response below was one of the links on the page that I sent you. Further, the link I sent you also contains a link to a page that shows how to update your JRE.

Either way, and however you found it, I’m glad you found the information you needed and that you’ve upgraded successfully. =)

Kind regards,
Jordan Michaels

Thanks Jordan. The JRE update was straight forward. We’ll sit tight for the
updated installer for the rest.

It might be worth updating to the latest version 7 point release to
get the security patch sooner. I’ve found that copying the jars does
work fine if you stick to the same major version.

Yes. The configs change slightly from tomcat 7 to 8. In my testing, any errors I ran into were logged in the catalina.out file. I am in the process (right at this very moment in fact) of creating updated installers that include Tomcat 8, so that can be used as a pattern in the future. Until then, there are some other resources for getting Lucee installed on Tomcat 8, if you’d like the make that jump now. The updated installers will also include the new mod_cfml 1.1.

You should be able to upgrade from the 1.7 JRE to the 1.8 JRE without much hassle, if that is something you’d like to do now.


My reading of the documentation told me to avoid going up a version (from
7.x to 8.x) as it would involve much more than upgrading the lib folder

So I just updated to the last version of 7.x

I would restore your backup and then just go to the last version of 7 and
wait for the full update from the Lucee team.

I think, in general, it would be good for the Lucee team to make it a
scheduled matter to update the Tomcat component as Apache release the

Security matters would dictate that to be good practice.

best wishes

Here is what I did on Linux Box.
I downloaded apache-tomcat-8.0.24.tar.gz to /tmp and untared it
Then I ran this:

/bin/cp /tmp/apache-tomcat-8.0.24/lib/* /opt/lucee/tomcat/lib/
/bin/cp /tmp/apache-tomcat-8.0.24/bin/*.jar /opt/lucee/tomcat/bin/

Note that I only copied the jars, no .bat or .sh files!
Then I commented out this line in /opt/lucee/tomcat/conf/server.xml

<Listener className="org.apache.catalina.core.JasperListener" />

Everything works fine!