Preloader image

Apache TomEE 9.1.0 has been released.

It is a maintenance release with some bug fixes and dependencies upgrades (MicroProfile 5, ActiveMQ, Johnzon, XBean, etc).

It fixes the latest Tomcat vulnerabilities (CVE-2023-28708, CVE-2023-24998, CVE-2023-28709) by back porting and patching Tomcat inside the TomEE build.

Dependency upgrade


  • TOMEE-4181 BCProv jar loses its signature during the patch process

  • TOMEE-4183 TomEE 9.0.0 is not creating service in Windows 10 incompatible software

  • TOMEE-4189 java.lang.ClassNotFoundException: org.apache.openejb.loader.SystemInstance

  • TOMEE-4192 ApplicationComposers do not clear GC references on release

  • TOMEE-4174 Port TOMEE-3779 to 9.x

  • TOMEE-4199 jakartaee-api with tomcat classifier has too much in it

  • TOMEE-4112 Performance Regression in bean resolution in EAR files


  • TOMEE-4200 Use ActiveMQ client jakarta instead of shading it in TomEE

  • TOMEE-4202 Backport CVE fixes of Tomcat 10.1.x to 10.0.27



  • TOMEE-4186 Update download page for discontinued branches


  • TOMEE-4190 RunWithApplicationComposer should support inheritance

Fixed Common Vulnerabilities and Exposures (CVEs)