Tomcat is bundled with the installation package and a change to a new version typically requires an upgrade to a new version release by Ubisecure.
Prior to SSO 8.2 Java has been included in the installation package. Beginning in SSO 8.2 (Release due August 2017) Java is no longer provided in the installation package and must be provided by the operating system and managed externally to Ubisecure software. Any Java vulnerabilities can be patched via standard package management tools as required. Java versions used in testing are mentioned in our Release Notes
In the event of a Tomcat vulnerability, Ubisecure reviews the vulnerability notices and determines if the vulnerability is relevant to our customers. Many vulnerabilities apply to standard default installs where deployed applications can be managed via included applications and interfaces. Our own distribution and pre-configuration removes many of these risks. In the event that a vulnerability applies, we provide instructions via our technical-announcements blog at https://www.ubisecure.com/technical-announcements/ It is possible and encouraged to subscribe to email notifications of the technical announcements at the bottom of the page https://www.ubisecure.com/developers/ . An RSS feed is also available and could be directed to a ticketing system to ensure action is taken when new software is released or announcements are made.
Instructions typically include configuration changes to existing installations to eliminate the vulnerability. Sometimes a new patch is made to correct a vulnerability before the following scheduled release.
Software updates and fixes for proven, relevant vulnerabilities are included in the support and maintenance agreement. All of our customers use our software in mission critical customer facing services and require the same corrections.
If we have a proven workaround that mitigates the problem, we document the workaround and provide the instructions and configurations via our extranet. An announcement is made on the technical-announcements blog. If no workaround is available a new maintenance release is made at high priority within days. Each release requires thorough analysis and testing. Independent upgrading of the Tomcat installation directly is not recommended and not supported.
Our recommended production deployment is behind a production class firewall / load balancer tool. Some customers deploy IPS products that include automated threat management capabilities. In many cases these proxy servers prevent attacks. The recent change to allow Java to be updated independently further reduces risks at the application level.