This issue stands as a place holder to track the progress of resolving the issue described at FAQ for CVE-2022-22965.
As part of normal security practice, we do not disclose security issues until they are fully resolved in our products so as to mitigate the risk to our customers. In this case the broader security concern was raised publicly by a third party, so broad stroke information about the issue is already available.
We cannot disclose particular details of the issue, and the FAQ for CVE-2022-22965 remains the single source of truth. Once this issue is resolved, we will update this issue to point to the security disclosure issue with additional detail.
We’ve released these new versions with an upgraded version of Tomcat which also serves to mitigate this issue: