Change effective on 08 October 2017
Heroku’s support for Java now uses Apache Tomcat 8.5.23 as the default version when deploying WAR files with the Heroku Deploy CLI or Heroku Maven Plugin. This upgrade addresses CVE-2017-12617, which affects earlier versions of Tomcat.
To update your application to the latest version, please run heroku update and run the appropriate heroku war:deploy command to deploy your app. When deploying with Maven, update the heroku-maven-plugin to version “1.2.1” in your pom.xml and run
If you require a version of Tomcat earlier than 8.5.x, you can specify Tomcat Webapp Runner version 220.127.116.11 as per the documentation on WAR Deployment in the Dev Center. For more information, see the Dev Center article on Heroku’s support for Java.