security: upgrade Apache Tomcat from 9.0.113 to 9.0.118 #35796

Open

mbiuki wants to merge 1 commit into main from security/upgrade-tomcat-9.0.118

Conversation

@mbiuki mbiuki commented May 21, 2026

Summary

Bumps the bundled Apache Tomcat version from 9.0.113 to 9.0.118 (the latest 9.0.x patch, released 2026-05-10) to resolve six published Apache Tomcat CVEs that affect 9.0.113.

Single-property change in parent/pom.xml; propagates to:

  • bom/application/pom.xml (BOM declarations)
  • dotCMS/pom.xml (direct dep, docker base image, distribution folder, remote zip URL)
  • dotcms-integration/pom.xml
  • dotCMS/src/main/docker/original/docker-descriptor.xml

Closes #35793.

CVEs addressed

| CVE | Severity (Apache) | Affected range | Fixed in |
|---|---|---|---|
| CVE-2026-29146 | Important | 9.0.13 – 9.0.115 | 9.0.116 |
| CVE-2026-34500 | Moderate | 9.0.92 – 9.0.116 | 9.0.117 |
| CVE-2026-34487 | Low | 9.0.13 – 9.0.116 | 9.0.117 |
| CVE-2026-34483 | Low | 9.0.40 – 9.0.116 | 9.0.117 |
| CVE-2026-25854 | Low | 9.0.0.M23 – 9.0.115 | 9.0.116 |
| CVE-2026-24880 | Low | 9.0.0.M1 – 9.0.115 | 9.0.116 |

Source: https://tomcat.apache.org/security-9.html

9.0.117 would be sufficient to clear all six; 9.0.118 is chosen for currency.

Why this is safe

  • Tomcat 9.0.x is API-stable across patch versions — no source-code changes are required.
  • Mirrors the previous bump approach in security: upgrade Apache Tomcat from 9.0.108 to 9.0.113 (CVE-2025-66614) #34955 (9.0.108 → 9.0.113), which landed cleanly.
  • The version property is the only thing that changes; downstream Maven artifacts, docker base image (tomcat:9.0.118-jdk11), and runtime layout (dotserver/tomcat-9.0.118/...) all rebuild automatically.

Test plan

  • CI build succeeds
  • Full integration test suite passes (servlet/JSP/JDBC paths exercise Tomcat internals)
  • Docker base image tomcat:9.0.118-jdk11 resolves and pulls cleanly
  • Semgrep Supply Chain finding count for org.apache.tomcat:* drops to zero in the next scan
  • Smoke test push-publishing and HTTPS endpoint behavior unchanged

Follow-up (separate work, tracked in #35793)

  • Backport to 24.12.27_lts (next revision)
  • Backport to 25.07.10_lts (next revision) — prioritized, multiple enterprise customers are blocked here

🤖 Generated with Claude Code

Fixes six published Apache Tomcat 9.x CVEs that affect 9.0.113:

- CVE-2026-29146 (Important) — EncryptInterceptor padding oracle
- CVE-2026-34500 (Moderate)  — OCSP soft-fail with FFM
- CVE-2026-34487 (Low)       — Cloud membership exposes K8s bearer token
- CVE-2026-34483 (Low)       — Incomplete escaping of JSON access logs
- CVE-2026-25854 (Low)       — Occasional open redirect
- CVE-2026-24880 (Low)       — Request smuggling via invalid chunk extension

All fixes are present in 9.0.117+; bumping to 9.0.118 (latest 9.0.x patch,
released 2026-05-10) for currency.

Closes #35793
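The CVE table above encodes a range check that a reviewer has to do by hand: which advisories apply to the version currently shipped, and what is the lowest version that clears all of them. The following is an added example (not part of the PR or of the dotCMS code base) that reproduces that check over the six ranges exactly as published in the table, including the ordering of Tomcat milestone builds (9.0.0.Mn) relative to GA releases. The range data is copied from the PR description; the function names and the milestone ordering rule are this example's own.

```python
"""Evaluate the PR's Apache Tomcat 9.0.x CVE table against arbitrary versions.

Added example, not project code. Ranges copied from the PR description
(source cited there: https://tomcat.apache.org/security-9.html).
"""
import re

# CVE -> (first affected, last affected, fixed in), as listed in the PR table.
CVE_RANGES = {
    "CVE-2026-29146": ("9.0.13", "9.0.115", "9.0.116"),
    "CVE-2026-34500": ("9.0.92", "9.0.116", "9.0.117"),
    "CVE-2026-34487": ("9.0.13", "9.0.116", "9.0.117"),
    "CVE-2026-34483": ("9.0.40", "9.0.116", "9.0.117"),
    "CVE-2026-25854": ("9.0.0.M23", "9.0.115", "9.0.116"),
    "CVE-2026-24880": ("9.0.0.M1", "9.0.115", "9.0.116"),
}

# Accepts "9.0.113" and milestone builds such as "9.0.0.M23".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")


def parse_version(text):
    """Return a sortable tuple for a Tomcat version string.

    A milestone build sorts before the GA release carrying the same
    major.minor.patch, so 9.0.0.M1 < 9.0.0.M23 < 9.0.1 < 9.0.13.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)  # GA release
    return (int(major), int(minor), int(patch), 0, int(milestone))


def affecting_cves(version):
    """CVEs from the table whose affected range includes `version`."""
    v = parse_version(version)
    return sorted(
        cve
        for cve, (first, last, _fixed) in CVE_RANGES.items()
        if parse_version(first) <= v <= parse_version(last)
    )


def minimum_fixed_version(cves=None):
    """Lowest version at which every given CVE (default: all six) is fixed."""
    cves = list(cves) if cves else list(CVE_RANGES)
    return max((CVE_RANGES[c][2] for c in cves), key=parse_version)


def table_is_consistent():
    """Sanity check: each 'fixed in' version must lie above its affected range."""
    return all(
        parse_version(fixed) > parse_version(last)
        for _first, last, fixed in CVE_RANGES.values()
    )


def check_upgrade(old, new):
    """Summarise what an old -> new bump clears; `clears_all` is the review question."""
    before, after = affecting_cves(old), affecting_cves(new)
    return {"before": before, "after": after, "clears_all": not after}


if __name__ == "__main__":
    result = check_upgrade("9.0.113", "9.0.118")
    print(f"9.0.113 affected by {len(result['before'])} CVEs: {result['before']}")
    print(f"9.0.118 affected by {len(result['after'])} CVEs")
    print(f"lowest version clearing all six: {minimum_fixed_version()}")
```

Running it confirms the description's two claims: 9.0.113 sits inside all six ranges, and 9.0.117 is the lowest version that clears them, so 9.0.118 is a currency choice rather than a security requirement. The same table can be re-run against the LTS lines named in the follow-up once their bundled versions are known.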
claude Bot commented May 21, 2026

Claude finished @mbiuki's task in 52s

Rollback Safety Analysis

  • Read docs/core/ROLLBACK_UNSAFE_CATEGORIES.md
  • Reviewed full PR diff (parent/pom.xml only — tomcat.version 9.0.113 → 9.0.118)
  • Checked diff against every unsafe category (C-1…C-4, H-1…H-7, M-1…M-4)
  • Applied AI: Safe To Rollback label

Verdict: ✅ Safe to Rollback

The diff is a single-property bump in parent/pom.xml:

-<tomcat.version>9.0.113</tomcat.version>
+<tomcat.version>9.0.118</tomcat.version>
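Review bot: the hunk touches only parent/pom.xml, yet the description relies on the property propagating to bom/application/pom.xml, dotCMS/pom.xml (docker base image, distribution folder, remote zip URL), dotcms-integration/pom.xml and dotCMS/src/main/docker/original/docker-descriptor.xml; confirm each of those references the tomcat.version property rather than a literal 9.0.113, otherwise the base image tomcat:9.0.118-jdk11 and the dotserver/tomcat-9.0.118/... layout would not rebuild as stated. A grep for 9.0.113 across those four files before approving would settle it, and the test plan's Docker pull check only covers the case where propagation already worked.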

No category from ROLLBACK_UNSAFE_CATEGORIES.md applies:

  • C-1…C-4 (CRITICAL): No runonce/schema migration, no ES mapping change, no CURRENT_MODEL_VERSION bump, no DROP TABLE/COLUMN.
  • H-1…H-7 (HIGH): No data backfill, no rename, no PK restructuring, no new field type, no storage provider change, no procedure/function drop, no NOT NULL column.
  • M-1…M-4 (MEDIUM): No column type change, no push-publishing bundle XML change, no REST/GraphQL contract change, no OSGi interface change.

Tomcat 9.0.x is API-stable across patch versions; the upgrade only swaps the embedded servlet container binary and the Docker base image (tomcat:9.0.118-jdk11). N-1 (on 9.0.113) and N (on 9.0.118) both read the same database schema, the same ES mappings, the same contentlet_as_json model, and expose the same REST/GraphQL contracts — rollback is a clean redeploy of the prior artifact.
  • Branch: security/upgrade-tomcat-9.0.118

@github-actions github-actions Bot added the Area : Backend PR changes Java/Maven backend code label May 21, 2026
mbiuki added a commit that referenced this pull request May 21, 2026
Backport of #35796 to the 25.07.10 LTS line.

Fixes six published Apache Tomcat 9.x CVEs that affect 9.0.113:

- CVE-2026-29146 (Important) — EncryptInterceptor padding oracle
- CVE-2026-34500 (Moderate)  — OCSP soft-fail with FFM
- CVE-2026-34487 (Low)       — Cloud membership exposes K8s bearer token
- CVE-2026-34483 (Low)       — Incomplete escaping of JSON access logs
- CVE-2026-25854 (Low)       — Occasional open redirect
- CVE-2026-24880 (Low)       — Request smuggling via invalid chunk extension

Refs #35793
@mbiuki mbiuki self-assigned this May 21, 2026
@mbiuki mbiuki added OKR : Security & Privacy Owned by Mehdi Team : Security Issues related to security and privacy QA: Note Included dotCMS : Security labels May 21, 2026
@mbiuki mbiuki requested a review from dsilvam May 21, 2026 21:33
Development

Successfully merging this pull request may close these issues.

deps: bump Apache Tomcat 9.0.113 → 9.0.118 (resolves 6 published CVEs)