We were using Camunda 7.16 with its inbuilt/embedded Apache tomcat 9.0.52 and it was all fine so far. However, recently when we started fixing the vulnerability issues of our camunda applications (war files that we deploy in the Apache tomcat 9.0.52 of Camunda 7.16), we realized we have to upgrade some of our dependencies to say for e.g. Spring 6. Also, we had to upgrade our java runtime to Java 17 because of Spring 6.
Build of such camunda applications is just fine, however, when we deploy in a setup where we have Java 17 + Camunda 7.16 + Apache Tomcat 10.1.20 … the server does not start properly. (because console shows server started but the logs show many ClassNotFoundExceptions).
What I have done is I have compared Apache Tomcat 9.0.52 with Apache Tomcat 10.1.20 and borrowed all camunda specific configurations, dependencies, applications but I get the error mentioned above.
Since i could not attach log file and since i cannot copy paste the log file contents due to size limitations i am copying the image of the classes its saying not found on start of camunda: -
What is the solution to this as we need to move ahead with Vulnerability fixes ?
Hi @patkaromkar
I do not see Java 17 in the supported versions for Camunda 7.16 - Supported Environments | docs.camunda.org
We have tried and tested Camunda 7.16 + Tomcat 9.0.52 + Java 17 and it worked, BPMN, DMN get deployed, they can be executed, process instances, tasks etc are getting created. We assume, due to backward compatibility of Java 17, it is working.
Do you recommend any problem we may face but are not aware of it now ?
I understand that it worked, but I tried to say that it’s not listed as supported in case of any issues. I would recommend following the supported versions that would allow me to raise a support ticket with Camunda team if required but it’s me 
To summarize, we not in supported list we are using Java 17 (Adoptium OpenJDK 17) with camunda 7.16 and Apache 9.0.52 and things are fine, BPMNs, DMNs get deployed, they can be executed without any issues.
The problem is the camunda process applications that we develop need other libraries like spring, jackson etc …and they have vulnerabilities, to solve the vulnerability issues, if we upgrade the libraries then we have to upgrade Apache Tomcat to 10.1.2 and if we do that then, things don’t work.
So, how should we solve this ?
