upgrading Apache Tomcat to avoid known fixed vulnerabilities