Can Tomcat be upgraded to a newer version than Enforce is shipped with?
Any
Tomcat is baked into the Enforce Version. The only supported way to upgrade Tomcat is by upgrading Enforce versions.
If there is a specific vulnerability please send the CVE to support and we will verify if it applies to Enforce or not. Since we only use about 10% of the Tomcat code it is very likely it does not apply.