Upgrade the bundled version of Apache Tomcat to 8.5.68 or later

h3. Issue Summary

The recently disclosed vulnerability regarding Apache Tomcat

• [CVE-2021-33037|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33037], [CVE-2021-33037|https://nvd.nist.gov/vuln/detail/CVE-2021-33037] (Base Score: 5.3 MEDIUM)
• [CVE-2021-42340|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42340] (NVD score not yet provided.)
  {quote}The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.
  {quote}

affects the following versions:

• Apache Tomcat 10.0.0-M1 to 10.0.6
• Apache Tomcat 9.0.0.M1 to 9.0.53
• Apache Tomcat 8.5.60 to 8.5.71

We should bundle a more recent version of Tomcat so that Jira is not affected by this in the future.
Current bundled version of Tomcat 8.5.68
h3. Steps to Reproduce

• Check the CVE reports:
  ** [CVE-2021-33037|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33037]

h3. Expected Results

• Not applicable.

h3. Actual Results

• Not applicable.

h3. Workaround

• Manually upgrade Tomcat according to our [documentation|https://confluence.atlassian.com/jirakb/how-to-upgrade-apache-tomcat-version-used-by-jira-879957866.html].

h3. Note on fix

Jira 8.21.0 is shipped with Apache Tomcat 8.5.72