Update Tomcat to a version >= 10.1.16 and >= 9.0.83

[tasso94]

Acceptance Criteria (Required on creation)

• Tomcat is updated in the Tomcat distribution and Camunda Run
• Where possible, the Spring Boot starter patch level is raised to a version that includes these Tomcat versions

Hints

Links

• https://jira.camunda.com/browse/SUPPORT-19797

Breakdown

### camunda-bpm-platform PR
- [ ] https://github.com/camunda/camunda-bpm-platform/pull/4037
- [ ] https://github.com/camunda/camunda-bpm-platform-maintenance/pull/1152
- [ ] https://github.com/camunda/camunda-bpm-platform-maintenance/pull/1155
- [ ] https://github.com/camunda/camunda-bpm-platform-maintenance/pull/1154

### camunda-bpm-rpa-bridge-ee PR
- [ ] https://github.com/camunda/camunda-bpm-rpa-bridge-ee/pull/96
- [ ] https://github.com/camunda/camunda-bpm-rpa-bridge-ee/pull/97

Dev2QA handover

• [ ] Does this ticket need a QA test and the testing goals are not clear from the description? Add a Dev2QA handover comment

[psavidis]

• Latest Spring Boot 3.2.1 support includes tomcat:10.1.17
  • 7.21 already includes it
  • 7.20 works with Spring Boot 3.2.0 which also includes tomcat:10.1.17

[yanavasileva]

@psavidis, I think we should also bump the spring boot version for rpa bridge with this ticket: https://github.com/camunda/camunda-bpm-rpa-bridge-ee/blob/1.1/pom.xml#L20

[psavidis]

Update

• Reviewing the tomcat update together with @yanavasileva, we found that the Tomcat vulnerability CVE-2022-42252. affected versions are in the range: [9.0.0 - 9.0.68) according to the respective NVD source.

• The above means that this tomcat update is not required to get unaffected by the vulnerability.

• Since the work has been done, this ticket can continue normally irrespectively.