They will be patched only if the end user has them installed on the system. The link above is to the Solaris OS Install Directions for the JDK.

The issue is seen if Tomcat is using compression (e.g. This issue is being fixed via JDK-8189789, which should be resolved in later JDK releases.
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 7u161 are specified in the following table: The JRE expires whenever a new release with security vulnerability fixes becomes available.
A new system property has been introduced that allows users to configure the default key size used by the JDK provider implementations of Key Pair Generator and Algorithm Parameter Generator.
This property is named "jdk.security.defaultKeySize" and the value of this property is a list of comma-separated entries.
The download and install steps are no longer necessary.
To enable unlimited cryptography, one can use the new Security property.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 7u161) on February 16, 2018.
After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version.

Windows - There is a non-functional Java icon in the control panel after installing 6u171 or 7u161. Deployment features in 6u171 and 7u161 have been removed.
Tomcat versions 8.x and later don't appear to be affected.