I'm interested in a solution here as well.

Apache Tomcat CVE's:

CVE-2019-17569 HTTP Request Smuggling with reverse proxy code regression (Fixed Apache Tomcat 9.0.31)

CVE-2020-1935 HTTP Request Smuggling (fixed Apache Tomcat 9.0.30)

CVE-2020-1938 file read/inclusion vulnerability in the AJP connector (Fixed Apache Tomcat 9.0.31)

CVE-2021-44228 Apache Log4j logging library (fixed in Log4j 2.17.1)

Are these addressed by VMware and why not using the newest Apache?