I'm interested in a solution here as well.
Apache Tomcat CVE's:
CVE-2019-17569 HTTP Request Smuggling with reverse proxy code regression (Fixed Apache Tomcat 9.0.31)
CVE-2020-1935 HTTP Request Smuggling (fixed Apache Tomcat 9.0.30)
CVE-2020-1938 file read/inclusion vulnerability in the AJP connector (Fixed Apache Tomcat 9.0.31)
CVE-2021-44228 Apache Log4j logging library (fixed in Log4j 2.17.1)
Are these addressed by VMware and why not using the newest Apache?
