A new vulnerability for Tomcat Apache was released:
This vulnerability expose a vulnerability on the default CORS settings.
Is the CA API Portal 3.5 affected by this vulnerability?
Release: L7APIP99000-3.5-API Developer Portal-Perpetual
The CA API Portal 3.5 does not use Tomcat's CORS filter.
Therefore, the Portal is not vulnerable to this CVE.