The CA Service Management solution uses Apache Tomcat. Announcements of newly discovered or newly fixed vulnerabilities occur regularly. 

For example, the following issue was reported publicly on 6 April 2018 and formally announced as a vulnerability on 22 July 2018. 

Title: CVE-2018-1336 Apache Tomcat - Denial of Service

Description: An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service
Affects: 7.0.28 to 7.0.88; 8.5.0 to 8.5.30 

Are the Tomcat releases listed in the CA Service Management Supportability Matrix the only releases that are supported?

CA Service Management 17.1

The current point versions of Tomcat are supported as per the following statements in the documentation:
 

For example, at the time of writing this knowledge article:

• The Third-Party Common Components section of the Supportability Matrix showed the following support for Apache Tomcat:

 

CA SDM	CA Service Catalog	CA APM	USS	xFlow Analyst Interface
(8.5.6)	(8.5.6)	(8.5.6)	(7.0.40)	NA

• For Tomcat 7, current point version is 7.0.90; for Tomcat 8.5, current point version is 8.5.32.  Both of these point versions include a fix to vulnerability CVE-2018-1336. (Note: Version 8.5.32 also contains a fix to CVE-2018-8037; there does not yet appear to be a fix to that yet in 7.0.xx.)

https://docops.ca.com/ca-service-management/17-1/en/ca-service-management-17-1-release-notes/supportability-matrix
 
https://tomcat.apache.org/download-70.cgi 
https://tomcat.apache.org/download-80.cgi 

Please also review the following enhancement Idea in CA Communities:

Title: Add support for the recent version of Tomcat 9.x and JRE 10.x
https://communities.ca.com/ideas/235740460-add-support-for-the-recent-version-of-tomcat-9x-and-jre-10x