CCS and CSM Apache Tomcat and the CVE-2020-1938 vulnerability

Article ID: 186545

Products

  • COMMON SERVICES FOR Z/OS
  • CHORUS SOFTWARE MANAGER

Issue/Introduction

Are CCS and CSM Apache Tomcat affected by the CVE-2020-1938 vulnerability? How can this be verified? 

 

Environment

  • z/OS 2.x
  • CCS and CSM Apache Tomcat 

 

Cause

Vulnerability concern

Resolution

Regarding your concern, I have confirmed with Common Services and Chorus Software Manager Level 2 that by default the AJP connector that is referenced in the CVE-2020-1938 vulnerability description is disabled in CCS and CSM Apache Tomcat.

This can be verified by viewing the Tomcat server XML file. In the file delivered with CCS Tomcat you will find the connector associated with AJP disabled (e.g., commented out).
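
The same check can be scripted. The following is an added example, not code supplied with CCS or CSM: it parses the text of a Tomcat server XML file and lists any AJP connector that is not commented out. The function name and both sample files are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on a Tomcat server XML file with AJP commented out.
SAMPLE_DISABLED = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <!--
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    -->
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""

# Constructed sample: the same file with the AJP connector uncommented.
SAMPLE_ENABLED = SAMPLE_DISABLED.replace("<!--\n", "").replace("    -->\n", "")


def active_ajp_connectors(server_xml_text):
    """Return one dict per <Connector> that Tomcat would start as AJP.

    ElementTree drops XML comments while parsing, so a commented-out
    connector never appears in the tree, matching how Tomcat reads the file.
    """
    root = ET.fromstring(server_xml_text)
    found = []
    for service in root.iter("Service"):
        for conn in service.findall("Connector"):
            # Tomcat treats a connector without a protocol attribute as HTTP/1.1.
            protocol = conn.get("protocol", "HTTP/1.1")
            # AJP is selected by "AJP/1.3" or by an org.apache.coyote.ajp.* class name.
            if "ajp" not in protocol.lower():
                continue
            found.append({
                "service": service.get("name"),
                "port": conn.get("port"),
                "protocol": protocol,
                # None when the attribute is absent and Tomcat's default bind applies.
                "address": conn.get("address"),
            })
    return found


if __name__ == "__main__":
    for label, text in (("disabled", SAMPLE_DISABLED), ("enabled", SAMPLE_ENABLED)):
        hits = active_ajp_connectors(text)
        print(label, "->", hits if hits else "no active AJP connector")
```

An empty result means every AJP connector in the file is commented out or absent, which is the delivered state described above.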

Additional Information

CVE-2020-1938 detail