CA Service Management 17.0 and 17.2 are both packaged with Apache Tomcat Server version 8.5.6.  This dependency is documented in the Supportability Matrix. 

However version 8.5.6 of Apache Tomcat has known vulnerabilities, for example, CVE-2020-1938.

Is a later version of Apache Tomcat supported with CA Service Management 17.2? 

Release : 17.2

Component : SERVICE DESK MANAGER

You may upgrade Apache Tomcat to version 8.5.51, which is the version that resolves CVE-2020-1938. However, it may not be necessary to upgrade to 8.5.51 to avoid only CVE-2020-1938.

The vulnerability named CVE-2020-1938 is fixed in Tomcat 8.5.51.  However, AJP connections are not used by Service Desk Manager, xFlow, Service Point or ITAM; Service Catalog needs to have AJP Connector enabled only in load balancing scenario.  Generally, though, it is advisable to keep the environment up-to-date with the current point versions of Tomcat 8.5.

The Apache Tomcat version supported by CA Service Management 17.2 in the product documentation as Tomcat 8.5.6. Additionally, point releases above 8.5.6 are supported.

The latest Tomcat 8.5 version that is available today (on 2020-03-16) is 8.5.51, which is a point release of 8.5.6 and so it is supported by CA/Broadcom support and engineering team.

There is no automated method provided in the CA Service Management product to upgrade Apache Tomcat 8.5.6 to 8.5.51.  A manual procedure to upgrade Apache Tomcat is documented in the 14.1 product documentation; the procedure for 17.2 would be similar.  Please see additional information below.

Supportability Matrix for CA Service Management 17.2
( Also see knowledge article 143911 ).

Apache Tomcat versions

CVE-2020-1938 is fixed in Apache Tomcat 8.5.51

How to upgrade Apache Tomcat 8.5.6 to 8.5.16 in CA Service Desk 14.1