We've recently upgraded to Automation Point 11.6 and our security team is reporting security vulnerability.

Please advise if there is a remediation path for: CVE-2019-10072?

Release : 11.6

Component : Automation Point

The security vulnerability is addressed by the following instructions:

For the Apache Tomcat version at Automation Point you can upgrade tomcat from the Tomcat page itself.
In the Windows program tree is a the Apache Tomcat entry and if you select the Tomcat Home Page option you get to the http://tomcat.apache.org.
Here you can download the latest version of Tomcat. 
At the download page select the 32-/64-bits Windows Service Installer.
Install it and don't forget to select Service Startup at the component selection (under Tomcat main component).
After the install of the new Tomcat version you install the AP web applications again into the new directories.
This is done via AP Configuration Manager.
There are 3 (or 4) areas to cover here.
Depending on the release you run, all these options first need to be DISABLED and when all are disabled, then ENABLED again.
1. In the Infrastructure part, Web Services
2. In the Notification Services part, under Notification Manager, the NM Website
3. In Automation, Web message Viewing and when running AP release 11.6 SP1, then also
4. in Automation, under Event Interface the Alert Manager Control Panel.

First disable them all, and when disabled, then enable them all.

With this action, AP Configuration Manager will copy all necessary war files from these applications again into the new tomcat server instance and when you then start Apache Tomcat services, it will find and support them.