Is CA Spectrum affected by the Apache Tomcat vulnerability CVE-2020-17527?
While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.
Spectrum 10.4.1
The affected code is only reached on HTTP/2 connections, so for this vulnerability to apply, HTTP/2 would need to be enabled on the Tomcat connector. An HTTP/2 enabled connector would have a configuration such as the following:
<Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/key.pem"
                     certificateFile="conf/cert.pem"
                     certificateChainFile="conf/chain.pem" type="RSA" />
    </SSLHostConfig>
</Connector>
CA Spectrum 10.4.1 uses Tomcat version 9.0.24, which falls within the affected range (9.0.0-M1 to 9.0.39).
However, HTTP/2 is not used in the CA Spectrum Tomcat configuration: the Http2Protocol UpgradeProtocol shown above is not configured on the Spectrum connector, so HTTP/2 is never negotiated and the stream handling in which the header re-use occurs is never exercised. Therefore, Spectrum is not vulnerable to this CVE. This conclusion holds only while HTTP/2 remains disabled; if an UpgradeProtocol for org.apache.coyote.http2.Http2Protocol is added to the Spectrum Tomcat server.xml, the affected code path becomes reachable on the affected Tomcat version.
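The reasoning above has two parts: the Tomcat version must be in an affected range, and a Connector must enable HTTP/2 through the Http2Protocol UpgradeProtocol. The script below is an added example, not CA Spectrum's or Apache Tomcat's own code, that applies both checks to a server.xml. The two server.xml fragments embedded in it are constructed for illustration (one shaped like the HTTP/2 connector shown above, one HTTP/1.1-only); they are not copies of the Spectrum configuration, and the file path and version passed on the command line are whatever the operator supplies.

```python
"""Check whether a Tomcat instance is exposed to CVE-2020-17527.

Added example (not CA Spectrum's or Apache Tomcat's code). The vulnerable
code path is only reached on HTTP/2 connections, so exposure requires both
an affected Tomcat version and a Connector that enables HTTP/2 via the
org.apache.coyote.http2.Http2Protocol UpgradeProtocol. The server.xml
fragments below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"

# Affected ranges from the Apache advisory text quoted above:
# 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39, 8.5.0 to 8.5.59.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def is_affected_version(version: str) -> bool:
    """Return True if the Tomcat version string falls in an affected range."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    milestone = int(m.group(4)) if m.group(4) else None
    if (major, minor, patch) == (10, 0, 0):
        # Only milestones M1..M9 of 10.0.0 are affected; 10.0.0 GA is not.
        return milestone is not None and 1 <= milestone <= 9
    if (major, minor) == (9, 0):
        # 9.0 milestones precede 9.0.0 and are affected; releases up to 9.0.39.
        return patch <= 39
    if (major, minor) == (8, 5):
        return patch <= 59
    return False


def http2_connectors(server_xml: str) -> list:
    """Return (port, protocol) for every Connector that enables HTTP/2."""
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        for up in conn.findall("UpgradeProtocol"):
            if up.get("className") == HTTP2_CLASS:
                found.append((conn.get("port"), conn.get("protocol")))
                break
    return found


def assess(server_xml: str, tomcat_version: str) -> dict:
    """Exposure requires an affected version AND at least one HTTP/2 connector."""
    affected = is_affected_version(tomcat_version)
    h2 = http2_connectors(server_xml)
    return {
        "affected_version": affected,
        "http2_connectors": h2,
        "exposed": affected and bool(h2),
    }


# Constructed fragment shaped like the HTTP/2 connector shown above.
HTTP2_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
      <SSLHostConfig>
        <Certificate certificateKeyFile="conf/key.pem"
                     certificateFile="conf/cert.pem"
                     certificateChainFile="conf/chain.pem" type="RSA" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>"""

# Constructed HTTP/1.1-only fragment: no UpgradeProtocol, so HTTP/2 is
# never negotiated and the affected stream handling never runs.
HTTP11_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" />
  </Service>
</Server>"""


if __name__ == "__main__":
    import sys
    # Usage: python check_cve_2020_17527.py [path/to/server.xml] [tomcat-version]
    version = sys.argv[2] if len(sys.argv) > 2 else "9.0.24"
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = HTTP11_SERVER_XML
    print(assess(xml_text, version))
```

Run it against the live server.xml of the Tomcat instance and the version reported by its catalina.jar or version script; an affected version combined with an empty http2_connectors list is the situation the article describes, and any entry in that list on an affected version is the combination that needs patching.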