Installed Endevor web services using CCS Tomcat 9.0.35, Is there any AJP vulnerabilities ? 

Release : 18.1

Component : CA Endevor Software Change Manager

CCS Tomcat 9.0.35

Review $Tomcat/conf/server.xml:

Tomcat is configured to use SSL protocol.

    <Connector port="XXXX" maxHttpHeaderSize="8192"
          maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
          enableLookups="false" disableUploadTimeout="true"
          SSLEnabled="true"
          algorithm="IbmX509"
          acceptCount="100" scheme="https" secure="true"
          clientAuth="false" sslProtocol="TLS"
          sslEnabledProtocols="+TLSv1.2,+TLSv1.1,+TLSv1"
          keystoreType="JCERACFKS"
          keystoreFile="safkeyring://keyringowner/kyering"
          sslImplementationName="com.ca.sslsocket.CASSLImplementation" />

Tomcat is not using AJP protocol (the AJP configuration has been comment out). 

    <!--
    <Connector protocol="AJP/1.3"
               address="::1"
               redirectPort="8443" />

    </Connector>
    -->

 There should be no AJP vulnerabilities if AJP protocol is not enabled in Tomcat. (the default protocol used in CCS Tomcat 9 is SSL).  

CVE-2020-1938 Ghostcat - Apache Tomcat AJP File Read/Inclusion Vulnerability