There are a few vulnerabilities reported in Apache Tomcat 9.0.102 and below versions.

CVE-2025-31651(Critical): Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. 

CVE-2025-46701 (High): Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104. 

CVE-2025-31650 (High): Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. 

CA Service Catalog 17.4

These issues will be addressed in the upcoming 17.4 RU5 version (tentatively scheduled for late October 2025 - early November 2025) with an upgrade to Apache Tomcat 9.0.106.

In the meantime, upgrade to Apache Tomcat Version 9.0.106 (or above)

1.  Download Apache-Tomcat-9.0.106 (or higher) (64-bit Windows Zip - apache-tomcat-9.0.106-windows-x64.zip) from following Tomcat 9 Software Downloads

2.  Stop the "CA Service Catalog" and "CA Service Accounting" services

3.  Upgrade Tomcat using the 'ant upgrade-tomcat' command from the CA Service Catalog command prompt (%USM_HOME%/usm.cmd)

4.  Modify the %USM_HOME%/view/conf/server.xml file to set the value of compression attribute of Tomcat Connectors to "off" 

<Connector port="8083" enableLookups="false" redirectPort="8443" maxThreads="400" minSpareThreads="25" connectionTimeout="15000" disableUploadTimeout="true" compression="off" compressionMinSize="2048"   compressableMimeType="text/html,text/plain,text/xml,text/css,text/javascript,image/png,image/gif,image/jpeg,application/json" useBodyEncodingForURI="false" URIEncoding="UTF-8" server="Service Catalog" maxHttpHeaderSize="20480"/>

5.  Restart the  "CA Service Catalog" and "CA Service Accounting" services