• Apache has released the Apache Software Foundation Releases Security Updates:
• [https://www.us-cert.gov/ncas/current-activity/2017/04/12/Apache-Software-Foundation-Releases-Security-Updates]

There are a few vulnerabilities reported:

CVE-2017-5648 - [http://mail-archives.us.apache.org/mod_mbox/www-announce/201704.mbox/<[email protected]>]

CVE-2017-5650 - [http://mail-archives.us.apache.org/mod_mbox/www-announce/201704.mbox/<[email protected]>]

CVE-2017-5651 - [http://mail-archives.us.apache.org/mod_mbox/www-announce/201704.mbox/<[email protected]>]

CVE-2016-6817 - [https://vulners.com/cve/CVE-2016-6817]

CVE-2016-6816 - [https://vulners.com/cve/CVE-2016-6816]

For CVE-2017-5650 and CVE-2017-5651, the Severity is Important and:
{quote}Versions Affected:

• Apache Tomcat 9.0.0.M1 to 9.0.0.M18
• Apache Tomcat 8.5.0 to 8.5.12
• Apache Tomcat 8.0.x and earlier are not affected{quote}
  {quote}Users of the affected versions should apply one of the following
  mitigations:
• Upgrade to Apache Tomcat 9.0.0.M19 or later
• Upgrade to Apache Tomcat 8.5.13 or later{quote}
  (+) Moving forward, fix versions of JIRA should be bundled with Tomcat 8.5.13/9.0.0.M19 or above.
  h5. Workaround

If Tomcat is to be manually upgraded, please refer to [How to upgrade Apache Tomcat version in JIRA 7.x|https://confluence.atlassian.com/display/JIRAKB/How+to+upgrade+Apache+Tomcat+version+in+JIRA+7.x]. Currently Tomcat 8.5.13 and 8.5.14 are available.

(!) Manually upgrading Tomcat is not recommended or supported.