if you go to the cis website and download cis benchmark for tomcat, that's what he's talking about... This affects all ca products which embed tomcat and is likely a security issue that affects most of your customers who are hardening their production web servers.