Found your support case, so I'd like to share the solution.
Added cipher list to conf/server.xml, and then the vulnerability was resolved.
<Connector .... port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" ....
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384">
</Connector>
However, this configuration is not certified officially. Venkat also said that "I highly recommend that you validate these latest/strong ciphers in test environment before you move to PROD and take backup of server.xml before making any change to it."
Thanks
Yas
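
As part of the test-environment validation recommended above, the cipher list in server.xml can be checked before Tomcat is restarted. The script below is an added example, not part of the original post or of any vendor tooling: it reads every Connector's ciphers attribute, flags entries that are not single JSSE suite names (for example two names run together because a comma is missing), and reports for each suite whether the key exchange is forward-secret and whether the cipher mode is AEAD. The function name audit_ciphers and the sample XML are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not a real config): the post's connector without its elided
# attributes; the comma after the first suite is left out on purpose.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
  ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
           TLS_RSA_WITH_AES_128_CBC_SHA256,
           TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
           TLS_RSA_WITH_AES_256_CBC_SHA256,
           TLS_RSA_WITH_AES_256_GCM_SHA384,
           TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
           TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>
</Service></Server>"""

# JSSE-style name: TLS_<key exchange>_WITH_<cipher>_<hash>; TLS 1.3 names have no _WITH_ part.
SUITE_RE = re.compile(r"^TLS_(?:(?P<kx>[A-Z0-9_]+?)_WITH_)?(?P<enc>[A-Z0-9_]+)_(?P<mac>SHA\d*|MD5)$")


def audit_ciphers(server_xml):
    """Return one finding (dict) per entry in every Connector's ciphers attribute."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        for raw in conn.get("ciphers", "").split(","):
            entry = raw.strip()
            if not entry:
                continue
            m = SUITE_RE.match(entry)
            if re.search(r"\s", entry):
                status = "names run together (missing comma?)"
            elif m is None:
                status = "not a JSSE suite name"
            else:
                status = "ok"
            kx = (m.group("kx") or "TLS1.3") if m else ""
            enc = m.group("enc") if m else ""
            findings.append({
                "port": conn.get("port"),
                "entry": entry,
                "status": status,
                # Ephemeral (EC)DHE key exchange gives forward secrecy; static RSA does not.
                "forward_secret": kx == "TLS1.3" or kx.startswith(("ECDHE", "DHE")),
                # GCM, CCM and ChaCha20-Poly1305 are AEAD modes; CBC is not.
                "aead": any(tag in enc for tag in ("GCM", "CCM", "CHACHA20")),
            })
    return findings


if __name__ == "__main__":
    for f in audit_ciphers(SAMPLE_SERVER_XML):
        print(f"{f['port']}  {f['status']:<36} fs={f['forward_secret']!s:<5} aead={f['aead']!s:<5} {f['entry']}")
```

To check a real file, pass the contents of a copy of conf/server.xml to audit_ciphers; the script only reads the text and changes nothing.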