This issue can be mitigated by using your server firewall rules to restrict access to the AJP port. This port should only be used by a local Apache HTTPD service or a load balancer. Unless your load balancer is using AJP, this port should be locked down from outside the loopback devices. In the load balancer case, lock down access to just your load balancer.
Please have your Operations Team upgrade Tomcat as soon as feasible. For uPortal 5, the tomcat version is kept in gradle.properties. After updating the version, running `./gradlew tomcatInstall` will setup the new version locally. Make sure to back up PORTAL_HOME files before running this command!
Benito J. Gonzalez Senior Software Developer Unicon, Inc. Voice: 209.777.2754 Text: 209.777.2754 [hidden email] GitHub: bjagg BitBucket: bjagg