I can upgrade Tomcat myself, but that approach isn't documented and isn't likely to be supported by Adobe.
Tomcat is bundled as part of ColdFusion 11; previously, Adobe has provided a hotfix to upgrade Tomcat. Is this something on your roadmap?
Tomcat 7.0.68 fixes the following issues:
Moderate: CSRF token leak CVE-2015-5351
Moderate: Security Manager bypass CVE-2016-0714
Moderate: Security Manager bypass CVE-2016-0763
This is supposedly being fixed in CF 11 Update 8. There is no ETA on the update, but it is "just around the corner".
I can confirm Tomcat is updated to 7.0.68 in CF 11 Update 8, and will be out very soon.