The CA Service Management solution uses Apache Tomcat. Announcements of newly discovered or newly fixed vulnerabilities occur regularly.
For example, the following issue was reported publicly on 6 April 2018 and formally announced as a vulnerability on 22 July 2018.
Title: CVE-2018-1336 Apache Tomcat - Denial of Service
Description: An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service
Affects: 7.0.28 to 7.0.88; 8.5.0 to 8.5.30