Apache Tomcat fixed two vulnerabilities, CVE-2016-8735 and CVE-2016-6816, in versions 6.0.48, 7.0.73 and 8.0.39.
Airlock WAF is not affected and protects back-end applications.
Details:
Vulnerability CVE-2016-8735 affects the JMX Remote Lifecycle Listener, which is not used by any Airlock product.
Vulnerability CVE-2016-6816 affects the parsing of the HTTP request line. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other than their own. [1]
Airlock WAF protects back-end systems by decoding all requests and building new, properly encoded and normalized requests.
No action required.
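
The request-line handling described under Details (reject characters the RFCs do not permit, then forward a newly encoded line rather than the client's bytes) is shown below as an added example; it is not Airlock or Tomcat code. The name `normalize_request_line`, the accepted character sets and the decision to pass the validated query string through unchanged are assumptions of the example.

```python
import re
from urllib.parse import quote, unquote_to_bytes

# RFC 7230 "token" for the method; only HTTP/1.0 and HTTP/1.1 are accepted here.
METHOD = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
VERSION = re.compile(r"HTTP/1\.[01]")
# Characters RFC 3986 permits in the path and query of an origin-form target.
TARGET = re.compile(r"/[A-Za-z0-9\-._~!$&'()*+,;=:@/?%]*")
BAD_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")
SEGMENT_SAFE = "-._~!$&'()*+,;=:@"  # pchar minus pct-encoded; "/" stays encoded


class BadRequestLine(ValueError):
    """Raised instead of guessing what a malformed request line means."""


def normalize_request_line(raw: bytes) -> bytes:
    """Parse strictly, then rebuild the line from its decoded parts."""
    try:
        line = raw.decode("ascii")
    except UnicodeDecodeError:
        raise BadRequestLine("non-ASCII byte in request line")
    if not line.endswith("\r\n"):
        raise BadRequestLine("request line must end in CRLF")
    parts = line[:-2].split(" ")
    if len(parts) != 3:
        raise BadRequestLine("expected method SP target SP version")
    method, target, version = parts
    if not METHOD.fullmatch(method) or not VERSION.fullmatch(version):
        raise BadRequestLine("invalid method or HTTP version")
    if not TARGET.fullmatch(target) or BAD_PERCENT.search(target):
        raise BadRequestLine("character not allowed in request target")
    path, sep, query = target.partition("?")
    segments = []
    for seg in path.split("/"):
        decoded = unquote_to_bytes(seg)
        if any(b < 0x20 or b == 0x7F for b in decoded):
            raise BadRequestLine("control character in decoded path")
        # Re-encode from the decoded bytes so only one spelling goes upstream.
        segments.append(quote(decoded, safe=SEGMENT_SAFE))
    rebuilt = "/".join(segments) + sep + query
    return f"{method} {rebuilt} {version}\r\n".encode("ascii")
```

Because the forwarded line is built from parsed components, the front end and the back end cannot disagree about where the method, target and version begin and end.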