Tomcat versions from 8.5.0 to 8.5.54 (and 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 7.0.0 to 7.0.103) are vulnerable to RCE when:
No action required for Airlock IAM and WAF
Details:
CVE-2020-9484 - Airlock IAM does not persist Sessions in files (PersistenceManager is not used), neither it is usually possible to write attacker controlled files on the IAM or WAF host.
No actions required for Airlock WAF or IAM.
Actions required for Back-ends
Verify on your back-end servers that the setup described above does not apply or update to the latest tomcat version if possible: http://tomcat.apache.org/