Upgrade Tomcat to the fixed version of CVE-2020-9484

Problem Definition

A recent Tomcat vulnerability (CVE-2020-9484) in which an attacker can access the content and names of files on a server when custom PersistenceManager filestores are used was announced that affects the following versions:
10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103

Confluence, as shipped, does not use PersistenceManager and is not vulnerable, but can be made so with customizations.

Affected versions of Tomcat include:

• 7.0.0 to 7.0.103
• 8.5.0 to 8.5.54
• 9.0.0.M1 to 9.0.34
• 10.0.0-M1 to 10.0.0-M4

Suggested Solution

Include an unaffected version of Tomcat (9.0.35 and above for Tomcat) in Confluence,