• Apache has released the Apache Software Foundation Releases Security Updates:
• https://www.us-cert.gov/ncas/current-activity/2017/04/12/Apache-Software-Foundation-Releases-Security-Updates

There are a few vulnerabilities reported:

1. CVE-2017-5648 - http://mail-archives.us.apache.org/mod_mbox/www-announce/201704.mbox/%3C8a78e8fe-616e-1959-3c0e-26704fc72766@apache.org%3E
2. CVE-2017-5650 - http://mail-archives.us.apache.org/mod_mbox/www-announce/201704.mbox/%3C6d8077ef-1bcb-d07b-0bd0-f70ab0043faf@apache.org%3E
3. CVE-2017-5651 - http://mail-archives.us.apache.org/mod_mbox/www-announce/201704.mbox/%3C63a584ba-4db7-85d3-0206-c1164b9d26c6@apache.org%3E
4. CVE-2016-6817 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6817
5. CVE-2016-6816 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816

For CVE-2017-5650 and CVE-2017-5651, the Severity is Important and:

Versions Affected:

• Apache Tomcat 9.0.0.M1 to 9.0.0.M18
• Apache Tomcat 8.5.0 to 8.5.12
• Apache Tomcat 8.0.x and earlier are not affected

Users of the affected versions should apply one of the following
mitigations:

• Upgrade to Apache Tomcat 9.0.0.M19 or later
• Upgrade to Apache Tomcat 8.5.13 or later

Moving forward, fix versions of JIRA should be bundled with Tomcat 8.5.13/9.0.0.M19 or above.

Workaround

If Tomcat is to be manually upgraded, please refer to How to upgrade Apache Tomcat version in JIRA 7.x. Currently Tomcat 8.5.13 and 8.5.14 are available.

Manually upgrading Tomcat is not recommended or supported.