A new Tomcat CVE (CVE-2020-1938) referred to as 'Ghostcat' has a lot of users asking how Esri software is affected.
Michael Young has written a blog that describes how users may be impacted and offers guidance for customers who deploy the Java version of the ArcGIS Web Adaptor on Tomcat or use Apache httpd along with Tomcat in a reverse proxy solution.
You'll find this blog, titled "Don't get Bitten by GhostCat Tomcat Vulnerability", in the 'Alerts and Announcements' section on the front page of the ArcGIS Trust Center.