This update especially solve the "Ghostcat" vulnerability
The problem in ghostcat lies in the AJP-connector.
In Tomcat 7.0.100 therefore the allowed IP for AJP is localhost.
This is confiugred in server.xml like this:
<!-- Define an AJP 1.3 Connector on port 8009 -->
If you run OpenWGA in a cluster environment you probably have to change this address restriction to the IPs of the cluster nodes or completely remove the address restriction (like before in tomcat 7.0.90). We advice to ensure the firewall blocks the AJP port (normally 8009) for public access.