Hello. We need to meet <14 days patching requirements of available patches of High and Critical CVSS vulnerabilities, which tomcat vulnerabilities seem to be a very frequent occurrence.

Am i right to ask support every time to patch tomcat? Or is there a simpler route?

The environments cannot be excluded from compliance scope.