We had a client run a pen test on SSPR 4.1.0.5, and the results basically say to upgrade Tomcat to 4.0.77.
This is an IDM 4.5.4 installation including OSP (6.0.0 r4) on a standalone SSPR box (no other IDM apps), federated with NAM.

Can this be as simple as getting a newer version of Tomcat?