Hi,
just to be sure, as this came up recently.
Is Sonarqube affected by this CVE due to embedded Tomcat ?
Gilbert
SonarQube should not be affected as we don’t use the AJP protocol – still, SonarQube will bump the version of Tomcat up in SonarQube v8.3 to remove any risk and also stop showing up on security reports. 
We specifically removed the support for the AJP since SonarQube 6.1, with SONAR-7989
Still, as Colin pointed out, the fix is already merged on master and will be available with 8.3.
Thanks for the details!