From my own experience, It's wise to keep something in front of Tomcat to shield it a bit from the outside world. If you run tomcat with the Tomcat-native extension, IO are very fast and Tomcat will behave very well.
Also Tomcat can run on port 80 without running in root by using jsvc which is, if not provided with your distro, very simple to build and use.
However keeping a simple Web frontend just in case is also useful: because this frontend can give you the small touch of flexibility you'll never have with Tomcat (gzip on the fly, rewrite rules, handle more than one tomcat on the same IP:Port using simple virtualhost and proxy mapping,... )
Apache2 can be this frontend using mod_proxy + AJP. AJP handles headers and source IP forwarding to the Tomcat and you'll never be much happier when you'll have to add RewriteRules on your domain because Apache provides that in a very simple way.
However, AJP is very slow to pick the webapp status change and having to wait 30 seconds when your webapp restarts to see it available again on the internet is VERY frustrating. There are also some not so nice issues in latest AJP + Tomcat combination leading to empty pages and broken content type (can be fixed though, but by giving up the tomcat-native enhancements...).
The simple HTTP Mod_proxy can also be used, but by not being a real proxy (Apache changes the Host: header, source IP becomes proxy address,...) is something I don't really like.
Other nice alternatives include:
HAProxy: Very smart and simple proxy, very good at handling load, quite simple to configure, rock solid and a real HTTP Proxy, can forward the source IP via the usual X-Forwarded-For Header. I use this in production and I'm very happy about that. It can scale up to thousands of live connection while restricting the number of active connections to your backend and has many nice features built-in. However, it is probably not fit to make something much more clever than HTTP routing (like RewriteRules for example).
Nginx: I've heard this server do actually support AJP. Being lighter than Apache and more full-featured than HAProxy, I'll probably try this today if I had the opportunity.
Conclusion
- If you have some time for testing, try Nginx,
- If you prefer having a simple and solid frontend, go for HAProxy,
- If you prefer the "traditionnal" route, go for Apache2+AJP,
- If you think Tomcat will be strong enough and will provide you all the features you need, use jsvc and put Tomcat on port 80
The problem with these reports is that they just assume that if you allow user data entry on your site, then you are vulnerable to SQL injection attacks. There is no way for them to tell without actually looking at your SQL, or performing an injection attack, so they just flag it as a potential problem.
The only real way to prove to your boss that your are safe, is either to get a security expert come in and check your site, or get your boss to understand what an injection attack is, and show him it not working on your site.
Best Answer
Use updated package
As we don't know your OS, we cannot help you.
Install updated tomcat version
When you inspect http://www.cvedetails.com/cve/CVE-2011-3190/ you see that you have to install at least 6.0.34.
Current release is 6.0.36.
So go to http://tomcat.apache.org/download-60.cgi and install it.
patching
Grab the tomcat 6.0.24 sources with:
http://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/TOMCAT_6_0_24
The patch can be obtained with:
Add the patch to the sources and build tomcat6 yourself. See the BUILDING.txt document in the sources.
Double cross your fingers that the patch against 6.0.33 make sense also for 6.0.24.
WARNING
You creating a version nobody else has tested. No quality assurance has been done by the tomcat people from apache.