Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.
http://www.iss.net/security_center/static/9863.php
http://www.apachelabs.org/tomcat-dev/200108.mbox/%3C20010810000819.6350.qmail%40icarus.apache.org%3E