Tomcat still vulnerable for DoS?

Hannes June 26, 2019

Which Tomcat version is shipped with the current Confluence and Jira installations?

I'm asking because of the following Issue:

http://mail-archives.us.apache.org/mod_mbox/www-announce/201906.mbox/%3Cca69531a-1592-be7b-60ce-729549c7f812%40apache.org%3E


Kind Regards
Hannes

Answer accepted
Hannes July 2, 2019

For all who are interested, here is the answer from Atlassian:

Good day, Hannes.

Thanks for reaching out. We understand that you are writing in regarding CVE-2019-10072.

To answer your question about what Tomcat version is shipped with Jira and Confluence, you can verify this as per the following KB article How to determine your version of Tomcat and Java.

For example, your Jira version (the one stated when you opened this ticket) 8.0.2 comes with 8.5.35:

Server version: Apache Tomcat/8.5.35
Server built:   Nov 3 2018 17:39:20 UTC

While reviewing the page https://nvd.nist.gov/vuln/detail/CVE-2019-10072, we understand that this vulnerability only affects the HTTP/2 protocol. By design, Jira and Confluence use HTTP/1.1:

protocol="org.apache.coyote.http11.Http11NioProtocol" 

The above protocol I extracted from Confluence 6.15.4 and Jira 8.0.2. That protocol can be found in the server.xml file. Our recommendation is to check your load balancers and proxies (in case you have any), and downgrade any HTTP/2 protocol to HTTP/1.1.

Hope this helps! Let me know if you have any additional questions.

Best regards,
Akmal
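The two checks the support answer describes (read the Tomcat version from the "Server version" banner, then look in server.xml for whether any Connector actually enables HTTP/2) can be scripted. The script below is an added example written for this thread, not code from Atlassian or from the Tomcat project. In Tomcat, HTTP/2 is enabled per Connector by a nested UpgradeProtocol element with className org.apache.coyote.http2.Http2Protocol; a plain Http11NioProtocol connector without that element speaks HTTP/1.1 only, which is what the answer shows for Jira and Confluence. The two server.xml fragments are constructed samples, and the fixed-version constants are taken from the Apache announcement linked in the question as I recall it (8.5.41 and 9.0.20); verify them against that link before relying on the result. Note that this only assesses Tomcat itself: a reverse proxy that terminates HTTP/2 from clients and speaks HTTP/1.1 to Tomcat never exercises Tomcat's HTTP/2 code.

```python
"""Assess a Tomcat instance for CVE-2019-10072 exposure: affected version AND HTTP/2 enabled."""
import re
import xml.etree.ElementTree as ET

# First fixed release per branch, as stated in the Apache announcement (assumed; verify
# against the announcement linked in the question). Branches not listed are treated as
# out of scope for this advisory.
FIXED_IN = {"8.5": (8, 5, 41), "9.0": (9, 0, 20)}

# Constructed sample: the HTTP/1.1-only connector layout the support answer describes.
SERVER_XML_HTTP11 = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"
               connectionTimeout="20000" redirectPort="8443"/>
  </Service>
</Server>
"""

# Constructed sample: same layout plus a TLS connector that enables HTTP/2 via UpgradeProtocol.
SERVER_XML_HTTP2 = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"
               connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
  </Service>
</Server>
"""

# Banner as printed by the version check the KB article points to (from the answer above).
JIRA_BANNER = "Server version: Apache Tomcat/8.5.35\nServer built:   Nov 3 2018 17:39:20 UTC\n"


def parse_version(banner):
    """Extract (major, minor, patch) from a 'Server version: Apache Tomcat/x.y.z' banner."""
    m = re.search(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no Apache Tomcat version found in banner")
    return tuple(int(x) for x in m.groups())


def version_in_affected_range(version):
    """True if the version predates the fixed release of its branch."""
    fixed = FIXED_IN.get(f"{version[0]}.{version[1]}")
    if fixed is None:
        return False  # branch not covered by this advisory
    return version < fixed


def http2_connectors(server_xml):
    """Return the ports of every Connector that enables HTTP/2 through an UpgradeProtocol child."""
    root = ET.fromstring(server_xml)
    ports = []
    for conn in root.iter("Connector"):
        for upgrade in conn.findall("UpgradeProtocol"):
            if upgrade.get("className", "").endswith(".Http2Protocol"):
                ports.append(conn.get("port"))
    return ports


def assess(banner, server_xml):
    """Combine both checks: only an affected version WITH HTTP/2 enabled is exposed."""
    version = parse_version(banner)
    ports = http2_connectors(server_xml)
    return {
        "version": version,
        "affected_version": version_in_affected_range(version),
        "http2_ports": ports,
        "exposed": version_in_affected_range(version) and bool(ports),
    }


if __name__ == "__main__":
    for label, xml in (("HTTP/1.1 only", SERVER_XML_HTTP11), ("HTTP/2 enabled", SERVER_XML_HTTP2)):
        print(label, assess(JIRA_BANNER, xml))
```

Run it against your own server.xml by replacing the constructed sample with the file contents (for a Jira or Confluence install, the file lives under the bundled Tomcat's conf directory). Tomcat 8.5.35 falls inside the affected range, so the verdict hinges entirely on whether an HTTP/2 UpgradeProtocol is present; with the stock Http11NioProtocol connector the result is not exposed.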
