Can you provide examples of those vulnerabilities? All vulnerabilities I'm aware of are from Java applet technology and not applicable to server applications. The only vulnerability that I can remember is something about parsing float, but even that was very low risk.
I don't use TLS and even if I would use it, I would use nginx frontend. My subset is fairy common, Spring+JDBC, sometimes Hibernate, sometimes pure servlets, but basically all interaction between outer world is via HTTP interface implemented in Tomcat.
A targeted attack would probably hole you fairly easily then. Cleartext means you’re likely open to all sorts of replay attacks and data leaks, which can then be escalated to exploit vulnerable libs and jvm.
