After reading https://robotattack.org/ and testing https://robotattack.org/check/?h=demo-trunk.ofbiz.apache.org which returned (same for stable and old)
This host is not vulnerable. However it still allows connections with the problematic RSA encryption ciphers.
I concluded that we should remove RSA encryption ciphers from our Tomcat config. I'll use https://tomcat.apache.org/tomcat-8.5-doc/config/http.html as a reference to fix this possible issue.
If you are more interested in this please read https://mailarchive.ietf.org/arch/msg/tls/t6SKfh49fb4kRET2krZ6UoaEefs