'Dead simple' hijacking hole in Apache Tomcat 'now actively exploited in the wild'