Cisco has indeed issued a warning about Apache Struts2 and some products of Cisco that are affected by this. You can find information about this advisory here.
However, I have been unable to find any specific apache bug pertaining to the above version of IOS. Now this IOS is running on an ASR router platform, which doesn’t run Apache itself. Indeed I have looked into all bugs of this IOS version using Cisco’s bug search tool, and none indicate anything with Apache. In the link above, you can see the Cisco products that are affected by the security issue with Apache.
Having said that, if there are any security vulnerabilities in an IOS version, Apache notwithstanding, the best way to deal with them is indeed an upgrade to the latest stable version.
I suggest you further investigate the security issue your security department is referring to, to verify what systems need some intervention.
I hope this has been helpful!