Automic Workload Automation

  • 1.  AWI JSESSIONID not marked secure and X-Content-Type-Options HTTP Header missing

    Posted 30 days ago

    We have load-balanced AWI servers. Our Vulnerability Scanning Group scanned the AWI servers directly on port 8080 and marked these as vulnerabilities:

    HTTP Cookie missing Secure attribute on JSESSIONID
    X-Content-Type-Options HTTP Header missing 

    Are there any configuration settings in the configuration.properties where headers can be set and parameters for JSESSIONID?



  • 2.  RE: AWI JSESSIONID not marked secure and X-Content-Type-Options HTTP Header missing

    Posted 30 days ago
    Edited by Michael A. Lowry 30 days ago

    We reported several similar problems to Broadcom in 2022. In response, Broadcom fixed the vulnerabilities in AWI v21.0.4.

    I suggest that you open a support ticket for this.



  • 3.  RE: AWI JSESSIONID not marked secure and X-Content-Type-Options HTTP Header missing

    Broadcom Employee
    Posted 30 days ago

    Hi @Greg Elsbernd

    Please make sure that you are using the latest version of AWI/AW and have a look at the various AWI settings described in the documentation:

    https://docs.automic.com/documentation/webhelp/english/AA/24.0/DOCU/24.0/Automic%20Automation%20Guides/Content/Installation_Manual/AWI/AWI_config_configuration_properties.htm

    Michael



    ------------------------------
    Michael K. Dolinek

    Engineering Program Manager | Agile Operation Division
    Broadcom Software
    ------------------------------
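
The two findings discussed in this thread can be re-checked against a captured response head, for example before and after an upgrade or configuration change. The following is an added example, not code from the thread or from Broadcom: a Python audit of raw response headers in which the sample responses and cookie values are constructed.

```python
# Added example: audit a raw HTTP response head for the two scanner findings.
# SAMPLE_BEFORE / SAMPLE_AFTER are constructed, not captured from a real AWI server.

SAMPLE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "Set-Cookie: JSESSIONID=node0constructed123; Path=/; HttpOnly\r\n\r\n"
)
SAMPLE_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: JSESSIONID=node0constructed123; Path=/; Secure; HttpOnly\r\n\r\n"
)

def parse_headers(raw):
    """Return [(lowercased name, value)]; a list, because Set-Cookie may repeat."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def cookie_attributes(set_cookie_value):
    """Split a Set-Cookie value into (cookie name, set of lowercased attribute names)."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    # Only the parts after the first ';' are attributes; the cookie value is ignored,
    # so a value that happens to contain "secure" does not mask the finding.
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit(raw, cookie_name="JSESSIONID"):
    """Return a list of findings for the session cookie and the nosniff header."""
    findings = []
    headers = parse_headers(raw)
    for name, value in headers:
        if name == "set-cookie":
            cname, attrs = cookie_attributes(value)
            if cname == cookie_name and "secure" not in attrs:
                findings.append(f"{cookie_name} cookie missing Secure attribute")
    xcto = [v.lower() for n, v in headers if n == "x-content-type-options"]
    if not xcto:
        findings.append("X-Content-Type-Options header missing")
    elif any(v != "nosniff" for v in xcto):
        findings.append("X-Content-Type-Options is not 'nosniff'")
    return findings

if __name__ == "__main__":
    for label, raw in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit(raw) or "no findings")
```

Replace the samples with a response head captured from the port the scanner hit and from the load balancer's address, since the two can return different headers.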