Automic Workload Automation

  • 1.  AWI JSESSIONID not marked secure and X-Content-Type-Options HTTP Header missing

    Posted Mar 27, 2024 12:32 PM

    We have load-balanced AWI servers.  Our Vulnerability Scanning Group scanned the AWI servers directly on port 8080 and marked these as vulnerabilities:

    HTTP Cookie missing Secure attribute on JSESSIONID
    X-Content-Type-Options HTTP Header missing 

    Are there any configuration settings in the configuration.properties where headers can be set and parameters for JSESSIONID?



  • 2.  RE: AWI JSESSIONID not marked secure and X-Content-Type-Options HTTP Header missing

    Posted Mar 28, 2024 03:23 AM
    Edited by Michael A. Lowry Mar 28, 2024 03:22 AM

    We reported several similar problems to Broadcom in 2022. In response, Broadcom fixed the vulnerabilities in AWI v21.0.4.

    I suggest that you open a support ticket for this.



  • 3.  RE: AWI JSESSIONID not marked secure and X-Content-Type-Options HTTP Header missing

    Broadcom Employee
    Posted Mar 28, 2024 03:53 AM

    Hi @Greg Elsbernd

    Please make sure that you are using the latest version of AWI/AW and have a look at the various AWI settings described in the documentation:

    https://docs.automic.com/documentation/webhelp/english/AA/24.0/DOCU/24.0/Automic%20Automation%20Guides/Content/Installation_Manual/AWI/AWI_config_configuration_properties.htm

    Michael



    ------------------------------
    Michael K. Dolinek

    Engineering Program Manager | Agile Operation Division
    Broadcom Software
    ------------------------------