We were able to identify that the JSESSIONID value did not change before and after authentication.
UIM 20.3.3 with no hotfixes applied
Change the JSESSIONID value immediately after successful authentication, and also ensure that session IDs time out after a defined period of inactivity.
Release : 20.3
Component : UIM - SECURITY VULNERABILITIES
This is already part of UIM 20.3.3 and is configurable in the wasp.cfg file with the following keys:
oc.jwt.autogeneratetoken = true
oc.jwt.issuer = CA Broadcom
oc.jwt.expiryInSecs = 1800
oc.jwt.refreshInterval = 120