search cancel

OC Security Observation JSESSION AUTH

book

Article ID: 216328

calendar_today

Updated On:

Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

We were able to identify the JSESSIONID value did not change before and after authentication.

UIM 20.3.3 no hot fixes

URL:

 

Recommendation

Change the JSESSIONID value right after successful authentication, and also ensure that session id’s timeout after certain durations of inactivity.

Environment

Release : 20.3

Component : UIM - SECURITY VULNERABILITIES

Resolution

  This is already part of UIM 20.3.3 and is configurable in the wasp.cfg file.

    oc.jwt.autogeneratetoken = true
    oc.jwt.issuer = CA Broadcom
    oc.jwt.expiryInSecs = 1800
    oc.jwt.refreshInterval = 120