A vulnerability scan of the machine hosting the OC Server reports that CWE-296 (Improper Following of a Certificate's Chain of Trust) is present.
Any UIM version
CWE-296 does not pertain to the UIM product itself; it stems from an improperly configured certificate used to enable HTTPS.
By default, UIM generates a self-signed certificate when HTTPS is activated. Customers should replace it with a digital certificate issued by a trusted Certificate Authority (CA). A CA-issued certificate, together with any intermediate certificates linking it to a root the client already trusts, forms the chain of trust that lets clients authenticate the server before transmitting data to it.
Problems arise when that chain is incomplete or presented in the wrong order. For example, if an intermediate certificate is presented as though it were the root, instead of being validated up to a trusted CA, a strict client cannot complete the chain and the CWE-296 finding appears.
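The following script is an added example and is not part of this article or of the UIM product. It uses openssl to build a throwaway three-level chain (root CA, intermediate CA, server certificate; the names "Example Root CA" and "uim-oc.example.test" are constructed placeholders) and then checks it the way a strict TLS client does, showing the two misconfigurations described above: an intermediate missing from the bundle, and an intermediate treated as the root. It also checks that a PEM bundle is ordered leaf first, followed by its issuer.

```shell
#!/bin/sh
# Added example, not from the KB article: build a root -> intermediate -> leaf chain
# with openssl and verify it strictly. All names below are constructed placeholders.
set -e
WORK="$(mktemp -d)"

# Generate root CA, intermediate CA and server (leaf) certificates.
make_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:uim-oc.example.test\n' > "$WORK/leaf.ext"

    # Root CA: the self-signed trust anchor.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.csr" \
        -subj "/CN=Example Root CA" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -out "$WORK/root.pem" \
        -days 30 -extfile "$WORK/ca.ext" >/dev/null 2>&1

    # Intermediate CA: signed by the root, so it is NOT a trust anchor on its own.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/int.key" -out "$WORK/int.csr" \
        -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -out "$WORK/int.pem" -days 30 -extfile "$WORK/int.ext" >/dev/null 2>&1

    # Server (leaf) certificate: signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
        -subj "/CN=uim-oc.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -out "$WORK/leaf.pem" -days 30 -extfile "$WORK/leaf.ext" >/dev/null 2>&1

    # What the HTTPS server should present: leaf first, then the intermediate (not the root).
    cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/fullchain.pem"
    # A common mistake: the same two certificates in the wrong order.
    cat "$WORK/int.pem" "$WORK/leaf.pem" > "$WORK/reversed.pem"
}

# Correct configuration: the leaf is validated through the intermediate up to a trusted root.
verify_full_chain() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/fullchain.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Incomplete chain: the intermediate is absent, so the leaf cannot be linked to the root.
verify_missing_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Intermediate treated as the root: a strict verifier refuses, because the chain does not
# end at a self-signed certificate it trusts (this is the CWE-296 situation).
verify_intermediate_as_root() {
    openssl verify -CAfile "$WORK/int.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Check that a PEM bundle is ordered leaf, issuer, issuer's issuer, ...: each certificate's
# issuer must equal the subject of the certificate that follows it. Prints "ok" or "bad".
chain_order_ok() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout | awk '
        /^subject=/ { subj[++n] = substr($0, 9) }
        /^issuer=/  { iss[n]    = substr($0, 8) }
        END {
            if (n == 0) { print "bad"; exit }
            for (k = 1; k < n; k++) if (iss[k] != subj[k + 1]) { print "bad"; exit }
            print "ok"
        }'
}

make_chain
echo "full chain, trusted root:  $(verify_full_chain && echo pass || echo FAIL)"
echo "intermediate missing:      $(verify_missing_intermediate && echo pass || echo FAIL)"
echo "intermediate used as root: $(verify_intermediate_as_root && echo pass || echo FAIL)"
echo "bundle order leaf,int:     $(chain_order_ok "$WORK/fullchain.pem")"
echo "bundle order int,leaf:     $(chain_order_ok "$WORK/reversed.pem")"
```

Only the first verification passes; the other two fail with openssl's "unable to get issuer certificate" family of errors, which is the same condition a scanner reports as CWE-296. The `chain_order_ok` function can be pointed at the bundle that is actually configured for HTTPS to confirm the leaf comes first and each certificate is followed by its issuer.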
Because the UIM product has no control over which CA certificates a customer selects, we strongly encourage customers to work with their network security engineers and compliance experts to meet their own security requirements.