The session cookie for the Admin UI (JSESSIONID) is not configured to restrict access via unencrypted channels.
The ‘secure’ directive instructs the user's browser to send the cookie only over SSL/TLS-encrypted channels.
Secure is not set for the JSESSIONID cookie.
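To confirm the finding, or to verify the result after web.xml has been changed, the Set-Cookie response headers can be checked for both flags. The Python check below is an added example, not part of the original article or the product; the header values in it are constructed samples.

```python
"""Added example: check Set-Cookie headers for the session cookie's flags."""
from typing import Dict, List

SESSION_COOKIE = "JSESSIONID"            # cookie name from the article
REQUIRED_FLAGS = ("secure", "httponly")  # attribute names are case-insensitive


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into its name and lower-cased attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "attrs": attrs}


def missing_flags(headers: List[str], cookie_name: str = SESSION_COOKIE) -> Dict[int, List[str]]:
    """Map the index of each header that sets cookie_name to the flags it lacks."""
    findings: Dict[int, List[str]] = {}
    for idx, raw in enumerate(headers):
        cookie = parse_set_cookie(raw)
        if cookie["name"] == cookie_name:
            findings[idx] = [f for f in REQUIRED_FLAGS if f not in cookie["attrs"]]
    return findings


# Constructed sample headers (not captured from a real system).
SAMPLE_HEADERS = [
    "JSESSIONID=CONSTRUCTED0001; Path=/",                    # both flags absent
    "JSESSIONID=CONSTRUCTED0002; Path=/; secure; HTTPONLY",  # compliant, mixed case
    "JSESSIONID=CONSTRUCTED0003; Path=/Secure; HttpOnly",    # "Secure" only in the path
    "theme=dark; Secure; HttpOnly",                          # not the session cookie
]

if __name__ == "__main__":
    for idx, absent in missing_flags(SAMPLE_HEADERS).items():
        status = "OK" if not absent else "missing " + ", ".join(absent)
        print(f"header {idx}: {status}")
```

Attributes are parsed individually rather than matched as substrings, so a path or value that merely contains the word "Secure" is not mistaken for the flag.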
You can enable the Secure and HttpOnly flags by updating the following element in the web.xml file as shown below:
The location of the web.xml file is:
This version is not affected by this vulnerability and does not have this as a configuration option.
Element to modify