IBM Support

Cookie Without Secure Flag for JazzSM

Abstract

This issue affects JazzSM 1.1.3.0/DASH 3.1.3.0 through JazzSM 1.1.3.7/DASH 3.1.3.7. Security scanning tools report that the cookies set by the login URL (for example https://IP:16311/ibm/console and logon.jsp) lack the Secure flag. Without the Secure flag a browser will also send these cookies over a plain HTTP connection to the same host, so they can be exposed to an attacker who is able to observe or redirect that traffic.

Requests and cookies reported by the scanner:

GET:https://evern22-jazzsm:16311/ibm/console
    CONSOLE_LOGOUT_CHECK

GET:https://evern22-jazzsm:16311/ibm/console/logon.jsp
    CONSOLE_LOGOUT_CHECK
    WASReqURL

GET:https://evern22-jazzsm:16311/ibm/console/logon.jsp?error=wrongPassword
    CONSOLE_LOGOUT_CHECK
    WASReqURL
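The scanner finding above can be reproduced without a commercial tool by inspecting the Set-Cookie headers a server returns. The script below is an added example, not IBM's code or part of this support document: it parses Set-Cookie headers, reports each cookie that lacks the Secure or HttpOnly attribute, and includes a helper that fetches the headers from a live URL without following redirects (so cookies set on a 302 are not lost). The SAMPLE_SET_COOKIE values are constructed to mimic the cookie names in the scanner output; they are not captured from a real JazzSM server, and the "SESSION" cookie is a placeholder for a compliant cookie.

```python
"""Audit Set-Cookie headers for missing Secure / HttpOnly attributes.

Added example, not IBM's code. The sample headers are constructed to
mimic the cookie names in the scanner output; values are placeholders.
"""
import ssl
import urllib.error
import urllib.request
from typing import Dict, List, Tuple

# Attributes a scanner expects on every cookie set over HTTPS.
REQUIRED_ATTRS = ("secure", "httponly")

# Constructed sample input (not a real server capture).
SAMPLE_SET_COOKIE = [
    "CONSOLE_LOGOUT_CHECK=1; Path=/ibm/console",                                # no Secure, no HttpOnly
    "WASReqURL=https://evern22-jazzsm:16311/ibm/console; Path=/; HttpOnly",    # no Secure
    "SESSION=placeholder; Path=/; Secure; HttpOnly",                            # compliant placeholder
]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie header into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure map to "".
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Return {cookie_name: [missing attributes]} for each non-compliant cookie.

    Cookies carrying both Secure and HttpOnly are omitted from the result.
    """
    findings: Dict[str, List[str]] = {}
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        missing = [a for a in REQUIRED_ATTRS if a not in attrs]
        if missing:
            findings[name] = missing
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so a 302's own Set-Cookie is seen."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_set_cookies(url: str, verify_tls: bool = True) -> List[str]:
    """Request `url` once and return every Set-Cookie header in the response.

    verify_tls=False is only for lab hosts with self-signed certificates.
    Not executed by default; run it against your own console URL.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(
        _NoRedirect(), urllib.request.HTTPSHandler(context=ctx)
    )
    req = urllib.request.Request(url, headers={"User-Agent": "cookie-audit/1.0"})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.headers.get_all("Set-Cookie") or []
    except urllib.error.HTTPError as err:
        # A 302/401/etc. still carries headers worth auditing.
        return err.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for cookie, missing in audit_set_cookies(SAMPLE_SET_COOKIE).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

To check a real host, call `audit_set_cookies(fetch_set_cookies("https://IP:16311/ibm/console/logon.jsp"))`; repeat for each URL in the scanner list, since different pages set different cookies.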

Content

The issue has been logged as APAR IJ25902.
The fix is planned for the next JazzSM/DASH release, JazzSM 1.1.3.8/DASH 3.1.3.8, tentatively September 2020.

If you cannot wait for the official release containing the IJ25902 fix, open a ticket with IBM Support to request a temporary workaround.


Business Unit: IBM Software w/o TPS (BU059)
Product: Jazz for Service Management (SSEKCU)
ARM Category: DASH->DASH UI Services - Security Category->DUIS-Security - Attack Vulnerability issues
ARM Case Number: TS003844106
Platform: Platform Independent
Version: All Version(s)
Line of Business: Automation (LOB45)

Product Synonym

IJ25902, Jazz for service management

Document Information

Modified date:
10 July 2020

UID

ibm16245642