CVE-2023-28708
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.
https://nvd.nist.gov/vuln/detail/CVE-2023-28708
All current versions of Desktop and Laptop Option (DLO), including DLO 9.8.2, are impacted by this vulnerability, when using the default installed Apache Tomcat version.
This vulnerability is resolved in Apache Tomcat version 8.5.86 or higher, which is now available for use with DLO 9.8.2.
It is possible to update to the latest supported Tomcat version (currently 8.5.89 with DLO 9.8.2) using the VxUpdate - Component Update facility in DLO 9.8.2.
Customers using DLO versions earlier than 9.8.2 are advised to upgrade to DLO 9.8.2 to allow access to the non-vulnerable version of Apache Tomcat.
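One way to confirm the fix after updating Tomcat, shown as an added example (not Veritas or Apache code): a Python check that inspects Set-Cookie header values captured on the client-facing side of the reverse proxy and flags a session cookie that lacks the Secure attribute. The cookie name JSESSIONID is Tomcat's default; the header values and the /app path below are constructed samples.

```python
"""Flag session cookies that were issued without the Secure attribute."""

SESSION_COOKIE = "JSESSIONID"  # Tomcat's default session cookie name


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    first, *attr_parts = header_value.split(";")
    name, _, value = first.strip().partition("=")
    attrs = {}
    for part in attr_parts:
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val  # attribute names are case-insensitive
    return name, value, attrs


def insecure_session_cookies(set_cookie_values, cookie_name=SESSION_COOKIE):
    """Return the Set-Cookie values for cookie_name that have no Secure flag."""
    findings = []
    for raw in set_cookie_values:
        name, _, attrs = parse_set_cookie(raw)
        # Only real attributes count: "secure" inside the cookie value or
        # inside the Path value must not be mistaken for the flag.
        if name == cookie_name and "secure" not in attrs:
            findings.append(raw)
    return findings


# Constructed samples of what a client could receive from the proxy.
AFFECTED = ["JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/app; HttpOnly"]
FIXED = ["JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/app; Secure; HttpOnly"]
LOOKALIKE = ["JSESSIONID=secure; Path=/secure; HttpOnly"]  # no Secure attribute

if __name__ == "__main__":
    for label, sample in (("affected", AFFECTED), ("fixed", FIXED),
                          ("lookalike", LOOKALIKE)):
        bad = insecure_session_cookies(sample)
        print(f"{label}: {'MISSING Secure' if bad else 'ok'}")
```
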
See the article below for details of the default and maximum supported versions of the Apache, Tomcat, OpenSSL and Log4j products used in each DLO version:
Apache, Tomcat, OpenSSL and Log4j versions used in Desktop and Laptop Option (DLO)
https://www.veritas.com/content/support/en_US/article.100048632.html