- <div class="bb-coolbox"><span class="bb-dark">This alert was generated using only banner information. It may be a false positive. </span></div><br/><strong>Fixed in Apache Tomcat 6.0.9:</strong><br/><ul> <li> <strong>moderate</strong>: Session hi-jacking CVE-2008-0128<br/> When using the SingleSignOn Valve via https the Cookie JSESSIONIDSSO is transmitted without the "secure" attribute, resulting in it being transmitted to any content that is - by purpose or error - requested via http from the same server. </li> </ul><br/> <span class="bb-navy">Affected Apache Tomcat version (6.0.0 - 6.0.8).</span><br/>
- Upgrade Apache Tomcat to the latest version.