The remote web server is missing an Apache Tomcat patch update.
Apache Tomcat 7.0.x before 7.0.67 or 8.0.x before 8.0.32 is affected by a flaw that allows a session fixation attack. The flaw exists because the application, when establishing a new session, does not invalidate an existing session identifier and assign a new one. By sending a specially crafted request that fixates the session identifier via the 'requestedSessionSSL' field, a context-dependent attacker can ensure a user authenticates with the known session identifier, allowing the session to be subsequently hijacked. This vulnerability is only present when at least one web application is configured to use the SSL session ID as the HTTP session ID.
Update to Apache Tomcat version 8.0.32 or later. If version 8.0.x cannot be obtained, version 7.0.67 is also patched for this vulnerability.
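To triage this finding, the two conditions in the description (an affected version, and at least one application using the SSL session ID as the HTTP session ID) can be checked together. The following is an added example, not part of the original advisory or of Tomcat; it assumes the setting is declared in web.xml as the Servlet 3.0 element <tracking-mode>SSL</tracking-mode>, and the function names and sample descriptors are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# First fixed patch level per branch, as stated in the advisory above.
FIXED = {(7, 0): 67, (8, 0): 32}

def version_affected(version):
    """True if the Tomcat version is 7.0.x < 7.0.67 or 8.0.x < 8.0.32."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = map(int, m.groups())
    fixed = FIXED.get((major, minor))
    return fixed is not None and patch < fixed

def uses_ssl_tracking(web_xml):
    """True if a web.xml document declares <tracking-mode>SSL</tracking-mode>."""
    for el in ET.fromstring(web_xml).iter():
        if not isinstance(el.tag, str):
            continue
        # Drop the XML namespace so any web-app schema version matches.
        if el.tag.rsplit("}", 1)[-1] == "tracking-mode":
            if (el.text or "").strip().upper() == "SSL":
                return True
    return False

def exposed(version, web_xmls):
    """Affected version AND at least one application using SSL tracking."""
    return version_affected(version) and any(uses_ssl_tracking(x) for x in web_xmls)

# Constructed sample descriptors (not taken from a real deployment).
_TEMPLATE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <tracking-mode>{mode}</tracking-mode>
  </session-config>
</web-app>"""
APP_SSL = _TEMPLATE.format(mode="SSL")
APP_COOKIE = _TEMPLATE.format(mode="COOKIE")

if __name__ == "__main__":
    print(exposed("8.0.30", [APP_COOKIE, APP_SSL]))
```

A tracking mode set in code through ServletContext.setSessionTrackingModes does not appear in web.xml, so a negative result from this static check does not rule out exposure on an affected version.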