Apache Tomcat insecure default administrative password

Description

The Windows installer for Apache Tomcat defaults to a blank password for the administrative user. If this is not changed during the install process, then by default a user is created with the name admin, the roles admin and manager, and a blank password.


Impact
A remote attacker can access the administrative console.

Recommendation
Users of all Tomcat versions may mitigate this issue by one of the following methods:

  • Using the .zip or .tar.gz distributions
  • Specifying a strong password for the admin user when using the Windows installer
  • Removing the admin user from the tomcat-users.xml file after the Windows installer has completed
  • Editing the tomcat-users.xml file to provide the admin user with a strong password after the Windows installer has completed
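The last two mitigations both come down to inspecting and editing tomcat-users.xml. The following script, added here as an example and not code from the advisory or from the Tomcat project, audits such a file for blank-password accounts, flags those holding the admin or manager roles, and applies either remedy: remove the admin user, or give it a non-blank password. The sample file content is constructed to mirror what a blank-password install produces; the 12-character minimum in set_password is an assumption, not a Tomcat requirement.

```python
"""Audit and harden a tomcat-users.xml (added example, not Tomcat project code)."""
import xml.etree.ElementTree as ET

# Roles named in the advisory as granting administrative access.
PRIVILEGED_ROLES = {"admin", "manager"}

# Constructed sample: what the Windows installer leaves behind when the
# administrative password is left blank. Not a file taken from the advisory.
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <role rolename="tomcat"/>
  <user username="admin" password="" roles="admin,manager"/>
  <user username="tomcat" password="s3cret" roles="tomcat"/>
</tomcat-users>
"""


def _local(tag):
    """Strip a namespace prefix ('{uri}user' -> 'user') so later Tomcat
    versions that namespace tomcat-users.xml are handled as well."""
    return tag.rsplit("}", 1)[-1]


def _users(root):
    """All <user> elements, as a list so callers may modify the tree."""
    return [el for el in root.iter() if _local(el.tag) == "user"]


def audit_tomcat_users(xml_text):
    """Return (username, severity) for every account with a blank password.

    Severity is 'critical' when the account also holds admin or manager,
    which is exactly the installer default the advisory describes."""
    findings = []
    for user in _users(ET.fromstring(xml_text)):
        name = user.get("username", "")
        password = user.get("password") or ""  # missing attribute == blank
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        if password == "":
            severity = "critical" if roles & PRIVILEGED_ROLES else "high"
            findings.append((name, severity))
    return findings


def remove_user(xml_text, username):
    """Mitigation: delete the named user element entirely."""
    root = ET.fromstring(xml_text)
    for user in _users(root):
        if user.get("username") == username:
            root.remove(user)  # <user> elements are direct children of <tomcat-users>
    return ET.tostring(root, encoding="unicode")


def set_password(xml_text, username, new_password):
    """Mitigation: give the named user a non-blank password.

    The 12-character floor is this example's assumption about 'strong'."""
    if not new_password or len(new_password) < 12:
        raise ValueError("refusing to set a blank or short password")
    root = ET.fromstring(xml_text)
    changed = False
    for user in _users(root):
        if user.get("username") == username:
            user.set("password", new_password)  # ET escapes &, <, " for us
            changed = True
    if not changed:
        raise KeyError(username)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, severity in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{severity}: user '{name}' has a blank password")
    print(remove_user(SAMPLE_TOMCAT_USERS, "admin"))
```

To use it against a real installation, read CATALINA_HOME/conf/tomcat-users.xml into xml_text, run audit_tomcat_users, and write the result of remove_user or set_password back before restarting Tomcat; a run with no findings afterwards confirms the blank-password account is gone.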

A patch for this issue [1] has been applied to trunk and will be included in the next releases of 6.0.x and 5.5.x.

References
CVE-2009-3548
Apache Tomcat Windows Installer insecure default administrative password