Apache Tomcat insecure default administrative password

  • The Windows installer for Apache Tomcat defaults to a blank password for the administrative user. If that password is not changed during the install process, the installer creates a user named admin with the roles admin and manager and a blank password. Because the manager role grants access to the Tomcat manager web application, anyone who can reach that application can log in as admin without a password.
  • Users of all Tomcat versions may mitigate this issue by one of the following methods:
    • Using the .zip or .tar.gz distributions, which do not create the admin user
    • Specifying a strong password for the admin user when using the Windows installer
    • Removing the admin user from the tomcat-users.xml file after the Windows installer has completed
    • Editing the tomcat-users.xml file to give the admin user a strong password after the Windows installer has completed

    A patch for this issue [1] has been applied to trunk and will be included in the next releases of 6.0.x and 5.5.x.
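The following script checks an existing tomcat-users.xml for the condition described above (a user holding the admin or manager role with an empty password) and applies the third mitigation by removing that user. It is an added example, not code from the Apache Tomcat project; the embedded XML is constructed to mirror what the Windows installer writes when the password field is left blank, and the helper names are this example's own.

```python
"""Audit tomcat-users.xml for privileged users with a blank password.

Added example, not Apache Tomcat code. The sample document below is
constructed to look like the file the Windows installer produces when no
admin password is supplied.
"""
import xml.etree.ElementTree as ET

# Constructed sample: admin/manager user with an empty password, plus one
# properly configured account so the audit has something to leave alone.
SAMPLE_TOMCAT_USERS = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="admin"/>
  <role rolename="manager"/>
  <user username="admin" password="" roles="admin,manager"/>
  <user username="deploy" password="s3cr3t-passphrase" roles="manager"/>
</tomcat-users>
"""

# Roles the advisory is concerned with; holders get the admin and manager
# web applications. Treated as a constant of this example.
PRIVILEGED_ROLES = {"admin", "manager"}


def _local(tag):
    """Strip an XML namespace prefix so the check also works on later
    Tomcat files that declare xmlns on <tomcat-users>."""
    return tag.rsplit("}", 1)[-1]


def _roles_of(user):
    """Parse the comma-separated roles attribute into a set of role names."""
    raw = user.get("roles") or ""
    return {r.strip() for r in raw.split(",") if r.strip()}


def find_weak_users(xml_text):
    """Return [(username, sorted roles)] for every <user> whose password
    attribute is missing or empty and who holds at least one privileged role."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if _local(elem.tag) != "user":
            continue
        # Tomcat accepts 'username'; older files used 'name'.
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password")
        roles = _roles_of(elem)
        if not password and roles & PRIVILEGED_ROLES:
            findings.append((name, sorted(roles)))
    return findings


def remove_user(xml_text, username):
    """Return the document with every <user> named `username` removed
    (the 'remove the admin user' mitigation above)."""
    root = ET.fromstring(xml_text)
    for child in list(root):
        if _local(child.tag) == "user" and (
            child.get("username") == username or child.get("name") == username
        ):
            root.remove(child)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, roles in find_weak_users(SAMPLE_TOMCAT_USERS):
        print("blank password on privileged user %r with roles %s" % (name, roles))
    print(remove_user(SAMPLE_TOMCAT_USERS, "admin"))
```

Run it against a real file by reading $CATALINA_HOME/conf/tomcat-users.xml into `find_weak_users`; if you choose the fourth mitigation instead (set a strong password) rather than removing the account, rerun the audit afterwards to confirm it reports nothing, and restart Tomcat so the change takes effect.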