Apache Geronimo default administrative credentials - Vulnerability Database

Description

Apache Geronimo is deployed with default administrative credentials that are publicly documented and widely known. The default username 'system' with password 'manager' provides full access to the Geronimo Administration Console and command-line deployment tools. These credentials are identical across all default installations, making systems easily accessible to unauthorized users who are aware of these defaults.

Remediation

Immediately change the default administrative credentials through the following steps:

1. Log into the Geronimo Administration Console using the current credentials
2. Navigate to Security -> Console Realm
3. Locate the Console Realm Users portlet
4. Change the username from 'system' to a unique administrative username
5. Set a strong password that meets complexity requirements (minimum 12 characters, including uppercase, lowercase, numbers, and special characters)
6. Remove or disable any other default accounts that may exist
7. Verify the changes by logging out and authenticating with the new credentials

Additionally, implement account lockout policies and monitor authentication logs for suspicious login attempts. Consider restricting administrative console access to specific IP addresses or networks through firewall rules or application-level access controls.
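
An added example, not part of the original advisory or of Geronimo itself: a Python audit that checks a properties-style user file against steps 4 to 6 (default username, default password, and the stated complexity rules). It assumes the console realm stores accounts as `user=password` lines and that a value beginning with `{` is an encoded secret; the function names and sample entries are constructed for illustration.

```python
import re

DEFAULT_USER, DEFAULT_PASSWORD = "system", "manager"  # defaults named in this advisory

def password_problems(password):
    """Return the ways a plaintext password misses the policy in step 5."""
    checks = [
        (len(password) >= 12, "shorter than 12 characters"),
        (re.search(r"[A-Z]", password), "no uppercase letter"),
        (re.search(r"[a-z]", password), "no lowercase letter"),
        (re.search(r"[0-9]", password), "no number"),
        (re.search(r"[^A-Za-z0-9]", password), "no special character"),
    ]
    return [msg for ok, msg in checks if not ok]

def audit_users(text):
    """Audit 'user=password' lines; return a sorted list of (user, finding)."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue  # skip blanks, comments and malformed lines
        user, value = (part.strip() for part in line.split("=", 1))
        if user == DEFAULT_USER:
            findings.append((user, "default administrative username still present"))
        if value.startswith("{"):
            # Assumption: a '{...}' prefix marks an encoded value, so its
            # strength cannot be judged from the file alone.
            findings.append((user, "stored value is encoded; confirm it was changed"))
            continue
        if value == DEFAULT_PASSWORD:
            findings.append((user, "default password in use"))
        findings.extend((user, problem) for problem in password_problems(value))
    return sorted(findings)

# Constructed sample input, not taken from a real installation.
SAMPLE = """\
# constructed example entries
system=manager
deployer={ENC}constructed-encoded-value
ops-admin=Tr4il-Mix!Harbor92
"""

if __name__ == "__main__":
    for user, finding in audit_users(SAMPLE):
        print(f"{user}: {finding}")
```
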
