Apache Tomcat insecure default administrative password
Description
The Windows installer for Apache Tomcat versions 5.5.x and 6.0.x creates an administrative user account with a blank password by default. During installation, if the administrator does not explicitly set a password, the installer creates a user named 'admin' with both 'admin' and 'manager' roles but no password protection. This insecure default configuration leaves the Tomcat management interface exposed to unauthorized access immediately after installation.
Remediation
Immediately secure your Apache Tomcat installation using one of the following methods:
- Set a strong password during installation: When using the Windows installer, ensure you specify a complex password for the admin user during the setup process.
- Modify the tomcat-users.xml file: After installation, edit the conf/tomcat-users.xml file to set a strong password for the admin user:

    <tomcat-users>
      <role rolename="manager-gui"/>
      <role rolename="admin-gui"/>
      <user username="admin" password="YourStrongPasswordHere" roles="manager-gui,admin-gui"/>
    </tomcat-users>

- Remove the default admin user: Delete the admin user entry from conf/tomcat-users.xml and create a new user with a unique username and strong password.
- Use alternative distributions: Consider using the .zip or .tar.gz distributions, which do not create default administrative accounts.
After making changes to tomcat-users.xml, restart the Tomcat service for the changes to take effect. Ensure passwords are at least 12 characters long and include a mix of uppercase, lowercase, numbers, and special characters.
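As an added verification step (not part of the advisory), the following Python script parses a tomcat-users.xml file and flags the installer's blank-password admin account, short passwords on privileged accounts, and a leftover 'admin' username. The privileged role list and both sample files are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Roles that open the Manager/Host Manager apps (assumption: the 5.5/6.0 names
# from the advisory plus the later *-gui/*-script names, so the check is reusable).
PRIVILEGED_ROLES = {"admin", "manager", "admin-gui", "admin-script",
                    "manager-gui", "manager-script", "manager-jmx", "manager-status"}
MIN_PASSWORD_LEN = 12  # length floor recommended in the remediation text

def _local(tag):
    """Strip a namespace prefix ({uri}name -> name); newer files declare one."""
    return tag.rsplit("}", 1)[-1]

def audit_tomcat_users(xml_text):
    """Return a list of (username, finding) tuples for risky <user> entries."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username") or el.get("name") or "<unnamed>"
        password = el.get("password") or ""  # missing attribute counts as blank
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        privileged = bool(roles & PRIVILEGED_ROLES)
        if password == "":
            findings.append((name, "blank password"))
        elif privileged and len(password) < MIN_PASSWORD_LEN:
            findings.append((name, "privileged account with short password"))
        if privileged and name == "admin":
            findings.append((name, "default 'admin' username still holds privileged roles"))
    return findings

# Constructed sample: what the Windows installer writes when no password is set.
INSTALLER_DEFAULT = """<tomcat-users>
  <role rolename="admin"/>
  <role rolename="manager"/>
  <user username="admin" password="" roles="admin,manager"/>
</tomcat-users>"""

# Constructed sample: remediated file with a renamed account and a long password.
REMEDIATED = """<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <user username="ops-tomcat" password="Correct!Horse#Battery9" roles="manager-gui,admin-gui"/>
</tomcat-users>"""

if __name__ == "__main__":
    for label, doc in (("installer default", INSTALLER_DEFAULT), ("remediated", REMEDIATED)):
        print(label + ":", audit_tomcat_users(doc) or "OK")
```

Run it against the real conf/tomcat-users.xml after the restart to confirm no findings remain.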