Tomcat status page
Description
The Apache Tomcat status page (/manager/status) exposes detailed server runtime information including memory usage statistics, active thread counts, connector states, and recent HTTP request details. When publicly accessible without authentication, this administrative interface provides attackers with valuable reconnaissance data about the server's configuration, performance characteristics, and operational state that can be leveraged to plan targeted attacks.
Remediation
Restrict access to the Tomcat status page by implementing authentication and authorization controls. Edit the tomcat-users.xml file to define authorized users with the 'manager-status' role:
<tomcat-users>
  <role rolename="manager-status"/>
  <!-- replace the placeholder password below with a strong, unique value -->
  <user username="admin" password="secure_password" roles="manager-status"/>
</tomcat-users>
Additionally, configure IP-based access restrictions in the web.xml file of the manager application, or use a reverse proxy, to limit access to trusted networks only. For production environments, consider disabling the status page entirely by removing or commenting out the status servlet mapping in $CATALINA_HOME/webapps/manager/WEB-INF/web.xml. Verify the configuration by requesting the status page from an unauthenticated client outside the trusted network and confirming that access is denied.
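One way to check the resulting configuration offline, as an added example rather than anything shipped with Tomcat: the script below parses the manager application's WEB-INF/web.xml and tomcat-users.xml and reports whether the Status servlet is still mapped, whether /status/* sits behind a security-constraint that requires manager-status together with a login-config, whether Tomcat's built-in org.apache.catalina.filters.RemoteAddrFilter is mapped over it (the filter through which web.xml expresses IP-based restrictions), and whether any manager-status account still carries a placeholder password. The two web.xml documents, the tomcat-users.xml and the placeholder-password list are constructed for the example; the allow pattern, filter name and user names are assumptions.

```python
"""Offline audit of Tomcat manager status-page hardening (added example, not Tomcat code)."""
import xml.etree.ElementTree as ET

# Placeholder secrets that must not survive into production (constructed list, an assumption).
WEAK_PASSWORDS = {"", "admin", "tomcat", "password", "secure_password", "s3cret"}
REMOTE_ADDR_FILTER = "org.apache.catalina.filters.RemoteAddrFilter"


def _name(tag):
    """Strip the XML namespace so web.xml from any Tomcat version parses alike."""
    return tag.rsplit("}", 1)[-1]


def _kids(elem, name):
    return [c for c in elem if _name(c.tag) == name]


def _texts(elem, name):
    return [(c.text or "").strip() for c in _kids(elem, name)]


def _covers_status(patterns):
    """True if any url-pattern covers the status page (/status, /status/* or /*)."""
    return any(p in ("/*", "/status", "/status/*") for p in patterns)


def audit_manager_web_xml(web_xml):
    """Return control booleans plus a list of findings for a manager WEB-INF/web.xml."""
    root = ET.fromstring(web_xml)
    status_patterns = [p for m in _kids(root, "servlet-mapping")
                       if _texts(m, "servlet-name") == ["Status"]
                       for p in _texts(m, "url-pattern")]
    status_mapped = bool(status_patterns)

    # Authentication: a security-constraint over /status/* naming manager-status, plus a login-config.
    constrained = False
    for sc in _kids(root, "security-constraint"):
        patterns = [p for wrc in _kids(sc, "web-resource-collection") for p in _texts(wrc, "url-pattern")]
        roles = [r for ac in _kids(sc, "auth-constraint") for r in _texts(ac, "role-name")]
        if _covers_status(patterns) and "manager-status" in roles:
            constrained = True
    has_login = bool(_kids(root, "login-config"))

    # Network restriction: a RemoteAddrFilter declared and mapped over the status path.
    ip_filter_names = {n for f in _kids(root, "filter")
                       if _texts(f, "filter-class") == [REMOTE_ADDR_FILTER]
                       for n in _texts(f, "filter-name")}
    ip_filtered = any(set(_texts(fm, "filter-name")) & ip_filter_names
                      and _covers_status(_texts(fm, "url-pattern"))
                      for fm in _kids(root, "filter-mapping"))

    findings = []
    if status_mapped and not (constrained and has_login):
        findings.append("status page mapped without a manager-status auth constraint")
    if status_mapped and not ip_filtered:
        findings.append("no RemoteAddrFilter restricts the status page by source IP")
    return {"status_mapped": status_mapped, "auth_constraint": constrained and has_login,
            "ip_filter": ip_filtered, "findings": findings}


def audit_tomcat_users(users_xml):
    """Return findings for manager-status users whose password is a placeholder."""
    root = ET.fromstring(users_xml)
    findings = []
    for u in _kids(root, "user"):
        roles = {r.strip() for r in u.get("roles", "").split(",")}
        if "manager-status" in roles and u.get("password", "") in WEAK_PASSWORDS:
            findings.append(f"user {u.get('username')!r} has a placeholder password")
    return findings


# Constructed sample documents: a hardened manager web.xml, an exposed one, and a users file.
HARDENED_WEB_XML = r"""<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>Remote Address Filter</filter-name>
    <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
    <init-param><param-name>allow</param-name><param-value>127\.\d+\.\d+\.\d+|::1|10\.0\.0\.\d+</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>Remote Address Filter</filter-name><url-pattern>/status/*</url-pattern></filter-mapping>
  <servlet-mapping><servlet-name>Status</servlet-name><url-pattern>/status/*</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection><url-pattern>/status/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>manager-status</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>Tomcat Manager Application</realm-name></login-config>
</web-app>"""

EXPOSED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet-mapping><servlet-name>Status</servlet-name><url-pattern>/status/*</url-pattern></servlet-mapping>
</web-app>"""

TOMCAT_USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-status"/>
  <user username="admin" password="secure_password" roles="manager-status"/>
  <user username="monitor" password="Lq7!vP9#zR2mX4" roles="manager-status"/>
</tomcat-users>"""

if __name__ == "__main__":
    for label, doc in (("hardened", HARDENED_WEB_XML), ("exposed", EXPOSED_WEB_XML)):
        print(label, audit_manager_web_xml(doc))
    print("users", audit_tomcat_users(TOMCAT_USERS_XML))
```

To audit a live installation, replace the constructed strings with the contents of $CATALINA_HOME/webapps/manager/WEB-INF/web.xml and $CATALINA_HOME/conf/tomcat-users.xml. This complements the live check described above rather than replacing it: a request for /manager/status from an address outside the allow pattern should receive 403 from the filter, and an unauthenticated request from an allowed address should receive 401 from the BASIC login-config.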