Apache Tomcat Manager Common Administrative Credentials

This script is Copyright (C) 2008-2014 Tenable Network Security, Inc.


Synopsis :

The management console for the remote web server is protected using a
known set of credentials.

Description :

It is possible to gain access to the Manager web application for the
remote Tomcat server using a known set of credentials. A remote
attacker can leverage this issue to install a malicious application on
the affected server and run code with Tomcat's privileges (usually
SYSTEM on Windows, or the unprivileged 'tomcat' account on Unix).

Worms are known to propagate this way.

See also :

http://markmail.org/thread/wfu4nff5chvkb6xp
http://svn.apache.org/viewvc?view=revision&revision=834047
http://www.intevydis.com/blog/?p=87
http://www.zerodayinitiative.com/advisories/ZDI-10-214/
http://archives.neohapsis.com/archives/fulldisclosure/2010-10/0260.html

Solution :

Edit the associated 'tomcat-users.xml' file and change or remove the
affected set of credentials.
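A defender's check of the fix above, as an added example that is not part of the advisory or of Nessus: it parses tomcat-users.xml and flags Manager-role accounts whose password is empty, equals the username, or is shorter than an assumed minimum. The role set, the length threshold and the sample config are assumptions made for the example.

```python
"""Audit a Tomcat tomcat-users.xml for Manager accounts with weak credentials.

Added example, not from the advisory. It finds every <user> holding a
Manager-capable role and flags passwords that are empty, equal the username,
or fall below a minimum length. Plaintext passwords are assumed; digested
values (CredentialHandler) would need comparing after hashing.
"""
import xml.etree.ElementTree as ET

# Roles that grant Manager access: Tomcat 6 used a single 'manager' role,
# Tomcat 7+ split it into the manager-* roles (admin-gui added for completeness).
MANAGER_ROLES = {"manager", "manager-gui", "manager-script",
                 "manager-jmx", "manager-status", "admin-gui"}
MIN_PASSWORD_LENGTH = 12  # assumed policy threshold, not from the advisory

# Constructed sample config for the example; not from any real deployment.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="admin" password="admin" roles="manager-gui"/>
  <user username="deploy" password="" roles="manager-script"/>
  <user username="ops" password="Zq7!r4Lw9#pV2tXe" roles="manager-gui"/>
  <user username="guest" password="guest" roles="tomcat"/>
</tomcat-users>
"""

def audit_tomcat_users(xml_text):
    """Return [(username, reason)] for Manager-capable users with weak passwords."""
    findings = []
    root = ET.fromstring(xml_text)
    for user in root.iter():
        # Tomcat 7+ files carry a namespace; compare the local tag name only.
        if user.tag.split("}")[-1] != "user":
            continue
        name = user.get("username") or user.get("name", "")
        password = user.get("password", "")
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        if not roles & MANAGER_ROLES:
            continue  # only accounts that can reach the Manager app matter here
        if password == "":
            findings.append((name, "empty password"))
        elif password.lower() == name.lower():
            findings.append((name, "password equals username"))
        elif len(password) < MIN_PASSWORD_LENGTH:
            findings.append((name, "password shorter than %d" % MIN_PASSWORD_LENGTH))
    return findings

if __name__ == "__main__":
    for name, reason in audit_tomcat_users(SAMPLE_XML):
        print("weak Manager credential for %r: %s" % (name, reason))
```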

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.3
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Web Servers

Nessus Plugin ID: 34970

Bugtraq ID: 36253, 36954, 37086, 38084, 44172

CVE ID: CVE-2009-3099, CVE-2009-3548, CVE-2010-0557, CVE-2010-4094