Apache Tomcat Manager Common Administrative Credentials

This script is Copyright (C) 2008-2015 Tenable Network Security, Inc.


Synopsis :

The management console for the remote web server is protected using a
known set of credentials.

Description :

Nessus was able to gain access to the Manager web application for the
remote Tomcat server using a known set of credentials. A remote
attacker can exploit this issue to install a malicious application on
the affected server and run arbitrary code with Tomcat's privileges
(usually SYSTEM on Windows, or the unprivileged 'tomcat' account on
Unix).

Worms are known to propagate this way.

See also :

http://markmail.org/thread/wfu4nff5chvkb6xp
http://svn.apache.org/viewvc?view=revision&revision=834047
http://www.intevydis.com/blog/?p=87
http://www.zerodayinitiative.com/advisories/ZDI-10-214/
http://archives.neohapsis.com/archives/fulldisclosure/2010-10/0260.html

Solution :

Edit the associated 'tomcat-users.xml' file and change or remove the
affected set of credentials.
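The check a defender wants after applying that solution is confirmation that no account with a Manager role still carries an empty, trivial or username-equal password. The script below is an added example, not part of the Nessus plugin or of Tomcat; it parses a constructed `tomcat-users.xml` (all values made up), scopes the audit to the documented Tomcat Manager roles (`manager-gui`, `manager-script`, `manager-jmx`, `manager-status`), and applies an assumed minimum-length policy of 12 characters.

```python
import xml.etree.ElementTree as ET

# Tomcat roles that grant access to the Manager web application (documented
# Tomcat role names). A weak credential on any of these is what the finding
# above describes.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}
MIN_PASSWORD_LEN = 12  # assumed local policy, not a Tomcat requirement

# Constructed sample in the tomcat-users.xml layout; every value is made up.
WEAK_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="admin" password="admin" roles="manager-gui,manager-script"/>
  <user username="ops" password="" roles="manager-gui"/>
  <user username="web" password="web" roles="app-user"/>
</tomcat-users>
"""

# Constructed hardened counterpart: one scripted-deploy account, a long
# placeholder password, and no interactive manager-gui role.
HARDENED_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-script"/>
  <user username="deploy" password="REPLACE-WITH-LONG-RANDOM-SECRET-0123" roles="manager-script"/>
</tomcat-users>
"""


def local_name(tag):
    """Strip the XML namespace so <user> matches with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def weak_password_reasons(username, password):
    """Return the reasons a password is unacceptable for a Manager account."""
    if not password:
        return ["empty password"]
    reasons = []
    if password.lower() == username.lower():
        reasons.append("password equals username")
    if len(password) < MIN_PASSWORD_LEN:
        reasons.append(f"password shorter than {MIN_PASSWORD_LEN} characters")
    return reasons


def audit_tomcat_users(xml_text):
    """Map each Manager-capable account with a weak password to its reasons.

    Accounts that hold no manager role are out of scope for this finding and
    are not reported, even if their password is weak.
    """
    root = ET.fromstring(xml_text)
    findings = {}
    for elem in root.iter():
        if local_name(elem.tag) != "user":
            continue
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if not roles & MANAGER_ROLES:
            continue
        username = elem.get("username", "")
        reasons = weak_password_reasons(username, elem.get("password", ""))
        if reasons:
            findings[username] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_tomcat_users(WEAK_TOMCAT_USERS).items():
        print(f"{name}: {', '.join(reasons)}")
    print("hardened sample findings:", audit_tomcat_users(HARDENED_TOMCAT_USERS))
```

Run it against the real file with `audit_tomcat_users(open("/path/to/conf/tomcat-users.xml").read())`; an empty result means every Manager-role account passed the checks. Where a digest credential handler is configured, the `password` attribute holds a hash and only the empty-password check is meaningful.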

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.3
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Web Servers

Nessus Plugin ID: 34970

Bugtraq ID: 36253, 36954, 37086, 38084, 44172

CVE ID: CVE-2009-3099, CVE-2009-3548, CVE-2010-0557, CVE-2010-4094