Vulnerability scan issue Tomcat Manager Gui with CA Output Management Web Viewer

Document ID : KB000045658
Last Modified Date : 14/02/2018

Problem:

A vulnerability scan reports an issue with the Tomcat Manager with the Default Account Enabled

Environment:  

Apache Tomcat Manager

Cause: 

Roles and/or passwords in the tomcat-users.xml file. By default, the sample user and role entries in this file are wrapped in a comment, so any active roles and/or passwords in this file would have been added by editing this text file. If you open the Tomcat Manager at http://localhost:8080/manager/html, the directions tell you to add a manager-gui role and a password: "By default, no user is included in the "manager-gui" role required to operate the "/manager/html" web application. If you wish to use this app, you must define such a user - the username and password are arbitrary and thus are ignored when reading this file. Do not forget to remove the comments <!.. ..> that surround them."

Resolution:

If this file has been modified, you can edit it to remove the modification that is causing the vulnerability. Edit the tomcat-users.xml file in the conf folder under the Tomcat directory and remove or comment out the manager-gui role and associated password.  

For example, remove these entries:

<role rolename="manager-gui"/> 
<user username="tomcat" password="tomcat" roles="manager-gui"/> 

And make sure there are comments around any other usernames and passwords if you decide not to remove them, for example:

<!--
xxxxxxxxxx
-->

During regular operation of Web Viewer we do not use any user IDs or passwords that may be in this file. You can change or remove any existing user IDs and passwords in this file without affecting operations.
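The following script is an added example, not part of this knowledge document, that verifies the resolution above on a copy of tomcat-users.xml. It parses the file the way Tomcat does (XML comments are discarded, so commented-out sample users never count) and reports any user that still holds the manager-gui role, flagging the tomcat/tomcat pair shown in the example entries. Both file contents below are constructed samples: the first is the file before the fix, the second is the same file after the manager-gui entries were removed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a tomcat-users.xml after someone followed the Manager
# setup hint and added the two entries the resolution says to remove.
VULNERABLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <!--
  <role rolename="role1"/>
  <user username="role1" password="changeme" roles="role1"/>
  -->
</tomcat-users>
"""

# Constructed sample: the same file after applying the resolution. The
# leftover sample user stays inside a comment, as the document recommends.
FIXED_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <!--
  <role rolename="role1"/>
  <user username="role1" password="changeme" roles="role1"/>
  -->
</tomcat-users>
"""


def _local(tag):
    # Tomcat 8+ files declare a default namespace; older files do not.
    # Strip the namespace so both layouts are handled the same way.
    return tag.rsplit("}", 1)[-1]


def active_entries(xml_text):
    """Return (users, roles) that Tomcat would actually load from the file.

    ElementTree drops XML comments while parsing, exactly as Tomcat's
    parser does, so anything wrapped in <!-- --> never appears here.
    """
    root = ET.fromstring(xml_text)
    users, roles = [], []
    for elem in root:
        name = _local(elem.tag)
        if name == "user":
            users.append({
                "username": elem.get("username", ""),
                "password": elem.get("password", ""),
                "roles": [r.strip() for r in elem.get("roles", "").split(",") if r.strip()],
            })
        elif name == "role":
            roles.append(elem.get("rolename", ""))
    return users, roles


def manager_gui_findings(xml_text):
    """List (username, uses_default_tomcat_credentials) for every active
    user that holds manager-gui. An empty list means the scan finding
    described in this document should no longer apply to this file."""
    users, _ = active_entries(xml_text)
    findings = []
    for u in users:
        if "manager-gui" in u["roles"]:
            default_creds = u["username"] == "tomcat" and u["password"] == "tomcat"
            findings.append((u["username"], default_creds))
    return findings


if __name__ == "__main__":
    # Point this at conf/tomcat-users.xml to check a real installation:
    #   with open("/path/to/tomcat/conf/tomcat-users.xml") as f: text = f.read()
    for label, text in (("before fix", VULNERABLE_TOMCAT_USERS), ("after fix", FIXED_TOMCAT_USERS)):
        print(label, manager_gui_findings(text))
```

Run it against the conf/tomcat-users.xml of the Tomcat instance that Web Viewer uses; any line printed for a real file identifies a user entry that still needs to be removed or commented out.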