Problem:
A vulnerability scan reports an issue with the Tomcat Manager: Default Account Enabled.
Environment:
Apache Tomcat Manager
Cause:
Active role and/or user entries in the tomcat-users.xml file. By default, the sample user and role entries in this file are wrapped in a comment, so any active roles and/or passwords would have been added by editing this text file. If you open the Tomcat Manager at http://localhost:8080/manager/html, the directions tell you to add a manager-gui role and a password: "By default, no user is included in the "manager-gui" role required to operate the "/manager/html" web application. If you wish to use this app, you must define such a user - the username and password are arbitrary and thus are ignored when reading this file. Do not forget to remove the comments <!.. ..> that surround them."
Resolution:
If this file has been modified, you can edit it to remove the modification that is causing the vulnerability. Edit the tomcat-users.xml file in the conf folder under the Tomcat directory and remove or comment out the manager-gui role and the user entry that carries its password.
For example, remove these entries:
<role rolename="manager-gui"/>
<user username="tomcat" password="tomcat" roles="manager-gui"/>
Also make sure that any other usernames and passwords you decide to keep are wrapped in comments, for example:
<!--
xxxxxxxxxx
-->
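The following is an added example, not part of the original article: a small Python check that reads a tomcat-users.xml and reports every un-commented user holding a Manager role, so you can confirm the resolution above took effect. The two XML documents are constructed samples (the "before" and "after" of the edit); the role names besides manager-gui are Tomcat's other Manager roles.

```python
import xml.etree.ElementTree as ET

# Constructed sample tomcat-users.xml (not from a real deployment): one active
# manager-gui user (the scan finding) plus a commented-out sample block.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <!--
  <role rolename="manager-script"/>
  <user username="deploy" password="s3cret" roles="manager-script"/>
  -->
</tomcat-users>
"""

# The same file after applying the Resolution: active entries removed,
# the sample block left inside its comment.
REMEDIATED_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <!--
  <role rolename="manager-script"/>
  <user username="deploy" password="s3cret" roles="manager-script"/>
  -->
</tomcat-users>
"""

# Roles that grant access to the Manager application.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}


def find_active_manager_users(xml_text):
    """Return (username, manager roles, password == username) for every
    un-commented <user> that holds a Manager role.

    Text inside <!-- --> never reaches the parser, so commenting an entry
    out clears the finding, just as Tomcat itself ignores it.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        # Tomcat namespaces its elements; compare on the local name only.
        if elem.tag.rsplit("}", 1)[-1] != "user":
            continue
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        hits = roles & MANAGER_ROLES
        if hits:
            username = elem.get("username")
            findings.append((username, sorted(hits), elem.get("password") == username))
    return findings
```

Run it against the real conf/tomcat-users.xml contents instead of the sample; an empty result means no active Manager account remains, and a True third field flags a user whose password equals its username, as in the tomcat/tomcat entry above.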
During regular operation of Web Viewer, we do not use any user IDs or passwords that may be in this file. You can change or remove any existing user IDs and passwords in this file without affecting operations.