Vulnerability scan issue Tomcat Manager Gui with CA Output Management Web Viewer

Article ID: 45658

Updated On:

Products

Output Management Document Viewer Output Management Web Viewer

Issue/Introduction

Problem:

A vulnerability scan reports an issue with the Tomcat Manager with the Default Account Enabled

Environment:  

Apache Tomcat Manager

Cause: 

Roles and/or passwords in the tomcat-users.xml file. As shipped, the sample user and role entries in this file are wrapped in an XML comment and are therefore ignored by Tomcat; any active roles or passwords would have been added by editing this text file. If you open the Tomcat Manager at http://localhost:8080/manager/html on an unconfigured install, the comments in tomcat-users.xml tell you to add a manager-gui role and a user: by default no user is included in the "manager-gui" role required to operate the "/manager/html" web application, and to use that app you must define such a user (the username and password are arbitrary). The sample entries are wrapped in a comment and thus ignored when the file is read, so anyone enabling them is told not to forget to remove the <!.. ..> that surrounds them. Following those directions while keeping the sample credentials (for example username "tomcat" with password "tomcat") is what the scanner reports as a default account enabled on the Tomcat Manager.

Resolution:

If this file has been modified, edit it to remove the modification that causes the finding. Edit the tomcat-users.xml file in the conf folder under the Tomcat directory and remove or comment out the manager-gui role and the user entry that carries it. If Manager access is genuinely required on that host, do not leave a user with a default or shared password; give it a strong, unique password instead, and re-run the scan to confirm the finding clears.

For example, remove these entries:

<role rolename="manager-gui"/> 
<user username="tomcat" password="tomcat" roles="manager-gui"/> 

If you decide not to remove any other usernames and passwords, make sure they are wrapped in an XML comment so that Tomcat ignores them, for example:

<!--
xxxxxxxxxx
-->

During regular operation, Web Viewer does not use any user IDs or passwords that may be in this file, so you can change or remove existing entries without affecting Web Viewer operations.
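As an added example (not code from this article, from CA/Broadcom, or from Apache Tomcat), the following Python script performs the check and the edit described in the resolution programmatically: it parses a tomcat-users.xml, lists every user that holds a manager-* role, flags credential pairs that match a small constructed list of well-known defaults, and returns a sanitized copy with the manager-gui role stripped from every user and from the role declarations. The sample file, the default-credential list and the user names in it are constructed for the example and are assumptions, not content from the article. Commented-out entries are skipped by the XML parser just as Tomcat skips them.

```python
"""Audit and sanitize a Tomcat conf/tomcat-users.xml.

Added example, not code from the KB article or from Apache Tomcat.
"""
import xml.etree.ElementTree as ET

TOMCAT_NS = "http://tomcat.apache.org/xml"  # default namespace in Tomcat 8+ tomcat-users.xml
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}

# Constructed list of credential pairs that scanners commonly probe (an assumption
# for this example, not a list from the article).
DEFAULT_CREDS = {
    ("tomcat", "tomcat"), ("tomcat", "s3cret"), ("admin", "admin"),
    ("admin", ""), ("manager", "manager"),
}

# Constructed sample file: one commented-out sample entry (inert), one manager user
# with the default tomcat/tomcat pair, one manager user with a strong password.
SAMPLE_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <!-- commented-out sample entries are ignored by Tomcat and by this parser
  <role rolename="tomcat"/>
  <user username="tomcat" password="must be changed" roles="tomcat"/>
  -->
  <role rolename="manager-gui"/>
  <role rolename="webviewer"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="ops" password="Xk9#long-unique-passphrase" roles="manager-gui,webviewer"/>
  <user username="svc" password="svc-only" roles="webviewer"/>
</tomcat-users>
"""


def _local(tag):
    """Strip the XML namespace from an element tag ("{ns}user" -> "user")."""
    return tag.rsplit("}", 1)[-1]


def _roles(user):
    """Return the set of role names in a <user roles="a,b"> attribute."""
    return {r.strip() for r in user.get("roles", "").split(",") if r.strip()}


def audit(xml_text):
    """Return (username, sorted roles, uses_default_credential) for every user
    that holds any manager-* role. Comments are dropped by the parser, so
    entries wrapped in <!-- --> are not reported, matching Tomcat's behaviour."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root:
        if _local(el.tag) != "user":
            continue
        roles = _roles(el)
        if roles & MANAGER_ROLES:
            is_default = (el.get("username"), el.get("password")) in DEFAULT_CREDS
            findings.append((el.get("username"), sorted(roles), is_default))
    return findings


def sanitize(xml_text, drop_roles=("manager-gui",)):
    """Return a copy of the XML with drop_roles removed from every user.
    Users left with no roles are removed entirely, and the matching
    <role rolename=.../> declarations are removed too."""
    ET.register_namespace("", TOMCAT_NS)   # keep the default namespace on output
    ET.register_namespace("xsi", XSI_NS)
    root = ET.fromstring(xml_text)
    drop = set(drop_roles)
    for el in list(root):
        name = _local(el.tag)
        if name == "role" and el.get("rolename") in drop:
            root.remove(el)
        elif name == "user":
            keep = _roles(el) - drop
            if keep:
                el.set("roles", ",".join(sorted(keep)))
            else:
                root.remove(el)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    for name, roles, is_default in audit(text):
        print(f"{name}: roles={','.join(roles)} default_credential={is_default}")
    print(sanitize(text))
```

Run it against a copy of conf/tomcat-users.xml, review the sanitized output before replacing the file, and restart Tomcat so the change takes effect; the audit alone (without writing anything) is enough to confirm whether the scanner's finding still applies.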

Environment

Release: OUTWBV01300-12.1-Output Management-Web Viewer for AIX
Component: