The Apache Tomcat Manager can be accessed using a known set of credentials.
A remote attacker can leverage this issue to install a malicious application on the affected server and run code with Tomcat's privileges (usually SYSTEM on Windows, or the unprivileged 'tomcat' account on UNIX).
How can we fix this so a remote attacker cannot install a malicious application?
We use UNIX.
NOTE: By default, no user is included in the "manager-gui" role required
to operate the "/manager/html" web application. If you wish to use this app,
you must define such a user - the username and password are arbitrary. It is
strongly recommended that you do NOT use one of the users in the commented out
section below since they are intended for use with the examples web
NOTE: The sample user and role entries below are intended for use with the
examples web application. They are wrapped in a comment and thus are ignored
when reading this file. If you wish to configure these users for use with the
examples web application, do not forget to remove the <!.. ..> that surrounds
them. You will also need to set the passwords to something appropriate.
<user username="tomcat" password="tomcat" roles="manager-gui"/>
<user username="xxxxxxx" password="zzzzzz" roles="manager-gui"/>
<user username="both" password="both" roles="tomcat,role1"/>
<user username="role1" password="role1" roles="role1"/>
Hi RogerShirley603913,
I think this page might be a good starting point.
Apache Tomcat 8 (8.5.34) - Security Considerations
I also found this one:
For security reasons, Manager is disabled by default - in fact, a User with privileges to access it is not even configured in tomcat-users.xml.
Gaining access to the Tomcat Manager would give an attacker considerable control over your Tomcat instance. The first question you should ask is whether you need access to the Manager at all. If you are using an alternative method of administering your Tomcat instances, it's best to leave the Manager disabled.
If you do need to use the Manager application, there are a number of configuration options and best practices you can enforce to limit the risk associated with running it.
That's why AWA does not activate the Tomcat Manager by default.
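As an added example (not code from either post above or from Tomcat itself), here is a small Python audit that parses a tomcat-users.xml and flags Manager/Host Manager accounts with the kind of weak or default credentials shown in the question. The sample XML and the weak-password list are constructed, and the checks assume plaintext passwords, as in the snippet above (a file using hashed credentials would need a different test).

```python
import xml.etree.ElementTree as ET

# Constructed sample resembling the tomcat-users.xml fragment quoted in the question.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="both" password="both" roles="tomcat,role1"/>
  <user username="ops" password="Fj7!kq2Lp9#vB" roles="manager-gui"/>
  <user username="dev" password="changeme" roles="manager-script"/>
</tomcat-users>
"""

# Tomcat's Manager and Host Manager roles; any account holding one of these
# can deploy applications, which is the capability the scanner finding describes.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}

# Constructed list of well-known placeholder passwords (an assumption, extend to taste).
WEAK_PASSWORDS = {"tomcat", "changeme", "password", "admin", "s3cret"}


def _local_name(tag):
    """Strip the XML namespace so <user> matches whether or not xmlns is set."""
    return tag.split("}")[-1]


def audit_tomcat_users(xml_text, min_length=12):
    """Return (username, reason) findings for privileged accounts with weak credentials.

    Users wrapped in <!-- --> are ignored by the parser, matching Tomcat's own behaviour.
    """
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if _local_name(elem.tag) != "user":
            continue
        name = elem.get("username", "")
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if not roles & PRIVILEGED_ROLES:
            continue  # unprivileged accounts cannot reach /manager, skip them
        if password == name:
            findings.append((name, "password equals username"))
        elif password.lower() in WEAK_PASSWORDS:
            findings.append((name, "well-known weak password"))
        elif len(password) < min_length:
            findings.append((name, "short password"))
    return findings
```

Run it against the real file (usually $CATALINA_BASE/conf/tomcat-users.xml); an empty result is what you want when the Manager is not needed at all, since then no user should hold a manager-* role.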