The Apache Tomcat Manager can be accessed using a known set of credentials.
A remote attacker can leverage this issue to install a malicious application on the affected server and run code with Tomcat's privileges (usually SYSTEM on Windows, or the unprivileged 'tomcat' account on UNIX).
How can we fix this so a remote attacker cannot install a malicious application?
We use UNIX.
<tomcat-users>
  <!--
    NOTE: By default, no user is included in the "manager-gui" role required
    to operate the "/manager/html" web application. If you wish to use this app,
    you must define such a user - the username and password are arbitrary. It is
    strongly recommended that you do NOT use one of the users in the commented out
    section below since they are intended for use with the examples web
    application.
  -->
  <!--
    NOTE: The sample user and role entries below are intended for use with the
    examples web application. They are wrapped in a comment and thus are ignored
    when reading this file. If you wish to configure these users for use with the
    examples web application, do not forget to remove the <!.. ..> that surrounds
    them. You will also need to set the passwords to something appropriate.
  -->
  <role rolename="tomcat"/>
  <role rolename="manager-gui"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="xxxxxxx" password="zzzzzz" roles="manager-gui"/>
  <user username="both" password="both" roles="tomcat,role1"/>
  <user username="role1" password="role1" roles="role1"/>
</tomcat-users>
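For comparison, a hardened tomcat-users.xml, added here as an example and not taken from the question: the well-known "tomcat"/"tomcat" account and the example-app users are removed, and the remaining accounts get unique names and long random passwords. The usernames and the CHANGE_ME placeholders are assumptions to be replaced with your own values.

```xml
<tomcat-users>
  <!-- Hardened example (added here; not the file from the question).
       Only the roles the Manager application actually needs are declared.
       The example-app roles "tomcat" and "role1", and every user that was
       only there for the examples webapp, are gone. -->
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>

  <!-- No account named "tomcat", and no password equal to its username.
       CHANGE_ME_* are placeholders: generate long, random, distinct values. -->
  <user username="ops-admin"  password="CHANGE_ME_long_random_1" roles="manager-gui"/>

  <!-- Deployments driven by scripts or CI get manager-script only, which
       serves the text interface and not the HTML console. -->
  <user username="deploy-bot" password="CHANGE_ME_long_random_2" roles="manager-script"/>
</tomcat-users>
```

Tomcat reads this file from $CATALINA_BASE/conf/tomcat-users.xml, so restart Tomcat after editing it. If nobody uses the Manager application at all, deleting the webapps/manager directory removes it from the attack surface entirely.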