CVE-2009-3548: Apache Tomcat Windows Installer insecure default
administrative password
Severity: Low
Vendor:
The Apache Software Foundation
Versions Affected:
Tomcat 5.5.0 to 5.5.28
Tomcat 6.0.0 to 6.0.20
The unsupported Tomcat 3.x, 4.0.x, 4.1.x and 5.0.x versions may be also
affected.
Description:
The Windows installer defaults to a blank password for the
administrative user. If this is not changed during the install process,
then by default a user is created with the name admin, roles admin and
manager and a blank password.
Mitigation:
Users of all Tomcat versions may mitigate this issue by one of the
following methods:
A patch for this issue [1] has been applied to trunk and will be
included in the next releases of 6.0.x and 5.5.x
Credit:
This issue was reported directly [2] to the tomcat users public mailing
list by David Horheim.
Security researchers are reminded that undisclosed vulnerabilities in
Apache Tomcat should, in the first instance, be reported to the private
security mailing list. [3]
References:
[1] http://svn.apache.org/viewvc?view=revision&revision=834047
[2] http://markmail.org/thread/wfu4nff5chvkb6xp
[3] http://tomcat.apache.org/security.html
Mark Thomas