Tomcat vulnerability

Status
Not open for further replies.

Onorio (Technical User), Jun 5, 2015
Hi,

Server Edition is using the default Tomcat user/password, so it generates a huge vulnerability, because I can access Tomcat with this user/password and make changes, so anybody could do it.
Do you know if I can change the default password without affecting Avaya applications?
I don't understand how Avaya left this user by default.
Thanks
 
For which access method is tomcat's password default?
For bash, wouldn't tomcat, in /etc/passwd, have something like /sbin/nologin - like service users such as postgres, thereby making shell access impossible?
 
I wouldn't be surprised if they overlooked it, but considering how many people have their system passwords at default, I think the stock answer is to firewall that stuff off.
 
Yes, but I was thinking of an internal attack, not one from the outside.
With this hole, anybody on the LAN can access this Tomcat management and make some changes.
I need to avoid it.
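
An added example, not part of the original thread and not Avaya's or Tomcat's own code: a Python audit a defender could run over copies of `tomcat-users.xml` and `/etc/passwd` to check the two access methods raised above, a Manager-role account with a guessable password and a `tomcat` service account with a login shell. The function names, the weak-password list and the sample file contents are constructed for illustration; the thread does not give the file locations or the actual default credentials on a Server Edition host.

```python
import xml.etree.ElementTree as ET

# Roles that grant access to Tomcat's Manager and Host Manager applications.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}
# Shells that refuse interactive login for service accounts.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
# Constructed list of guessable values; add your vendor's documented defaults.
WEAK_PASSWORDS = {"", "tomcat", "admin", "password", "changeme"}

def audit_tomcat_users(xml_text):
    """Return (user, roles, reason) for privileged users with guessable passwords.
    Only plaintext passwords are compared; digested values will not match."""
    findings = []
    for user in ET.fromstring(xml_text).iter():
        if user.tag.rsplit("}", 1)[-1] != "user":  # tolerate the namespaced form
            continue
        name = user.get("username") or user.get("name") or ""
        password = user.get("password", "")
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if not privileged:
            continue  # no management access, so out of scope for this check
        if password.lower() == name.lower():
            findings.append((name, privileged, "password equals username"))
        elif password.lower() in WEAK_PASSWORDS:
            findings.append((name, privileged, "password is on the weak list"))
    return findings

def interactive_service_accounts(passwd_text, accounts=("tomcat",)):
    """Return (account, shell) for listed service accounts whose shell allows login."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] in accounts and fields[6] not in NOLOGIN_SHELLS:
            hits.append((fields[0], fields[6]))
    return hits

# Constructed sample inputs; on a real host, read the actual files instead.
SAMPLE_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
  <user username="ops" password="Xq7!vR2#mLp9" roles="manager-gui"/>
  <user username="viewer" password="viewer" roles="reports"/>
</tomcat-users>"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/sbin/nologin
tomcat:x:91:91:Apache Tomcat:/usr/share/tomcat:/bin/bash
"""

if __name__ == "__main__":
    print(audit_tomcat_users(SAMPLE_USERS))
    print(interactive_service_accounts(SAMPLE_PASSWD))
```

An empty result from both functions means neither access path is open with the values checked; it says nothing about passwords outside the list.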
 
Well hopefully you've told Avaya rather than just blurting it out in public.

Stuck in a never ending cycle of file copying.
 
I'm unable to duplicate this. Seems the default password doesn't work on mine.
 