
Apache Tomcat Manager Login Found

Impact: Medium

Description

By default, the Manager application should be accessible only from a browser running on the same machine as Tomcat. When the Apache Tomcat Manager login is reachable over the internet, attackers can use password guessing and brute-force methods to break into your server.

Recommendation

Update the webapps/manager/META-INF/context.xml file to allow only whitelisted IP addresses. The example below allows local machine IPv4 addresses starting with 127, plus the IPv6 loopback address.

<Context antiResourceLocking="false" privileged="true" >
  
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
  
  <Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
</Context>
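The following added example is not part of the original page or of Tomcat; it emulates how RemoteAddrValve applies the `allow` attribute so an administrator can check a candidate pattern against sample client addresses before deploying it. Tomcat compiles `allow` as a Java regex and requires the whole client IP to match (Matcher.matches()), which `re.fullmatch` reproduces in Python. The `extend_allow` helper and the test addresses (203.0.113.10, 10.0.0.5) are constructed for illustration.

```python
import re

# The allow pattern shipped in the manager context.xml shown above.
LOOPBACK_ALLOW = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"


def is_allowed(remote_addr: str, allow_pattern: str = LOOPBACK_ALLOW) -> bool:
    """Emulate RemoteAddrValve's `allow` check for one client address.

    Tomcat requires a full match of the remote address against the compiled
    pattern, so a partial match (e.g. "127.0.0.1" inside "1127.0.0.1") is
    rejected; re.fullmatch gives the same semantics. Only `allow` is
    modelled, because the page's config sets no `deny` attribute.
    """
    return re.fullmatch(allow_pattern, remote_addr) is not None


def extend_allow(base_pattern: str, extra_hosts: list[str]) -> str:
    """Append literal management-host IPs to an allow pattern (hypothetical
    helper). Dots are escaped so "10.0.0.5" cannot match "10a0b0c5"."""
    return "|".join([base_pattern] + [re.escape(h) for h in extra_hosts])


def audit(allow_pattern: str, addresses: list[str]) -> dict[str, bool]:
    """Return a mapping of each sample address to whether it would be admitted."""
    return {addr: is_allowed(addr, allow_pattern) for addr in addresses}


if __name__ == "__main__":
    # Constructed sample addresses: loopback variants, a public address from the
    # documentation range, a partial-match decoy and an internal management host.
    samples = ["127.0.0.1", "::1", "0:0:0:0:0:0:0:1",
               "203.0.113.10", "1127.0.0.1", "10.0.0.5"]
    for addr, ok in audit(LOOPBACK_ALLOW, samples).items():
        print(f"default pattern  {addr:>16}: {'allow' if ok else 'deny'}")
    widened = extend_allow(LOOPBACK_ALLOW, ["10.0.0.5"])
    for addr, ok in audit(widened, samples).items():
        print(f"widened pattern  {addr:>16}: {'allow' if ok else 'deny'}")
```

One caveat when reading the results: the valve checks the address of the TCP peer. If Tomcat sits behind a reverse proxy, every request arrives from the proxy's IP, so an allow list that includes the proxy admits all of its clients unless the real client address is restored first (for example with RemoteIpValve ahead of RemoteAddrValve).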


Last updated on June 06, 2022
