lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 09 Nov 2009 13:52:39 +0000
From: Mark Thomas <markt@...che.org>
To: announce@...cat.apache.org,
	Tomcat Users List <users@...cat.apache.org>,
	Tomcat Developers List <dev@...cat.apache.org>,
	full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [SECURITY] CVE-2009-3548 Apache Tomcat Windows Installer insecure
 default administrative password

CVE-2009-3548: Apache Tomcat Windows Installer insecure default
administrative password

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 5.5.0 to 5.5.28
Tomcat 6.0.0 to 6.0.20

The unsupported Tomcat 3.x, 4.0.x, 4.1.x and 5.0.x versions may be also
affected.

Description:
The Windows installer defaults to a blank password for the
administrative user. If this is not changed during the install process,
then by default a user is created with the name admin, roles admin and
manager and a blank password.

Mitigation:
Users of all Tomcat versions may mitigate this issue by one of the
following methods:
- Using the .zip or .tar.gz distributions
- Specifying a strong password for the admin user when using the
  Windows installer
- Removing the admin user from the tomcat-users.xml file after the
  Windows installer has completed
- Editing the tomcat-users.xml file to provide the admin user with
  a strong password after the Windows installer has completed

A patch for this issue [1] has been applied to trunk and will be
included in the next releases of 6.0.x and 5.5.x

Credit:
This issue was reported directly [2] to the tomcat users public mailing
list by David Horheim.
Security researchers are reminded that undisclosed vulnerabilities in
Apache Tomcat should, in the first instance, be reported to the private
security mailing list. [3]

References:
[1] http://svn.apache.org/viewvc?view=revision&revision=834047
[2] http://markmail.org/thread/wfu4nff5chvkb6xp
[3] http://tomcat.apache.org/security.html

Mark Thomas

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ