PT-2009-5838 · Apache+1 · Apache Tomcat+1

Published 2009-11-12 · Updated 2019-03-25 · CVE-2009-3548

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

Apache Tomcat versions 5.5.0 through 5.5.28
Apache Tomcat versions 6.0.0 through 6.0.20

Description

The issue arises from the Windows installer for Apache Tomcat using a blank default password for the administrative user. This allows remote attackers to gain privileges. The default configuration creates a user named admin with roles admin and manager and a blank password if not changed during installation.

Recommendations

For Apache Tomcat versions 5.5.0 through 5.5.28, change the default password for the administrative user to a secure password. For Apache Tomcat versions 6.0.0 through 6.0.20, change the default password for the administrative user to a secure password. As a temporary workaround, consider changing the default configuration to use a secure password for the admin user until a more permanent solution is applied.
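
To audit an existing installation for the condition described above, the following added example (not part of the advisory or of Apache Tomcat) parses a user file and reports accounts that hold the admin or manager role with an empty or absent password. It assumes the accounts are stored in the standard `conf/tomcat-users.xml` file; the function name and the sample XML are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Roles the advisory says the installer grants to the default account.
PRIVILEGED_ROLES = {"admin", "manager"}

# Constructed sample resembling an installer-written tomcat-users.xml.
SAMPLE = """<tomcat-users>
  <role rolename="admin"/>
  <role rolename="manager"/>
  <user username="admin" password="" roles="admin,manager"/>
  <user username="deploy" password="constructed-Example-1" roles="manager"/>
  <user username="viewer" roles="tomcat"/>
</tomcat-users>
"""


def find_blank_privileged_users(xml_data):
    """Return [(username, [privileged roles])] for accounts that hold
    admin or manager and whose password is empty or not set."""
    root = ET.fromstring(xml_data)
    findings = []
    for elem in root.iter():
        # Ignore an XML namespace prefix if the file declares one.
        if elem.tag.rsplit("}", 1)[-1] != "user":
            continue
        # The account name may be stored as "username" or "name".
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password")
        roles = {r.strip() for r in elem.get("roles", "").split(",")}
        risky = sorted(roles & PRIVILEGED_ROLES)
        if risky and not password:  # None (absent) or "" (blank)
            findings.append((name, risky))
    return findings


if __name__ == "__main__":
    # Usage: python check_tomcat_users.py [path to tomcat-users.xml]
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:  # bytes: parser honours the XML encoding
            data = fh.read()
    else:
        data = SAMPLE
    for user, roles in find_blank_privileged_users(data):
        print(f"blank password: user={user!r} roles={','.join(roles)}")
```

Any account the script reports should be given a secure password, as the recommendations above state.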

Related Identifiers

CVE-2009-3548
HPSBUX02541
HPSBUX02860

Affected Products

Apache Tomcat
HP-UX