Access Manager security concerns with active default tomcat servlets

  • 3549647
  • 02-Jan-2007
  • 26-Apr-2012

Environment


Novell Access Management 3 Linux
Novell Identity Server

Situation

On a freshly installed Identity Server built from the shipping code, the Tomcat /admin and
/manager contexts are enabled by default, e.g. http://:8080/admin and http://:8080/manager.
When either path is requested on the Identity Server, an authentication challenge is sent
to the browser. No Tomcat users are configured, so authentication to these servlets is not
possible; nevertheless, the contexts should be disabled and not reachable at all.

Resolution

Although the servlets are not usable, they are still deployed, and security scanners will
flag them as a possible vulnerability. To disable the contexts, the administrator must
manually remove the following two files:

/var/opt/novell/tomcat4/webapps/admin.xml
/var/opt/novell/tomcat4/webapps/manager.xml

This will be done automatically in Access Manager 3 SP1.
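The steps above, as an added shell example (not part of this TID or Novell's own code): the script backs up and removes the two context descriptors, reports whether the hardened state has been reached, and checks the two URLs after a Tomcat restart, where a 404 means the context is gone and a 401 means the descriptor is still deployed. The WEBAPPS, BACKUP and APPLY variables, the backup directory and the host name passed to the HTTP check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example for disabling the default Tomcat 4 /admin and /manager contexts on a
# Novell Identity Server. Paths default to the ones named in the TID; they can be
# overridden so the functions can be exercised against a scratch directory.
WEBAPPS="${WEBAPPS:-/var/opt/novell/tomcat4/webapps}"
BACKUP="${BACKUP:-/var/opt/novell/tomcat4/disabled-contexts}"   # assumed location

# Move admin.xml and manager.xml out of the webapps directory, keeping a timestamped
# copy so the change can be reverted. Idempotent: an already-absent file is reported.
disable_default_contexts() {
  dir="$1"; bak="$2"
  mkdir -p "$bak" || return 1
  for ctx in admin manager; do
    f="$dir/$ctx.xml"
    if [ -f "$f" ]; then
      mv "$f" "$bak/$ctx.xml.$(date +%Y%m%d%H%M%S)" || return 1
      echo "disabled context /$ctx ($f moved to $bak)"
    else
      echo "context /$ctx already disabled ($f absent)"
    fi
  done
  return 0
}

# Succeeds only when neither descriptor exists, i.e. the state the TID asks for.
contexts_disabled() {
  dir="$1"
  [ ! -e "$dir/admin.xml" ] && [ ! -e "$dir/manager.xml" ]
}

# Probe one context over HTTP after Tomcat has been restarted (host is an assumption).
# 404: context removed. 401: descriptor still deployed, Tomcat prompts for credentials.
check_context_http() {
  host="$1"; ctx="$2"
  code=$(curl -s -o /dev/null -w '%{http_code}' "http://$host:8080/$ctx" || echo 000)
  case "$code" in
    404) echo "/$ctx: $code (removed)"; return 0 ;;
    401) echo "/$ctx: $code (still deployed, prompts for authentication)"; return 1 ;;
    *)   echo "/$ctx: $code (unexpected, check that Tomcat is listening)"; return 1 ;;
  esac
}

# Only touch the real paths when explicitly asked, e.g. APPLY=1 sh disable-contexts.sh
if [ "${APPLY:-0}" = "1" ]; then
  disable_default_contexts "$WEBAPPS" "$BACKUP"
  contexts_disabled "$WEBAPPS" && echo "both descriptors removed; restart Tomcat"
fi
```

Restart Tomcat after removing the descriptors, then run check_context_http against the Identity Server for both admin and manager; a scanner run against the same URLs should then stop reporting the contexts.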