RecoverPoint for VMs: Security Vulnerabilities Related to Tomcat Default Passwords
Summary: In RecoverPoint for Virtual Machines 5.3.2 the default tomcat password is now stored in a more secure, encrypted form, but the password value itself remains the default. When a security scan is run, the following CVE may be reported: CVE-2010-0557 ...
Symptoms
CVE-2010-0557 - This vulnerability concerns the use of default credentials for the tomcat manager account, which is the case in RP4VMs 5.3.2.
In the vRPA's /etc/tomcat8/tomcat-users.xml file, the following entry can be seen:
<role rolename="manager-script"/> <user username="tomcat" password="cacca7676f4bc3bb4c58655e14ed135484628cc99b91e4383b257d5045852f48$1$762225945f39f905588d79a21d3902d31e0f4165" roles="manager-script"/>
NOTE: The string in the password field above is the default password in its digested (encrypted) form.
Cause
Beginning in RP4VMs 5.3, default credentials for the tomcat manager are hard-coded in tomcat-users.xml, which results in this vulnerability. In prior versions of RP4VMs, the password was not a default value.
Resolution
Workaround:
1. From root on a single vRPA, run the following command and copy the hash it outputs:
/usr/share/tomcat8/bin/digest.sh -a SHA kashya
On all vRPAs, perform the following actions:
2. Navigate to /etc/tomcat8/tomcat-users.xml and use an editor such as vi to replace the user on this line with admin and the password with the new hash from Step 1:
Example of what is on each vRPA by default:
<user username="tomcat" password="cacca7676f4bc3bb4c58655e14ed135484628cc99b91e4383b257d5045852f48$1$762225945f39f905588d79a21d3902d31e0f4165" roles="manager-script"/>
Example of what the line looks like after the change:
<user username="admin" password="aded34aac27452989f6167e03da57ffe3d7820578f73c1478c2dff440fb87d69$1$2451452fc306442a0c3ef8232c18eb80f636d12d" roles="manager-script"/>
3. Replace the credentials in the following files:
/home/kos/kbox/src/installation/Installation/scripts/tomcat_set_webapps_for_attached.bash
/home/kos/kbox/src/installation/Installation/scripts/tomcat_set_webapps_for_detached.bash
Each file has a section near the top containing:
USER_TOMCAT="tomcat"
PASSWORD_TOMCAT="tomcat"
Change them to the following:
USER_TOMCAT="admin"
PASSWORD_TOMCAT="kashya"
4. Restart the tomcat service on the vRPA with the following root command:
systemctl restart tomcat8
or reboot the vRPA.
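To verify that the workaround above has been applied on every vRPA, the following audit script (an added example, not Dell's code) parses tomcat-users.xml and the two helper scripts and flags any entry still carrying the default username, the default digest string quoted in this article, or a password that is not in Tomcat's salt$iterations$digest form. The sample inputs are constructed for illustration; the file paths, variable names and default values come from the article.

```python
import re
import xml.etree.ElementTree as ET

# Default manager credential as shipped in RP4VMs 5.3.2 (values from the article).
DEFAULT_USER = "tomcat"
DEFAULT_HASH = ("cacca7676f4bc3bb4c58655e14ed135484628cc99b91e4383b257d5045852f48"
                "$1$762225945f39f905588d79a21d3902d31e0f4165")
# Tomcat's stored digest form: salt$iterations$digest (hex, count, hex).
DIGEST_FORM = re.compile(r"[0-9a-fA-F]+\$\d+\$[0-9a-fA-F]+")

def audit_tomcat_users(xml_text):
    """Return (username, finding) pairs for every <user> in tomcat-users.xml that
    still uses the default username, the default digest, or a non-digested password."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.split("}")[-1] != "user":   # tolerate the xmlns Tomcat 8 adds
            continue
        name, pw = el.get("username", ""), el.get("password", "")
        if name == DEFAULT_USER:
            findings.append((name, "default username"))
        if pw == DEFAULT_HASH:
            findings.append((name, "default password hash"))
        elif not DIGEST_FORM.fullmatch(pw):
            findings.append((name, "password not in digest form"))
    return findings

def audit_script(script_text):
    """Return the USER_TOMCAT/PASSWORD_TOMCAT variables in a
    tomcat_set_webapps_for_*.bash helper that are still set to the default."""
    found = []
    for var in ("USER_TOMCAT", "PASSWORD_TOMCAT"):
        m = re.search(rf'^{var}="([^"]*)"', script_text, re.M)
        if m and m.group(1) == DEFAULT_USER:
            found.append(var)
    return found

# Constructed sample inputs: the shipped default entry and the post-workaround entry.
SAMPLE_DEFAULT = f'''<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-script"/>
  <user username="tomcat" password="{DEFAULT_HASH}" roles="manager-script"/>
</tomcat-users>'''
SAMPLE_FIXED = '''<tomcat-users>
  <user username="admin" password="aded34aac27452989f6167e03da57ffe3d7820578f73c1478c2dff440fb87d69$1$2451452fc306442a0c3ef8232c18eb80f636d12d" roles="manager-script"/>
</tomcat-users>'''

if __name__ == "__main__":
    print(audit_tomcat_users(SAMPLE_DEFAULT))   # two findings for user "tomcat"
    print(audit_tomcat_users(SAMPLE_FIXED))     # []
    print(audit_script('USER_TOMCAT="tomcat"\nPASSWORD_TOMCAT="tomcat"\n'))
```

On a vRPA, read /etc/tomcat8/tomcat-users.xml and the two helper scripts into these functions instead of the samples. The script only recognises the shipped default; it does not assess whether the replacement password is unique to your deployment.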
Resolution:
This issue has been addressed in RecoverPoint for VMs version 5.3.3 (5.3 SP3).
Affected Products
RecoverPoint for Virtual Machines
Article Properties
Article Number: 000191335
Article Type: Solution
Last Modified: 25 Sept 2023
Version: 5