Feature not a bug (Score:5, Informative)
This is a feature of Tomcat and it is working as expected; the issue here is the same kind of problem as leaving a default admin password in place, i.e. no competent deployment engineer would make this port 8009 active by mistake.
https://tomcat.apache.org/tomc... [apache.org]
Re: (Score:3)
On the other hand, if I see a developer working with Tomcat at Starbucks, I might try to connect to their Tomcat.
Re: (Score:2)
Unfortunately many IoT developers are great at writing software to make their hardware do things, but expecting them to also be experts in web site management, network management and security is stupid. My understanding is that Tomcat's memory footprint is small enough that it's popular on memory-limited devices, so it's probably deployed incorrectly on a gazillion field moisture monitors, sewer monitoring equipment, security cameras, alarm panels, etc.