CVE-2016-8735

Description

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

CVSS Metrics

• v3.1•CRITICAL•Score: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
• v3.0•CRITICAL•Score: 9.8CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
• v2.0•HIGH•Score: 7.5AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 93.81%• Percentile: 100%

Affected Systems

• apache software foundation•apache tomcat

  < 6.0.48 | 7.x before 7.0.73 | 8.x before 8.0.39 | 8.5.x before 8.5.7 | 9.x before 9.0.0.M12

• Unknown•Tomcat

  < 6.0.48 | ≥ 7.0.0, < 7.0.73 | ≥ 8.0, < 8.0.39 | ≥ 8.5.0, < 8.5.7 | 9.0.0 | 9.0.0:milestone1 | 9.0.0:milestone10 | 9.0.0:milestone11 | 9.0.0:milestone2 | 9.0.0:milestone3 | 9.0.0:milestone4 | 9.0.0:milestone5 | 9.0.0:milestone6 | 9.0.0:milestone7 | 9.0.0:milestone8 | 9.0.0:milestone9

• canonical•ubuntu_linux

  16.04

• debian•debian_linux

  8.0

• org.apache.tomcat•tomcat-catalina

  < 6.0.48 | ≥ 7.0.0, < 7.0.73 | ≥ 8.0.0, < 8.0.39 | ≥ 8.5.0, < 8.5.7 | ≥ 9.0.0.M1, < 9.0.0.M12

• org.apache.tomcat•tomcat-catalina-jmx-remote

  < 6.0.48 | ≥ 7.0.0, < 7.0.73 | ≥ 8.0.0, < 8.0.39 | ≥ 8.5.0, < 8.5.7 | ≥ 9.0.0.M1, < 9.0.0.M12

• netapp•7-mode_transition_tool

  na

• netapp•oncommand_insight

  na

• netapp•oncommand_shift

  na

• netapp•snap_creator_framework

  na

• oracle•agile_engineering_data_management

  6.1.3 | 6.2.0 | 6.2.1.0

• oracle•agile_plm

  9.3.5 | 9.3.6

• oracle•communications_application_session_controller

  3.7.1 | 3.8.0

• oracle•communications_instant_messaging_server

  10.0.1

• oracle•communications_interactive_session_recorder

  6.0 | 6.1 | 6.2

• oracle•hospitality_guest_access

  4.2.0 | 4.2.1

• oracle•micros_relate_crm_software

  10.8 | 11.4

• oracle•micros_retail_xbri_loss_prevention

  10.0.1 | 10.5.0 | 10.6.0 | 10.7.7 | 10.8.0 | 10.8.1

• oracle•mysql_enterprise_monitor

  ≤ 3.2.8.2223 | ≥ 3.3.0, ≤ 3.3.4.3247 | ≥ 3.4.0, ≤ 3.4.2.4181

• oracle•retail_convenience_and_fuel_pos_software

  2.1.132

• oracle•transportation_management

  6.3.0 | 6.3.1 | 6.3.2 | 6.3.3 | 6.3.4 | 6.3.5 | 6.3.6 | 6.3.7

• redhat•jboss_enterprise_web_server

  3.0.0

References (62)

• http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
• http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
• http://svn.apache.org/viewvc?view=revision&revision=1767676
• http://tomcat.apache.org/security-9.html
• http://www.securitytracker.com/id/1037331
• http://www.securityfocus.com/bid/94463
• http://www.debian.org/security/2016/dsa-3738
• http://tomcat.apache.org/security-7.html
• http://svn.apache.org/viewvc?view=revision&revision=1767644
• http://tomcat.apache.org/security-8.html
• http://svn.apache.org/viewvc?view=revision&revision=1767656
• http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
• https://security.netapp.com/advisory/ntap-20180607-0001/
• http://tomcat.apache.org/security-6.html
• http://rhn.redhat.com/errata/RHSA-2017-0457.html
• https://access.redhat.com/errata/RHSA-2017:0455
• http://svn.apache.org/viewvc?view=revision&revision=1767684
• https://access.redhat.com/errata/RHSA-2017:0456
• http://seclists.org/oss-sec/2016/q4/502
• https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E
• https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
• https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
• https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E
• https://usn.ubuntu.com/4557-1/
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-8735
• https://nvd.nist.gov/vuln/detail/CVE-2016-8735
• https://github.com/apache/tomcat/commit/0e83ad3e547fc9a75a258799ef581249b40a82a6
• https://github.com/apache/tomcat/commit/292d6ccdc9edbf80859929b0af070b2ea99fa688
• https://github.com/apache/tomcat/commit/7e3a037055cca4a17e90b49399fb1bab4dd7c821
• https://github.com/apache/tomcat80/commit/0f76016a4ec45635e450ada9c84ff7ee0c5f3799
• https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
• https://security.netapp.com/advisory/ntap-20180607-0001
• https://usn.ubuntu.com/4557-1
• https://web.archive.org/web/20170423095340/http://www.securityfocus.com/bid/94463
• https://web.archive.org/web/20170928203901/http://www.securitytracker.com/id/1037331
• https://github.com/apache/tomcat
• https://github.com/search?q=repo%3Aapache%2Ftomcat+catalina.mbeans+path%3A%2F%5Eres%5C%2Fbnd%5C%2F%2F&type=code
• https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E