CVE-2016-8735

Summary

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Tomcatbefore 6.0.48affected
Apache Software FoundationApache Tomcat7.x before 7.0.73affected
Apache Software FoundationApache Tomcat8.x before 8.0.39affected
Apache Software FoundationApache Tomcat8.5.x before 8.5.7affected
Apache Software FoundationApache Tomcat9.x before 9.0.0.M12affected

Weaknesses

  • Remote code execution

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: active
    • Automatable: yes
    • Technical Impact: total

Additional References

References