CVE-2016-8735

CVSS v3.1: 9.8 (Critical)
CVSS v2.0: 7.5 (High)
EPSS: 73.74% (98th percentile)
Affected Products: 19
Advisories: 18
NVD Status: Analyzed

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach the JMX ports. The issue exists because this listener was not updated for consistency with the Oracle patch for CVE-2016-3427, which affected credential types.

Weaknesses: CWE-NVD-noinfo
Related CVEs: none listed
CVE Status: PUBLISHED
NVD Status: Analyzed
CNA: Apache Software Foundation
Published Date: 2017-04-06 21:59:00
Updated Date: 2024-06-27 19:23:35
Apache Tomcat Remote Code Execution Vulnerability (CISA - Known Exploited Vulnerabilities Catalog)

Description: Apache Tomcat contains an unspecified vulnerability that allows remote code execution if JmxRemoteLifecycleListener is used and an attacker can reach Java Management Extensions (JMX) ports. This CVE exists because this listener was not updated for consistency with the Oracle patch for CVE-2016-3427, which affected credential types.
Required Action: Apply updates per vendor instructions.
Known to be Used in Ransomware Campaigns: Unknown
Notes: https://tomcat.apache.org/security-9.html; https://nvd.nist.gov/vuln/detail/CVE-2016-8735
Vendor: Apache
Product: Tomcat
In CISA Catalog from: 2023-05-12
Due Date: 2023-06-02

Affected Products


Configuration #1

    Product                                    CPE23                                      From       Up To
    Apache Tomcat prior to 6.0.48              cpe:2.3:a:apache:tomcat                               < 6.0.48
    Apache Tomcat from 7.0.0, prior to 7.0.73  cpe:2.3:a:apache:tomcat                    >= 7.0.0   < 7.0.73
    Apache Tomcat from 8.0, prior to 8.0.39    cpe:2.3:a:apache:tomcat                    >= 8.0     < 8.0.39
    Apache Tomcat from 8.5.0, prior to 8.5.7   cpe:2.3:a:apache:tomcat                    >= 8.5.0   < 8.5.7
    Apache Tomcat 9.0.0                        cpe:2.3:a:apache:tomcat:9.0.0:-
    Apache Tomcat 9.0.0 Milestone1             cpe:2.3:a:apache:tomcat:9.0.0:milestone1
    Apache Tomcat 9.0.0 Milestone2             cpe:2.3:a:apache:tomcat:9.0.0:milestone2
    Apache Tomcat 9.0.0 Milestone3             cpe:2.3:a:apache:tomcat:9.0.0:milestone3
    Apache Tomcat 9.0.0 Milestone4             cpe:2.3:a:apache:tomcat:9.0.0:milestone4
    Apache Tomcat 9.0.0 Milestone5             cpe:2.3:a:apache:tomcat:9.0.0:milestone5
    Apache Tomcat 9.0.0 Milestone6             cpe:2.3:a:apache:tomcat:9.0.0:milestone6
    Apache Tomcat 9.0.0 Milestone7             cpe:2.3:a:apache:tomcat:9.0.0:milestone7
    Apache Tomcat 9.0.0 Milestone8             cpe:2.3:a:apache:tomcat:9.0.0:milestone8
    Apache Tomcat 9.0.0 Milestone9             cpe:2.3:a:apache:tomcat:9.0.0:milestone9
    Apache Tomcat 9.0.0 Milestone10            cpe:2.3:a:apache:tomcat:9.0.0:milestone10
    Apache Tomcat 9.0.0 Milestone11            cpe:2.3:a:apache:tomcat:9.0.0:milestone11

Configuration #2

    Product                                    CPE23
    Canonical Ubuntu Linux 16.04 (ESM)         cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm

Configuration #3

    Product                                    CPE23
    NetApp 7-Mode Transition Tool              cpe:2.3:a:netapp:7-mode_transition_tool:-
    NetApp OnCommand Insight                   cpe:2.3:a:netapp:oncommand_insight:-
    NetApp OnCommand Shift                     cpe:2.3:a:netapp:oncommand_shift:-
    NetApp Snap Creator Framework              cpe:2.3:a:netapp:snap_creator_framework:-

Configuration #4

    Product                                    CPE23
    Debian Linux 8.0                           cpe:2.3:o:debian:debian_linux:8.0

Configuration #5

    Product                                    CPE23
    Red Hat JBoss Enterprise Web Server 3.0.0  cpe:2.3:a:redhat:jboss_enterprise_web_server:3.0.0

Configuration #6

    Product                                                          CPE23                                                                From       Up To
    Oracle Agile Engineering Data Management 6.1.3                   cpe:2.3:a:oracle:agile_engineering_data_management:6.1.3
    Oracle Agile Engineering Data Management 6.2.0                   cpe:2.3:a:oracle:agile_engineering_data_management:6.2.0
    Oracle Agile Engineering Data Management 6.2.1.0                 cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0
    Oracle Agile PLM 9.3.5                                           cpe:2.3:a:oracle:agile_plm:9.3.5
    Oracle Agile PLM 9.3.6                                           cpe:2.3:a:oracle:agile_plm:9.3.6
    Oracle Communications Application Session Controller 3.7.1       cpe:2.3:a:oracle:communications_application_session_controller:3.7.1
    Oracle Communications Application Session Controller 3.8.0       cpe:2.3:a:oracle:communications_application_session_controller:3.8.0
    Oracle Communications Instant Messaging Server 10.0.1            cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1
    Oracle Communications Interactive Session Recorder 6.0           cpe:2.3:a:oracle:communications_interactive_session_recorder:6.0
    Oracle Communications Interactive Session Recorder 6.1           cpe:2.3:a:oracle:communications_interactive_session_recorder:6.1
    Oracle Communications Interactive Session Recorder 6.2           cpe:2.3:a:oracle:communications_interactive_session_recorder:6.2
    Oracle Hospitality Guest Access 4.2.0                            cpe:2.3:a:oracle:hospitality_guest_access:4.2.0
    Oracle Hospitality Guest Access 4.2.1                            cpe:2.3:a:oracle:hospitality_guest_access:4.2.1
    Oracle MICROS Relate CRM Software 10.8                           cpe:2.3:a:oracle:micros_relate_crm_software:10.8
    Oracle MICROS Relate CRM Software 11.4                           cpe:2.3:a:oracle:micros_relate_crm_software:11.4
    Oracle MICROS Retail XBRi Loss Prevention 10.0.1                 cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.0.1
    Oracle MICROS Retail XBRi Loss Prevention 10.5.0                 cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.5.0
    Oracle MICROS Retail XBRi Loss Prevention 10.6.0                 cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.6.0
    Oracle MICROS Retail XBRi Loss Prevention 10.7.7                 cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.7.7
    Oracle MICROS Retail XBRi Loss Prevention 10.8.0                 cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.8.0
    Oracle MICROS Retail XBRi Loss Prevention 10.8.1                 cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.8.1
    Oracle MySQL Enterprise Monitor up to 3.2.8.2223                 cpe:2.3:a:oracle:mysql_enterprise_monitor                                        <= 3.2.8.2223
    Oracle MySQL Enterprise Monitor from 3.3.0 up to 3.3.4.3247      cpe:2.3:a:oracle:mysql_enterprise_monitor                             >= 3.3.0   <= 3.3.4.3247
    Oracle MySQL Enterprise Monitor from 3.4.0 up to 3.4.2.4181      cpe:2.3:a:oracle:mysql_enterprise_monitor                             >= 3.4.0   <= 3.4.2.4181
    Oracle Retail Convenience and Fuel POS Software 2.1.132          cpe:2.3:a:oracle:retail_convenience_and_fuel_pos_software:2.1.132
    Oracle Transportation Management 6.3.0                           cpe:2.3:a:oracle:transportation_management:6.3.0
    Oracle Transportation Management 6.3.1                           cpe:2.3:a:oracle:transportation_management:6.3.1
    Oracle Transportation Management 6.3.2                           cpe:2.3:a:oracle:transportation_management:6.3.2
    Oracle Transportation Management 6.3.3                           cpe:2.3:a:oracle:transportation_management:6.3.3
    Oracle Transportation Management 6.3.4                           cpe:2.3:a:oracle:transportation_management:6.3.4
    Oracle Transportation Management 6.3.5                           cpe:2.3:a:oracle:transportation_management:6.3.5
    Oracle Transportation Management 6.3.6                           cpe:2.3:a:oracle:transportation_management:6.3.6
    Oracle Transportation Management 6.3.7                           cpe:2.3:a:oracle:transportation_management:6.3.7