Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2016-8735

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

Published

2017-04-06T21:59:00.243

Last Modified

2025-04-20T01:37:25.860

Status

Deferred

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

6.4

Weaknesses

Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	tomcat	< 6.0.48	Yes
Application	apache	tomcat	< 7.0.73	Yes
Application	apache	tomcat	< 8.0.39	Yes
Application	apache	tomcat	< 8.5.7	Yes
Application	apache	tomcat	9.0.0	Yes
Application	apache	tomcat	9.0.0	Yes
Application	apache	tomcat	9.0.0	Yes
Application	apache	tomcat	9.0.0	Yes
Application	apache	tomcat	9.0.0	Yes
Application	apache	tomcat	9.0.0	Yes
Application	apache	tomcat	9.0.0	Yes
Application	apache	tomcat	9.0.0	Yes
Application	apache	tomcat	9.0.0	Yes
Application	apache	tomcat	9.0.0	Yes
Application	apache	tomcat	9.0.0	Yes
Application	apache	tomcat	9.0.0	Yes
Operating System	canonical	ubuntu_linux	16.04	Yes
Application	netapp	7-mode_transition_tool	-	Yes
Application	netapp	oncommand_insight	-	Yes
Application	netapp	oncommand_shift	-	Yes
Application	netapp	snap_creator_framework	-	Yes
Operating System	debian	debian_linux	8.0	Yes
Application	redhat	jboss_enterprise_web_server	3.0.0	Yes
Application	oracle	agile_engineering_data_management	6.1.3	Yes
Application	oracle	agile_engineering_data_management	6.2.0	Yes
Application	oracle	agile_engineering_data_management	6.2.1.0	Yes
Application	oracle	agile_plm	9.3.5	Yes
Application	oracle	agile_plm	9.3.6	Yes
Application	oracle	communications_application_session_controller	3.7.1	Yes
Application	oracle	communications_application_session_controller	3.8.0	Yes
Application	oracle	communications_instant_messaging_server	10.0.1	Yes
Application	oracle	communications_interactive_session_recorder	6.0	Yes
Application	oracle	communications_interactive_session_recorder	6.1	Yes
Application	oracle	communications_interactive_session_recorder	6.2	Yes
Application	oracle	hospitality_guest_access	4.2.0	Yes
Application	oracle	hospitality_guest_access	4.2.1	Yes
Application	oracle	micros_relate_crm_software	10.8	Yes
Application	oracle	micros_relate_crm_software	11.4	Yes
Application	oracle	micros_retail_xbri_loss_prevention	10.0.1	Yes
Application	oracle	micros_retail_xbri_loss_prevention	10.5.0	Yes
Application	oracle	micros_retail_xbri_loss_prevention	10.6.0	Yes
Application	oracle	micros_retail_xbri_loss_prevention	10.7.7	Yes
Application	oracle	micros_retail_xbri_loss_prevention	10.8.0	Yes
Application	oracle	micros_retail_xbri_loss_prevention	10.8.1	Yes
Application	oracle	mysql_enterprise_monitor	≤ 3.2.8.2223	Yes
Application	oracle	mysql_enterprise_monitor	≤ 3.3.4.3247	Yes
Application	oracle	mysql_enterprise_monitor	≤ 3.4.2.4181	Yes
Application	oracle	retail_convenience_and_fuel_pos_software	2.1.132	Yes
Application	oracle	transportation_management	6.3.0	Yes
Application	oracle	transportation_management	6.3.1	Yes
Application	oracle	transportation_management	6.3.2	Yes
Application	oracle	transportation_management	6.3.3	Yes
Application	oracle	transportation_management	6.3.4	Yes
Application	oracle	transportation_management	6.3.5	Yes
Application	oracle	transportation_management	6.3.6	Yes
Application	oracle	transportation_management	6.3.7	Yes

References

http://rhn.redhat.com/errata/RHSA-2017-0457.html Third Party Advisory ([email protected])
http://seclists.org/oss-sec/2016/q4/502 Mailing List, Mitigation, Third Party Advisory ([email protected])
http://svn.apache.org/viewvc?view=revision&revision=1767644 Patch, Broken Link ([email protected])
http://svn.apache.org/viewvc?view=revision&revision=1767656 Patch, Broken Link ([email protected])
http://svn.apache.org/viewvc?view=revision&revision=1767676 Patch, Broken Link ([email protected])
http://svn.apache.org/viewvc?view=revision&revision=1767684 Patch, Broken Link ([email protected])
http://tomcat.apache.org/security-6.html Release Notes, Vendor Advisory ([email protected])
http://tomcat.apache.org/security-7.html Release Notes, Vendor Advisory ([email protected])
http://tomcat.apache.org/security-8.html Release Notes, Vendor Advisory ([email protected])
http://tomcat.apache.org/security-9.html Release Notes, Vendor Advisory ([email protected])
http://www.debian.org/security/2016/dsa-3738 Mailing List, Third Party Advisory ([email protected])
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html Patch, Third Party Advisory ([email protected])
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html Patch, Third Party Advisory ([email protected])
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html Patch, Third Party Advisory ([email protected])
http://www.securityfocus.com/bid/94463 Broken Link, Third Party Advisory, VDB Entry ([email protected])
http://www.securitytracker.com/id/1037331 Broken Link, Third Party Advisory, VDB Entry ([email protected])
https://access.redhat.com/errata/RHSA-2017:0455 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2017:0456 Third Party Advisory ([email protected])
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E Mailing List, Patch ([email protected])
https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E Mailing List, Patch ([email protected])
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E Mailing List, Patch ([email protected])
https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E Mailing List, Patch ([email protected])
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E Mailing List, Patch ([email protected])
https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E Mailing List, Patch ([email protected])
https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E Mailing List, Patch ([email protected])
https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E Mailing List, Patch ([email protected])
https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E Mailing List, Patch ([email protected])
https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E Mailing List, Patch ([email protected])
https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E Mailing List, Patch ([email protected])
https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E Mailing List, Patch ([email protected])
https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E Mailing List, Patch ([email protected])
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E Mailing List, Patch ([email protected])
https://security.netapp.com/advisory/ntap-20180607-0001/ Third Party Advisory ([email protected])
https://usn.ubuntu.com/4557-1/ Third Party Advisory ([email protected])
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html Patch, Third Party Advisory ([email protected])
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html Patch, Third Party Advisory ([email protected])
http://rhn.redhat.com/errata/RHSA-2017-0457.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://seclists.org/oss-sec/2016/q4/502 Mailing List, Mitigation, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://svn.apache.org/viewvc?view=revision&revision=1767644 Patch, Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://svn.apache.org/viewvc?view=revision&revision=1767656 Patch, Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://svn.apache.org/viewvc?view=revision&revision=1767676 Patch, Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://svn.apache.org/viewvc?view=revision&revision=1767684 Patch, Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://tomcat.apache.org/security-6.html Release Notes, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://tomcat.apache.org/security-7.html Release Notes, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://tomcat.apache.org/security-8.html Release Notes, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://tomcat.apache.org/security-9.html Release Notes, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.debian.org/security/2016/dsa-3738 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/94463 Broken Link, Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id/1037331 Broken Link, Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2017:0455 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2017:0456 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20180607-0001/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://usn.ubuntu.com/4557-1/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)