CVE-2016-8735

State: PUBLISHED · Published: 2017-04-06 · Updated: 2025-10-21 · Assigner: apache

Description

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

CWE

(none)

Affected

Apache Software Foundation / Apache Tomcat — v=before 6.0.48 [affected]; v=7.x before 7.0.73 [affected]; v=8.x before 8.0.39 [affected]; v=8.5.x before 8.5.7 [affected]; v=9.x before 9.0.0.M12 [affected]

CVSS

(none)

References

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html x_refsource_CONFIRM
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html x_refsource_CONFIRM
http://svn.apache.org/viewvc?view=revision&revision=1767676 x_refsource_CONFIRM
http://tomcat.apache.org/security-9.html x_refsource_CONFIRM
http://www.securitytracker.com/id/1037331 vdb-entry, x_refsource_SECTRACK
http://www.securityfocus.com/bid/94463 vdb-entry, x_refsource_BID
http://www.debian.org/security/2016/dsa-3738 vendor-advisory, x_refsource_DEBIAN
http://tomcat.apache.org/security-7.html x_refsource_CONFIRM
http://svn.apache.org/viewvc?view=revision&revision=1767644 x_refsource_CONFIRM
http://tomcat.apache.org/security-8.html x_refsource_CONFIRM
http://svn.apache.org/viewvc?view=revision&revision=1767656 x_refsource_CONFIRM
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html x_refsource_CONFIRM
https://security.netapp.com/advisory/ntap-20180607-0001/ x_refsource_CONFIRM
http://tomcat.apache.org/security-6.html x_refsource_CONFIRM
http://rhn.redhat.com/errata/RHSA-2017-0457.html vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2017:0455 vendor-advisory, x_refsource_REDHAT
http://svn.apache.org/viewvc?view=revision&revision=1767684 x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2017:0456 vendor-advisory, x_refsource_REDHAT
http://seclists.org/oss-sec/2016/q4/502 x_refsource_CONFIRM
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html x_refsource_MISC
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html x_refsource_MISC
https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://usn.ubuntu.com/4557-1/ vendor-advisory, x_refsource_UBUNTU

Source

cvelistV5-main/cves/2016/8xxx/CVE-2016-8735.json