TROYANOSYVIRUS
Back to CVEs

CVE-2016-8735

CRITICALCISA KEV
9.8

Description

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

CVE Details

CVSS v3.1 Score9.8
SeverityCRITICAL
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
Published4/6/2017
Last Modified4/21/2026
Sourcekev
Honeypot Sightings0

CISA KEV

VendorApache
ProductTomcat
Vulnerability NameApache Tomcat Remote Code Execution Vulnerability
KEV Date Added2023-05-12
Remediation Due Date2023-06-02
Ransomware UseUnknown

Affected Products

apache:tomcatcanonical:ubuntu_linuxdebian:debian_linuxnetapp:7-mode_transition_toolnetapp:oncommand_insightnetapp:oncommand_shiftnetapp:snap_creator_frameworkoracle:agile_engineering_data_managementoracle:agile_plmoracle:communications_application_session_controlleroracle:communications_instant_messaging_serveroracle:communications_interactive_session_recorderoracle:hospitality_guest_accessoracle:micros_relate_crm_softwareoracle:micros_retail_xbri_loss_preventionoracle:mysql_enterprise_monitororacle:retail_convenience_and_fuel_pos_softwareoracle:transportation_managementredhat:jboss_enterprise_web_server

References

http://rhn.redhat.com/errata/RHSA-2017-0457.html(security@apache.org)
http://seclists.org/oss-sec/2016/q4/502(security@apache.org)
http://svn.apache.org/viewvc?view=revision&revision=1767644(security@apache.org)
http://svn.apache.org/viewvc?view=revision&revision=1767656(security@apache.org)
http://svn.apache.org/viewvc?view=revision&revision=1767676(security@apache.org)
http://svn.apache.org/viewvc?view=revision&revision=1767684(security@apache.org)
http://tomcat.apache.org/security-6.html(security@apache.org)
http://tomcat.apache.org/security-7.html(security@apache.org)
http://tomcat.apache.org/security-8.html(security@apache.org)
http://tomcat.apache.org/security-9.html(security@apache.org)
http://www.debian.org/security/2016/dsa-3738(security@apache.org)
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html(security@apache.org)
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html(security@apache.org)
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html(security@apache.org)
http://www.securityfocus.com/bid/94463(security@apache.org)
http://www.securitytracker.com/id/1037331(security@apache.org)
https://access.redhat.com/errata/RHSA-2017:0455(security@apache.org)
https://access.redhat.com/errata/RHSA-2017:0456(security@apache.org)
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E(security@apache.org)
https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E(security@apache.org)
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E(security@apache.org)
https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E(security@apache.org)
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E(security@apache.org)
https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E(security@apache.org)
https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E(security@apache.org)
https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E(security@apache.org)
https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E(security@apache.org)
https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E(security@apache.org)
https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E(security@apache.org)
https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E(security@apache.org)
https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E(security@apache.org)
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E(security@apache.org)
https://security.netapp.com/advisory/ntap-20180607-0001/(security@apache.org)
https://usn.ubuntu.com/4557-1/(security@apache.org)
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html(security@apache.org)
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html(security@apache.org)
http://rhn.redhat.com/errata/RHSA-2017-0457.html(af854a3a-2127-422b-91ae-364da2661108)
http://seclists.org/oss-sec/2016/q4/502(af854a3a-2127-422b-91ae-364da2661108)
http://svn.apache.org/viewvc?view=revision&revision=1767644(af854a3a-2127-422b-91ae-364da2661108)
http://svn.apache.org/viewvc?view=revision&revision=1767656(af854a3a-2127-422b-91ae-364da2661108)
http://svn.apache.org/viewvc?view=revision&revision=1767676(af854a3a-2127-422b-91ae-364da2661108)
http://svn.apache.org/viewvc?view=revision&revision=1767684(af854a3a-2127-422b-91ae-364da2661108)
http://tomcat.apache.org/security-6.html(af854a3a-2127-422b-91ae-364da2661108)
http://tomcat.apache.org/security-7.html(af854a3a-2127-422b-91ae-364da2661108)
http://tomcat.apache.org/security-8.html(af854a3a-2127-422b-91ae-364da2661108)
http://tomcat.apache.org/security-9.html(af854a3a-2127-422b-91ae-364da2661108)
http://www.debian.org/security/2016/dsa-3738(af854a3a-2127-422b-91ae-364da2661108)
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html(af854a3a-2127-422b-91ae-364da2661108)
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html(af854a3a-2127-422b-91ae-364da2661108)
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html(af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/94463(af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id/1037331(af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2017:0455(af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2017:0456(af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E(af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E(af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E(af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E(af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E(af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E(af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E(af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E(af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E(af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E(af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E(af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E(af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E(af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E(af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20180607-0001/(af854a3a-2127-422b-91ae-364da2661108)
https://usn.ubuntu.com/4557-1/(af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html(af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-8735(134c704f-9b21-4f2e-91b3-4a467353bcc0)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.