CVE-2016-8735
CVE-2016-8735 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types. CISA has confirmed active exploitation in the wild. EPSS estimates a 90.34% chance of exploitation in the next 30 days.
Description
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation Status
This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by .
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Tomcat | < 6.0.48 |
| Apache | Tomcat | >= 7.0.0, < 7.0.73 |
| Apache | Tomcat | >= 8.0, < 8.0.39 |
| Apache | Tomcat | >= 8.5.0, < 8.5.7 |
| Apache | Tomcat | 9.0.0 |
| Canonical | Ubuntu Linux | 16.04 |
| Netapp | 7-Mode Transition Tool | All versions |
| Netapp | Oncommand Insight | All versions |
| Netapp | Oncommand Shift | All versions |
| Netapp | Snap Creator Framework | All versions |
| Debian | Debian Linux | 8.0 |
| Redhat | Jboss Enterprise Web Server | 3.0.0 |
| Oracle | Agile Engineering Data Management | 6.1.3 |
| Oracle | Agile Engineering Data Management | 6.2.0 |
| Oracle | Agile Engineering Data Management | 6.2.1.0 |
| Oracle | Agile Plm | 9.3.5 |
| Oracle | Agile Plm | 9.3.6 |
| Oracle | Communications Application Session Controller | 3.7.1 |
| Oracle | Communications Application Session Controller | 3.8.0 |
| Oracle | Communications Instant Messaging Server | 10.0.1 |
| Oracle | Communications Interactive Session Recorder | 6.0 |
| Oracle | Communications Interactive Session Recorder | 6.1 |
| Oracle | Communications Interactive Session Recorder | 6.2 |
| Oracle | Hospitality Guest Access | 4.2.0 |
| Oracle | Hospitality Guest Access | 4.2.1 |
| Oracle | Micros Relate Crm Software | 10.8 |
| Oracle | Micros Relate Crm Software | 11.4 |
| Oracle | Micros Retail Xbri Loss Prevention | 10.0.1 |
| Oracle | Micros Retail Xbri Loss Prevention | 10.5.0 |
| Oracle | Micros Retail Xbri Loss Prevention | 10.6.0 |
| Oracle | Micros Retail Xbri Loss Prevention | 10.7.7 |
| Oracle | Micros Retail Xbri Loss Prevention | 10.8.0 |
| Oracle | Micros Retail Xbri Loss Prevention | 10.8.1 |
| Oracle | Mysql Enterprise Monitor | <= 3.2.8.2223 |
| Oracle | Mysql Enterprise Monitor | >= 3.3.0, <= 3.3.4.3247 |
| Oracle | Mysql Enterprise Monitor | >= 3.4.0, <= 3.4.2.4181 |
| Oracle | Retail Convenience And Fuel Pos Software | 2.1.132 |
| Oracle | Transportation Management | 6.3.0 |
| Oracle | Transportation Management | 6.3.1 |
| Oracle | Transportation Management | 6.3.2 |
| Oracle | Transportation Management | 6.3.3 |
| Oracle | Transportation Management | 6.3.4 |
| Oracle | Transportation Management | 6.3.5 |
| Oracle | Transportation Management | 6.3.6 |
| Oracle | Transportation Management | 6.3.7 |
References
- http://rhn.redhat.com/errata/RHSA-2017-0457.html (Third Party Advisory)
- http://seclists.org/oss-sec/2016/q4/502 (Mailing List, Mitigation, Third Party Advisory)
- http://svn.apache.org/viewvc?view=revision&revision=1767644 (Broken Link, Patch)
- http://svn.apache.org/viewvc?view=revision&revision=1767656 (Broken Link, Patch)
- http://svn.apache.org/viewvc?view=revision&revision=1767676 (Broken Link, Patch)
- http://svn.apache.org/viewvc?view=revision&revision=1767684 (Broken Link, Patch)
- http://tomcat.apache.org/security-6.html (Release Notes, Vendor Advisory)
- http://tomcat.apache.org/security-7.html (Release Notes, Vendor Advisory)
- http://tomcat.apache.org/security-8.html (Release Notes, Vendor Advisory)
- http://tomcat.apache.org/security-9.html (Release Notes, Vendor Advisory)
- http://www.debian.org/security/2016/dsa-3738 (Mailing List, Third Party Advisory)
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html (Patch, Third Party Advisory)
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html (Patch, Third Party Advisory)
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html (Patch, Third Party Advisory)
- http://www.securityfocus.com/bid/94463 (Broken Link, Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1037331 (Broken Link, Third Party Advisory, VDB Entry)
- https://access.redhat.com/errata/RHSA-2017:0455 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2017:0456 (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20180607-0001/ (Third Party Advisory)
- https://usn.ubuntu.com/4557-1/ (Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html (Patch, Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html (Patch, Third Party Advisory)
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-8735 (US Government Resource)
Timeline
- Published
- Last Modified
- Status: Analyzed
Source: NVD / NIST