CVE-2016-8735 vulnerability in Apache and Other Products
Published on April 6, 2017

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD

Known Exploited Vulnerability

This Apache Tomcat Remote Code Execution Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Apache Tomcat contains an unspecified vulnerability that allows for remote code execution if JmxRemoteLifecycleListener is used and an attacker can reach Java Management Extension (JMX) ports. This CVE exists because this listener wasn't updated for consistency with the Oracle patched issues for CVE-2016-3427 which affected credential types.

The following remediation steps are recommended / required by June 2, 2023: Apply updates per vendor instructions.

Vulnerability Analysis

CVE-2016-8735 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

Products Associated with CVE-2016-8735

You can be notified by stack.watch whenever vulnerabilities like CVE-2016-8735 are published in these products:

Apache Tomcat

Canonical Ubuntu Linux

NetApp Snap Creator Framework

NetApp Oncommand Insight

NetApp Oncommand Shift

NetApp 7 Mode Transition Tool

Debian Linux

Red Hat Jboss Enterprise Web Server

Oracle Transportation Management

Oracle Hospitality Guest Access

Oracle Agile Engineering Data Management

Oracle Communications Application Session Controller

Oracle Communications Interactive Session Recorder

Oracle Agile Plm

Oracle Communications Instant Messaging Server

Oracle Micros Relate Crm Software

Oracle Retail Convenience Fuel Pos Software

Oracle Micros Retail Xbri Loss Prevention

Oracle Mysql Enterprise Monitor

Oracle

What versions are vulnerable to CVE-2016-8735?

Apache Tomcat Version 9.0.0 milestone1
Apache Tomcat Version 9.0.0 milestone10
Apache Tomcat Version 9.0.0 milestone11
Apache Tomcat Version 9.0.0 milestone2
Apache Tomcat Version 9.0.0 milestone3
Apache Tomcat Version 9.0.0 milestone4
Apache Tomcat Version 9.0.0 milestone5
Apache Tomcat Version 9.0.0 milestone6
Apache Tomcat Version 9.0.0 milestone7
Apache Tomcat Version 9.0.0 milestone8
Apache Tomcat Version 9.0.0 milestone9
Apache Tomcat Version 9.0.0 -
Apache Tomcat Version 8.5.0 Fixed in Version 8.5.7
Apache Tomcat Version 8.0 Fixed in Version 8.0.39
Apache Tomcat Version 7.0.0 Fixed in Version 7.0.73
Apache Tomcat Fixed in Version 6.0.48

Canonical Ubuntu Linux Version 16.04

NetApp Snap Creator Framework Version -
NetApp Oncommand Insight Version -
NetApp Oncommand Shift Version -
NetApp 7 Mode Transition Tool Version -

Debian Linux Version 8.0

Red Hat Jboss Enterprise Web Server Version 3.0.0

Oracle Transportation Management Version 6.3.2
Oracle Transportation Management Version 6.3.4
Oracle Transportation Management Version 6.3.3
Oracle Transportation Management Version 6.3.1
Oracle Transportation Management Version 6.3.6
Oracle Transportation Management Version 6.3.0
Oracle Transportation Management Version 6.3.5
Oracle Transportation Management Version 6.3.7
Oracle Hospitality Guest Access Version 4.2.0
Oracle Hospitality Guest Access Version 4.2.1
Oracle Agile Engineering Data Management Version 6.1.3
Oracle Agile Engineering Data Management Version 6.2.0
Oracle Communications Application Session Controller Version 3.7.1
Oracle Communications Application Session Controller Version 3.8.0
Oracle Communications Interactive Session Recorder Version 6.0
Oracle Communications Interactive Session Recorder Version 6.1
Oracle Communications Interactive Session Recorder Version 6.2
Oracle Agile Plm Version 9.3.5
Oracle Agile Plm Version 9.3.6
Oracle Communications Instant Messaging Server Version 10.0.1
Oracle Micros Relate Crm Software Version 11.4
Oracle Agile Engineering Data Management Version 6.2.1.0
Oracle Retail Convenience Fuel Pos Software Version 2.1.132
Oracle Micros Relate Crm Software Version 10.8
Oracle Micros Retail Xbri Loss Prevention Version 10.5.0
Oracle Micros Retail Xbri Loss Prevention Version 10.6.0
Oracle Micros Retail Xbri Loss Prevention Version 10.7.7
Oracle Micros Retail Xbri Loss Prevention Version 10.8.0
Oracle Micros Retail Xbri Loss Prevention Version 10.8.1
Oracle Micros Retail Xbri Loss Prevention Version 10.0.1
Oracle Mysql Enterprise Monitor Version 3.4.0 through 3.4.2.4181
Oracle Mysql Enterprise Monitor Version 3.3.0 through 3.3.4.3247
Oracle Mysql Enterprise Monitor Up to Version 3.2.8.2223

CVE-2016-8735 vulnerability in Apache and Other ProductsPublished on April 6, 2017

Known Exploited Vulnerability

Vulnerability Analysis

Products Associated with CVE-2016-8735

What versions are vulnerable to CVE-2016-8735?

CVE-2016-8735 vulnerability in Apache and Other Products
Published on April 6, 2017