CVE-2016-8735 is a vulnerability in Apache Tomcat
Published on April 6, 2017

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD

Known Exploited Vulnerability

This Apache Tomcat Remote Code Execution Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Apache Tomcat contains an unspecified vulnerability that allows for remote code execution if JmxRemoteLifecycleListener is used and an attacker can reach Java Management Extension (JMX) ports. This CVE exists because this listener wasn't updated for consistency with the Oracle patched issues for CVE-2016-3427 which affected credential types.

The following remediation steps are recommended / required by June 2, 2023: Apply updates per vendor instructions.

Vulnerability Analysis

CVE-2016-8735 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

What is an Authorization Vulnerability?

The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVE-2016-8735 has been classified to as an Authorization vulnerability or weakness.

Products Associated with CVE-2016-8735

You can be notified by stack.watch whenever vulnerabilities like CVE-2016-8735 are published in these products:

Apache Tomcat

What versions of Tomcat are vulnerable to CVE-2016-8735?

Apache Tomcat Version 6.0.33
Apache Tomcat Version 6.0.39
Apache Tomcat Version 6.0.6
Apache Tomcat Version 6.0.11
Apache Tomcat Version 6.0.34
Apache Tomcat Version 6.0.47
Apache Tomcat Version 6.0.22
Apache Tomcat Version 6.0.25
Apache Tomcat Version 6.0.7
Apache Tomcat Version 6.0.4
Apache Tomcat Version 6.0.15
Apache Tomcat Version 6.0.42
Apache Tomcat Version 6.0.44
Apache Tomcat Version 6.0.20
Apache Tomcat Version 6.0.21
Apache Tomcat Version 6.0.10
Apache Tomcat Version 6.0.31
Apache Tomcat Version 6.0.29
Apache Tomcat Version 6.0.3
Apache Tomcat Version 6.0.9
Apache Tomcat Version 6.0.24
Apache Tomcat Version 6.0.38
Apache Tomcat Version 6.0.23
Apache Tomcat Version 6.0.37
Apache Tomcat Version 6.0.17
Apache Tomcat Version 6.0.32
Apache Tomcat Version 6.0.28
Apache Tomcat Version 6.0.0
Apache Tomcat Version 6.0.14
Apache Tomcat Version 6.0.45
Apache Tomcat Version 6.0.41
Apache Tomcat Version 6.0.1
Apache Tomcat Version 6.0.12
Apache Tomcat Version 6.0.18
Apache Tomcat Version 6.0.46
Apache Tomcat Version 6.0.43
Apache Tomcat Version 6.0.5
Apache Tomcat Version 6.0.30
Apache Tomcat Version 6.0.2
Apache Tomcat Version 6.0.13
Apache Tomcat Version 6.0.40
Apache Tomcat Version 6.0.26
Apache Tomcat Version 6.0.19
Apache Tomcat Version 6.0.27
Apache Tomcat Version 6.0.35
Apache Tomcat Version 6.0.16
Apache Tomcat Version 6.0.36
Apache Tomcat Version 6.0.8

Apache Tomcat Version 7.0.49
Apache Tomcat Version 7.0.12
Apache Tomcat Version 7.0.62
Apache Tomcat Version 7.0.53
Apache Tomcat Version 7.0.20
Apache Tomcat Version 7.0.34
Apache Tomcat Version 7.0.58
Apache Tomcat Version 7.0.8
Apache Tomcat Version 7.0.55
Apache Tomcat Version 7.0.1
Apache Tomcat Version 7.0.2
Apache Tomcat Version 7.0.5
Apache Tomcat Version 7.0.51
Apache Tomcat Version 7.0.63
Apache Tomcat Version 7.0.22
Apache Tomcat Version 7.0.39
Apache Tomcat Version 7.0.26
Apache Tomcat Version 7.0.46
Apache Tomcat Version 7.0.72
Apache Tomcat Version 7.0.71
Apache Tomcat Version 7.0.28
Apache Tomcat Version 7.0.59
Apache Tomcat Version 7.0.65
Apache Tomcat Version 7.0.0
Apache Tomcat Version 7.0.50
Apache Tomcat Version 7.0.6
Apache Tomcat Version 7.0.18
Apache Tomcat Version 7.0.14
Apache Tomcat Version 7.0.48
Apache Tomcat Version 7.0.11
Apache Tomcat Version 7.0.67
Apache Tomcat Version 7.0.23
Apache Tomcat Version 7.0.66
Apache Tomcat Version 7.0.44
Apache Tomcat Version 7.0.69
Apache Tomcat Version 7.0.7
Apache Tomcat Version 7.0.52
Apache Tomcat Version 7.0.42
Apache Tomcat Version 7.0.60
Apache Tomcat Version 7.0.37
Apache Tomcat Version 7.0.29
Apache Tomcat Version 7.0.45
Apache Tomcat Version 7.0.68
Apache Tomcat Version 7.0.13
Apache Tomcat Version 7.0.47
Apache Tomcat Version 7.0.41
Apache Tomcat Version 7.0.31
Apache Tomcat Version 7.0.30
Apache Tomcat Version 7.0.15
Apache Tomcat Version 7.0.19
Apache Tomcat Version 7.0.16
Apache Tomcat Version 7.0.10
Apache Tomcat Version 7.0.36
Apache Tomcat Version 7.0.25
Apache Tomcat Version 7.0.54
Apache Tomcat Version 7.0.35
Apache Tomcat Version 7.0.61
Apache Tomcat Version 7.0.57
Apache Tomcat Version 7.0.43
Apache Tomcat Version 7.0.32
Apache Tomcat Version 7.0.38
Apache Tomcat Version 7.0.21
Apache Tomcat Version 7.0.27
Apache Tomcat Version 7.0.24
Apache Tomcat Version 7.0.17
Apache Tomcat Version 7.0.40
Apache Tomcat Version 7.0.9
Apache Tomcat Version 7.0.4
Apache Tomcat Version 7.0.3
Apache Tomcat Version 7.0.56
Apache Tomcat Version 7.0.64
Apache Tomcat Version 7.0.70
Apache Tomcat Version 7.0.33

Apache Tomcat Version 8.0.4
Apache Tomcat Version 8.0.10
Apache Tomcat Version 8.0.30
Apache Tomcat Version 8.0.0
Apache Tomcat Version 8.0.17
Apache Tomcat Version 8.0.7
Apache Tomcat Version 8.0.26
Apache Tomcat Version 8.0.2
Apache Tomcat Version 8.0.20
Apache Tomcat Version 8.0.31
Apache Tomcat Version 8.0.5
Apache Tomcat Version 8.0.1
Apache Tomcat Version 8.0.19
Apache Tomcat Version 8.0.12
Apache Tomcat Version 8.0.27
Apache Tomcat Version 8.0.15
Apache Tomcat Version 8.0.22
Apache Tomcat Version 8.0.29
Apache Tomcat Version 8.0.11
Apache Tomcat Version 8.0.24
Apache Tomcat Version 8.0.36
Apache Tomcat Version 8.0.23
Apache Tomcat Version 8.0.33
Apache Tomcat Version 8.0.6
Apache Tomcat Version 8.0.21
Apache Tomcat Version 8.0.32
Apache Tomcat Version 8.0.25
Apache Tomcat Version 8.0.18
Apache Tomcat Version 8.0.35
Apache Tomcat Version 8.0.3
Apache Tomcat Version 8.0.38
Apache Tomcat Version 8.0.13
Apache Tomcat Version 8.0.14
Apache Tomcat Version 8.0.9
Apache Tomcat Version 8.0.16
Apache Tomcat Version 8.0.8
Apache Tomcat Version 8.0.34
Apache Tomcat Version 8.0.28
Apache Tomcat Version 8.0.37

Apache Tomcat Version 8.5.2
Apache Tomcat Version 8.5.4
Apache Tomcat Version 8.5.0
Apache Tomcat Version 8.5.5
Apache Tomcat Version 8.5.3
Apache Tomcat Version 8.5.6
Apache Tomcat Version 8.5.1