CVE-2016-8735

CRITICAL KEV NUCLEI

Apache Tomcat <6.0.48, 7.x <7.0.73, 8.x <8.0.39, 8.5.x <8.5.7, 9.x <9.0.0.M12 - Remote Code Execution


Exploitation Summary

CVE-2016-8735 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 12, 2023. A Nuclei detection template is also available.

Description

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach the JMX ports. The issue exists because this listener was not updated for consistency with the Oracle patch for CVE-2016-3427, which changed the credential types accepted by JMX.

Nuclei Templates (1)

Apache Tomcat - Remote Code Execution via JMX Ports
CRITICAL, by hnd3884
Shodan: product:"tomcat"

References (37)

Core References (37 total, 20 shown)
Patch, Third Party Advisory x_refsource_confirm
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
Patch, Third Party Advisory x_refsource_confirm
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
Broken Link, Patch x_refsource_confirm
http://svn.apache.org/viewvc?view=revision&revision=1767676
Release Notes, Vendor Advisory x_refsource_confirm
http://tomcat.apache.org/security-9.html
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1037331
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/94463
Mailing List, Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2016/dsa-3738
Release Notes, Vendor Advisory x_refsource_confirm
http://tomcat.apache.org/security-7.html
Broken Link, Patch x_refsource_confirm
http://svn.apache.org/viewvc?view=revision&revision=1767644
Release Notes, Vendor Advisory x_refsource_confirm
http://tomcat.apache.org/security-8.html
Broken Link, Patch x_refsource_confirm
http://svn.apache.org/viewvc?view=revision&revision=1767656
Patch, Third Party Advisory x_refsource_confirm
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
Release Notes, Vendor Advisory x_refsource_confirm
http://tomcat.apache.org/security-6.html
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2017-0457.html
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:0455
Broken Link, Patch x_refsource_confirm
http://svn.apache.org/viewvc?view=revision&revision=1767684
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:0456
Mailing List, Mitigation, Third Party Advisory x_refsource_confirm
http://seclists.org/oss-sec/2016/q4/502
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4557-1/
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20180607-0001/

Scores

CVSS v3 9.8
EPSS 0.9380
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2023-05-12
VulnCheck KEV 2023-05-12
InTheWild.io 2023-05-12
ENISA EUVD EUVD-2022-3642
Status published
Products (39)
apache/tomcat 9.0.0 (12 CPE variants)
apache/tomcat < 6.0.48
Apache Software Foundation/Apache Tomcat 7.x before 7.0.73
Apache Software Foundation/Apache Tomcat 8.5.x before 8.5.7
Apache Software Foundation/Apache Tomcat 8.x before 8.0.39
Apache Software Foundation/Apache Tomcat 9.x before 9.0.0.M12
Apache Software Foundation/Apache Tomcat before 6.0.48
canonical/ubuntu_linux 16.04
debian/debian_linux 8.0
netapp/7-mode_transition_tool
... and 29 more
Published Apr 06, 2017
KEV Added May 12, 2023
Tracked Since Feb 18, 2026