⚠ Actively exploited

Added to CISA KEV on 2023-05-12. Federal agencies required to patch by 2023-06-02. Required action: Apply updates per vendor instructions..

CVE-2016-3427

CWE-284 — Improper Access Control CWE-502 — Deserialization of Untrusted Data20 documents13 sources

Severity

9.8CRITICAL

EPSS

94.0%

top 0.10%

CISA KEV

KEV

Added 2023-05-12

Due 2023-06-02

Exploit

Exploited in wild

Active exploitation observed

Affected products

Apache Cassandra Netapp Storagegrid Apache Software Foundation Apache Tomcat +25 more

Timeline

PublishedApr 21

KEV addedMay 12

KEV dueJun 2

CISA Required Action: Apply updates per vendor instructions.

Description

Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages25 packages

▶NVDoracle/jrockitr28.3.9

▶NVDoracle/jdk1.6.0, 1.7.0, 1.8.0+2

▶NVDoracle/jre1.6.0, 1.7.0, 1.8.0+2

▶NVDoracle/linux5, 6, 7+2

▶NVDapache/cassandra2.1.0 — 2.1.22+4

Also affects: Debian Linux 8.0, Ubuntu Linux 12.04, 14.04, 15.10, 16.04, Enterprise Linux 6.7, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: lists.apache.org ↗

🔴Vulnerability Details

GHSA

GHSA-php4-mj74-f79r: Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28↗2022-05-13

▶

GHSA

Apache Tomcat Improper Access Control vulnerability↗2022-05-13

▶

OSV

openjdk-8 vulnerabilities↗2016-05-05

▶

OSV

openjdk-7 vulnerabilities↗2016-05-05

▶

CVEList

CVE-2016-3427: Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28↗2016-04-21

▶

💥Exploits & PoCs

Nuclei

Apache Tomcat - Remote Code Execution via JMX Ports

▶

📋Vendor Advisories

CISA

Oracle Java SE and JRockit Unspecified Vulnerability↗2023-05-12

▶

CISA

Apache Tomcat Remote Code Execution Vulnerability↗2023-05-12

▶

Red Hat

tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener↗2016-11-22

▶

Ubuntu

OpenJDK 6 vulnerabilities↗2016-05-10

▶

Ubuntu

OpenJDK 8 vulnerabilities↗2016-05-05

▶

💬Community

Bugzilla

CVE-2016-8735 tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener↗2016-11-22

▶

Bugzilla

CVE-2016-3427 OpenJDK: unrestricted deserialization of authentication credentials (JMX, 8144430)↗2016-04-18

▶