CVE-2016-8735: Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if…

critical9.8CVSS 3.1

AVNACLPRNUINSUCHIHAH

KEVITWEXPLOIT

CISA Known Exploited Vulnerabilitydue 2023-06-02

Exploited in the wild

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

Affected

43 ranges· showing 25

Vendor	Product	Version range	Fixed in
apache	tomcat	< 6.0.48	6.0.48
apache	tomcat	—	—
apache	tomcat	—	—
apache	tomcat	>= 7.0.0 < 7.0.73	7.0.73
apache	tomcat	>= 8.0 < 8.0.39	8.0.39
apache	tomcat	>= 8.5.0 < 8.5.7	8.5.7
canonical	ubuntu_linux	—	—
debian	debian_linux	—	—
debian	tomcat9	—	—
oracle	agile_engineering_data_management	—	—
oracle	agile_engineering_data_management	—	—
oracle	agile_engineering_data_management	—	—
oracle	agile_plm	—	—
oracle	agile_plm	—	—
oracle	communications_application_session_controller	—	—
oracle	communications_application_session_controller	—	—
oracle	communications_instant_messaging_server	—	—
oracle	communications_interactive_session_recorder	—	—
oracle	communications_interactive_session_recorder	—	—
oracle	communications_interactive_session_recorder	—	—
oracle	hospitality_guest_access	—	—
oracle	hospitality_guest_access	—	—
oracle	micros_relate_crm_software	—	—
oracle	micros_relate_crm_software	—	—
oracle	micros_retail_xbri_loss_prevention	—	—

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

ghsa9.8CRITICAL

osv9.8CRITICAL

vulncheck9.8CRITICAL

cisa9.8CRITICAL