⚠ Actively exploited

Added to CISA KEV on 2023-05-12. Federal agencies required to patch by 2023-06-02. Required action: Apply updates per vendor instructions..

CVE-2016-8735

CWE-284 — Improper Access Control CWE-502 — Deserialization of Untrusted Data17 documents12 sources

Severity

9.8CRITICAL

EPSS

93.8%

top 0.14%

CISA KEV

KEV

Added 2023-05-12

Due 2023-06-02

Exploit

Exploited in wild

Active exploitation observed

Affected products

Apache Tomcat Oracle Mysql Enterprise Monitor Apache Software Foundation Apache Tomcat +13 more

Timeline

PublishedApr 6

KEV addedMay 12

KEV dueJun 2

Latest updateJan 30

CISA Required Action: Apply updates per vendor instructions.

Description

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages19 packages

▶Mavenorg.apache.tomcat:tomcat-catalina-jmx-remote7.0.0 — 7.0.73+4

▶NVDapache/tomcat7.0.0 — 7.0.73+4

▶Mavenorg.apache.tomcat:tomcat-catalina7.0.0 — 7.0.73+4

▶CVEListV5apache_software_foundation/apache_tomcat5 versions+4

▶Ubuntutomcat7< 7.0.52-1ubuntu0.8+1

Also affects: Debian Linux 8.0, Ubuntu Linux 16.04

Patches

Patch: svn.apache.org ↗Patch: svn.apache.org ↗Patch: svn.apache.org ↗

🔴Vulnerability Details

GHSA

Apache Tomcat Improper Access Control vulnerability↗2022-05-13

▶

OSV

Apache Tomcat Improper Access Control vulnerability↗2022-05-13

▶

CVEList

CVE-2016-8735: Remote code execution is possible with Apache Tomcat before 6↗2017-04-06

▶

OSV

CVE-2016-8735: Remote code execution is possible with Apache Tomcat before 6↗2016-11-24

▶

VulnCheck

Apache Tomcat Remote Code Execution Vulnerability↗2016

▶

💥Exploits & PoCs

Nuclei

Apache Tomcat - Remote Code Execution via JMX Ports

▶

📋Vendor Advisories

Ubuntu

Tomcat vulnerability↗2025-01-30

▶

CISA

Apache Tomcat Remote Code Execution Vulnerability↗2023-05-12

▶

Ubuntu

Tomcat vulnerabilities↗2020-09-30

▶

Ubuntu

Tomcat vulnerabilities↗2017-01-23

▶

Red Hat

tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener↗2016-11-22

▶

💬Community

Bugzilla

CVE-2016-8735 tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener↗2016-11-22

▶

Bugzilla

CVE-2016-6816 CVE-2016-8735 tomcat: various flaws [epel-6]↗2016-11-22

▶

Bugzilla

CVE-2016-6816 CVE-2016-6817 CVE-2016-8735 tomcat: various flaws [fedora-all]↗2016-11-22

▶