CVE-2016-8735
critical-risk
Published 2017-04-06
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
Do I need to act?
!
93.8% chance of exploitation in next 30 days
EPSS score — higher than 6% of all CVEs
!
CISA KEV: actively exploited in the wild
On the Known Exploited Vulnerabilities catalog — federal agencies must patch
+
Fix available
Upgrade to: fe0424f91a9f0af2f6422fe83bfaa769d92aa131, b5205c92f41dfd9a67f78bc783db7b022e38226c
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (20)
References (73)
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2017-0457.html
Mailing List
http://seclists.org/oss-sec/2016/q4/502
Release Notes
http://tomcat.apache.org/security-6.html
Release Notes
http://tomcat.apache.org/security-7.html
Release Notes
http://tomcat.apache.org/security-8.html
Release Notes
http://tomcat.apache.org/security-9.html
Mailing List
http://www.debian.org/security/2016/dsa-3738
Broken Link
http://www.securityfocus.com/bid/94463
Broken Link
http://www.securitytracker.com/id/1037331
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:0455
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:0456
and 53 more references
85
/ 100
critical-risk
Severity
32/34 · Critical
Exploitability
27/34 · High
Exposure
26/34 · High