CVE-2016-8735 — CRITICAL (9.8)

Q: How severe is CVE-2016-8735?

CVE-2016-8735 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2016-8735?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Tomcat, Canonical Ubuntu Linux, Netapp 7-Mode Transition Tool, Netapp Oncommand Insight, Netapp Oncommand Shift.

Vulnerability Description

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Tomcat	< 6.0.48
Canonical	Ubuntu Linux	16.04
Netapp	7-Mode Transition Tool	-
Netapp	Oncommand Insight	-
Netapp	Oncommand Shift	-
Netapp	Snap Creator Framework	-
Debian	Debian Linux	8.0
Redhat	Jboss Enterprise Web Server	3.0.0
Oracle	Agile Engineering Data Management	6.1.3
Oracle	Agile Plm	9.3.5
Oracle	Communications Application Session Controller	3.7.1
Oracle	Communications Instant Messaging Server	10.0.1
Oracle	Communications Interactive Session Recorder	6.0
Oracle	Hospitality Guest Access	4.2.0
Oracle	Micros Relate Crm Software	10.8
Oracle	Micros Retail Xbri Loss Prevention	10.0.1
Oracle	Mysql Enterprise Monitor	<= 3.2.8.2223
Oracle	Retail Convenience And Fuel Pos Software	2.1.132
Oracle	Transportation Management	6.3.0

References

http://rhn.redhat.com/errata/RHSA-2017-0457.htmlThird Party Advisory
http://seclists.org/oss-sec/2016/q4/502Mailing ListMitigationThird Party Advisory
http://svn.apache.org/viewvc?view=revision&revision=1767644Broken LinkPatch
http://svn.apache.org/viewvc?view=revision&revision=1767656Broken LinkPatch
http://svn.apache.org/viewvc?view=revision&revision=1767676Broken LinkPatch
http://svn.apache.org/viewvc?view=revision&revision=1767684Broken LinkPatch
http://tomcat.apache.org/security-6.htmlRelease NotesVendor Advisory
http://tomcat.apache.org/security-7.htmlRelease NotesVendor Advisory
http://tomcat.apache.org/security-8.htmlRelease NotesVendor Advisory
http://tomcat.apache.org/security-9.htmlRelease NotesVendor Advisory
http://www.debian.org/security/2016/dsa-3738Mailing ListThird Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.htmlPatchThird Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.htmlPatchThird Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.htmlPatchThird Party Advisory
http://www.securityfocus.com/bid/94463Broken LinkThird Party AdvisoryVDB Entry

FAQ

What is CVE-2016-8735?

CVE-2016-8735 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an atta...

How severe is CVE-2016-8735?

CVE-2016-8735 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2016-8735?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Tomcat, Canonical Ubuntu Linux, Netapp 7-Mode Transition Tool, Netapp Oncommand Insight, Netapp Oncommand Shift.