CVE-2016-8735

Published: 24 November 2016

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach the RMI registry and JMX server ports that the listener opens. The listener creates its own RMI registry and JMX connector server rather than using the JVM's built-in agent, so it was not updated for consistency with the Oracle patch for CVE-2016-3427, which restricted the credential types a JMX connector server accepts before deserializing them; an unpatched listener still deserializes arbitrary objects supplied as JMX credentials.
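The advisory's exposure condition has two parts: the listener must be configured in server.xml, and the running version must predate the fix for its branch. The script below is an added example (not code from the Ubuntu tracker or from Apache Tomcat) that checks both against a constructed server.xml. The attribute names rmiRegistryPortPlatform, rmiServerPortPlatform and rmiBindAddress are the listener's documented attributes; the fixed versions are the ones named in the advisory text. It compares upstream version strings only, so it assumes a self-built Tomcat: a distribution package such as Ubuntu's 8.0.32-1ubuntu1.3 reports an old upstream version while carrying the backported fix, and for those the package table below is authoritative.

```python
import re
import xml.etree.ElementTree as ET

# Listener class named in the advisory.
JMX_LISTENER = "org.apache.catalina.mbeans.JmxRemoteLifecycleListener"

# First fixed upstream release per branch, taken from the advisory text.
FIXED_IN = {
    (6, 0): "6.0.48",
    (7, 0): "7.0.73",
    (8, 0): "8.0.39",
    (8, 5): "8.5.7",
    (9, 0): "9.0.0.M12",
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?")


def parse_version(text):
    """Turn '8.5.7' or '9.0.0.M12' into a comparable tuple.

    Layout is (major, minor, patch, is_ga, milestone) so that a milestone
    build sorts before the GA build of the same number (9.0.0.M12 < 9.0.0).
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    ga = milestone is None
    return (int(major), int(minor), int(patch), 1 if ga else 0,
            0 if ga else int(milestone))


def upstream_version_is_fixed(version):
    """True/False for the branches the advisory covers, None otherwise."""
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return None
    return v >= parse_version(fixed)


def jmx_listener_config(server_xml):
    """Return the listener's port/bind attributes, or None if it is not configured."""
    root = ET.fromstring(server_xml)
    for listener in root.iter("Listener"):
        if listener.get("className") == JMX_LISTENER:
            return {
                "rmiRegistryPortPlatform": listener.get("rmiRegistryPortPlatform"),
                "rmiServerPortPlatform": listener.get("rmiServerPortPlatform"),
                "rmiBindAddress": listener.get("rmiBindAddress"),
            }
    return None


def triage(version, server_xml):
    """Combine the configuration and version checks into (verdict, reason)."""
    cfg = jmx_listener_config(server_xml)
    if cfg is None:
        return ("not-affected", "JmxRemoteLifecycleListener is not configured")
    fixed = upstream_version_is_fixed(version)
    ports = (f"registry port {cfg['rmiRegistryPortPlatform']}, "
             f"server port {cfg['rmiServerPortPlatform']}")
    if fixed is None:
        return ("unknown", f"version {version} is outside the advisory's branches; {ports}")
    if fixed:
        return ("fixed", f"version {version} carries the upstream fix; {ports}")
    # No rmiBindAddress means the listener binds every interface.
    bind = cfg["rmiBindAddress"] or "all interfaces"
    return ("vulnerable",
            f"version {version} predates the fix; listener bound to {bind}, {ports}")


# Constructed sample server.xml for the demonstration (not from a real deployment).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>
"""

if __name__ == "__main__":
    for ver in ("8.0.32", "8.0.39", "8.5.6", "9.0.0.M11", "9.0.1", "10.0.0"):
        print(ver, triage(ver, SAMPLE_SERVER_XML))
```

A "vulnerable" verdict only means the preconditions hold on the host; whether the ports are reachable by an attacker is a network question, so pair this with a check of what the registry and server ports are actually bound and filtered to.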

Priority: Low

CVSS 3 base score: 9.8

Status

Package: tomcat6 (Launchpad, Ubuntu, Debian)
  Upstream                          Released (6.0.48)
  Ubuntu 21.10 (Impish Indri)       Does not exist
  Ubuntu 21.04 (Hirsute Hippo)      Does not exist
  Ubuntu 20.04 LTS (Focal Fossa)    Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver)  Does not exist
  Ubuntu 16.04 ESM (Xenial Xerus)   Released (6.0.45+dfsg-1ubuntu0.1)
  Ubuntu 14.04 ESM (Trusty Tahr)    Needed
  Patches:
    Upstream: http://svn.apache.org/viewvc?view=revision&revision=1765976 (bp)
    Upstream: http://svn.apache.org/r1767684

Package: tomcat7 (Launchpad, Ubuntu, Debian)
  Upstream                          Released (7.0.73)
  Ubuntu 21.10 (Impish Indri)       Does not exist
  Ubuntu 21.04 (Hirsute Hippo)      Does not exist
  Ubuntu 20.04 LTS (Focal Fossa)    Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver)  Not vulnerable (7.0.73-1)
  Ubuntu 16.04 ESM (Xenial Xerus)   Released (7.0.68-1ubuntu0.3)
  Ubuntu 14.04 ESM (Trusty Tahr)    Released (7.0.52-1ubuntu0.8)
  Patches:
    Upstream: http://svn.apache.org/viewvc?view=revision&revision=1666762 (bp)
    Upstream: http://svn.apache.org/r1767676

Package: tomcat8 (Launchpad, Ubuntu, Debian)
  Upstream                          Released (8.0.39)
  Ubuntu 21.10 (Impish Indri)       Does not exist
  Ubuntu 21.04 (Hirsute Hippo)      Does not exist
  Ubuntu 20.04 LTS (Focal Fossa)    Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver)  Released (8.0.38-2ubuntu1)
  Ubuntu 16.04 ESM (Xenial Xerus)   Released (8.0.32-1ubuntu1.3)
  Ubuntu 14.04 ESM (Trusty Tahr)    Does not exist
  Patches:
    Upstream: http://svn.apache.org/r1767656