CVE-2016-8735
Published: 24 November 2016
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
tomcat6 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| precise |
Released
(6.0.35-1ubuntu3.9)
|
|
| trusty |
Needed
|
|
| upstream |
Released
(6.0.48)
|
|
| xenial |
Released
(6.0.45+dfsg-1ubuntu0.1)
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
|
Patches: upstream: http://svn.apache.org/viewvc?view=revision&revision=1765976 (bp) upstream: http://svn.apache.org/r1767684 |
||
|
tomcat7 Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(7.0.73-1)
|
| bionic |
Not vulnerable
(7.0.73-1)
|
|
| cosmic |
Not vulnerable
(7.0.73-1)
|
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| precise |
Does not exist
(precise was needed)
|
|
| trusty |
Released
(7.0.52-1ubuntu0.8)
|
|
| upstream |
Released
(7.0.73)
|
|
| xenial |
Released
(7.0.68-1ubuntu0.3)
|
|
| yakkety |
Ignored
(reached end-of-life)
|
|
| zesty |
Not vulnerable
(7.0.73-1)
|
|
|
Patches: upstream: http://svn.apache.org/viewvc?view=revision&revision=1666762 (bp) upstream: http://svn.apache.org/r1767676 |
||
|
tomcat8 Launchpad, Ubuntu, Debian |
artful |
Released
(8.0.38-2ubuntu1)
|
| bionic |
Released
(8.0.38-2ubuntu1)
|
|
| cosmic |
Released
(8.0.38-2ubuntu1)
|
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(8.0.39)
|
|
| xenial |
Released
(8.0.32-1ubuntu1.3)
|
|
| yakkety |
Released
(8.0.37-1ubuntu0.1)
|
|
| zesty |
Released
(8.0.38-2ubuntu1)
|
|
|
Patches: upstream: http://svn.apache.org/r1767656 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 9.8 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |