CVE-2016-8735
Published: 24 November 2016
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
Priority
Status
Package | Release | Status |
---|---|---|
tomcat6 | artful | Does not exist |
tomcat6 | bionic | Does not exist |
tomcat6 | cosmic | Does not exist |
tomcat6 | disco | Does not exist |
tomcat6 | eoan | Does not exist |
tomcat6 | focal | Does not exist |
tomcat6 | groovy | Does not exist |
tomcat6 | hirsute | Does not exist |
tomcat6 | impish | Does not exist |
tomcat6 | jammy | Does not exist |
tomcat6 | kinetic | Does not exist |
tomcat6 | lunar | Does not exist |
tomcat6 | mantic | Does not exist |
tomcat6 | noble | Does not exist |
tomcat6 | precise | Released (6.0.35-1ubuntu3.9) |
tomcat6 | trusty | Needed |
tomcat6 | upstream | Released (6.0.48) |
tomcat6 | xenial | Released (6.0.45+dfsg-1ubuntu0.1) |
tomcat6 | yakkety | Does not exist |
tomcat6 | zesty | Does not exist |

Patches (tomcat6):
upstream: http://svn.apache.org/viewvc?view=revision&revision=1765976
upstream: http://svn.apache.org/r1767684

Package | Release | Status |
---|---|---|
tomcat7 | artful | Not vulnerable (7.0.73-1) |
tomcat7 | bionic | Not vulnerable (7.0.73-1) |
tomcat7 | cosmic | Not vulnerable (7.0.73-1) |
tomcat7 | disco | Does not exist |
tomcat7 | eoan | Does not exist |
tomcat7 | focal | Does not exist |
tomcat7 | groovy | Does not exist |
tomcat7 | hirsute | Does not exist |
tomcat7 | impish | Does not exist |
tomcat7 | jammy | Does not exist |
tomcat7 | kinetic | Does not exist |
tomcat7 | lunar | Does not exist |
tomcat7 | mantic | Does not exist |
tomcat7 | noble | Does not exist |
tomcat7 | precise | Ignored (end of life) |
tomcat7 | trusty | Released (7.0.52-1ubuntu0.8) |
tomcat7 | upstream | Released (7.0.73) |
tomcat7 | xenial | Released (7.0.68-1ubuntu0.3) |
tomcat7 | yakkety | Ignored (end of life) |
tomcat7 | zesty | Not vulnerable (7.0.73-1) |

Patches (tomcat7):
upstream: http://svn.apache.org/viewvc?view=revision&revision=1666762
upstream: http://svn.apache.org/r1767676

Package | Release | Status |
---|---|---|
tomcat8 | artful | Released (8.0.38-2ubuntu1) |
tomcat8 | bionic | Released (8.0.38-2ubuntu1) |
tomcat8 | cosmic | Released (8.0.38-2ubuntu1) |
tomcat8 | disco | Does not exist |
tomcat8 | eoan | Does not exist |
tomcat8 | focal | Does not exist |
tomcat8 | groovy | Does not exist |
tomcat8 | hirsute | Does not exist |
tomcat8 | impish | Does not exist |
tomcat8 | jammy | Does not exist |
tomcat8 | kinetic | Does not exist |
tomcat8 | lunar | Does not exist |
tomcat8 | mantic | Does not exist |
tomcat8 | noble | Does not exist |
tomcat8 | precise | Does not exist |
tomcat8 | trusty | Does not exist |
tomcat8 | upstream | Released (8.0.39) |
tomcat8 | xenial | Released (8.0.32-1ubuntu1.3) |
tomcat8 | yakkety | Released (8.0.37-1ubuntu0.1) |
tomcat8 | zesty | Released (8.0.38-2ubuntu1) |

Patches (tomcat8):
upstream: http://svn.apache.org/r1767656

Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |