CVE-2016-8735
Published: 24 November 2016
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
tomcat6 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| precise |
Released
(6.0.35-1ubuntu3.9)
|
|
| trusty |
Needed
|
|
| upstream |
Released
(6.0.48)
|
|
| xenial |
Released
(6.0.45+dfsg-1ubuntu0.1)
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
|
Patches: upstream: http://svn.apache.org/viewvc?view=revision&revision=1765976 upstream: http://svn.apache.org/r1767684 |
||
|
tomcat7 Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(7.0.73-1)
|
| bionic |
Not vulnerable
(7.0.73-1)
|
|
| cosmic |
Not vulnerable
(7.0.73-1)
|
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| precise |
Ignored
(end of life)
|
|
| trusty |
Released
(7.0.52-1ubuntu0.8)
|
|
| upstream |
Released
(7.0.73)
|
|
| xenial |
Released
(7.0.68-1ubuntu0.3)
|
|
| yakkety |
Ignored
(end of life)
|
|
| zesty |
Not vulnerable
(7.0.73-1)
|
|
|
Patches: upstream: http://svn.apache.org/viewvc?view=revision&revision=1666762 upstream: http://svn.apache.org/r1767676 |
||
|
tomcat8 Launchpad, Ubuntu, Debian |
artful |
Released
(8.0.38-2ubuntu1)
|
| bionic |
Released
(8.0.38-2ubuntu1)
|
|
| cosmic |
Released
(8.0.38-2ubuntu1)
|
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(8.0.39)
|
|
| xenial |
Released
(8.0.32-1ubuntu1.3)
|
|
| yakkety |
Released
(8.0.37-1ubuntu0.1)
|
|
| zesty |
Released
(8.0.38-2ubuntu1)
|
|
|
Patches: upstream: http://svn.apache.org/r1767656 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 9.8 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |