Cyber Resilience

CVE-2016-3427

Severity: Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 21 April 2016
Modified: 22 April 2026
KEV Added: 12 May 2023
Patch
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9329 (99.8th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2016-3427 is a critical-severity Improper Access Control (CWE-284) vulnerability in Red Hat Enterprise Linux EUS. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2016-3427 is an unspecified vulnerability affecting Oracle Java SE 6u113, 7u99, and 8u77, Java SE Embedded 8u77, and JRockit R28.3.9. It is tied to the JMX component and carries a CVSS 3.1 base score of 9.8, reflecting the potential for complete loss of confidentiality, integrity, and availability. The associated CWEs point to improper access control with no further technical detail provided in the advisory.

Remote attackers can exploit the flaw over the network without authentication or user interaction. Successful exploitation grants the ability to fully compromise the confidentiality, integrity, and availability of affected Java installations, consistent with the high-impact metrics in the CVSS vector.

The listed references consist of OpenSUSE security announcements that address the issue through updated Java packages; practitioners should apply the corresponding patches or newer Java releases to eliminate the exposure. No information on observed in-the-wild exploitation is supplied in the source data.

EU & UK References

Vulnerability details

Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX.

CWE(s): CWE-284 (Improper Access Control)
KEV Date Added: 12 May 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Versions
oracle | jdk | 1.6.0, 1.7.0, 1.8.0
oracle | jre | 1.6.0, 1.7.0, 1.8.0
oracle | jrockit | r28.3.9
oracle | linux | 5, 6, 7
canonical | ubuntu linux | 12.04, 14.04, 15.10, 16.04
debian | debian linux | 8.0
netapp | e-series santricity management plug-ins | all versions
netapp | e-series santricity storage manager | all versions
netapp | e-series santricity web services | all versions
netapp | oncommand balance | all versions
+28 more product configuration(s); see NVD for the full list

Mitigating Controls

(NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): directly requires timely application of vendor patches to eliminate the known JMX flaw in affected Java versions.

AC-3 Access Enforcement (prevent): enforces access-control decisions on the JMX interface, blocking the unauthenticated remote exploitation path described in the CVE.

Network access restriction (prevent): restricts network access to JMX ports and management interfaces, limiting exposure of the vulnerable component to untrusted remote actors.

References