Cyber Resilience

CVE-2016-8735

Severity: Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 06 April 2017
Modified: 21 April 2026
KEV Added: 12 May 2023
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9380 (99.9th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2016-8735 is a critical-severity vulnerability in Apache Tomcat; its weakness type (CWE) is unspecified. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

The vulnerability is a remote code execution flaw in Apache Tomcat versions prior to 6.0.48, 7.0.73, 8.0.39, 8.5.7, and 9.0.0.M12. It stems from the JmxRemoteLifecycleListener component, which was not updated to align with the credential type handling changes introduced by the Oracle patch for CVE-2016-3427, allowing unsafe deserialization or credential processing over JMX.

An unauthenticated attacker who can reach the JMX ports exposed by a Tomcat instance using this listener can exploit the issue to execute arbitrary code on the server. The flaw requires no user interaction and carries a CVSS 3.1 base score of 9.8 due to its network-accessible nature and full impact on confidentiality, integrity, and availability.

Advisories such as Red Hat RHSA-2017-0457 and the Apache SVN revisions (1767644, 1767656, 1767676) direct users to upgrade to the fixed Tomcat releases. They also recommend disabling or restricting access to JMX ports when the listener is not required, along with applying the corresponding Oracle JVM patches for consistent credential handling.
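The two conditions in the analysis above (an affected Tomcat version and JmxRemoteLifecycleListener actually configured) can be checked together in an inventory or build-pipeline script. The following is an added example written for this page, not code from the site, Apache Tomcat, or Red Hat. It assumes the listener's class name and its rmiRegistryPortPlatform / rmiServerPortPlatform / rmiBindAddress attributes as documented for Tomcat's server.xml, and it uses the fixed-version boundaries stated in the analysis; the server.xml documents are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

LISTENER = "org.apache.catalina.mbeans.JmxRemoteLifecycleListener"

# First fixed release on each Tomcat branch, as stated in the advisory text.
FIXED_BY_BRANCH = {
    (6, 0): "6.0.48",
    (7, 0): "7.0.73",
    (8, 0): "8.0.39",
    (8, 5): "8.5.7",
    (9, 0): "9.0.0.M12",
}

# Tomcat versions look like 8.5.6 or, for 9.0 pre-releases, 9.0.0.M12.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")


def version_key(version: str):
    """Sortable key for a Tomcat version; 'M' milestones sort before the GA build."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    is_ga = 1 if milestone is None else 0  # GA outranks every milestone of the same x.y.z
    return (int(major), int(minor), int(patch), is_ga, int(milestone or 0))


def is_affected_version(version: str) -> bool:
    """True when the version is below the first fixed release of its branch."""
    key = version_key(version)
    branch = (key[0], key[1])
    if branch not in FIXED_BY_BRANCH:
        # Branches created after the fix (e.g. 10.x) are out of scope for this CVE.
        return False
    return key < version_key(FIXED_BY_BRANCH[branch])


def find_jmx_listeners(server_xml: str) -> list:
    """Return every JmxRemoteLifecycleListener in server.xml with its configured ports."""
    root = ET.fromstring(server_xml)
    found = []
    for listener in root.iter("Listener"):
        if listener.get("className") == LISTENER:
            found.append({
                "registry_port": listener.get("rmiRegistryPortPlatform"),
                "server_port": listener.get("rmiServerPortPlatform"),
                # Absent rmiBindAddress is reported as None; the operator should confirm
                # the listener is not reachable from untrusted networks.
                "bind_address": listener.get("rmiBindAddress"),
            })
    return found


def assess(version: str, server_xml: str) -> dict:
    """Combine the version check and the listener check into one finding."""
    listeners = find_jmx_listeners(server_xml)
    affected = is_affected_version(version)
    return {
        "version": version,
        "version_affected": affected,
        "jmx_listener_configured": bool(listeners),
        "listeners": listeners,
        # Per the advisory, both conditions must hold for the remote path to exist.
        "exposed_to_cve_2016_8735": affected and bool(listeners),
    }


# Constructed sample (not a real deployment): the listener is enabled on two RMI ports.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Same constructed sample with the listener removed, the mitigation the advisories
# recommend when remote JMX is not required.
HARDENED_SERVER_XML = SAMPLE_SERVER_XML.replace(
    '  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"\n'
    '            rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" />\n', "")

if __name__ == "__main__":
    for v in ("6.0.47", "7.0.73", "8.0.38", "8.5.7", "9.0.0.M11", "9.0.0"):
        r = assess(v, SAMPLE_SERVER_XML)
        print(f"{v:10} affected={r['version_affected']!s:5} "
              f"exposed={r['exposed_to_cve_2016_8735']}")
```

Run the script against a real server.xml by reading the file into `assess()`; a finding with `exposed_to_cve_2016_8735` true means both the upgrade and the port restriction from the advisories apply, while a true `jmx_listener_configured` on a fixed version is still worth reviewing against the boundary-protection control below.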

EU & UK References

Vulnerability details

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

CWE(s): none listed
KEV Date Added: 12 May 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor      Product                             Versions
apache      tomcat                              9.0.0 · ≤ 6.0.48 · 7.0.0 to 7.0.73 · 8.0 to 8.0.39
canonical   ubuntu linux                        16.04
netapp      7-mode transition tool              all versions
netapp      oncommand insight                   all versions
netapp      oncommand shift                     all versions
netapp      snap creator framework              all versions
debian      debian linux                        8.0
redhat      jboss enterprise web server         3.0.0
oracle      agile engineering data management   6.1.3, 6.2.0, 6.2.1.0
oracle      agile plm                           9.3.5, 9.3.6

+9 more product configuration(s); see NVD for the full list.

Mitigating Controls (NIST 800-53 r5)

SC-7 Boundary Protection (prevent): Restricts network access to JMX ports so that unauthenticated attackers cannot reach the vulnerable JmxRemoteLifecycleListener.

AC-3 Access Enforcement (prevent): Enforces access-control policy on the JMX management interface, blocking the unauthenticated remote-code-execution path described in the CVE.

Prevent: Requires prompt application of the Tomcat and Oracle JVM patches that eliminate the unsafe credential-handling flaw.

References