CVE-2016-8735
Published: 06 April 2017
Summary
CVE-2016-8735 is a critical-severity vulnerability of unspecified weakness type in Apache Tomcat. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).
Deeper analysis
The vulnerability is a remote code execution flaw in Apache Tomcat versions prior to 6.0.48, 7.0.73, 8.0.39, 8.5.7, and 9.0.0.M12. It stems from the JmxRemoteLifecycleListener component, which was not updated to align with the credential type handling changes introduced by the Oracle patch for CVE-2016-3427, allowing unsafe deserialization or credential processing over JMX.
An unauthenticated attacker who can reach the JMX ports exposed by a Tomcat instance using this listener can exploit the issue to execute arbitrary code on the server. The flaw requires no user interaction and carries a CVSS 3.1 base score of 9.8 due to its network-accessible nature and full impact on confidentiality, integrity, and availability.
Advisories such as Red Hat RHSA-2017-0457 and the Apache SVN revisions (1767644, 1767656, 1767676) direct users to upgrade to the fixed Tomcat releases. They also recommend disabling or restricting access to JMX ports when the listener is not required, along with applying the corresponding Oracle JVM patches for consistent credential handling.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-3642
Vulnerability details
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
- CWE(s): not specified
- KEV Date Added: 12 May 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- SC-7 (Boundary Protection): restricts network access to JMX ports so that unauthenticated attackers cannot reach the vulnerable JmxRemoteLifecycleListener.
- AC-3 (Access Enforcement): enforces access-control policy on the JMX management interface, blocking the unauthenticated remote-code-execution path described in the CVE.
- Patching: requires prompt application of the Tomcat and Oracle JVM patches that eliminate the unsafe credential-handling flaw.
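As an added triage example (not part of this advisory or of Apache Tomcat itself), the following Python script checks a reported Tomcat version against the fixed releases given in the analysis above and inspects a server.xml for the JmxRemoteLifecycleListener, reporting the RMI ports an operator would need to restrict under the controls listed. The server.xml content is a constructed sample; the `rmiRegistryPortPlatform` and `rmiServerPortPlatform` attribute names are the listener's documented port attributes, and the `assess` and `is_vulnerable_version` helpers are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release per Tomcat line, from the advisory, as 4-tuples; the
# 4th element is the milestone number for 9.0.0.Mx, 0 for GA fix versions.
FIXED_BY_BRANCH = {
    (6, 0): (6, 0, 48, 0), (7, 0): (7, 0, 73, 0),
    (8, 0): (8, 0, 39, 0), (8, 5): (8, 5, 7, 0),
    (9, 0): (9, 0, 0, 12),  # 9.0.0.M12
}
LISTENER = "org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")

def parse_version(text):
    """'8.5.6' -> (8, 5, 6, inf); '9.0.0.M11' -> (9, 0, 0, 11)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    # A GA release sorts after every milestone of the same x.y.z.
    tail = int(milestone) if milestone is not None else float("inf")
    return (int(major), int(minor), int(patch), tail)

def is_vulnerable_version(text):
    """True if older than the branch fix, False if fixed, None if uncovered."""
    v = parse_version(text)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:  # 10.x and later postdate every fix; pre-6.0 is out of scope
        return False if v[:2] > (9, 0) else None
    return v < fixed

def jmx_listener_ports(server_xml):
    """(registry, server) RMI ports of each JmxRemoteLifecycleListener."""
    root = ET.fromstring(server_xml)
    return [(el.get("rmiRegistryPortPlatform"), el.get("rmiServerPortPlatform"))
            for el in root.iter("Listener") if el.get("className") == LISTENER]

def assess(version, server_xml):
    """Exposed only when the version is unpatched AND the listener is configured."""
    unpatched = is_vulnerable_version(version)
    ports = jmx_listener_ports(server_xml)
    return {"unpatched": unpatched, "listener_ports": ports,
            "exposed": bool(unpatched) and bool(ports)}

# Constructed sample server.xml (not taken from any real deployment).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002"/>
</Server>"""
```

A host is only flagged as exposed when both conditions hold, which mirrors the advisory's guidance that either upgrading or removing/restricting the listener closes the path.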