CVE-2016-8735

CVSS 9.8 CRITICALEPSS 90.3%● KEV

In short

Apache Tomcat allows attackers to run malicious code remotely if JMX monitoring is enabled and the attacker can access the JMX ports. This happens because Tomcat didn't properly secure credential handling in its monitoring feature, leaving it vulnerable to unauthorized commands.

Technical detail

Remote code execution vulnerability in Apache Tomcat's JmxRemoteLifecycleListener affects versions prior to 6.0.48, 7.0.73, 8.0.39, 8.5.7, and 9.0.0.M12. Requires JMX ports to be accessible and JmxRemoteLifecycleListener enabled; the vulnerability stems from inconsistent credential type validation against Oracle's CVE-2016-3427 patch. An unauthenticated attacker with network access to JMX ports can achieve arbitrary code execution on the server.

Summary generated and translated by AI from the official description.

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Apache Software Foundation · Apache Tomcat

public PoCs found — 1

githubgithub.com/ianxtianxt/CVE-2016-8735★ 0

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References