CVE-2016-8735

HIGH

Description

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

ID	Name	Product	Family	Severity
141092	Ubuntu 16.04 LTS : Tomcat vulnerabilities (USN-4557-1)	Nessus	Ubuntu Local Security Checks	high
700668	Apache Tomcat 6.0.x < 6.0.48 / 7.0.x < 7.0.73 / 8.0.x < 8.0.39 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
112192	Apache ActiveMQ 5.x < 5.15.5 Multiple Vulnerabilities	Nessus	CGI abuses	high
103971	Oracle Database Multiple Vulnerabilities (October 2017 CPU)	Nessus	Databases	high
99930	Oracle Secure Global Desktop Multiple Vulnerabilities (April 2017 CPU) (SWEET32)	Nessus	Misc.	high
97596	RHEL 7 : Red Hat JBoss Web Server 3.1.0 (RHSA-2017:0456)	Nessus	Red Hat Local Security Checks	high
97595	RHEL 6 : Red Hat JBoss Web Server 3.1.0 (RHSA-2017:0455)	Nessus	Red Hat Local Security Checks	high
96978	Ubuntu 12.04 LTS / 14.04 LTS : tomcat6, tomcat7 regression (USN-3177-2) (httpoxy)	Nessus	Ubuntu Local Security Checks	high
9906	Apache Tomcat 8.5.x < 8.5.8 / 9.0.0.x < 9.0.0.M13 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
96720	Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : tomcat6, tomcat7, tomcat8 vulnerabilities (USN-3177-1) (httpoxy)	Nessus	Ubuntu Local Security Checks	high
96364	FreeBSD : tomcat -- multiple vulnerabilities (0b9af110-d529-11e6-ae1b-002590263bf5)	Nessus	FreeBSD Local Security Checks	high
96018	Debian DSA-3739-1 : tomcat8 - security update	Nessus	Debian Local Security Checks	high
96017	Debian DSA-3738-1 : tomcat7 - security update	Nessus	Debian Local Security Checks	high
95904	Fedora 24 : 1:tomcat (2016-a98c560116)	Nessus	Fedora Local Security Checks	high
95898	Amazon Linux AMI : tomcat8 (ALAS-2016-778)	Nessus	Amazon Linux Local Security Checks	high
95897	Amazon Linux AMI : tomcat7 (ALAS-2016-777)	Nessus	Amazon Linux Local Security Checks	high
95896	Amazon Linux AMI : tomcat6 (ALAS-2016-776)	Nessus	Amazon Linux Local Security Checks	high
95830	Fedora 23 : 1:tomcat (2016-9c33466fbb)	Nessus	Fedora Local Security Checks	high
95829	Fedora 25 : 1:tomcat (2016-98cca07999)	Nessus	Fedora Local Security Checks	high
95791	openSUSE Security Update : tomcat (openSUSE-2016-1456)	Nessus	SuSE Local Security Checks	high
95790	openSUSE Security Update : tomcat (openSUSE-2016-1455)	Nessus	SuSE Local Security Checks	high
95455	Debian DLA-729-1 : tomcat7 security update	Nessus	Debian Local Security Checks	high
95454	Debian DLA-728-1 : tomcat6 security update	Nessus	Debian Local Security Checks	high
95438	Apache Tomcat 6.0.x < 6.0.48 / 7.0.x < 7.0.73 / 8.0.x < 8.0.39 / 8.5.x < 8.5.8 / 9.0.x < 9.0.0.M13 Multiple Vulnerabilities	Nessus	Web Servers	high

CVE-2016-8735

HIGH

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Configuration 5

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high