PT-2016-3139
Pierre Ernst · Published 2016-11-08 · Updated 2025-08-31
CVE-2016-8735
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 6.0.0 through 6.0.47
Apache Tomcat versions 7.0.0 through 7.0.72
Apache Tomcat versions 8.0.0 through 8.0.38
Apache Tomcat versions 8.5.0 through 8.5.6
Apache Tomcat versions 9.0.0.M1 through 9.0.0.M11
Description
The issue allows remote code execution if JmxRemoteLifecycleListener is used and an attacker can reach the JMX ports. The cause is that the listener was not updated for consistency with an Oracle patch that affected credential types, leaving Tomcat installations that use this listener vulnerable to remote code execution. The estimated number of potentially affected devices is not specified. There is no information about real-world incidents in which this issue was exploited.
API endpoints are not specified, but the issue involves access to the JMX ports.
Vulnerable parameters or variables are not explicitly mentioned, but the issue is related to credential types.
Recommendations
For Apache Tomcat versions 6.0.0 through 6.0.47, update to version 6.0.48 or later.
For Apache Tomcat versions 7.0.0 through 7.0.72, update to version 7.0.73 or later.
For Apache Tomcat versions 8.0.0 through 8.0.38, update to version 8.0.39 or later.
For Apache Tomcat versions 8.5.0 through 8.5.6, update to version 8.5.7 or later.
For Apache Tomcat versions 9.0.0.M1 through 9.0.0.M11, update to version 9.0.0.M12 or later.
As a temporary workaround, consider disabling the JmxRemoteLifecycleListener until a patch is available. Restrict access to the JMX ports to minimize the risk of exploitation.
Fix
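The following script is an added example and is not part of the advisory or of the Tomcat project. It applies the two checks the recommendations imply from the defender's side: whether a Tomcat version falls inside one of the affected ranges listed above (including the 9.0.0.M milestone range), and whether a server.xml still declares the JmxRemoteLifecycleListener. The fully qualified class name is taken from Tomcat's documentation for this listener; the server.xml fragment is constructed for the example and is not taken from any real deployment.

```python
"""Added example: assess a Tomcat install for CVE-2016-8735 exposure using the
version ranges from the advisory and the presence of JmxRemoteLifecycleListener
in server.xml. Not part of the advisory or of Tomcat itself."""
import re
import xml.etree.ElementTree as ET

# Affected ranges (inclusive) and the first fixed version, as listed in the advisory.
AFFECTED = [
    ("6.0.0", "6.0.47", "6.0.48"),
    ("7.0.0", "7.0.72", "7.0.73"),
    ("8.0.0", "8.0.38", "8.0.39"),
    ("8.5.0", "8.5.6", "8.5.7"),
    ("9.0.0.M1", "9.0.0.M11", "9.0.0.M12"),
]

# Fully qualified name of the listener, per Tomcat's documentation.
LISTENER_CLASS = "org.apache.catalina.mbeans.JmxRemoteLifecycleListener"


def parse_version(v):
    """Turn '8.5.6' or '9.0.0.M11' into a comparable tuple.
    Milestone builds (M<n>) sort before the corresponding GA release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    # (0, n) marks a milestone, (1, 0) marks GA, so M11 < M12 < 9.0.0 GA
    tail = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch)) + tail


def affected_range(version):
    """Return (low, high, fixed) if the version is in an affected range, else None."""
    pv = parse_version(version)
    for low, high, fixed in AFFECTED:
        if parse_version(low) <= pv <= parse_version(high):
            return (low, high, fixed)
    return None


def jmx_listener_configured(server_xml_text):
    """True if server.xml declares JmxRemoteLifecycleListener at any nesting level."""
    root = ET.fromstring(server_xml_text)
    return any(el.get("className") == LISTENER_CLASS for el in root.iter("Listener"))


def assess(version, server_xml_text):
    """Combine both checks into a short verdict string."""
    rng = affected_range(version)
    listener = jmx_listener_configured(server_xml_text)
    if rng and listener:
        return (f"VULNERABLE: Tomcat {version} with {LISTENER_CLASS}; "
                f"update to {rng[2]} or later, or remove the listener and restrict the JMX ports")
    if rng:
        return f"AFFECTED VERSION, listener not configured: update to {rng[2]} or later"
    if listener:
        return "listener configured on a non-affected version; still restrict access to the JMX ports"
    return "not affected"


# Constructed sample server.xml (hypothetical, not from any real deployment).
# The rmiRegistryPortPlatform / rmiServerPortPlatform attributes follow Tomcat's
# documented configuration for this listener.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>
"""

if __name__ == "__main__":
    for v in ("8.5.6", "8.5.7", "9.0.0.M11", "9.0.0.M12"):
        print(v, "->", assess(v, SAMPLE_SERVER_XML))
```

In practice, feed `assess()` the version string from the installation's version output and the contents of its `conf/server.xml`; the verdict distinguishes an affected version that still carries the listener (update or remove it) from one where only the port-restriction advice applies.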
Weakness Enumeration
Improper Access Control
Related Identifiers
Affected Products
Alt Linux
Apache Tomcat
Suse
Ubuntu