What is the severity of CVE-2016-8735?

CVE-2016-8735 has been rated as critical due to its potential for remote code execution.

How do I fix CVE-2016-8735?

To mitigate CVE-2016-8735, upgrade Apache Tomcat to version 6.0.48 or later, or apply necessary security patches.

What versions of Apache Tomcat are affected by CVE-2016-8735?

CVE-2016-8735 affects Apache Tomcat versions from 6.0.0 to 6.0.47, as well as multiple versions of 7.x, 8.x, and 9.x.

What is the attack vector for CVE-2016-8735?

The attack vector for CVE-2016-8735 involves an attacker gaining access to JMX ports exposed by the JmxRemoteLifecycleListener.

What kind of vulnerabilities are associated with CVE-2016-8735?

CVE-2016-8735 is associated with remote code execution vulnerabilities related to improper handling of management extensions in Apache Tomcat.

Vulnerability/
CVE-2016-8735

Exploited

critical

9.8

CWE

284

22/11/2016

6/4/2017

13/5/2022

13/3/2025

CVE-2016-8735: Apache Tomcat Remote Code Execution Vulnerability

First published: Tue Nov 22 2016(Updated: )

Apache Tomcat contains an unspecified vulnerability that allows for remote code execution if JmxRemoteLifecycleListener is used and an attacker can reach Java Management Extension (JMX) ports. This CVE exists because this listener wasn't updated for consistency with the Oracle patched issues for CVE-2016-3427 which affected credential types.

Credit: security@apache.org security@apache.org security@apache.org

Affected Software	Affected Version	How to fix
redhat/tomcat	<6.0.48	6.0.48
redhat/tomcat	<7.0.73	7.0.73
redhat/tomcat	<8.0.39	8.0.39
redhat/tomcat	<8.5.8	8.5.8
maven/org.apache.tomcat:tomcat-catalina-jmx-remote	>=9.0.0.M1<9.0.0.M12	9.0.0.M12
maven/org.apache.tomcat:tomcat-catalina-jmx-remote	>=8.5.0<8.5.7	8.5.7
maven/org.apache.tomcat:tomcat-catalina-jmx-remote	>=8.0.0<8.0.39	8.0.39
maven/org.apache.tomcat:tomcat-catalina-jmx-remote	>=7.0.0<7.0.73	7.0.73
maven/org.apache.tomcat:tomcat-catalina-jmx-remote	<6.0.48	6.0.48
maven/org.apache.tomcat:tomcat-catalina	>=9.0.0.M1<9.0.0.M12	9.0.0.M12
maven/org.apache.tomcat:tomcat-catalina	>=8.5.0<8.5.7	8.5.7
maven/org.apache.tomcat:tomcat-catalina	>=8.0.0<8.0.39	8.0.39
maven/org.apache.tomcat:tomcat-catalina	>=7.0.0<7.0.73	7.0.73
maven/org.apache.tomcat:tomcat-catalina	<6.0.48	6.0.48
Tomcat
Tomcat	=6.0.0
Tomcat	=6.0.1
Tomcat	=6.0.2
Tomcat	=6.0.3
Tomcat	=6.0.4
Tomcat	=6.0.5
Tomcat	=6.0.6
Tomcat	=6.0.7
Tomcat	=6.0.8
Tomcat	=6.0.9
Tomcat	=6.0.10
Tomcat	=6.0.11
Tomcat	=6.0.12
Tomcat	=6.0.13
Tomcat	=6.0.14
Tomcat	=6.0.15
Tomcat	=6.0.16
Tomcat	=6.0.17
Tomcat	=6.0.18
Tomcat	=6.0.19
Tomcat	=6.0.20
Tomcat	=6.0.21
Tomcat	=6.0.22
Tomcat	=6.0.23
Tomcat	=6.0.24
Tomcat	=6.0.25
Tomcat	=6.0.26
Tomcat	=6.0.27
Tomcat	=6.0.28
Tomcat	=6.0.29
Tomcat	=6.0.30
Tomcat	=6.0.31
Tomcat	=6.0.32
Tomcat	=6.0.33
Tomcat	=6.0.34
Tomcat	=6.0.35
Tomcat	=6.0.36
Tomcat	=6.0.37
Tomcat	=6.0.38
Tomcat	=6.0.39
Tomcat	=6.0.40
Tomcat	=6.0.41
Tomcat	=6.0.42
Tomcat	=6.0.43
Tomcat	=6.0.44
Tomcat	=6.0.45
Tomcat	=6.0.46
Tomcat	=6.0.47
Tomcat	=7.0.0
Tomcat	=7.0.1
Tomcat	=7.0.2
Tomcat	=7.0.3
Tomcat	=7.0.4
Tomcat	=7.0.5
Tomcat	=7.0.6
Tomcat	=7.0.7
Tomcat	=7.0.8
Tomcat	=7.0.9
Tomcat	=7.0.10
Tomcat	=7.0.11
Tomcat	=7.0.12
Tomcat	=7.0.13
Tomcat	=7.0.14
Tomcat	=7.0.15
Tomcat	=7.0.16
Tomcat	=7.0.17
Tomcat	=7.0.18
Tomcat	=7.0.19
Tomcat	=7.0.20
Tomcat	=7.0.21
Tomcat	=7.0.22
Tomcat	=7.0.23
Tomcat	=7.0.24
Tomcat	=7.0.25
Tomcat	=7.0.26
Tomcat	=7.0.27
Tomcat	=7.0.28
Tomcat	=7.0.29
Tomcat	=7.0.30
Tomcat	=7.0.31
Tomcat	=7.0.32
Tomcat	=7.0.33
Tomcat	=7.0.34
Tomcat	=7.0.35
Tomcat	=7.0.36
Tomcat	=7.0.37
Tomcat	=7.0.38
Tomcat	=7.0.39
Tomcat	=7.0.40
Tomcat	=7.0.41
Tomcat	=7.0.42
Tomcat	=7.0.43
Tomcat	=7.0.44
Tomcat	=7.0.45
Tomcat	=7.0.46
Tomcat	=7.0.47
Tomcat	=7.0.48
Tomcat	=7.0.49
Tomcat	=7.0.50
Tomcat	=7.0.51
Tomcat	=7.0.52
Tomcat	=7.0.53
Tomcat	=7.0.54
Tomcat	=7.0.55
Tomcat	=7.0.56
Tomcat	=7.0.57
Tomcat	=7.0.58
Tomcat	=7.0.59
Tomcat	=7.0.60
Tomcat	=7.0.61
Tomcat	=7.0.62
Tomcat	=7.0.63
Tomcat	=7.0.64
Tomcat	=7.0.65
Tomcat	=7.0.66
Tomcat	=7.0.67
Tomcat	=7.0.68
Tomcat	=7.0.69
Tomcat	=7.0.70
Tomcat	=7.0.71
Tomcat	=7.0.72
Tomcat	=8.0.0
Tomcat	=8.0.1
Tomcat	=8.0.2
Tomcat	=8.0.3
Tomcat	=8.0.4
Tomcat	=8.0.5
Tomcat	=8.0.6
Tomcat	=8.0.7
Tomcat	=8.0.8
Tomcat	=8.0.9
Tomcat	=8.0.10
Tomcat	=8.0.11
Tomcat	=8.0.12
Tomcat	=8.0.13
Tomcat	=8.0.14
Tomcat	=8.0.15
Tomcat	=8.0.16
Tomcat	=8.0.17
Tomcat	=8.0.18
Tomcat	=8.0.19
Tomcat	=8.0.20
Tomcat	=8.0.21
Tomcat	=8.0.22
Tomcat	=8.0.23
Tomcat	=8.0.24
Tomcat	=8.0.25
Tomcat	=8.0.26
Tomcat	=8.0.27
Tomcat	=8.0.28
Tomcat	=8.0.29
Tomcat	=8.0.30
Tomcat	=8.0.31
Tomcat	=8.0.32
Tomcat	=8.0.33
Tomcat	=8.0.34
Tomcat	=8.0.35
Tomcat	=8.0.36
Tomcat	=8.0.37
Tomcat	=8.0.38
Tomcat	=8.5.0
Tomcat	=8.5.1
Tomcat	=8.5.2
Tomcat	=8.5.3
Tomcat	=8.5.4
Tomcat	=8.5.5
Tomcat	=8.5.6
Tomcat	=9.0.0-m1
Tomcat	=9.0.0-m10
Tomcat	=9.0.0-m11
Tomcat	=9.0.0-m2
Tomcat	=9.0.0-m3
Tomcat	=9.0.0-m4
Tomcat	=9.0.0-m5
Tomcat	=9.0.0-m6
Tomcat	=9.0.0-m7
Tomcat	=9.0.0-m8
Tomcat	=9.0.0-m9
debian/tomcat9		9.0.43-2~deb11u10 9.0.43-2~deb11u11 9.0.70-2 9.0.95-1
Tomcat	<6.0.48
Tomcat	>=7.0.0<7.0.73
Tomcat	>=8.0<8.0.39
Tomcat	>=8.5.0<8.5.7
Tomcat	=9.0.0
Tomcat	=9.0.0-milestone1
Tomcat	=9.0.0-milestone10
Tomcat	=9.0.0-milestone11
Tomcat	=9.0.0-milestone2
Tomcat	=9.0.0-milestone3
Tomcat	=9.0.0-milestone4
Tomcat	=9.0.0-milestone5
Tomcat	=9.0.0-milestone6
Tomcat	=9.0.0-milestone7
Tomcat	=9.0.0-milestone8
Tomcat	=9.0.0-milestone9
Ubuntu	=16.04
NetApp 7-Mode Transition Tool
NetApp OnCommand Insight
NetApp OnCommand Shift
NetApp Snap Creator Framework
Debian Linux	=8.0
Red Hat JBoss Enterprise Web Server	=3.0.0
Oracle Agile Engineering Data Management	=6.1.3
Oracle Agile Engineering Data Management	=6.2.0
Oracle Agile Engineering Data Management	=6.2.1.0
Oracle Agile Product Lifecycle Management Framework	=9.3.5
Oracle Agile Product Lifecycle Management Framework	=9.3.6
Oracle Communications Application Session Controller	=3.7.1
Oracle Communications Application Session Controller	=3.8.0
Oracle Communications Instant Messaging Server	=10.0.1
Oracle Communications Interactive Session Recorder	=6.0
Oracle Communications Interactive Session Recorder	=6.1
Oracle Communications Interactive Session Recorder	=6.2
Oracle Hospitality Guest Access	=4.2.0
Oracle Hospitality Guest Access	=4.2.1
Oracle Micros Relate Customer Relationship Management Software	=10.8
Oracle Micros Relate Customer Relationship Management Software	=11.4
Oracle MICROS Retail XBRi Loss Prevention	=10.0.1
Oracle MICROS Retail XBRi Loss Prevention	=10.5.0
Oracle MICROS Retail XBRi Loss Prevention	=10.6.0
Oracle MICROS Retail XBRi Loss Prevention	=10.7.7
Oracle MICROS Retail XBRi Loss Prevention	=10.8.0
Oracle MICROS Retail XBRi Loss Prevention	=10.8.1
MySQL Enterprise Monitor	<=3.2.8.2223
MySQL Enterprise Monitor	>=3.3.0<=3.3.4.3247
MySQL Enterprise Monitor	>=3.4.0<=3.4.2.4181
Oracle Retail Convenience Store Back Office	=2.1.132
Oracle Transportation Execution	=6.3.0
Oracle Transportation Execution	=6.3.1
Oracle Transportation Execution	=6.3.2
Oracle Transportation Execution	=6.3.3
Oracle Transportation Execution	=6.3.4
Oracle Transportation Execution	=6.3.5
Oracle Transportation Execution	=6.3.6
Oracle Transportation Execution	=6.3.7

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2016-8735?
CVE-2016-8735 has been rated as critical due to its potential for remote code execution.
How do I fix CVE-2016-8735?
To mitigate CVE-2016-8735, upgrade Apache Tomcat to version 6.0.48 or later, or apply necessary security patches.
What versions of Apache Tomcat are affected by CVE-2016-8735?
CVE-2016-8735 affects Apache Tomcat versions from 6.0.0 to 6.0.47, as well as multiple versions of 7.x, 8.x, and 9.x.
What is the attack vector for CVE-2016-8735?
The attack vector for CVE-2016-8735 involves an attacker gaining access to JMX ports exposed by the JmxRemoteLifecycleListener.
What kind of vulnerabilities are associated with CVE-2016-8735?
CVE-2016-8735 is associated with remote code execution vulnerabilities related to improper handling of management extensions in Apache Tomcat.

agent/type
agent/first-publish-date
collector/launchpad-cve
source/Launchpad
agent/weakness
agent/title
agent/author
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2016-8735
agent/software-canonical-lookup
collector/github-advisory-latest
source/GitHub
alias/GHSA-cw54-59pw-4g8c
agent/severity
collector/github-advisory
agent/remedy
agent/references
agent/trending
agent/source
collector/mitre-cve
source/MITRE
collector/usn-cve
source/Ubuntu
agent/description
agent/event
exploited/true
collector/cisa-known-exploited
source/CISA
agent/software-canonical-lookup-request
collector/nvd-index
collector/security-tracker-debian
source/Debian
agent/last-modified-date
collector/nvd-api
source/NVD
agent/softwarecombine
agent/tags
collector/nvd-cve
package-manager/redhat
package-manager/maven
vendor/apache
canonical/tomcat
version/tomcat/6.0.0
version/tomcat/6.0.1
version/tomcat/6.0.2
version/tomcat/6.0.3
version/tomcat/6.0.4
version/tomcat/6.0.5
version/tomcat/6.0.6
version/tomcat/6.0.7
version/tomcat/6.0.8
version/tomcat/6.0.9
version/tomcat/6.0.10
version/tomcat/6.0.11
version/tomcat/6.0.12
version/tomcat/6.0.13
version/tomcat/6.0.14
version/tomcat/6.0.15
version/tomcat/6.0.16
version/tomcat/6.0.17
version/tomcat/6.0.18
version/tomcat/6.0.19
version/tomcat/6.0.20
version/tomcat/6.0.21
version/tomcat/6.0.22
version/tomcat/6.0.23
version/tomcat/6.0.24
version/tomcat/6.0.25
version/tomcat/6.0.26
version/tomcat/6.0.27
version/tomcat/6.0.28
version/tomcat/6.0.29
version/tomcat/6.0.30
version/tomcat/6.0.31
version/tomcat/6.0.32
version/tomcat/6.0.33
version/tomcat/6.0.34
version/tomcat/6.0.35
version/tomcat/6.0.36
version/tomcat/6.0.37
version/tomcat/6.0.38
version/tomcat/6.0.39
version/tomcat/6.0.40
version/tomcat/6.0.41
version/tomcat/6.0.42
version/tomcat/6.0.43
version/tomcat/6.0.44
version/tomcat/6.0.45
version/tomcat/6.0.46
version/tomcat/6.0.47
version/tomcat/7.0.0
version/tomcat/7.0.1
version/tomcat/7.0.2
version/tomcat/7.0.3
version/tomcat/7.0.4
version/tomcat/7.0.5
version/tomcat/7.0.6
version/tomcat/7.0.7
version/tomcat/7.0.8
version/tomcat/7.0.9
version/tomcat/7.0.10
version/tomcat/7.0.11
version/tomcat/7.0.12
version/tomcat/7.0.13
version/tomcat/7.0.14
version/tomcat/7.0.15
version/tomcat/7.0.16
version/tomcat/7.0.17
version/tomcat/7.0.18
version/tomcat/7.0.19
version/tomcat/7.0.20
version/tomcat/7.0.21
version/tomcat/7.0.22
version/tomcat/7.0.23
version/tomcat/7.0.24
version/tomcat/7.0.25
version/tomcat/7.0.26
version/tomcat/7.0.27
version/tomcat/7.0.28
version/tomcat/7.0.29
version/tomcat/7.0.30
version/tomcat/7.0.31
version/tomcat/7.0.32
version/tomcat/7.0.33
version/tomcat/7.0.34
version/tomcat/7.0.35
version/tomcat/7.0.36
version/tomcat/7.0.37
version/tomcat/7.0.38
version/tomcat/7.0.39
version/tomcat/7.0.40
version/tomcat/7.0.41
version/tomcat/7.0.42
version/tomcat/7.0.43
version/tomcat/7.0.44
version/tomcat/7.0.45
version/tomcat/7.0.46
version/tomcat/7.0.47
version/tomcat/7.0.48
version/tomcat/7.0.49
version/tomcat/7.0.50
version/tomcat/7.0.51
version/tomcat/7.0.52
version/tomcat/7.0.53
version/tomcat/7.0.54
version/tomcat/7.0.55
version/tomcat/7.0.56
version/tomcat/7.0.57
version/tomcat/7.0.58
version/tomcat/7.0.59
version/tomcat/7.0.60
version/tomcat/7.0.61
version/tomcat/7.0.62
version/tomcat/7.0.63
version/tomcat/7.0.64
version/tomcat/7.0.65
version/tomcat/7.0.66
version/tomcat/7.0.67
version/tomcat/7.0.68
version/tomcat/7.0.69
version/tomcat/7.0.70
version/tomcat/7.0.71
version/tomcat/7.0.72
version/tomcat/8.0.0
version/tomcat/8.0.1
version/tomcat/8.0.2
version/tomcat/8.0.3
version/tomcat/8.0.4
version/tomcat/8.0.5
version/tomcat/8.0.6
version/tomcat/8.0.7
version/tomcat/8.0.8
version/tomcat/8.0.9
version/tomcat/8.0.10
version/tomcat/8.0.11
version/tomcat/8.0.12
version/tomcat/8.0.13
version/tomcat/8.0.14
version/tomcat/8.0.15
version/tomcat/8.0.16
version/tomcat/8.0.17
version/tomcat/8.0.18
version/tomcat/8.0.19
version/tomcat/8.0.20
version/tomcat/8.0.21
version/tomcat/8.0.22
version/tomcat/8.0.23
version/tomcat/8.0.24
version/tomcat/8.0.25
version/tomcat/8.0.26
version/tomcat/8.0.27
version/tomcat/8.0.28
version/tomcat/8.0.29
version/tomcat/8.0.30
version/tomcat/8.0.31
version/tomcat/8.0.32
version/tomcat/8.0.33
version/tomcat/8.0.34
version/tomcat/8.0.35
version/tomcat/8.0.36
version/tomcat/8.0.37
version/tomcat/8.0.38
version/tomcat/8.5.0
version/tomcat/8.5.1
version/tomcat/8.5.2
version/tomcat/8.5.3
version/tomcat/8.5.4
version/tomcat/8.5.5
version/tomcat/8.5.6
version/tomcat/9.0.0-m1
version/tomcat/9.0.0-m10
version/tomcat/9.0.0-m11
version/tomcat/9.0.0-m2
version/tomcat/9.0.0-m3
version/tomcat/9.0.0-m4
version/tomcat/9.0.0-m5
version/tomcat/9.0.0-m6
version/tomcat/9.0.0-m7
version/tomcat/9.0.0-m8
version/tomcat/9.0.0-m9
package-manager/debian
version/tomcat/8.0
version/tomcat/9.0.0
version/tomcat/9.0.0-milestone1
version/tomcat/9.0.0-milestone10
version/tomcat/9.0.0-milestone11
version/tomcat/9.0.0-milestone2
version/tomcat/9.0.0-milestone3
version/tomcat/9.0.0-milestone4
version/tomcat/9.0.0-milestone5
version/tomcat/9.0.0-milestone6
version/tomcat/9.0.0-milestone7
version/tomcat/9.0.0-milestone8
version/tomcat/9.0.0-milestone9
vendor/canonical
canonical/ubuntu
version/ubuntu/16.04
vendor/netapp
canonical/netapp 7-mode transition tool
canonical/netapp oncommand insight
canonical/netapp oncommand shift
canonical/netapp snap creator framework
vendor/debian
canonical/debian linux
version/debian linux/8.0
vendor/redhat
canonical/red hat jboss enterprise web server
version/red hat jboss enterprise web server/3.0.0
vendor/oracle
canonical/oracle agile engineering data management
version/oracle agile engineering data management/6.1.3
version/oracle agile engineering data management/6.2.0
version/oracle agile engineering data management/6.2.1.0
canonical/oracle agile product lifecycle management framework
version/oracle agile product lifecycle management framework/9.3.5
version/oracle agile product lifecycle management framework/9.3.6
canonical/oracle communications application session controller
version/oracle communications application session controller/3.7.1
version/oracle communications application session controller/3.8.0
canonical/oracle communications instant messaging server
version/oracle communications instant messaging server/10.0.1
canonical/oracle communications interactive session recorder
version/oracle communications interactive session recorder/6.0
version/oracle communications interactive session recorder/6.1
version/oracle communications interactive session recorder/6.2
canonical/oracle hospitality guest access
version/oracle hospitality guest access/4.2.0
version/oracle hospitality guest access/4.2.1
canonical/oracle micros relate customer relationship management software
version/oracle micros relate customer relationship management software/10.8
version/oracle micros relate customer relationship management software/11.4
canonical/oracle micros retail xbri loss prevention
version/oracle micros retail xbri loss prevention/10.0.1
version/oracle micros retail xbri loss prevention/10.5.0
version/oracle micros retail xbri loss prevention/10.6.0
version/oracle micros retail xbri loss prevention/10.7.7
version/oracle micros retail xbri loss prevention/10.8.0
version/oracle micros retail xbri loss prevention/10.8.1
canonical/mysql enterprise monitor
version/mysql enterprise monitor/3.2.8.2223
version/mysql enterprise monitor/3.3.0
version/mysql enterprise monitor/3.3.4.3247
version/mysql enterprise monitor/3.4.0
version/mysql enterprise monitor/3.4.2.4181
canonical/oracle retail convenience store back office
version/oracle retail convenience store back office/2.1.132
canonical/oracle transportation execution
version/oracle transportation execution/6.3.0
version/oracle transportation execution/6.3.1
version/oracle transportation execution/6.3.2
version/oracle transportation execution/6.3.3
version/oracle transportation execution/6.3.4
version/oracle transportation execution/6.3.5
version/oracle transportation execution/6.3.6
version/oracle transportation execution/6.3.7

CVE-2016-8735: Apache Tomcat Remote Code Execution Vulnerability

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2016-8735?

How do I fix CVE-2016-8735?

What versions of Apache Tomcat are affected by CVE-2016-8735?

What is the attack vector for CVE-2016-8735?

What kind of vulnerabilities are associated with CVE-2016-8735?

Company

Resources

Contact