Critical severity 9.8 · CISA KEV · NVD Advisory · Published Apr 6, 2017 · Updated Jun 17, 2026
CVE-2016-8735
Description
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.tomcat:tomcat-catalina-jmx-remote (Maven) | < 6.0.48 | 6.0.48 |
| org.apache.tomcat:tomcat-catalina-jmx-remote (Maven) | >= 7.0.0, < 7.0.73 | 7.0.73 |
| org.apache.tomcat:tomcat-catalina-jmx-remote (Maven) | >= 8.0.0, < 8.0.39 | 8.0.39 |
| org.apache.tomcat:tomcat-catalina-jmx-remote (Maven) | >= 8.5.0, < 8.5.7 | 8.5.7 |
| org.apache.tomcat:tomcat-catalina-jmx-remote (Maven) | >= 9.0.0.M1, < 9.0.0.M12 | 9.0.0.M12 |
| org.apache.tomcat:tomcat-catalina (Maven) | < 6.0.48 | 6.0.48 |
| org.apache.tomcat:tomcat-catalina (Maven) | >= 7.0.0, < 7.0.73 | 7.0.73 |
| org.apache.tomcat:tomcat-catalina (Maven) | >= 8.0.0, < 8.0.39 | 8.0.39 |
| org.apache.tomcat:tomcat-catalina (Maven) | >= 8.5.0, < 8.5.7 | 8.5.7 |
| org.apache.tomcat:tomcat-catalina (Maven) | >= 9.0.0.M1, < 9.0.0.M12 | 9.0.0.M12 |
Affected products (65)
- cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* (range: < 6.0.48)
- cpe:2.3:a:apache:tomcat:9.0.0:-:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*
- cpe:2.3:a:netapp:7-mode_transition_tool:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:oncommand_shift:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_engineering_data_management:6.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_engineering_data_management:6.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_application_session_controller:3.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_application_session_controller:3.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_interactive_session_recorder:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_interactive_session_recorder:6.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_interactive_session_recorder:6.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:micros_relate_crm_software:10.8:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:micros_relate_crm_software:11.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.7.7:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* (range: <= 3.2.8.2223)
- cpe:2.3:a:oracle:retail_convenience_and_fuel_pos_software:2.1.132:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:transportation_management:6.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:transportation_management:6.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:transportation_management:6.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:transportation_management:6.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:transportation_management:6.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:transportation_management:6.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:transportation_management:6.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:transportation_management:6.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_web_server:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
- ghsa-coords (14 versions, no CPE):
  - pkg:maven/org.apache.tomcat/tomcat-catalina (range: < 6.0.48)
  - pkg:maven/org.apache.tomcat/tomcat-catalina-jmx-remote (range: < 6.0.48)
  - pkg:rpm/suse/tomcat6&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3 (range: < 6.0.53-0.56.1)
  - pkg:rpm/suse/tomcat6&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP3-LTSS (range: < 6.0.53-0.56.1)
  - pkg:rpm/suse/tomcat6&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP3-TERADATA (range: < 6.0.53-0.56.1)
  - pkg:rpm/suse/tomcat6&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4 (range: < 6.0.53-0.56.1)
  - pkg:rpm/suse/tomcat6&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4 (range: < 6.0.53-0.56.1)
  - pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1 (range: < 8.0.32-10.13.2)
  - pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2 (range: < 8.0.36-17.1)
  - pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSS (range: < 7.0.78-7.13.4)
  - pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20Raspberry%20Pi%2012%20SP2 (range: < 8.0.36-17.1)
  - pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012 (range: < 7.0.78-7.13.4)
  - pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1 (range: < 8.0.32-10.13.2)
  - pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2 (range: < 8.0.36-17.1)
References (61)
- svn.apache.org/viewvc (nvd: Broken Link, Patch, WEB)
- svn.apache.org/viewvc (nvd: Broken Link, Patch, WEB)
- svn.apache.org/viewvc (nvd: Broken Link, Patch, WEB)
- svn.apache.org/viewvc (nvd: Broken Link, Patch, WEB)
- www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html (nvd: Patch, Third Party Advisory, WEB)
- www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html (nvd: Patch, Third Party Advisory, WEB)
- www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html (nvd: Patch, Third Party Advisory, WEB)
- lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E (nvd: Mailing List, Patch, WEB)
- lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E (nvd: Mailing List, Patch, WEB)
- lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E (nvd: Mailing List, Patch, WEB)
- lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E (nvd: Mailing List, Patch, WEB)
- lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E (nvd: Mailing List, Patch, WEB)
- lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E (nvd: Mailing List, Patch, WEB)
- lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E (nvd: Mailing List, Patch, WEB)
- lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E (nvd: Mailing List, Patch, WEB)
- lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E (nvd: Mailing List, Patch, WEB)
- lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E (nvd: Mailing List, Patch, WEB)
- lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E (nvd: Mailing List, Patch, WEB)
- lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E (nvd: Mailing List, Patch, WEB)
- lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E (nvd: Mailing List, Patch, WEB)
- lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E (nvd: Mailing List, Patch, WEB)
- www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html (nvd: Patch, Third Party Advisory, WEB)
- www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html (nvd: Patch, Third Party Advisory, WEB)
- rhn.redhat.com/errata/RHSA-2017-0457.html (nvd: Third Party Advisory, WEB)
- seclists.org/oss-sec/2016/q4/502 (nvd: Mailing List, Mitigation, Third Party Advisory, WEB)
- tomcat.apache.org/security-6.html (nvd: Release Notes, Vendor Advisory, WEB)
- tomcat.apache.org/security-7.html (nvd: Release Notes, Vendor Advisory, WEB)
- tomcat.apache.org/security-8.html (nvd: Release Notes, Vendor Advisory, WEB)
- tomcat.apache.org/security-9.html (nvd: Release Notes, Vendor Advisory, WEB)
- www.debian.org/security/2016/dsa-3738 (nvd: Mailing List, Third Party Advisory, WEB)
- www.securityfocus.com/bid/94463 (nvd: Broken Link, Third Party Advisory, VDB Entry, WEB)
- www.securitytracker.com/id/1037331 (nvd: Broken Link, Third Party Advisory, VDB Entry, WEB)
- access.redhat.com/errata/RHSA-2017:0455 (nvd: Third Party Advisory, WEB)
- access.redhat.com/errata/RHSA-2017:0456 (nvd: Third Party Advisory, WEB)
- github.com/advisories/GHSA-cw54-59pw-4g8c (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2016-8735 (ghsa: ADVISORY)
- security.netapp.com/advisory/ntap-20180607-0001/ (nvd: Third Party Advisory)
- usn.ubuntu.com/4557-1/ (nvd: Third Party Advisory)
- github.com/apache/tomcat/commit/0e83ad3e547fc9a75a258799ef581249b40a82a6 (ghsa: WEB)
- github.com/apache/tomcat/commit/292d6ccdc9edbf80859929b0af070b2ea99fa688 (ghsa: WEB)
- github.com/apache/tomcat/commit/7e3a037055cca4a17e90b49399fb1bab4dd7c821 (ghsa: WEB)
- github.com/apache/tomcat80/commit/0f76016a4ec45635e450ada9c84ff7ee0c5f3799 (ghsa: WEB)
- lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- security.netapp.com/advisory/ntap-20180607-0001 (ghsa: WEB)
- usn.ubuntu.com/4557-1 (ghsa: WEB)
- web.archive.org/web/20170423095340/http://www.securityfocus.com/bid/94463 (ghsa: WEB)
- web.archive.org/web/20170928203901/http://www.securitytracker.com/id/1037331 (ghsa: WEB)
- www.cisa.gov/known-exploited-vulnerabilities-catalog (nvd: US Government Resource, WEB)