CVE-2016-8735

Known Exploited (CISA KEV)CRITICAL

9.8

CVSS Severity Score

EPSS Score43.3920%

EPSS Percentile96.52th

PublishedApr 6, 2017

Last ModifiedApr 21, 2026

Vulnerability Description

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

Affected Platforms (CPE)

📦

Apache

Tomcat

< 6.0.48

📦

Apache

Tomcat

>= 7.0.0 and < 7.0.73

📦

Apache

Tomcat

>= 8.0 and < 8.0.39

📦

Apache

Tomcat

>= 8.5.0 and < 8.5.7

📦

Apache

Tomcat

= 9.0.0

📦

Apache

Tomcat

= 9.0.0

📦

Apache

Tomcat

= 9.0.0

📦

Apache

Tomcat

= 9.0.0

📦

Apache

Tomcat

= 9.0.0

📦

Apache

Tomcat

= 9.0.0

📦

Apache

Tomcat

= 9.0.0

📦

Apache

Tomcat

= 9.0.0

📦

Apache

Tomcat

= 9.0.0

📦

Apache

Tomcat

= 9.0.0

📦

Apache

Tomcat

= 9.0.0

📦

Apache

Tomcat

= 9.0.0

💻

Canonical

Ubuntu Linux

= 16.04

📦

Netapp

7 Mode Transition Tool

All versions

📦

Netapp

Oncommand Insight

All versions

📦

Netapp

Oncommand Shift

All versions

📦

Netapp

Snap Creator Framework

All versions

💻

Debian

Debian Linux

= 8.0

📦

Redhat

Jboss Enterprise Web Server

= 3.0.0

📦

Oracle

Agile Engineering Data Management

= 6.1.3

📦

Oracle

Agile Engineering Data Management

= 6.2.0

📦

Oracle

Agile Engineering Data Management

= 6.2.1.0

📦

Oracle

Agile Plm

= 9.3.5

📦

Oracle

Agile Plm

= 9.3.6

📦

Oracle

Communications Application Session Controller

= 3.7.1

📦

Oracle

Communications Application Session Controller

= 3.8.0

📦

Oracle

Communications Instant Messaging Server

= 10.0.1

📦

Oracle

Communications Interactive Session Recorder

= 6.0

📦

Oracle

Communications Interactive Session Recorder

= 6.1

📦

Oracle

Communications Interactive Session Recorder

= 6.2

📦

Oracle

Hospitality Guest Access

= 4.2.0

📦

Oracle

Hospitality Guest Access

= 4.2.1

📦

Oracle

Micros Relate Crm Software

= 10.8

📦

Oracle

Micros Relate Crm Software

= 11.4

📦

Oracle

Micros Retail Xbri Loss Prevention

= 10.0.1

📦

Oracle

Micros Retail Xbri Loss Prevention

= 10.5.0

📦

Oracle

Micros Retail Xbri Loss Prevention

= 10.6.0

📦

Oracle

Micros Retail Xbri Loss Prevention

= 10.7.7

📦

Oracle

Micros Retail Xbri Loss Prevention

= 10.8.0

📦

Oracle

Micros Retail Xbri Loss Prevention

= 10.8.1

📦

Oracle

Mysql Enterprise Monitor

<= 3.2.8.2223

📦

Oracle

Mysql Enterprise Monitor

>= 3.3.0 and <= 3.3.4.3247

📦

Oracle

Mysql Enterprise Monitor

>= 3.4.0 and <= 3.4.2.4181

📦

Oracle

Retail Convenience And Fuel Pos Software

= 2.1.132

📦

Oracle

Transportation Management

= 6.3.0

📦

Oracle

Transportation Management

= 6.3.1

📦

Oracle

Transportation Management

= 6.3.2

📦

Oracle

Transportation Management

= 6.3.3

📦

Oracle

Transportation Management

= 6.3.4

📦

Oracle

Transportation Management

= 6.3.5

📦

Oracle

Transportation Management

= 6.3.6

📦

Oracle

Transportation Management

= 6.3.7

References & Advisories

🔗 http://rhn.redhat.com/errata/RHSA-2017-0457.html

🔗 http://seclists.org/oss-sec/2016/q4/502

🔗 http://svn.apache.org/viewvc?view=revision&revision=1767644

🔗 http://svn.apache.org/viewvc?view=revision&revision=1767656

🔗 http://svn.apache.org/viewvc?view=revision&revision=1767676

🔗 http://svn.apache.org/viewvc?view=revision&revision=1767684

🔗 http://tomcat.apache.org/security-6.html

🔗 http://tomcat.apache.org/security-7.html

Vulnerability Description

Affected Platforms (CPE)

Tomcat

Tomcat

Tomcat

Tomcat

Tomcat

Tomcat

Tomcat

Tomcat

Tomcat

Tomcat

Tomcat

Tomcat

Tomcat

Tomcat

Tomcat

Tomcat

Ubuntu Linux

7 Mode Transition Tool

Oncommand Insight

Oncommand Shift

Snap Creator Framework

Debian Linux

Jboss Enterprise Web Server

Agile Engineering Data Management

Agile Engineering Data Management

Agile Engineering Data Management

Agile Plm

Agile Plm

Communications Application Session Controller

Communications Application Session Controller

Communications Instant Messaging Server

Communications Interactive Session Recorder

Communications Interactive Session Recorder

Communications Interactive Session Recorder

Hospitality Guest Access

Hospitality Guest Access

Micros Relate Crm Software

Micros Relate Crm Software

Micros Retail Xbri Loss Prevention

Micros Retail Xbri Loss Prevention

Micros Retail Xbri Loss Prevention

Micros Retail Xbri Loss Prevention

Micros Retail Xbri Loss Prevention

Micros Retail Xbri Loss Prevention

Mysql Enterprise Monitor

Mysql Enterprise Monitor

Mysql Enterprise Monitor

Retail Convenience And Fuel Pos Software

Transportation Management

Transportation Management

Transportation Management

Transportation Management

Transportation Management

Transportation Management

Transportation Management

Transportation Management

References & Advisories

Related Vulnerabilities