CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2016-8735

CVSS 9.8v3.1pub. 2017-04-06upd. 2026-04-21

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Tomcat

    APP
    Apache
    9.0.0< 6.0.487.0.0 – 7.0.73 (bez)8.0 – 8.0.39 (bez)8.5.0 – 8.5.7 (bez)
  • Canonical Ubuntu

    OS
    Canonical
    16.04
  • Debian

    OS
    Debian
    8.0
  • Netapp 7 Mode Transition Tool

    APP
    Netapp
    wszystkie wersje
  • Netapp Oncommand Insight

    APP
    Netapp
    wszystkie wersje
  • Netapp Oncommand Shift

    APP
    Netapp
    wszystkie wersje
  • Netapp Snap Creator Framework

    APP
    Netapp
    wszystkie wersje
  • Oracle Agile Engineering Data Management

    APP
    Oracle
    6.1.36.2.06.2.1.0
  • Oracle Agile Plm

    APP
    Oracle
    9.3.59.3.6
  • Oracle Communications Application Session Controller

    APP
    Oracle
    3.7.13.8.0
  • Oracle Communications Instant Messaging Server

    APP
    Oracle
    10.0.1
  • Oracle Communications Interactive Session Recorder

    APP
    Oracle
    6.06.16.2
  • Oracle Hospitality Guest Access

    APP
    Oracle
    4.2.04.2.1
  • Oracle Micros Relate Crm Software

    APP
    Oracle
    10.811.4
  • Oracle Micros Retail Xbri Loss Prevention

    APP
    Oracle
    10.0.110.5.010.6.010.7.710.8.010.8.1
  • Oracle MySQL Enterprise Monitor

    APP
    Oracle
    3.3.0 – 3.3.4.3247≤ 3.2.8.22233.4.0 – 3.4.2.4181
  • Oracle Retail Convenience And Fuel Pos Software

    APP
    Oracle
    2.1.132
  • Oracle Transportation Management

    APP
    Oracle
    6.3.06.3.16.3.26.3.36.3.46.3.56.3.66.3.7
  • Red Hat Jboss Enterprise Web Server

    APP
    Redhat
    3.0.0

CISA KEV — detailsi

Vendori
Apache
Producti
Tomcat
Added to KEVi
May 12, 2023
Remediation deadline (US Federal)i
June 2, 2023(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

Apache Tomcat contains an unspecified vulnerability that allows for remote code execution if JmxRemoteLifecycleListener is used and an attacker can reach Java Management Extension (JMX) ports. This CVE exists because this listener wasn't updated for consistency with the Oracle patched issues for CVE-2016-3427 which affected credential types.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 2 czerwca 2023
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2026-24061CRITICAL9.8⚠ KEVPL ✓ten sam produkt

GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER

CVE-2025-32463CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)

CVE-2025-49113CRITICAL9.9⚠ KEVPL ✓ten sam produkt

RCE przez deserializację PHP w Roundcube Webmail (parametr _from)

CVE-2025-32433CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)

CVE-2025-24201CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki