CVE-2016-8735
Remote Code Execution vulnerability in tomcat-catalina-jmx-remote (Maven)

Tags: Remote Code Execution | High confidence exploit | Fixable by Resolved Security

What is CVE-2016-8735 About?

Apache Tomcat versions before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 are vulnerable to remote code execution when JmxRemoteLifecycleListener is enabled and JMX ports are reachable. This flaw stems from an incomplete patch for CVE-2016-3427, allowing attackers to execute arbitrary code. Exploitation is relatively easy if the JMX ports are exposed and accessible.

Affected Software

  • org.apache.tomcat:tomcat-catalina-jmx-remote
    • >8.0.0, <8.0.39
    • >8.5.0, <8.5.7
    • >7.0.0, <7.0.73
    • <6.0.48
    • >9.0.0.M1, <9.0.0.M12
  • org.apache.tomcat:tomcat-catalina
    • >8.0.0, <8.0.39
    • >8.5.0, <8.5.7
    • >7.0.0, <7.0.73
    • <6.0.48
    • >9.0.0.M1, <9.0.0.M12
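The version ranges above are awkward to check by eye because Tomcat 9 milestones (9.0.0.M1 ... 9.0.0.M12) do not sort as plain dotted numbers. The following audit script is an added example, not part of this advisory or of Apache Tomcat: it encodes the ranges exactly as the page lists them (exclusive lower bounds included), orders milestone builds below the final release of the same number, and scans a Maven POM for the two affected artifacts. The sample POM is constructed for the example; versions supplied through Maven properties (`${...}`) are skipped and must be resolved from the effective POM.

```python
"""Audit Maven dependencies against the CVE-2016-8735 affected-version ranges."""
import re
import xml.etree.ElementTree as ET

AFFECTED_GROUP = "org.apache.tomcat"
AFFECTED_ARTIFACTS = {"tomcat-catalina-jmx-remote", "tomcat-catalina"}

# (exclusive lower bound or None, exclusive upper bound, first fixed version),
# transcribed from the advisory's "Affected Software" list.
AFFECTED_RANGES = [
    (None, "6.0.48", "6.0.48"),
    ("7.0.0", "7.0.73", "7.0.73"),
    ("8.0.0", "8.0.39", "8.0.39"),
    ("8.5.0", "8.5.7", "8.5.7"),
    ("9.0.0.M1", "9.0.0.M12", "9.0.0.M12"),
]


def parse_version(version):
    """Turn '8.5.7' or '9.0.0.M12' into a comparable tuple.

    Milestones sort below the final release with the same number,
    so 9.0.0.M1 < 9.0.0.M12 < 9.0.0.
    """
    numeric = []
    pre = (1, 0)  # marker for a final (non-milestone) release
    for part in version.strip().split("."):
        milestone = re.fullmatch(r"M(\d+)", part)
        if milestone:
            pre = (0, int(milestone.group(1)))
        elif part.isdigit():
            numeric.append(int(part))
        else:
            raise ValueError(f"unrecognised component {part!r} in {version!r}")
    while len(numeric) < 3:
        numeric.append(0)
    return tuple(numeric) + pre


def matching_range(version):
    """Return the first fixed version if `version` falls in an affected range, else None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if (low is None or parse_version(low) < v) and v < parse_version(high):
            return fixed
    return None


def audit_pom(pom_xml):
    """Return (group:artifact, version, fixed_version) for each vulnerable dependency."""
    root = ET.fromstring(pom_xml)
    findings = []
    for dep in root.iter():
        if dep.tag.split("}")[-1] != "dependency":  # strip the POM namespace, if any
            continue
        fields = {c.tag.split("}")[-1]: (c.text or "").strip() for c in dep}
        if fields.get("groupId") != AFFECTED_GROUP:
            continue
        if fields.get("artifactId") not in AFFECTED_ARTIFACTS:
            continue
        version = fields.get("version", "")
        if not version or version.startswith("${"):
            continue  # property-managed version: resolve via the effective POM instead
        fixed = matching_range(version)
        if fixed:
            findings.append((f"{AFFECTED_GROUP}:{fields['artifactId']}", version, fixed))
    return findings


# Constructed sample POM for the example (not from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.tomcat</groupId>
      <artifactId>tomcat-catalina</artifactId>
      <version>8.5.4</version>
    </dependency>
    <dependency>
      <groupId>org.apache.tomcat</groupId>
      <artifactId>tomcat-catalina-jmx-remote</artifactId>
      <version>8.5.7</version>
    </dependency>
    <dependency>
      <groupId>org.apache.tomcat</groupId>
      <artifactId>tomcat-jdbc</artifactId>
      <version>8.5.4</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for coordinate, version, fixed in audit_pom(SAMPLE_POM):
        print(f"{coordinate} {version} is affected by CVE-2016-8735; upgrade to {fixed}")
```

Run on a real project by reading `pom.xml` into `audit_pom`; for multi-module builds, feed it the output of `mvn help:effective-pom` so inherited and property-managed versions are resolved first.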

Technical Details

This remote code execution (RCE) vulnerability in Apache Tomcat affects versions prior to 6.0.48, 7.0.73, 8.0.39, 8.5.7, and 9.0.0.M12. It occurs only when the JmxRemoteLifecycleListener is configured and enabled and the JMX ports are accessible to attackers. The issue originates from an incomplete update following the patch for CVE-2016-3427, which addressed credential type consistency in Oracle products that use JMX. Tomcat's JmxRemoteLifecycleListener does not properly validate or handle certain JMX credential types, or allows an authentication bypass. An attacker with network access to the JMX RMI ports can leverage this weakness to invoke arbitrary methods, upload malicious MBeans, and ultimately achieve remote code execution on the underlying server. This bypasses the intended security controls for JMX authentication, enabling full system compromise.

What is the Impact of CVE-2016-8735?

Successful exploitation may allow attackers to execute arbitrary code on the server, gain full control of the system, install malware, steal sensitive data, and disrupt services.

What is the Exploitability of CVE-2016-8735?

Exploitation of this remote code execution vulnerability is highly likely if specific conditions are met. The complexity is moderate, requiring an understanding of JMX protocols and MBean deployment. The primary prerequisites are that the JmxRemoteLifecycleListener must be enabled in the Tomcat configuration, and the JMX ports must be remotely accessible, typically TCP port 1099 and a dynamically allocated RMI port. Authentication is technically required for JMX, but this vulnerability essentially allows a bypass or the use of weak credentials, making the authentication requirement effectively negligible for a determined attacker. The attack is remote: an attacker does not need local access. Risk factors that increase exploitability include firewall rules that fail to block JMX ports from external networks and default or weak JMX credentials if authentication is still nominally in place. Already published exploits for similar JMX vulnerabilities further lower the barrier to entry.
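The preconditions in the paragraph above (listener enabled, JMX/RMI ports reachable, authentication weak or absent) can be checked from configuration before an upgrade window. The following script is an added example, not part of this advisory or of Apache Tomcat: it reads a `server.xml` and reports any `JmxRemoteLifecycleListener` together with its registry and server ports and whether it is restricted to local ports, and it scans a `CATALINA_OPTS` string for the JDK's `com.sun.management.jmxremote.*` properties. The attribute names `rmiRegistryPortPlatform`, `rmiServerPortPlatform` and `useLocalPorts` are the listener's documented configuration attributes; the sample configuration and option strings are constructed for the example.

```python
"""Audit Tomcat configuration for the CVE-2016-8735 exposure preconditions."""
import shlex
import xml.etree.ElementTree as ET

JMX_LISTENER = "org.apache.catalina.mbeans.JmxRemoteLifecycleListener"


def audit_server_xml(server_xml):
    """Return a finding dict if the JMX remote listener is enabled, else None.

    A listener that is commented out is ignored by the XML parser, which
    matches what Tomcat itself would load.
    """
    root = ET.fromstring(server_xml)
    for listener in root.iter("Listener"):
        if listener.get("className") != JMX_LISTENER:
            continue
        # Documented listener attributes; the server port is dynamic when unset.
        registry_port = listener.get("rmiRegistryPortPlatform")
        server_port = listener.get("rmiServerPortPlatform") or "dynamic"
        local_only = listener.get("useLocalPorts", "false").lower() == "true"
        recommendations = ["upgrade Tomcat to a fixed release (6.0.48/7.0.73/8.0.39/8.5.7/9.0.0.M12)"]
        if not local_only:
            recommendations.append(
                f"restrict TCP {registry_port} and the RMI server port ({server_port}) "
                "at the firewall, or set useLocalPorts=\"true\""
            )
        return {
            "listener_enabled": True,
            "registry_port": registry_port,
            "server_port": server_port,
            "local_only": local_only,
            "recommendations": recommendations,
        }
    return None


def audit_catalina_opts(opts):
    """Return weak-setting findings from a CATALINA_OPTS/JAVA_OPTS string."""
    props = {}
    for token in shlex.split(opts):
        if token.startswith("-D") and "=" in token:
            key, value = token[2:].split("=", 1)
            props[key] = value
    findings = []
    if "com.sun.management.jmxremote.port" in props:
        findings.append("JDK JMX agent listening on port "
                        + props["com.sun.management.jmxremote.port"])
    if props.get("com.sun.management.jmxremote.authenticate", "true").lower() == "false":
        findings.append("JMX authentication disabled")
    if props.get("com.sun.management.jmxremote.ssl", "true").lower() == "false":
        findings.append("JMX transport not protected by SSL/TLS")
    return findings


# Constructed sample inputs for the example.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" />
  <Service name="Catalina" />
</Server>"""

SAMPLE_SERVER_XML_CLEAN = """<Server port="8005" shutdown="SHUTDOWN">
  <!-- <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="10001" /> -->
  <Service name="Catalina" />
</Server>"""

SAMPLE_OPTS = ("-Dcom.sun.management.jmxremote.port=1099 "
               "-Dcom.sun.management.jmxremote.authenticate=false "
               "-Dcom.sun.management.jmxremote.ssl=false -Xmx1g")

if __name__ == "__main__":
    print(audit_server_xml(SAMPLE_SERVER_XML))
    print(audit_server_xml(SAMPLE_SERVER_XML_CLEAN))
    print(audit_catalina_opts(SAMPLE_OPTS))
```

The script only establishes exposure; a listener bound with `useLocalPorts="true"` or behind a firewall reduces reachability but does not remove the flaw, so the version upgrade remains the fix.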

What are the Known Public Exploits?

PoC Author    Link    Commentary
ianxtianxt    Link    PoC for CVE-2016-8735

What are the Available Fixes for CVE-2016-8735?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

None

Available Upgrade Options

  • org.apache.tomcat:tomcat-catalina-jmx-remote
    • <6.0.48 → Upgrade to 6.0.48
    • >7.0.0, <7.0.73 → Upgrade to 7.0.73
    • >8.0.0, <8.0.39 → Upgrade to 8.0.39
    • >8.5.0, <8.5.7 → Upgrade to 8.5.7
    • >9.0.0.M1, <9.0.0.M12 → Upgrade to 9.0.0.M12
  • org.apache.tomcat:tomcat-catalina
    • <6.0.48 → Upgrade to 6.0.48
    • >7.0.0, <7.0.73 → Upgrade to 7.0.73
    • >8.0.0, <8.0.39 → Upgrade to 8.0.39
    • >8.5.0, <8.5.7 → Upgrade to 8.5.7
    • >9.0.0.M1, <9.0.0.M12 → Upgrade to 9.0.0.M12


Additional Resources

What are Similar Vulnerabilities to CVE-2016-8735?

Similar Vulnerabilities: CVE-2016-3427, CVE-2014-0096, CVE-2019-0232, CVE-2020-1938, CVE-2020-13935