CVE-2016-8735

Published: Apr 6, 2017

Modified: Oct 21, 2025

PUBLISHED

Description

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

Vendor: Apache Software Foundation

Product: Apache Tomcat

Versions:
affected: before 6.0.48
affected: 7.x before 7.0.73
affected: 8.x before 8.0.39
affected: 8.5.x before 8.5.7
affected: 9.x before 9.0.0.M12

References

1037331 (vdb-entry, x_refsource_SECTRACK)
94463 (vdb-entry, x_refsource_BID)
DSA-3738 (vendor-advisory, x_refsource_DEBIAN)
RHSA-2017:0457 (vendor-advisory, x_refsource_REDHAT)
RHSA-2017:0455 (vendor-advisory, x_refsource_REDHAT)
RHSA-2017:0456 (vendor-advisory, x_refsource_REDHAT)
USN-4557-1 (vendor-advisory, x_refsource_UBUNTU)
