CVE-2016-8735
Publication date 24 November 2016
Last updated 21 August 2024
Ubuntu priority
Cvss 3 Severity Score
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
Status
Package | Ubuntu Release | Status |
---|---|---|
tomcat6 | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic | Not in release | |
16.04 LTS xenial |
Fixed 6.0.45+dfsg-1ubuntu0.1
|
|
14.04 LTS trusty | Ignored end of ESM support, was needed | |
tomcat7 | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic |
Not affected
|
|
16.04 LTS xenial |
Fixed 7.0.68-1ubuntu0.3
|
|
14.04 LTS trusty |
Fixed 7.0.52-1ubuntu0.8
|
|
tomcat8 | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic |
Fixed 8.0.38-2ubuntu1
|
|
16.04 LTS xenial |
Fixed 8.0.32-1ubuntu1.3
|
|
14.04 LTS trusty | Not in release | |
Patch details
Package | Patch details |
---|---|
tomcat6 | |
tomcat7 | |
tomcat8 |
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 · Critical |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-3177-1
- Tomcat vulnerabilities
- 23 January 2017
- USN-4557-1
- Tomcat vulnerabilities
- 30 September 2020