CVE-2016-8735

critical

Apache ⚠️ CISA KEV — Exploited in the Wild

CVSS v3 Base Score

9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

93.8%

Exploitation probability in 30 days

Top 0% most likely to be exploited

Attack Characteristics

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Confidentiality

High

Integrity

High

Availability

High

Published: April 6, 2017 (3325 days ago)

Last Modified: April 21, 2026

Vendor: Apache

Source: NVD

⚠️ CISA Known Exploited Vulnerability

Added to KEV: 2023-05-12

Remediation Due: 2023-06-02 (⚠ 1078d overdue)

Description

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

CWE

NVD-CWE-noinfo

Affected Products

apache tomcatcanonical ubuntu linuxnetapp 7-mode transition toolnetapp oncommand insightnetapp oncommand shiftnetapp snap creator frameworkdebian debian linuxredhat jboss enterprise web serveroracle agile engineering data managementoracle agile plm

References

🔗 rhn.redhat.com 🔗 seclists.org 🔗 svn.apache.org 🔗 svn.apache.org 🔗 svn.apache.org

CVE-2016-8735

⚠️ CISA Known Exploited Vulnerability

Vulnerability Report

Description

CWE

Affected Products

References