External risk intelligence

Apache Tomcat Remote Code Execution Via JMX Port

CVE advisory | Known Exploit

CVE-2016-8735

Remote code execution is possible in Apache Tomcat when the JmxRemoteLifecycleListener is used and JMX ports are reachable. This vulnerability could allow attackers to execute arbitrary code, impacting system integrity and potentially leading to unauthorized access. Organizations using affected versions should review t

Halo Surface Signal: 2

Remote Code Execution

Apache Tomcat

before 6.0.48; 7.0.0 to before 7.0.73; 8.0 to before 8.0.39; 8.5.0 to before 8.5.7; 9.0.0; 16.048.03.0.06.1.36.2.06.2.1.09.3.59.3.63.7.13.8.010.0.16.06.16.24.2.04.2.1;...

External exposure likelihood

Halo Surface Signal score for CVE-2016-8735

The vulnerability requires the JmxRemoteLifecycleListener to be specifically enabled and the JMX port to be reachable. While these ports can be exposed in some environments, JMX is typically intended for internal management and monitoring, and exposing it directly to the public internet is a non-standard configuration.

Horizon Alert

Summary of the vulnerability and why it matters

The Apache Tomcat remote code execution vulnerability arises when the JmxRemoteLifecycleListener is enabled and accessible to attackers. This flaw allows for unauthorized code execution on affected systems. The primary impact is the potential for attackers to gain control over systems, leading to data breaches, service disruption, and reputational damage.

  • Vulnerable component: Apache Tomcat's JmxRemoteLifecycleListener.
  • Core weakness: The listener's handling of credential types was not aligned with a related Oracle security patch, leaving a deserialization flaw (CWE-502).
  • Main business impact: Unauthorized code execution and system compromise.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability if the JmxRemoteLifecycleListener is enabled within Apache Tomcat and the Java Management Extension (JMX) ports are accessible. This setup could allow an attacker to execute arbitrary code on the affected system. The vulnerability arises from an inconsistency in how the JmxRemoteLifecycleListener handled credentials compared to a related Oracle security patch.

  • JMX ports are exposed.
  • Attacker achieves remote code execution.
  • Attacker gains control of the system or otherwise impacts it.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability presents a significant risk to organizations utilizing Apache Tomcat with the JmxRemoteLifecycleListener enabled and accessible JMX ports. Attackers with the necessary technical skill could exploit this to gain unauthorized remote code execution, leading to potential data compromise or system disruption. Organizations should treat this as a high-priority issue requiring immediate attention to mitigate business risk.

  • Attackers with moderate skill.
  • JMX ports must be reachable.
  • High business risk and urgency.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Apache Tomcat could allow attackers to execute arbitrary code if the JmxRemoteLifecycleListener is enabled and JMX ports are accessible. Organizations using affected versions should take immediate steps to identify and mitigate risks associated with this vulnerability to protect their systems and data.

  • Find assets using vulnerable Tomcat versions.
  • Limit JMX port exposure.
  • Update Tomcat and confirm remediation.
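
The first two steps can be checked per host by reading Tomcat's `server.xml`. The following is an added example, not code from this advisory or from the Tomcat project: the function names and the sample `server.xml` are constructed for illustration, the fixed patch levels are the ones listed in the affected ranges on this page, and 9.0.0 milestone builds are reported for manual review rather than decided.

```python
import re
import xml.etree.ElementTree as ET

JMX_LISTENER = "org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
PORT_ATTRS = ("rmiRegistryPortPlatform", "rmiServerPortPlatform")
# First fixed patch level per branch, from the affected ranges listed on this page.
FIXED = {(6, 0): 48, (7, 0): 73, (8, 0): 39, (8, 5): 7}

# Constructed sample input, not taken from a real deployment.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener"/>
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002"/>
  <Service name="Catalina"/>
</Server>"""

def is_affected_version(version):
    """True/False for the x.y.z branches above; None when this table cannot decide."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        return None  # e.g. 9.0.0 milestone builds: consult the vendor advisory
    major, minor, patch = map(int, m.groups())
    fixed = FIXED.get((major, minor))
    return None if fixed is None else patch < fixed

def audit(server_xml, version):
    """Report whether the listener is enabled, which ports it opens, and patch status."""
    root = ET.fromstring(server_xml)
    listeners = [el for el in root.iter("Listener")
                 if el.get("className") == JMX_LISTENER]
    # Skip port values that are property placeholders rather than literal numbers.
    ports = sorted({int(el.get(a)) for el in listeners for a in PORT_ATTRS
                    if (el.get(a) or "").isdigit()})
    affected = is_affected_version(version)
    if not listeners:
        status = "listener-absent"
    elif affected is None:
        status = "review-version"
    elif affected:
        status = "vulnerable"
    else:
        status = "patched-restrict-ports"
    return {"status": status, "jmx_ports": ports, "version": version}

if __name__ == "__main__":
    print(audit(SAMPLE_SERVER_XML, "8.0.38"))
```

The ports returned in `jmx_ports` are the ones to confirm are blocked at the host firewall or security group, including on hosts that report `patched-restrict-ports`.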

Frequently asked questions

What is Apache Tomcat and what is it used for?

Apache Tomcat is an open-source web server and servlet container that implements the Java Servlet, JSP, and Expression Language technologies. It's used to serve Java-based web applications and is a common choice for developers building dynamic web content.

What is CVE-2016-8735 and what type of weakness does it represent?

CVE-2016-8735 is a critical vulnerability in Apache Tomcat that allows for remote code execution. It is primarily a deserialization vulnerability (CWE-502), stemming from an issue with how the JmxRemoteLifecycleListener handled credential types, which was not aligned with an Oracle security patch.

What conditions allow an attacker to exploit CVE-2016-8735?

An attacker can exploit this vulnerability if the JmxRemoteLifecycleListener is enabled in Apache Tomcat and if they can reach the Java Management Extension (JMX) ports. The vulnerability is not triggered if these preconditions are not met.

Who should be concerned about this vulnerability based on its access?

Organizations using affected versions of Apache Tomcat with the JmxRemoteLifecycleListener enabled and exposed JMX ports should be concerned. This vulnerability has a network attack vector, meaning it can be exploited remotely over a network, including the internet, wherever the JMX ports are reachable, making its potential impact wide-ranging.

What are the first steps to address this CVE in Apache Tomcat?

The primary step is to upgrade Apache Tomcat to a version that includes the fix for CVE-2016-8735. Organizations should consult the vendor's security advisories for the specific version recommendations and apply the necessary updates.
