Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasnt updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Tomcat | Apache | * | 6.0.48 (excluding) |
| Tomcat | Apache | 7.0.0 (including) | 7.0.73 (excluding) |
| Tomcat | Apache | 8.0 (including) | 8.0.39 (excluding) |
| Tomcat | Apache | 8.5.0 (including) | 8.5.7 (excluding) |
| Tomcat | Apache | 9.0.0 (including) | 9.0.0 (including) |
| Tomcat | Apache | 9.0.0-milestone1 (including) | 9.0.0-milestone1 (including) |
| Tomcat | Apache | 9.0.0-milestone10 (including) | 9.0.0-milestone10 (including) |
| Tomcat | Apache | 9.0.0-milestone11 (including) | 9.0.0-milestone11 (including) |
| Tomcat | Apache | 9.0.0-milestone2 (including) | 9.0.0-milestone2 (including) |
| Tomcat | Apache | 9.0.0-milestone3 (including) | 9.0.0-milestone3 (including) |
| Tomcat | Apache | 9.0.0-milestone4 (including) | 9.0.0-milestone4 (including) |
| Tomcat | Apache | 9.0.0-milestone5 (including) | 9.0.0-milestone5 (including) |
| Tomcat | Apache | 9.0.0-milestone6 (including) | 9.0.0-milestone6 (including) |
| Tomcat | Apache | 9.0.0-milestone7 (including) | 9.0.0-milestone7 (including) |
| Tomcat | Apache | 9.0.0-milestone8 (including) | 9.0.0-milestone8 (including) |
| Tomcat | Apache | 9.0.0-milestone9 (including) | 9.0.0-milestone9 (including) |
| Red Hat JBoss Web Server 3.1 | RedHat | * | |
| Red Hat JBoss Web Server 3 for RHEL 6 | RedHat | hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6 | * |
| Red Hat JBoss Web Server 3 for RHEL 6 | RedHat | jbcs-httpd24-0:1-3.jbcs.el6 | * |
| Red Hat JBoss Web Server 3 for RHEL 6 | RedHat | jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6 | * |
| Red Hat JBoss Web Server 3 for RHEL 6 | RedHat | jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6 | * |
| Red Hat JBoss Web Server 3 for RHEL 6 | RedHat | mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6 | * |
| Red Hat JBoss Web Server 3 for RHEL 6 | RedHat | tomcat7-0:7.0.70-16.ep7.el6 | * |
| Red Hat JBoss Web Server 3 for RHEL 6 | RedHat | tomcat8-0:8.0.36-17.ep7.el6 | * |
| Red Hat JBoss Web Server 3 for RHEL 6 | RedHat | tomcat-native-0:1.2.8-9.redhat_9.ep7.el6 | * |
| Red Hat JBoss Web Server 3 for RHEL 6 | RedHat | tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6 | * |
| Red Hat JBoss Web Server 3 for RHEL 7 | RedHat | hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7 | * |
| Red Hat JBoss Web Server 3 for RHEL 7 | RedHat | jbcs-httpd24-0:1-3.jbcs.el7 | * |
| Red Hat JBoss Web Server 3 for RHEL 7 | RedHat | jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7 | * |
| Red Hat JBoss Web Server 3 for RHEL 7 | RedHat | jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7 | * |
| Red Hat JBoss Web Server 3 for RHEL 7 | RedHat | mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7 | * |
| Red Hat JBoss Web Server 3 for RHEL 7 | RedHat | tomcat7-0:7.0.70-16.ep7.el7 | * |
| Red Hat JBoss Web Server 3 for RHEL 7 | RedHat | tomcat8-0:8.0.36-17.ep7.el7 | * |
| Red Hat JBoss Web Server 3 for RHEL 7 | RedHat | tomcat-native-0:1.2.8-9.redhat_9.ep7.el7 | * |
| Red Hat JBoss Web Server 3 for RHEL 7 | RedHat | tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7 | * |
| Tomcat6 | Ubuntu | esm-apps/xenial | * |
| Tomcat6 | Ubuntu | esm-infra-legacy/trusty | * |
| Tomcat6 | Ubuntu | precise | * |
| Tomcat6 | Ubuntu | trusty | * |
| Tomcat6 | Ubuntu | trusty/esm | * |
| Tomcat6 | Ubuntu | upstream | * |
| Tomcat6 | Ubuntu | xenial | * |
| Tomcat7 | Ubuntu | esm-apps/xenial | * |
| Tomcat7 | Ubuntu | esm-infra-legacy/trusty | * |
| Tomcat7 | Ubuntu | precise | * |
| Tomcat7 | Ubuntu | trusty | * |
| Tomcat7 | Ubuntu | trusty/esm | * |
| Tomcat7 | Ubuntu | upstream | * |
| Tomcat7 | Ubuntu | xenial | * |
| Tomcat7 | Ubuntu | yakkety | * |
| Tomcat8 | Ubuntu | artful | * |
| Tomcat8 | Ubuntu | bionic | * |
| Tomcat8 | Ubuntu | cosmic | * |
| Tomcat8 | Ubuntu | esm-apps/bionic | * |
| Tomcat8 | Ubuntu | esm-infra/xenial | * |
| Tomcat8 | Ubuntu | upstream | * |
| Tomcat8 | Ubuntu | xenial | * |
| Tomcat8 | Ubuntu | yakkety | * |
| Tomcat8 | Ubuntu | zesty | * |
References
- http://rhn.redhat.com/errata/RHSA-2017-0457.html
- http://seclists.org/oss-sec/2016/q4/502
- http://svn.apache.org/viewvc?view=revision\u0026revision=1767644
- http://svn.apache.org/viewvc?view=revision\u0026revision=1767656
- http://svn.apache.org/viewvc?view=revision\u0026revision=1767676
- http://svn.apache.org/viewvc?view=revision\u0026revision=1767684
- http://tomcat.apache.org/security-6.html
- http://tomcat.apache.org/security-7.html
- http://tomcat.apache.org/security-8.html
- http://tomcat.apache.org/security-9.html
- http://www.debian.org/security/2016/dsa-3738
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- http://www.securityfocus.com/bid/94463
- http://www.securitytracker.com/id/1037331
- https://access.redhat.com/errata/RHSA-2017:0455
- https://access.redhat.com/errata/RHSA-2017:0456
- https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
- https://security.netapp.com/advisory/ntap-20180607-0001/
- https://usn.ubuntu.com/4557-1/
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- http://rhn.redhat.com/errata/RHSA-2017-0457.html
- http://seclists.org/oss-sec/2016/q4/502
- http://svn.apache.org/viewvc?view=revision\u0026revision=1767644
- http://svn.apache.org/viewvc?view=revision\u0026revision=1767656
- http://svn.apache.org/viewvc?view=revision\u0026revision=1767676
- http://svn.apache.org/viewvc?view=revision\u0026revision=1767684
- http://tomcat.apache.org/security-6.html
- http://tomcat.apache.org/security-7.html
- http://tomcat.apache.org/security-8.html
- http://tomcat.apache.org/security-9.html
- http://www.debian.org/security/2016/dsa-3738
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- http://www.securityfocus.com/bid/94463
- http://www.securitytracker.com/id/1037331
- https://access.redhat.com/errata/RHSA-2017:0455
- https://access.redhat.com/errata/RHSA-2017:0456
- https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
- https://security.netapp.com/advisory/ntap-20180607-0001/
- https://usn.ubuntu.com/4557-1/
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-8735