Overview
Apache Tomcat contains a remote code execution vulnerability in JmxRemoteLifecycleListener due to inconsistent credential handling. Attackers with access to exposed JMX ports can execute arbitrary code remotely. This is a critical vulnerability affecting multiple Tomcat versions across all major release branches. The vulnerability was disclosed on April 6, 2017. CISA has identified CVE-2016-8735 as exploited, but it is not currently known to be used in ransomware campaigns.
Technical details
Apache Tomcat's JmxRemoteLifecycleListener improperly handles credentials when establishing JMX (Java Management Extensions) remote connections. The vulnerability exists in the configuration and initialization of the JMX remote authentication mechanism. When JMX ports are exposed to untrusted networks, attackers can bypass authentication or establish unauthenticated JMX connections, allowing them to invoke arbitrary methods and execute code with the privileges of the Tomcat process.
The vulnerability is classified as CWE-287 (Improper Authentication) and CWE-94 (Improper Control of Generation of Code (Code Injection)).
The vulnerability received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its critical nature.
Impact
Successful exploitation allows remote attackers to execute arbitrary code with the privileges of the Tomcat process. This can lead to complete system compromise, including data theft, malware installation, lateral movement to other systems, denial of service, and unauthorized access to sensitive application data. The impact is severe as JMX provides access to internal application management and monitoring functions that can be abused for code execution.
Mitigation and workarounds
Update Apache Tomcat to the fixed version. Upgrade from affected versions to: Tomcat 6.0.48+, 7.0.73+, 8.0.39+, 8.5.7+, or 9.0.0.M12+. This can be done by downloading the latest release from apache.org/tomcat and replacing the installation, or by using package managers for distributions that provide Tomcat packages. The following versions include the necessary fixes: 6.0.48, 7.0.73, 8.0.39, 8.5.7, 9.0.0.M12.
As temporary workarounds: disable the JMX remote listener if it is not required for operations, by removing or commenting out the JmxRemoteLifecycleListener configuration in the Catalina startup scripts or in server.xml. Restrict network access to the JMX ports using firewall rules, allowing connections only from trusted administrative systems or internal networks. Isolate Tomcat instances on internal networks, restricting inbound access from untrusted networks. If JMX must be enabled, configure strong authentication credentials and use JMX over SSL/TLS.
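The two checks above (is the installed version at or past the first fixed release for its branch, and is the JMX listener still configured in server.xml with its RMI ports) can be scripted for an inventory sweep. The following is an added example, not Tomcat's own code or part of this advisory. It assumes the fixed-version thresholds listed above, reads the listener's rmiRegistryPortPlatform and rmiServerPortPlatform attributes as they appear in server.xml, and uses a constructed server.xml fragment as sample input.

```python
"""Audit helper for CVE-2016-8735: checks a Tomcat version string against the
fixed releases named in the advisory and inspects a server.xml document for
JmxRemoteLifecycleListener and the RMI ports it opens.

Added example; not Tomcat's own code. Assumptions: the fixed-version
thresholds below are the ones listed in the advisory, and the listener's
rmiRegistryPortPlatform / rmiServerPortPlatform attributes are read as they
appear in server.xml."""
import re
import xml.etree.ElementTree as ET

# First fixed release per branch, as listed in the advisory.
FIXED_VERSIONS = {
    (6, 0): "6.0.48",
    (7, 0): "7.0.73",
    (8, 0): "8.0.39",
    (8, 5): "8.5.7",
    (9, 0): "9.0.0.M12",
}

JMX_LISTENER = "org.apache.catalina.mbeans.JmxRemoteLifecycleListener"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")


def parse_version(version):
    """Turn '8.5.7' or '9.0.0.M12' into a comparable tuple.

    A milestone (M-suffix) sorts before the GA release of the same number,
    so the fourth element is the milestone number, or infinity for GA."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % version)
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            int(milestone) if milestone is not None else float("inf"))


def is_fixed(version):
    """True if the version is at or above its branch's first fixed release,
    False if below it, None for a branch the advisory does not list."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return None
    return parsed >= parse_version(fixed)


def find_jmx_listeners(server_xml):
    """Return the JmxRemoteLifecycleListener elements found in a server.xml
    document, with the RMI ports they configure (None if an attribute is unset)."""
    root = ET.fromstring(server_xml)
    found = []
    for listener in root.iter("Listener"):
        if listener.get("className") == JMX_LISTENER:
            found.append({
                "registry_port": listener.get("rmiRegistryPortPlatform"),
                "server_port": listener.get("rmiServerPortPlatform"),
            })
    return found


def audit(version, server_xml):
    """Combine both checks into a list of findings for an operator."""
    findings = []
    fixed = is_fixed(version)
    if fixed is False:
        findings.append("Tomcat %s is below the fixed release %s; upgrade."
                        % (version, FIXED_VERSIONS[parse_version(version)[:2]]))
    elif fixed is None:
        findings.append("Tomcat %s: branch not covered by this advisory." % version)
    for l in find_jmx_listeners(server_xml):
        findings.append("JmxRemoteLifecycleListener enabled (registry port %s, "
                        "server port %s): remove it if unused, otherwise restrict "
                        "these ports to trusted administrative networks."
                        % (l["registry_port"], l["server_port"]))
    return findings


# Constructed sample server.xml fragment (not taken from any real deployment).
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>
"""

if __name__ == "__main__":
    for line in audit("8.5.6", SAMPLE_SERVER_XML):
        print(line)
```

Run against a real installation by passing the output of `version.sh` (or the VersionLoggerListener line in catalina.out) and the contents of conf/server.xml; the reported RMI ports are the ones to cover with the firewall rules described above if the listener cannot be removed.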
CISA recommendation: Apply updates per vendor instructions.
Additional resources
Source: This report was generated by AI.

