CVE-2016-8735

Tomcat vulnerability analysis and mitigation — CRITICAL (CVSS 9.8)

High Profile Threat

Overview

Apache Tomcat contains a remote code execution vulnerability in JmxRemoteLifecycleListener due to inconsistent credential handling. Attackers with access to exposed JMX ports can execute arbitrary code remotely. This is a critical vulnerability affecting multiple Tomcat versions across all major release branches. The vulnerability was disclosed on April 6, 2017. CISA has identified CVE-2016-8735 as being exploited but is not currently known to be used in ransomware campaigns.

Technical details

Apache Tomcat's JmxRemoteLifecycleListener improperly handles credentials when establishing JMX (Java Management Extensions) remote connections. The vulnerability exists in the configuration and initialization of the JMX remote authentication mechanism. When JMX ports are exposed to untrusted networks, attackers can bypass authentication or establish unauthenticated JMX connections, allowing them to invoke arbitrary methods and execute code with the privileges of the Tomcat process.

The vulnerability is classified as CWE-287 (Improper Authentication) and CWE-94 (Improper Control of Generation of Code (Code Injection)).

The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its critical nature.

Impact

Successful exploitation allows remote attackers to execute arbitrary code with the privileges of the Tomcat process. This can lead to complete system compromise, including data theft, malware installation, lateral movement to other systems, denial of service, and unauthorized access to sensitive application data. The impact is severe as JMX provides access to internal application management and monitoring functions that can be abused for code execution.

Mitigation and workarounds

Update Apache Tomcat to the fixed version. Upgrade from affected versions to: Tomcat 6.0.48+, 7.0.73+, 8.0.39+, 8.5.7+, or 9.0.0.M12+. This can be done by downloading the latest release from apache.org/tomcat and replacing the installation or using package managers for distributions that provide Tomcat packages. The following versions include the necessary fixes: 6.0.48, 7.0.73, 8.0.39, 8.5.7, 9.0.0.M12.

As temporary workarounds: disable the JMX remote listener if it is not required for operations, by removing or commenting out the JmxRemoteLifecycleListener configuration in the Catalina startup scripts or server.xml; restrict network access to the JMX ports with firewall rules so that only trusted administrative systems or internal networks can connect; isolate Tomcat instances on internal networks, blocking inbound access from untrusted networks; and, if JMX must be enabled, configure strong authentication credentials and run JMX over SSL/TLS.
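A small audit helper, added here as an example and not part of the advisory or of Tomcat itself, that combines the two checks above: whether a Tomcat version is at or above the fixed release for its branch, and whether server.xml still has an active JmxRemoteLifecycleListener entry. The fully qualified class name and the RMI port attribute names in the sample come from Tomcat's own documentation; the server.xml text is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Fixed versions stated in the advisory, keyed by release branch; 9.0 is a milestone.
FIXED_BY_BRANCH = {"6.0": (6, 0, 48), "7.0": (7, 0, 73), "8.0": (8, 0, 39), "8.5": (8, 5, 7)}
FIXED_9_MILESTONE = 12  # 9.0.0.M12

def parse_version(version):
    """Turn '8.5.6' or '9.0.0.M11' into (major, minor, patch, milestone_or_None)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    return int(major), int(minor), int(patch), (int(milestone) if milestone else None)

def is_fixed_version(version):
    """True when the version is at or above the fixed release for its branch."""
    major, minor, patch, milestone = parse_version(version)
    if (major, minor, patch) == (9, 0, 0) and milestone is not None:
        return milestone >= FIXED_9_MILESTONE
    if major >= 9:
        return True  # 9.0.0 GA and later releases postdate 9.0.0.M12
    fixed = FIXED_BY_BRANCH.get(f"{major}.{minor}")
    if fixed is None:
        return False  # branch not covered by the advisory: treat as unfixed
    return (major, minor, patch) >= fixed

def jmx_listeners(server_xml):
    """Class names of active <Listener> elements loading JmxRemoteLifecycleListener.
    XML comments are dropped by the parser, so a commented-out listener counts as disabled."""
    root = ET.fromstring(server_xml)
    return [el.get("className") for el in root.iter("Listener")
            if "JmxRemoteLifecycleListener" in (el.get("className") or "")]

def assess(version, server_xml):
    """Exposure requires both an unfixed version and an active JMX remote listener."""
    listeners = jmx_listeners(server_xml)
    fixed = is_fixed_version(version)
    return {"fixed_version": fixed, "jmx_listener": bool(listeners),
            "exposed_to_cve_2016_8735": bool(listeners) and not fixed}

# Constructed sample server.xml (not taken from any real deployment).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" />
  <Service name="Catalina" />
</Server>"""
```

Run `assess("8.5.6", open("conf/server.xml").read())` against a real installation's version and configuration; a result of `exposed_to_cve_2016_8735: True` means either the upgrade or the listener removal above is still outstanding.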

CISA's recommendation: Apply updates per vendor instructions.

Source: This report was generated using AI

Related Apache Software Foundation Vulnerabilities

No related vulnerabilities found with identified affected products.