{ "threat_severity" : "Important", "public_date" : "2016-11-22T00:00:00Z", "bugzilla" : { "description" : "tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener", "id" : "1397485", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1397485" }, "cvss" : { "cvss_base_score" : "6.8", "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status" : "verified" }, "cvss3" : { "cvss3_base_score" : "8.1", "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-502", "details" : [ "Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.", "The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance." ], "affected_release" : [ { "product_name" : "Red Hat JBoss Web Server 3.1", "release_date" : "2017-03-07T00:00:00Z", "advisory" : "RHSA-2017:0457", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6", "release_date" : "2017-03-07T00:00:00Z", "advisory" : "RHSA-2017:0455", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6", "package" : "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6", "release_date" : "2017-03-07T00:00:00Z", "advisory" : "RHSA-2017:0455", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6", "package" : "jbcs-httpd24-0:1-3.jbcs.el6" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6", "release_date" : "2017-03-07T00:00:00Z", "advisory" : "RHSA-2017:0455", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6", "package" : "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6", "release_date" : "2017-03-07T00:00:00Z", "advisory" : "RHSA-2017:0455", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6", "package" : "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6", "release_date" : "2017-03-07T00:00:00Z", "advisory" : "RHSA-2017:0455", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6", "package" : "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6", "release_date" : "2017-03-07T00:00:00Z", "advisory" : "RHSA-2017:0455", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6", "package" : "tomcat7-0:7.0.70-16.ep7.el6" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6", "release_date" : "2017-03-07T00:00:00Z", "advisory" : "RHSA-2017:0455", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6", "package" : "tomcat8-0:8.0.36-17.ep7.el6" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6", "release_date" : "2017-03-07T00:00:00Z", "advisory" : "RHSA-2017:0455", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6", "package" : "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6", "release_date" : "2017-03-07T00:00:00Z", "advisory" : "RHSA-2017:0455", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6", "package" : "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7", "release_date" : "2017-03-07T00:00:00Z", "advisory" : "RHSA-2017:0456", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7", "package" : "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7", "release_date" : "2017-03-07T00:00:00Z", "advisory" : "RHSA-2017:0456", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7", "package" : "jbcs-httpd24-0:1-3.jbcs.el7" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7", "release_date" : "2017-03-07T00:00:00Z", "advisory" : "RHSA-2017:0456", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7", "package" : "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7", "release_date" : "2017-03-07T00:00:00Z", "advisory" : "RHSA-2017:0456", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7", "package" : "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7", "release_date" : "2017-03-07T00:00:00Z", "advisory" : "RHSA-2017:0456", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7", "package" : "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7", "release_date" : "2017-03-07T00:00:00Z", "advisory" : "RHSA-2017:0456", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7", "package" : "tomcat7-0:7.0.70-16.ep7.el7" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7", "release_date" : "2017-03-07T00:00:00Z", "advisory" : "RHSA-2017:0456", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7", "package" : "tomcat8-0:8.0.36-17.ep7.el7" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7", "release_date" : "2017-03-07T00:00:00Z", "advisory" : "RHSA-2017:0456", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7", "package" : "tomcat-native-0:1.2.8-9.redhat_9.ep7.el7" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7", "release_date" : "2017-03-07T00:00:00Z", "advisory" : "RHSA-2017:0456", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7", "package" : "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 5", "fix_state" : "Not affected", "package_name" : "tomcat5", "cpe" : "cpe:/o:redhat:enterprise_linux:5" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "tomcat6", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "tomcat", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat JBoss Data Grid 6", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_data_grid:6" }, { "product_name" : "Red Hat JBoss Data Virtualization 6", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 5", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 2", "fix_state" : "Will not fix", "package_name" : "tomcat6", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 2", "fix_state" : "Will not fix", "package_name" : "tomcat7", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat JBoss Operations Network 3", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_operations_network:3" }, { "product_name" : "Red Hat JBoss Portal 6", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_enterprise_portal_platform:6" }, { "product_name" : "Red Hat JBoss Web Server 3", "fix_state" : "Will not fix", "package_name" : "tomcat7", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3" }, { "product_name" : "Red Hat JBoss Web Server 3", "fix_state" : "Will not fix", "package_name" : "tomcat8", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3" }, { "product_name" : "Red Hat Software Collections", "fix_state" : "Not affected", "package_name" : "rh-java-common-tomcat", "cpe" : "cpe:/a:redhat:rhel_software_collections:2" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-8735\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-8735\nhttps://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48\nhttps://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73\nhttps://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39\nhttps://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8\nhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog" ], "name" : "CVE-2016-8735", "csaw" : false }