On November 22, 2016, the Apache Tomcat security team published a remote code execution vulnerability in Apache Tomcat (CVE-2016-8735). It is related to the JMX/RMI deserialization vulnerability that Oracle had previously fixed in the JRE (CVE-2016-3427): Tomcat's JmxRemoteLifecycleListener sets up its own JMX/RMI connector server and did not pick up that fix.
See the following for more information about the vulnerability.
Apache Tomcat remote code execution vulnerability
The root cause is the deserialization vulnerability in the JMX/RMI connector that Oracle fixed in the JRE as CVE-2016-3427. Tomcat's JmxRemoteLifecycleListener creates its own JMX/RMI connector server rather than using the JRE's built-in management agent, so it did not benefit from Oracle's fix and was not updated in a timely manner to apply the same restriction, leaving a remote code execution vulnerability in Tomcat.
A remote attacker who can reach the listener's RMI ports can send a crafted serialized object and execute arbitrary code with the privileges of the Tomcat process. In severe cases this leads to service interruption or data leakage.
Condition and method of exploitation
The JmxRemoteLifecycleListener must be enabled and its RMI registry and RMI server ports must be reachable by the attacker (for example, published on the Internet). The attacker connects to the JMX/RMI endpoint and supplies a malicious serialized object in place of the login credentials; because that object is deserialized before the credentials are checked, JMX authentication alone does not stop the attack. As with any Java deserialization issue, the attacker also needs a suitable gadget chain on the classpath visible to the listener. Affected versions:
- Apache Tomcat 9.0.0.M1 to 9.0.0.M11
- Apache Tomcat 8.5.0 to 8.5.6
- Apache Tomcat 8.0.0.RC1 to 8.0.38
- Apache Tomcat 7.0.0 to 7.0.72
- Apache Tomcat 6.0.0 to 6.0.47
Detect the vulnerability by using any of the following methods:
Manually check whether the listener's RMI ports are open and reachable from the Internet. The Tomcat documentation's example uses ports 10001 and 10002, but the actual ports are whatever server.xml sets in rmiRegistryPortPlatform and rmiServerPortPlatform.
Check whether JmxRemoteLifecycleListener is enabled in Tomcat.
Check whether the server.xml file contains a Listener entry like the following (the port numbers may differ):
<Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
          rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" />
Note: Verifying with a PoC exploit is not recommended; a successful test executes attacker-controlled code on the server.
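The following script is an added example, not part of the original advisory or of the Tomcat project, that automates the two checks above offline: it parses server.xml for a JmxRemoteLifecycleListener entry and reports the RMI ports it opens, and it compares a Tomcat version string against the affected ranges listed under "Condition and method of exploitation". The sample server.xml embedded at the bottom is constructed for the demonstration; the listener class name is Tomcat's real one, and reading rmiBindAddress (absent means the listener's default of all interfaces) is an extra check beyond what the advisory lists.

```python
"""Offline check for the Tomcat JmxRemoteLifecycleListener exposure.

Two checks, combined in assess():
  1. parse server.xml and report every JmxRemoteLifecycleListener with the
     RMI registry/server ports it opens;
  2. compare the Tomcat version string against the affected ranges
     (9.0.0.M1-M11, 8.5.0-8.5.6, 8.0.0.RC1-8.0.38, 7.0.0-7.0.72, 6.0.0-6.0.47).
"""
import re
import xml.etree.ElementTree as ET

JMX_LISTENER = "org.apache.catalina.mbeans.JmxRemoteLifecycleListener"

# Tomcat version strings look like "8.0.38", "8.0.0.RC1" or "9.0.0.M11".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(M|RC)(\d+))?$")
# Milestone and RC builds sort before a final release with the same numbers.
_PRE_RANK = {"M": 0, "RC": 1, None: 2}


def parse_version(text):
    """Turn a Tomcat version string into a tuple that compares correctly."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % text)
    major, minor, patch, tag, tag_num = m.groups()
    return (int(major), int(minor), int(patch), _PRE_RANK[tag], int(tag_num or 0))


# Inclusive affected ranges, exactly as the advisory lists them.
AFFECTED_RANGES = [
    (parse_version("9.0.0.M1"), parse_version("9.0.0.M11")),
    (parse_version("8.5.0"), parse_version("8.5.6")),
    (parse_version("8.0.0.RC1"), parse_version("8.0.38")),
    (parse_version("7.0.0"), parse_version("7.0.72")),
    (parse_version("6.0.0"), parse_version("6.0.47")),
]


def is_affected_version(text):
    """True when the version falls inside one of the affected ranges."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def find_jmx_listeners(server_xml):
    """Return every JmxRemoteLifecycleListener configured in server.xml.

    Each entry records the two ports the listener opens. rmiBindAddress is an
    extra check (assumption, not from the advisory): when it is absent the
    listener binds all interfaces.
    """
    root = ET.fromstring(server_xml)
    found = []
    for el in root.iter("Listener"):
        if el.get("className") != JMX_LISTENER:
            continue
        found.append({
            "registry_port": el.get("rmiRegistryPortPlatform"),
            "server_port": el.get("rmiServerPortPlatform"),
            "bind_address": el.get("rmiBindAddress") or "all interfaces (default)",
        })
    return found


def assess(server_xml, tomcat_version):
    """Vulnerable only when the listener is enabled AND the version is affected."""
    listeners = find_jmx_listeners(server_xml)
    affected = is_affected_version(tomcat_version)
    return {
        "listeners": listeners,
        "affected_version": affected,
        "vulnerable": affected and bool(listeners),
    }


# Constructed sample server.xml (not a real deployment): it mirrors the
# Listener line the advisory tells you to look for.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>
"""

if __name__ == "__main__":
    for version in ("8.0.38", "8.0.39", "9.0.0.M11", "9.0.0.M13"):
        result = assess(SAMPLE_SERVER_XML, version)
        state = "VULNERABLE" if result["vulnerable"] else "not vulnerable"
        print("Tomcat %-10s %s  listeners=%s" % (version, state, result["listeners"]))
```

To use it against a real host, read the deployed conf/server.xml and take the version from the banner of the running instance (for example `catalina.sh version`); a result of vulnerable means the listener's ports should be checked for reachability from untrusted networks, not that exploitation has been attempted.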
How to fix or mitigate
Disable JmxRemoteLifecycleListener (remove the Listener element from server.xml), or restrict network access to the listener's RMI registry and RMI server ports to trusted management hosts only. Enabling JMX authentication is good practice, but on its own it does not block this issue, because the malicious object is deserialized before the credentials are checked.
Upgrade to a fixed version that has been officially released:
- Apache Tomcat 9.0.0.M13 or later (the vulnerability is also fixed in Apache Tomcat 9.0.0.M12, which was not released)
- Apache Tomcat 8.5.8 or later (the vulnerability is also fixed in Apache Tomcat 8.5.7, which was not released)
- Apache Tomcat 8.0.39 or later
- Apache Tomcat 7.0.73 or later
- Apache Tomcat 6.0.48 or later