
[Vulnerability notice] CVE-2016-8735: Remote code execution vulnerability in Apache Tomcat

Last Updated: Apr 08, 2018

On November 22, 2016, the Apache Tomcat security team disclosed a remote code execution vulnerability in Apache Tomcat. The vulnerability is related to the JMX deserialization vulnerability that Oracle had previously fixed in the Java Runtime (CVE-2016-3427) and lies in Tomcat's JmxRemoteLifecycleListener, which was not updated to take Oracle's fix into account.

See the following for more information about the vulnerability.
CVE identifier

CVE-2016-8735

Vulnerability name

Apache Tomcat remote code execution vulnerability

Vulnerability description

The vulnerability stems from a JMX deserialization vulnerability in the Java Runtime that Oracle had already fixed (CVE-2016-3427). Tomcat's JmxRemoteLifecycleListener, which creates its own JMX RMI registry and server, was not updated to account for Oracle's fix, so Tomcat installations that use this listener remained exploitable for remote code execution.

The vulnerability allows a remote attacker to execute arbitrary commands on the Tomcat host. In severe cases this can lead to service interruption or data leakage.

Condition and method of exploitation

JmxRemoteLifecycleListener must be enabled in server.xml, and its RMI registry and server ports must be reachable from the attacker's network position (for example, exposed to the Internet).

Affected scope

  • Apache Tomcat 9.0.0.M1 to 9.0.0.M11
  • Apache Tomcat 8.5.0 to 8.5.6
  • Apache Tomcat 8.0.0.RC1 to 8.0.38
  • Apache Tomcat 7.0.0 to 7.0.72
  • Apache Tomcat 6.0.0 to 6.0.47

Vulnerability detection

Detect the vulnerability by using any of the following methods:

  • Manually check whether the RMI registry and server ports used by the listener are open and reachable from the Internet. The ports are configurable; 10001 and 10002 are the values used in the server.xml example below.

  • Check whether JmxRemoteLifecycleListener is enabled in Tomcat's conf/server.xml.

  • Check whether the server.xml file contains a Listener element like the following:

    <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
              rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" />

Note: Verifying the vulnerability by running a proof-of-concept (PoC) exploit against the server is not recommended; the configuration and version checks above are sufficient.
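
The following script is an added example (it is not part of the original notice or of the Tomcat project) that automates the two checks that can be done offline: it compares a Tomcat version string against the ranges listed under Affected scope, and it parses conf/server.xml for a JmxRemoteLifecycleListener element and reports the RMI ports it configures. The sample server.xml and ServerInfo output embedded in it are constructed for the example, and the function names and the AFFECTED_RANGES table are the example's own.

```python
#!/usr/bin/env python3
"""Offline exposure check for CVE-2016-8735 (added example, not Tomcat project code).

Two checks: is the Tomcat version inside the affected ranges, and does
conf/server.xml enable org.apache.catalina.mbeans.JmxRemoteLifecycleListener?
"""
import re
import xml.etree.ElementTree as ET

LISTENER_CLASS = "org.apache.catalina.mbeans.JmxRemoteLifecycleListener"

# Affected ranges exactly as listed in the notice, inclusive at both ends.
AFFECTED_RANGES = [
    ("9.0.0.M1", "9.0.0.M11"),
    ("8.5.0", "8.5.6"),
    ("8.0.0.RC1", "8.0.38"),
    ("7.0.0", "7.0.72"),
    ("6.0.0", "6.0.47"),
]

# Milestones sort before release candidates, which sort before the final release.
_STAGE_ORDER = {"M": 0, "RC": 1}
_FINAL = 2


def parse_version(text):
    """'9.0.0.M11' -> (9, 0, 0, 0, 11); '8.0.0.RC1' -> (8, 0, 0, 1, 1); '8.5.6' -> (8, 5, 6, 2, 0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.(M|RC)(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % text)
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    if m.group(4):
        return (major, minor, patch, _STAGE_ORDER[m.group(4)], int(m.group(5)))
    return (major, minor, patch, _FINAL, 0)


def version_is_affected(version):
    """True if `version` falls inside any affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def version_from_server_info(text):
    """Pull '8.5.6' out of the 'Server version: Apache Tomcat/8.5.6' line
    printed by org.apache.catalina.util.ServerInfo."""
    m = re.search(r"Apache Tomcat/(\S+)", text)
    if not m:
        raise ValueError("no 'Apache Tomcat/<version>' found in ServerInfo output")
    return m.group(1)


def find_jmx_listeners(server_xml):
    """Return the RMI port attributes of every enabled JmxRemoteLifecycleListener.

    ElementTree discards XML comments, so a listener that has been commented out
    is (correctly) not reported.
    """
    root = ET.fromstring(server_xml)
    found = []
    for el in root.iter("Listener"):
        if el.get("className") == LISTENER_CLASS:
            found.append({
                "rmiRegistryPortPlatform": el.get("rmiRegistryPortPlatform"),
                "rmiServerPortPlatform": el.get("rmiServerPortPlatform"),
            })
    return found


def assess(version, server_xml):
    """Combine both checks; 'exposed' means an affected version with the listener enabled."""
    listeners = find_jmx_listeners(server_xml)
    ports = sorted({p for l in listeners for p in l.values() if p})
    affected = version_is_affected(version)
    return {
        "version": version,
        "affected_version": affected,
        "listener_enabled": bool(listeners),
        "rmi_ports": ports,
        "exposed": affected and bool(listeners),
    }


# Constructed sample server.xml mirroring the snippet in the notice (not a real host's file).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Constructed sample of the ServerInfo output (only the version line matters).
SAMPLE_SERVER_INFO = "Server version: Apache Tomcat/8.5.6\n"

if __name__ == "__main__":
    ver = version_from_server_info(SAMPLE_SERVER_INFO)
    for key, val in assess(ver, SAMPLE_SERVER_XML).items():
        print("%-17s %s" % (key + ":", val))
```

On a real host, feed the output of `java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo` and the contents of conf/server.xml into assess(). Because ElementTree drops XML comments, a listener that has been commented out is reported as absent, which is the desired behaviour. The script cannot tell whether a port that is open on the host belongs to this listener or to another process, so still confirm exposure with a network-side check from outside the trust boundary.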

How to fix or mitigate

  • Disable JmxRemoteLifecycleListener (remove or comment out its Listener element in conf/server.xml) or, if it is needed, restrict network access to its RMI registry and server ports (for example with a host firewall or security group) so that only trusted management hosts can reach them, and enable JMX authentication. Treat authentication as defense in depth rather than a fix: the malicious object is deserialized by the RMI layer before JMX credentials are checked, so only upgrading or isolating the ports closes the hole.

  • Upgrade to the latest version which has been officially released:

    • Apache Tomcat 9.0.0.M13 or later (the fix is also present in Apache Tomcat 9.0.0.M12, which was never released)
    • Apache Tomcat 8.5.8 or later (the fix is also present in Apache Tomcat 8.5.7, which was never released)
    • Apache Tomcat 8.0.39 or later
    • Apache Tomcat 7.0.73 or later
    • Apache Tomcat 6.0.48 or later

Reference

[1] http://seclists.org/oss-sec/2016/q4/502
[2] http://engineering.pivotal.io/post/java-deserialization-jmx/
[3] http://tomcat.apache.org/security-6.html
[4] http://tomcat.apache.org/security-7.html
[5] http://tomcat.apache.org/security-8.html
