org.apache.tomcat:tomcat-catalina-jmx-remote@8.5.2 vulnerabilities

latest version

8.5.75
latest non vulnerable version

9.0.14
first published

14 years ago
latest version published

2 years ago
licenses detected
- Apache-2.0
  [0,)
package manager

View on Maven Repository

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.apache.tomcat:tomcat-catalina-jmx-remote package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
H Privilege Escalation org.apache.tomcat:tomcat-catalina-jmx-remote is a maven plugin for Tomcat Remote JMX listener. Affected versions of this package are vulnerable to Privilege Escalation. When Tomcat is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance. How to fix Privilege Escalation? Upgrade `org.apache.tomcat:tomcat-catalina-jmx-remote` to version 9.0.14, 8.5.49, 7.0.99 or higher.	[9.0.0.M1,9.0.14) [8.5.0,8.5.49) [,7.0.99)
C Arbitrary Code Execution `org.apache.tomcat:tomcat-catalina-jmx-remote` Affected versions of the package are vulnerable to Remote Code Execution. The `JmxRemoteLifecycleListener` was not updated to take account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations using this listener remained vulnerable to a similar remote code execution vulnerability. This issue has been rated as important rather than critical due to the small number of installations using this listener and that it would be highly unusual for the JMX ports to be accessible to an attacker even when the listener is used.	[6,6.0.48) [7.0.0,7.0.73) [8,8.0.39) [8.5.0,8.5.8) [9-alpha,9.0.0.M13)

Privilege Escalation

org.apache.tomcat:tomcat-catalina-jmx-remote is a maven plugin for Tomcat Remote JMX listener.

Affected versions of this package are vulnerable to Privilege Escalation. When Tomcat is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.

How to fix Privilege Escalation?

Upgrade org.apache.tomcat:tomcat-catalina-jmx-remote to version 9.0.14, 8.5.49, 7.0.99 or higher.

[9.0.0.M1,9.0.14) [8.5.0,8.5.49) [,7.0.99)

Arbitrary Code Execution

org.apache.tomcat:tomcat-catalina-jmx-remote Affected versions of the package are vulnerable to Remote Code Execution. The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations using this listener remained vulnerable to a similar remote code execution vulnerability. This issue has been rated as important rather than critical due to the small number of installations using this listener and that it would be highly unusual for the JMX ports to be accessible to an attacker even when the listener is used.

[6,6.0.48) [7.0.0,7.0.73) [8,8.0.39) [8.5.0,8.5.8) [9-alpha,9.0.0.M13)

Go back to all versions of this package

org.apache.tomcat:tomcat-catalina-jmx-remote@8.5.2 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities