Arbitrary Code Execution Affecting org.apache.tomcat:tomcat-catalina-jmx-remote Open this link in a new tab package, versions [6,6.0.48) [7.0.0,7.0.73) [8,8.0.39) [8.5.0,8.5.8) [9-alpha,9.0.0.M13)


0.0
critical
  • Attack Complexity

    Low

  • Confidentiality

    High

  • Integrity

    High

  • Availability

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-JAVA-ORGAPACHETOMCAT-30919

  • published

    23 Nov 2016

  • disclosed

    23 Nov 2016

  • credit

    Pierre Ernst

Overview

org.apache.tomcat:tomcat-catalina-jmx-remote Affected versions of the package are vulnerable to Remote Code Execution. The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations using this listener remained vulnerable to a similar remote code execution vulnerability. This issue has been rated as important rather than critical due to the small number of installations using this listener and that it would be highly unusual for the JMX ports to be accessible to an attacker even when the listener is used.

References