CVE-2016-8735 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	High
Remote	Yes
Type	Arbitrary code execution
Description	The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations using this listener remained vulnerable to a similar remote code execution vulnerability.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-84	tomcat6	6.0.47-1	6.0.48-1	High	Fixed

Date	Advisory	Group	Package	Severity	Type
23 Nov 2016	ASA-201611-22	AVG-84	tomcat6	High	multiple issues

References
https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48 http://www.openwall.com/lists/oss-security/2016/11/22/16

Notes
This issue has been rated as high rather than critical due to the small number of installations using this listener and that it would be highly unusual for the JMX ports to be accessible to an attacker even when the listener is used.

Notes

This issue has been rated as high rather than critical due to the small number of installations using this listener and that it would be highly unusual for the JMX ports to be accessible to an attacker even when the listener is used.