CVE-2016-8735 Scanner
CVE-2016-8735 Scanner - Remote Code Execution vulnerability in Apache Tomcat
Short Info
Level
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 11 days 19 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
Apache Tomcat is an open-source implementation of the Java Servlet, JavaServer Pages, Java Expression Language, and Java WebSocket technologies. It is widely used in enterprise environments to serve Java applications. Tomcat is developed and maintained by the Apache Software Foundation and is used by various companies and individual developers around the world. The software is renowned for its robustness and its ability to handle large-scale applications. Tomcat is compatible with major operating systems and is often used in conjunction with other Apache products. Its modular architecture allows developers to extend its functionalities through various plugins and extensions.
Remote Code Execution (RCE) is a critical class of vulnerability that allows attackers to run arbitrary code on a remote system. This particular vulnerability in Apache Tomcat arises from a failure in handling credentials when the JmxRemoteLifecycleListener is used and JMX ports are exposed to attackers. If exploited, it can lead to unauthorized access to and control over the Tomcat server. This vulnerability is severe because it can be exploited remotely and does not require any user interaction. RCE vulnerabilities are often exploited by attackers to install malware, extract sensitive data, or disrupt service. The presence of this vulnerability highlights the critical importance of properly configuring and securing JMX ports.
The vulnerability exists in Apache Tomcat when certain JMX ports are left exposed, and it stems from inconsistent credential type handling. This handling was not aligned with the Oracle patch for CVE-2016-3427 and can be exploited by attackers with the right access to JMX ports. Specifically, the vulnerability allows remote attackers to exploit unsafe deserialization in Apache Tomcat, thereby enabling them to execute arbitrary code. Attackers typically locate the "UnicastRef2" and extract the rmiServerPort before launching the exploit. This is achieved by sending crafted serialized payloads over the exposed JMX port. The attack involves multiple steps, including the initial handshake and the sending of exploit code to achieve successful execution.
When this vulnerability in Apache Tomcat is exploited, it can lead to severe consequences. Attackers able to exploit this RCE can take control of the affected server, leading to potential data breaches and service disruptions. They may install malicious programs or deliberately alter server configurations to damage the system or steal sensitive information. Additionally, this vulnerability could be leveraged in concert with other attacks, further increasing the potential harm. Exploited servers might also be used as a foothold for further internal network exploitation, posing a significant security threat to organizations.
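To check whether a Tomcat instance has the precondition described above (the JmxRemoteLifecycleListener enabled with its JMX/RMI ports reachable), the listener configuration in server.xml can be audited. The following is an added example, not part of the scanner or of Tomcat; the function name `audit_server_xml` and both sample fragments are constructed for illustration, and a listener without `rmiBindAddress` is assumed to listen on all interfaces.

```python
import xml.etree.ElementTree as ET

LISTENER = "org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample server.xml fragments (ports and addresses are made up).
EXPOSED = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener"/>
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002"/>
</Server>"""

RESTRICTED = """<Server port="8005" shutdown="SHUTDOWN">
  <!-- <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
                 rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002"/> -->
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="20001" rmiServerPortPlatform="20002"
            rmiBindAddress="127.0.0.1"/>
</Server>"""


def audit_server_xml(xml_text):
    """Return one finding per active JmxRemoteLifecycleListener element."""
    findings = []
    # ElementTree drops XML comments, so commented-out listeners are ignored.
    for el in ET.fromstring(xml_text).iter("Listener"):
        if el.get("className") != LISTENER:
            continue
        bind = el.get("rmiBindAddress")
        ports = [int(el.get(a)) for a in
                 ("rmiRegistryPortPlatform", "rmiServerPortPlatform") if el.get(a)]
        findings.append({
            "ports": ports,          # the ports to firewall or monitor
            "bind_address": bind,
            # Assumption: no rmiBindAddress means listening on all interfaces.
            "network_reachable": bind not in LOOPBACK,
        })
    return findings


if __name__ == "__main__":
    for name, xml in (("exposed", EXPOSED), ("restricted", RESTRICTED)):
        for f in audit_server_xml(xml):
            state = "REVIEW" if f["network_reachable"] else "loopback only"
            print(f"{name}: ports={f['ports']} bind={f['bind_address']} -> {state}")
```

A finding marked REVIEW means the listed ports should be confirmed as firewalled from untrusted networks, or the listener removed if remote JMX is not needed.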