CVE-2016-8735

Name	CVE-2016-8735
Description	Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-728-1, DLA-729-1, DSA-3738-1, DSA-3739-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
tomcat6 (PTS)	jessie, jessie (lts)	6.0.45+dfsg-1~deb8u1	fixed
tomcat7 (PTS)	jessie, jessie (lts)	7.0.56-3+really7.0.109-1+deb8u6	fixed
	stretch	7.0.75-1	fixed
tomcat8 (PTS)	jessie, jessie (lts)	8.0.14-1+deb8u28	fixed
	stretch (security)	8.5.54-0+deb9u8	fixed
	stretch (lts), stretch	8.5.54-0+deb9u15	fixed
tomcat9 (PTS)	buster (security), buster, buster (lts)	9.0.31-1~deb10u12	fixed
	bullseye (security), bullseye	9.0.43-2~deb11u10	fixed
	bookworm	9.0.70-2	fixed
	sid, trixie	9.0.95-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin
tomcat6	source	wheezy	6.0.45+dfsg-1~deb7u3		DLA-728-1
tomcat6	source	(unstable)	6.0.41-3	low
tomcat7	source	wheezy	7.0.28-4+deb7u7		DLA-729-1
tomcat7	source	jessie	7.0.56-3+deb8u6		DSA-3738-1
tomcat7	source	(unstable)	7.0.72-3
tomcat8	source	jessie	8.0.14-1+deb8u5		DSA-3739-1
tomcat8	source	(unstable)	8.0.39-1
tomcat9	source	(unstable)	(not affected)

Notes

- tomcat9 <not-affected> (Fixed before initial upload to Debian)
Since 7.0.72-3, src:tomcat7 only builds the Servlet API
Since 6.0.41-3, src:tomcat6 only builds a servlet and docs in Jessie
Fixed by: http://svn.apache.org/r1767656 (8.0.x)
Fixed by: http://svn.apache.org/r1767676 (7.0.x)
Fixed by: http://svn.apache.org/r1767684 (6.0.x)