### [CVE-2016-8735](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735)
![](https://img.shields.io/static/v1?label=Product&message=Apache%20Tomcat&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=7.x%20before%207.0.73%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=8.5.x%20before%208.5.7%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=8.x%20before%208.0.39%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=9.x%20before%209.0.0.M12%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=before%206.0.48%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=Remote%20code%20execution&color=brightgreen)

### Description

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
### POC

#### Reference
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

#### Github
- https://github.com/20142995/nuclei-templates
- https://github.com/20142995/pocsuite3
- https://github.com/7hang/cyber-security-interview
- https://github.com/ARPSyndicate/cve-scores
- https://github.com/ARPSyndicate/cvemon
- https://github.com/AdeliaNitzsche/Java-Deserialization-Cheat-Sheet
- https://github.com/BrittanyKuhn/javascript-tutorial
- https://github.com/Drun1baby/CVE-Reproduction-And-Analysis
- https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
- https://github.com/Ostorlab/KEV
- https://github.com/Ostorlab/known_exploited_vulnerbilities_detectors
- https://github.com/PalindromeLabs/Java-Deserialization-CVEs
- https://github.com/QChiLan/jexboss
- https://github.com/SexyBeast233/SecBooks
- https://github.com/ZTK-009/RedTeamer
- https://github.com/bibortone/Jexboss
- https://github.com/brunsu/woodswiki
- https://github.com/c002/Java-Application-Exploits
- https://github.com/cyb3r-w0lf/nuclei-template-collection
- https://github.com/dusbot/cpe2cve
- https://github.com/ecomtech-oss/pisc
- https://github.com/fengjixuchui/RedTeamer
- https://github.com/gyanaa/https-github.com-joaomatosf-jexboss
- https://github.com/ilmari666/cybsec
- https://github.com/joaomatosf/jexboss
- https://github.com/klausware/Java-Deserialization-Cheat-Sheet
- https://github.com/m3n0sd0n4ld/uCVE
- https://github.com/milkdevil/jexboss
- https://github.com/mishmashclone/GrrrDog-Java-Deserialization-Cheat-Sheet
- https://github.com/okostine-panw/pc_scripts
- https://github.com/oneplus-x/jok3r
- https://github.com/password520/RedTeamer
- https://github.com/pmihsan/Jex-Boss
- https://github.com/qashqao/jexboss
- https://github.com/safe6Sec/PentestNote
- https://github.com/samokat-oss/pisc
- https://github.com/superfish9/pt
- https://github.com/syadg123/exboss
- https://github.com/tanjiti/sec_profile
- https://github.com/trganda/dockerv
- https://github.com/woods-sega/woodswiki