Sid 1-46071

Message

SERVER-APACHE Apache Tomcat Java JmxRemoteLifecycleListener unauthorized serialized object attempt

Summary

This event is generated when an attacker attempts to exploit an Apache Tomcat remote code execution vulnerability.

Impact

Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

CVE-2016-8735:

CVSS base score 9.8

CVSS impact score 5.9

CVSS exploitability score 3.9

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Detailed information

CVE-2016-8735: Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
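When this rule fires, the first triage question is whether the destination host meets both preconditions stated above: a Tomcat version from before the fix and a configured JmxRemoteLifecycleListener. The following is an added example, not part of the rule documentation or of Tomcat; the function names are hypothetical, the server.xml sample is constructed, and a bare "9.0.0" is treated as affected because the list below includes it.

```python
import re
import xml.etree.ElementTree as ET

LISTENER = "org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
# First fixed patch level per branch, taken from the CVE text above.
FIXED_PATCH = {(6, 0): 48, (7, 0): 73, (8, 0): 39, (8, 5): 7}
FIXED_9_MILESTONE = 12  # 9.x is fixed from 9.0.0.M12

# Constructed sample config, not taken from a real host.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener"/>
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002"/>
</Server>"""

def version_is_affected(version):
    """True if a Tomcat version string (e.g. '8.5.6', '9.0.0.M11') predates the fix."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    milestone = m.group(4)
    if major == 9:
        # Only 9.0.0 milestone builds before M12 are in range.
        return (minor, patch) == (0, 0) and (
            milestone is None or int(milestone) < FIXED_9_MILESTONE)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is not None:
        return patch < fixed
    # "before 6.0.48" read literally covers older branches; newer ones are fixed.
    return (major, minor) < (6, 0)

def jmx_listeners(server_xml):
    """Return the RMI port attributes of each JmxRemoteLifecycleListener element."""
    root = ET.fromstring(server_xml)
    return [{k: el.get(k) for k in ("rmiRegistryPortPlatform", "rmiServerPortPlatform")}
            for el in root.iter("Listener") if el.get("className") == LISTENER]

def triage(version, server_xml):
    """Combine both preconditions; network reachability of the ports is checked separately."""
    affected = version_is_affected(version)
    listeners = jmx_listeners(server_xml)
    return {"affected_version": affected, "listeners": listeners,
            "both_preconditions": affected and bool(listeners)}

if __name__ == "__main__":
    print(triage("8.5.6", SAMPLE_SERVER_XML))
```

The ports returned in `listeners` are the ones to compare against the alert's destination port and the firewall rules for the host.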

Affected systems

  • apache tomcat 6.0.0
  • apache tomcat 6.0.1
  • apache tomcat 6.0.2
  • apache tomcat 6.0.3
  • apache tomcat 6.0.4
  • apache tomcat 6.0.5
  • apache tomcat 6.0.6
  • apache tomcat 6.0.7
  • apache tomcat 6.0.8
  • apache tomcat 6.0.9
  • apache tomcat 6.0.10
  • apache tomcat 6.0.11
  • apache tomcat 6.0.12
  • apache tomcat 6.0.13
  • apache tomcat 6.0.14
  • apache tomcat 6.0.15
  • apache tomcat 6.0.16
  • apache tomcat 6.0.17
  • apache tomcat 6.0.18
  • apache tomcat 6.0.19
  • apache tomcat 6.0.20
  • apache tomcat 6.0.21
  • apache tomcat 6.0.22
  • apache tomcat 6.0.23
  • apache tomcat 6.0.24
  • apache tomcat 6.0.25
  • apache tomcat 6.0.26
  • apache tomcat 6.0.27
  • apache tomcat 6.0.28
  • apache tomcat 6.0.29
  • apache tomcat 6.0.30
  • apache tomcat 6.0.31
  • apache tomcat 6.0.32
  • apache tomcat 6.0.33
  • apache tomcat 6.0.34
  • apache tomcat 6.0.35
  • apache tomcat 6.0.36
  • apache tomcat 6.0.37
  • apache tomcat 6.0.38
  • apache tomcat 6.0.39
  • apache tomcat 6.0.40
  • apache tomcat 6.0.41
  • apache tomcat 6.0.42
  • apache tomcat 6.0.43
  • apache tomcat 6.0.44
  • apache tomcat 6.0.45
  • apache tomcat 6.0.46
  • apache tomcat 6.0.47
  • apache tomcat 7.0.0
  • apache tomcat 7.0.1
  • apache tomcat 7.0.2
  • apache tomcat 7.0.3
  • apache tomcat 7.0.4
  • apache tomcat 7.0.5
  • apache tomcat 7.0.6
  • apache tomcat 7.0.7
  • apache tomcat 7.0.8
  • apache tomcat 7.0.9
  • apache tomcat 7.0.10
  • apache tomcat 7.0.11
  • apache tomcat 7.0.12
  • apache tomcat 7.0.13
  • apache tomcat 7.0.14
  • apache tomcat 7.0.15
  • apache tomcat 7.0.16
  • apache tomcat 7.0.17
  • apache tomcat 7.0.18
  • apache tomcat 7.0.19
  • apache tomcat 7.0.20
  • apache tomcat 7.0.21
  • apache tomcat 7.0.22
  • apache tomcat 7.0.23
  • apache tomcat 7.0.24
  • apache tomcat 7.0.25
  • apache tomcat 7.0.26
  • apache tomcat 7.0.27
  • apache tomcat 7.0.28
  • apache tomcat 7.0.29
  • apache tomcat 7.0.30
  • apache tomcat 7.0.31
  • apache tomcat 7.0.32
  • apache tomcat 7.0.33
  • apache tomcat 7.0.34
  • apache tomcat 7.0.35
  • apache tomcat 7.0.36
  • apache tomcat 7.0.37
  • apache tomcat 7.0.38
  • apache tomcat 7.0.39
  • apache tomcat 7.0.40
  • apache tomcat 7.0.41
  • apache tomcat 7.0.42
  • apache tomcat 7.0.43
  • apache tomcat 7.0.44
  • apache tomcat 7.0.45
  • apache tomcat 7.0.46
  • apache tomcat 7.0.47
  • apache tomcat 7.0.48
  • apache tomcat 7.0.49
  • apache tomcat 7.0.50
  • apache tomcat 7.0.51
  • apache tomcat 7.0.52
  • apache tomcat 7.0.53
  • apache tomcat 7.0.54
  • apache tomcat 7.0.55
  • apache tomcat 7.0.56
  • apache tomcat 7.0.57
  • apache tomcat 7.0.58
  • apache tomcat 7.0.59
  • apache tomcat 7.0.60
  • apache tomcat 7.0.61
  • apache tomcat 7.0.62
  • apache tomcat 7.0.63
  • apache tomcat 7.0.64
  • apache tomcat 7.0.65
  • apache tomcat 7.0.66
  • apache tomcat 7.0.67
  • apache tomcat 7.0.68
  • apache tomcat 7.0.69
  • apache tomcat 7.0.70
  • apache tomcat 7.0.71
  • apache tomcat 7.0.72
  • apache tomcat 8.0.0
  • apache tomcat 8.0.1
  • apache tomcat 8.0.2
  • apache tomcat 8.0.3
  • apache tomcat 8.0.4
  • apache tomcat 8.0.5
  • apache tomcat 8.0.6
  • apache tomcat 8.0.7
  • apache tomcat 8.0.8
  • apache tomcat 8.0.9
  • apache tomcat 8.0.10
  • apache tomcat 8.0.11
  • apache tomcat 8.0.12
  • apache tomcat 8.0.13
  • apache tomcat 8.0.14
  • apache tomcat 8.0.15
  • apache tomcat 8.0.16
  • apache tomcat 8.0.17
  • apache tomcat 8.0.18
  • apache tomcat 8.0.19
  • apache tomcat 8.0.20
  • apache tomcat 8.0.21
  • apache tomcat 8.0.22
  • apache tomcat 8.0.23
  • apache tomcat 8.0.24
  • apache tomcat 8.0.25
  • apache tomcat 8.0.26
  • apache tomcat 8.0.27
  • apache tomcat 8.0.28
  • apache tomcat 8.0.29
  • apache tomcat 8.0.30
  • apache tomcat 8.0.31
  • apache tomcat 8.0.32
  • apache tomcat 8.0.33
  • apache tomcat 8.0.34
  • apache tomcat 8.0.35
  • apache tomcat 8.0.36
  • apache tomcat 8.0.37
  • apache tomcat 8.0.38
  • apache tomcat 8.5.0
  • apache tomcat 8.5.1
  • apache tomcat 8.5.2
  • apache tomcat 8.5.3
  • apache tomcat 8.5.4
  • apache tomcat 8.5.5
  • apache tomcat 8.5.6
  • apache tomcat 9.0.0

Ease of attack

Medium

False positives

Not known

False negatives

Not known

Corrective action

Update Apache Tomcat

Contributors

  • Cisco's Talos Intelligence Group

Additional References

  • github.com/frohoff/ysoserial
  • tomcat.apache.org/security-6.html