CVE-2016-3427
9.8 CRITICAL
📋 TL;DR
This critical vulnerability in Oracle Java's JMX (Java Management Extensions) component allows remote attackers to execute arbitrary code, potentially compromising confidentiality, integrity, and availability of affected systems. It affects multiple Java versions across desktop, embedded, and server deployments. Attackers can exploit this without authentication via network-accessible JMX endpoints.
💻 Affected Systems
Products:
- Oracle Java SE
- Java SE Embedded
- JRockit
Versions: Java SE 6u113, 7u99, 8u77; Java SE Embedded 8u77; JRockit R28.3.9
Operating Systems: All platforms running affected Java versions
Default Config Vulnerable:
⚠️ Yes
Notes: Any system with JMX enabled (often default in server deployments) is vulnerable. Desktop Java installations may also be affected if JMX is enabled.
📦 What is this software?
Cassandra by Apache
Cassandra by Apache
Cassandra by Apache
Cassandra by Apache
Cassandra by Apache
E Series Santricity Management Plug Ins by Netapp
View all CVEs affecting E Series Santricity Management Plug Ins →
E Series Santricity Storage Manager by Netapp
View all CVEs affecting E Series Santricity Storage Manager →
E Series Santricity Web Services by Netapp
Jdk by Oracle
Jdk by Oracle
Jdk by Oracle
Jre by Oracle
Jre by Oracle
Jre by Oracle
Jrockit by Oracle
Leap by Opensuse
Linux by Oracle
Linux by Oracle
Linux by Oracle
Linux Enterprise Module For Legacy by Suse
View all CVEs affecting Linux Enterprise Module For Legacy →
Linux Enterprise Software Development Kit by Suse
View all CVEs affecting Linux Enterprise Software Development Kit →
Linux Enterprise Software Development Kit by Suse
View all CVEs affecting Linux Enterprise Software Development Kit →
Opensuse by Opensuse
Opensuse by Opensuse
Satellite by Redhat
Satellite by Redhat
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise leading to data theft, ransomware deployment, or integration into botnets
Likely Case
Remote code execution allowing attackers to install malware, exfiltrate data, or pivot to other systems
If Mitigated
Limited impact if JMX is disabled or properly firewalled, though other attack vectors may exist
🌐 Internet-Facing: HIGH - Exploitable remotely without authentication, CVSS 9.8 indicates critical severity
🏢 Internal Only: HIGH - Even internally, this allows lateral movement and privilege escalation
🎯 Exploit Status
Public PoC:
⚠️ Yes
Weaponized:
LIKELY
Unauthenticated Exploit:
⚠️ Yes
Complexity:
LOW
The vulnerability is in JMX which is designed for remote management, making exploitation straightforward. Public references suggest active exploitation was occurring.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Java SE 6u115, 7u101, 8u91 (or later versions)
Vendor Advisory: https://www.oracle.com/security-alerts/cpuapr2016.html
Restart Required: Yes
Instructions:
1. Download latest Java version from Oracle
2. Uninstall old Java version
3. Install patched version
4. Restart all Java applications and services
🔧 Temporary Workarounds
Disable JMX
allDisable Java Management Extensions to remove attack surface
Set com.sun.management.jmxremote=false in JVM arguments
Remove -Dcom.sun.management.jmxremote from startup scripts
Firewall JMX Ports
linuxBlock network access to JMX ports (default 1099, 7091)
iptables -A INPUT -p tcp --dport 1099 -j DROP
iptables -A INPUT -p tcp --dport 7091 -j DROP
🧯 If You Can't Patch
- Disable JMX completely on all affected systems
- Implement strict network segmentation and firewall rules to block JMX ports (1099, 7091) from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check Java version with 'java -version'. If version matches affected range (6u113, 7u99, 8u77) and JMX is enabled, system is vulnerable.Check Version:
java -version 2>&1 | grep 'version'Verify Fix Applied:
Verify Java version is 6u115+, 7u101+, or 8u91+ with 'java -version'. Check that JMX is disabled or properly secured.📡 Detection & Monitoring
Log Indicators:
- Unusual JMX connection attempts
- Java process spawning unexpected child processes
- Authentication failures on JMX ports
Network Indicators:
- Unexpected connections to port 1099 or 7091
- JMX traffic from untrusted sources
- Anomalous Java RMI traffic
SIEM Query:
source_port=1099 OR source_port=7091 OR dest_port=1099 OR dest_port=7091 | stats count by src_ip, dest_ip🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00009.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00012.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00022.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00026.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00027.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00039.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00040.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00042.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00058.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00059.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00061.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00067.html
- http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00002.html
- http://rhn.redhat.com/errata/RHSA-2016-0650.html
- http://rhn.redhat.com/errata/RHSA-2016-0651.html
- http://rhn.redhat.com/errata/RHSA-2016-0675.html
- http://rhn.redhat.com/errata/RHSA-2016-0676.html
- http://rhn.redhat.com/errata/RHSA-2016-0677.html
- http://rhn.redhat.com/errata/RHSA-2016-0678.html
- http://rhn.redhat.com/errata/RHSA-2016-0679.html
- http://rhn.redhat.com/errata/RHSA-2016-0701.html
- http://rhn.redhat.com/errata/RHSA-2016-0702.html
- http://rhn.redhat.com/errata/RHSA-2016-0708.html
- http://rhn.redhat.com/errata/RHSA-2016-0716.html
- http://rhn.redhat.com/errata/RHSA-2016-0723.html
- http://rhn.redhat.com/errata/RHSA-2016-1039.html
- http://www.debian.org/security/2016/dsa-3558
- http://www.openwall.com/lists/oss-security/2020/08/31/1
- http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
- http://www.securityfocus.com/bid/86421
- http://www.securitytracker.com/id/1035596
- http://www.securitytracker.com/id/1037331
- http://www.ubuntu.com/usn/USN-2963-1
- http://www.ubuntu.com/usn/USN-2964-1
- http://www.ubuntu.com/usn/USN-2972-1
- https://access.redhat.com/errata/RHSA-2016:1430
- https://access.redhat.com/errata/RHSA-2017:1216
- https://kc.mcafee.com/corporate/index?page=content&id=SB10159
- https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r5f48b16573a11fdf0b557cc3d1d71423ecde8ee771c29f32334fa948%40%3Cdev.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rc3abf40b06c511d5693baf707d6444bf7745e6a1e343e6f530a12258%40%3Cuser.cassandra.apache.org%3E
- https://security.gentoo.org/glsa/201606-18
- https://security.netapp.com/advisory/ntap-20160420-0001/
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00009.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00012.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00022.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00026.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00027.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00039.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00040.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00042.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00058.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00059.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00061.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00067.html
- http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00002.html
- http://rhn.redhat.com/errata/RHSA-2016-0650.html
- http://rhn.redhat.com/errata/RHSA-2016-0651.html
- http://rhn.redhat.com/errata/RHSA-2016-0675.html
- http://rhn.redhat.com/errata/RHSA-2016-0676.html
- http://rhn.redhat.com/errata/RHSA-2016-0677.html
- http://rhn.redhat.com/errata/RHSA-2016-0678.html
- http://rhn.redhat.com/errata/RHSA-2016-0679.html
- http://rhn.redhat.com/errata/RHSA-2016-0701.html
- http://rhn.redhat.com/errata/RHSA-2016-0702.html
- http://rhn.redhat.com/errata/RHSA-2016-0708.html
- http://rhn.redhat.com/errata/RHSA-2016-0716.html
- http://rhn.redhat.com/errata/RHSA-2016-0723.html
- http://rhn.redhat.com/errata/RHSA-2016-1039.html
- http://www.debian.org/security/2016/dsa-3558
- http://www.openwall.com/lists/oss-security/2020/08/31/1
- http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
- http://www.securityfocus.com/bid/86421
- http://www.securitytracker.com/id/1035596
- http://www.securitytracker.com/id/1037331
- http://www.ubuntu.com/usn/USN-2963-1
- http://www.ubuntu.com/usn/USN-2964-1
- http://www.ubuntu.com/usn/USN-2972-1
- https://access.redhat.com/errata/RHSA-2016:1430
- https://access.redhat.com/errata/RHSA-2017:1216
- https://kc.mcafee.com/corporate/index?page=content&id=SB10159
- https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r5f48b16573a11fdf0b557cc3d1d71423ecde8ee771c29f32334fa948%40%3Cdev.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rc3abf40b06c511d5693baf707d6444bf7745e6a1e343e6f530a12258%40%3Cuser.cassandra.apache.org%3E
- https://security.gentoo.org/glsa/201606-18
- https://security.netapp.com/advisory/ntap-20160420-0001/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-3427
