PatchSiren

CVE-2016-2879 IBM CVE debrief

CVE-2016-2879 is a high-severity IBM QRadar 7.2 issue involving outdated hashing of certain passwords. According to the NVD record and IBM’s advisory reference, a local user with limited privileges could obtain and decrypt user credentials. The affected range listed by NVD covers QRadar Security Information and Event Manager 7.2.0 through 7.2.7. IBM references this as security advisory 1997341.

Vendor: IBM
Product: CVE-2016-2879
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-01
Original CVE updated: 2026-05-13
Advisory published: 2017-03-01
Advisory updated: 2026-05-13

Who should care

IBM QRadar administrators, SOC teams, and security operations staff running QRadar Security Information and Event Manager 7.2.0 through 7.2.7. It also matters to organizations where local users or delegated admins may have access to the QRadar host.

Technical summary

NVD maps this issue to CWE-326 and gives a CVSS 3.0 vector of AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a local attack that requires low privileges. The vulnerability is described as outdated hashing being used for certain passwords, which could allow a local user to recover and decrypt user credentials. NVD lists QRadar SIEM versions 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, and 7.2.7 as vulnerable.

Defensive priority

High priority. The issue is local and requires some privilege, but it can expose credentials with high confidentiality, integrity, and availability impact in a security monitoring product.

Recommended defensive actions

  • Confirm whether IBM QRadar Security Information and Event Manager 7.2.0 through 7.2.7 is deployed.
  • Apply IBM’s vendor guidance and patch referenced in IBM advisory 1997341.
  • Review local user access on QRadar hosts and limit unnecessary shell or administrative access.
  • Rotate any credentials that may have been stored or processed on affected systems after remediation.
  • Verify the environment is no longer running any affected 7.2.x release after patching.

Evidence notes

The debrief is based only on the supplied NVD and IBM reference data. NVD describes the issue as outdated hashing of certain passwords that may let a local user obtain and decrypt credentials, assigns CWE-326, and lists affected QRadar SIEM versions 7.2.0 through 7.2.7. IBM’s advisory reference is cited in the NVD references as swg21997341.

Official resources

CVE published by NVD/CVE on 2017-03-01 and last modified on 2026-05-13, per the supplied record timeline. IBM advisory reference 1997341 is included in the official references.