PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-3024 IBM CVE debrief

CVE-2016-3024 is an information disclosure issue in IBM Security Access Manager for Web and related Mobile/Web firmware. According to NVD, web pages can be stored locally in a way that may allow another user on the same system to read them. The weakness is classified as CWE-200 and scored 4.0 under CVSS 3.0 (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), so the primary concern is unintended exposure of locally stored content rather than system compromise.

Vendor: IBM
Product: IBM Security Access Manager for Web
CVSS: MEDIUM 4
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

Administrators and operators of IBM Security Access Manager for Web or Mobile on shared systems, especially environments where multiple users or processes can access the same local storage.

Technical summary

NVD describes the flaw as local storage of web pages that can be read by another user on the system. The CVSS vector indicates a local attack surface, no privileges required, no user interaction, and limited confidentiality impact only. NVD maps the issue to CWE-200 and lists IBM Security Access Manager 8.0 and 9.0 firmware CPEs as affected, with IBM’s PSIRT advisory referenced for remediation guidance.

Defensive priority

Medium priority: this is a local information disclosure issue with limited confidentiality impact, but it matters on multi-user or shared-host deployments.

Recommended defensive actions

  • Review IBM’s PSIRT advisory referenced by NVD for the applicable remediation guidance.
  • Apply the vendor patch or upgrade path identified by IBM for your affected Security Access Manager release.
  • Treat shared or multi-user deployments as higher risk and verify that locally stored web content is not accessible outside its intended security boundary.
  • After remediation, confirm the affected IBM Security Access Manager components are running the corrected release and that local storage permissions remain appropriately restricted.
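
One way to run the permission check described in the last two actions, as an added example that is not IBM's tooling or part of the advisory. The directory tree is constructed for the demonstration because the page does not name the real storage location; the script assumes POSIX mode bits only (no ACLs) and that directories above the scanned root are traversable.

```python
import os
import stat
import tempfile

def exposed_files(root):
    """Return (relative path, classes) for regular files under root that a
    local user other than the owner could read, judged by POSIX mode bits."""
    root = os.path.abspath(root)
    findings = []

    def walk(directory, group_ok, other_ok):
        mode = os.lstat(directory).st_mode
        # A class of user reaches an entry only if every directory on the
        # way down grants that class search (x) permission.
        group_ok = group_ok and bool(mode & stat.S_IXGRP)
        other_ok = other_ok and bool(mode & stat.S_IXOTH)
        if not (group_ok or other_ok):
            return  # nothing below here is reachable by other users
        for entry in os.scandir(directory):
            if entry.is_symlink():
                continue  # do not follow links out of the tree
            if entry.is_dir(follow_symlinks=False):
                walk(entry.path, group_ok, other_ok)
            elif entry.is_file(follow_symlinks=False):
                fmode = entry.stat(follow_symlinks=False).st_mode
                checks = (("group", group_ok, stat.S_IRGRP),
                          ("other", other_ok, stat.S_IROTH))
                who = [name for name, ok, bit in checks if ok and fmode & bit]
                if who:
                    rel = os.path.relpath(entry.path, root)
                    findings.append((rel, "+".join(who)))

    walk(root, True, True)
    return sorted(findings)

def build_sample():
    """Constructed tree standing in for a local page store (hypothetical)."""
    root = tempfile.mkdtemp(prefix="page-store-")
    os.chmod(root, 0o755)
    cases = [("open", 0o755, "a.html", 0o644), ("open", 0o755, "b.html", 0o600),
             ("locked", 0o700, "c.html", 0o644), ("grp", 0o750, "d.html", 0o640)]
    for sub, dmode, name, fmode in cases:
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write("<html>constructed sample</html>")
        os.chmod(path, fmode)
        os.chmod(d, dmode)
    return root
```

An empty result for the real storage directory means no file there is readable by group or other through mode bits; `locked/c.html` in the sample shows why a permissive file mode alone is not a finding when its parent directory is owner-only.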

Evidence notes

This debrief is based on the NVD record for CVE-2016-3024 and the IBM PSIRT advisory reference listed there. The supplied NVD data identifies the issue as CWE-200 with CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N and lists affected IBM Security Access Manager for Web/Mobile firmware CPEs. The corpus does not include the body of the IBM advisory, so fixed version details are not asserted here.

Official resources

Publicly disclosed in the NVD record published on 2017-02-01; the NVD entry was last modified on 2026-05-13.