PatchSiren cyber security CVE debrief
CVE-2016-3043 IBM CVE debrief
CVE-2016-3043 is an IBM information-disclosure issue tied to HTTP Strict Transport Security not being properly enabled. In affected IBM Security Access Manager deployments, a remote attacker positioned in the network path could use man-in-the-middle techniques to try to obtain sensitive information. The issue was published by the CVE program on 2017-02-01 and is rated medium severity in the supplied record.
- Vendor: IBM
- Product: CVE-2016-3043
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-01
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-01
- Advisory updated: 2026-05-13
Who should care
Administrators and security teams responsible for IBM Security Access Manager for Web, IBM Security Access Manager for Mobile, and IBM Security Access Manager 9.0 firmware—especially if the service is reachable over untrusted networks or handles authentication traffic.
Technical summary
The NVD record describes a failure to properly enable HSTS, which can leave HTTPS users exposed to downgrade or SSL-stripping style man-in-the-middle risk. The supplied CVSS vector is CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating a network-reachable issue with high attack complexity and high confidentiality impact. NVD lists CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The affected CPEs in the supplied source include IBM Security Access Manager for Web 7.0 firmware, 8.0 firmware, IBM Security Access Manager for Mobile, and IBM Security Access Manager 9.0 firmware; the appliance hardware CPE entries are marked not vulnerable.
Defensive priority
Medium. Prioritize remediation for Internet-facing or authentication-heavy deployments because the impact is confidentiality loss over network traffic.
Recommended defensive actions
- Apply the IBM fix or update referenced in the vendor advisory as soon as practical.
- Confirm HSTS is enabled on all relevant user-facing HTTPS endpoints and that reverse proxies, load balancers, or front-end components are not stripping the header.
- Inventory IBM Security Access Manager for Web, Mobile, and 9.0 firmware deployments to identify any affected instances and compare them against the NVD CPE list.
- Treat exposed deployments as higher priority if they process login, session, or other sensitive traffic.
- Use the IBM vendor advisory and NVD record to verify whether your specific appliance or firmware combination is in scope before making changes.
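The technical summary and the second recommended action both come down to one verifiable question: does every user-facing HTTPS endpoint actually deliver a usable Strict-Transport-Security header once the response has passed through any reverse proxy or load balancer? The script below is an added example written for this debrief; it is not IBM code and has no knowledge of IBM Security Access Manager internals. It evaluates response headers against the RFC 6797 rules a browser applies (first STS header wins, malformed or duplicated directives cause the header to be ignored, max-age=0 clears the policy) and flags the weak configurations that still count as "not properly enabled". The sample header sets, the one-year minimum max-age, and the host names in the usage comment are constructed assumptions.

```python
"""Check whether HTTPS responses carry an effective HSTS header (RFC 6797)."""
import http.client

# Assumed policy floor: one year, the value the browser preload lists expect.
MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse an STS field value into {directive_name: value}.

    Directive names are case-insensitive. Returns None when the header would
    be discarded by a conforming user agent: a directive repeated more than
    once, or an empty directive name.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, raw = part.partition("=")
        name = name.strip().lower()
        if not name or name in directives:
            return None  # RFC 6797 6.1: each directive appears at most once
        directives[name] = raw.strip().strip('"')
    return directives


def evaluate_hsts(headers, min_max_age=MIN_MAX_AGE):
    """Return (status, findings) for a list of (name, value) response headers.

    status is one of: 'missing', 'invalid', 'disabled', 'weak', 'ok'.
    headers is a list of tuples, the shape http.client's getheaders() returns,
    so repeated STS headers stay visible (browsers process only the first).
    """
    findings = []
    sts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not sts:
        return "missing", ["no Strict-Transport-Security header: HSTS not enabled"]
    if len(sts) > 1:
        findings.append(f"{len(sts)} STS headers sent; browsers honour only the first")

    directives = parse_hsts(sts[0])
    if directives is None:
        return "invalid", findings + ["malformed STS header; browsers will ignore it"]
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return "invalid", findings + ["max-age missing or non-numeric; header ignored"]
    max_age = int(max_age)
    if max_age == 0:
        return "disabled", findings + ["max-age=0 tells browsers to forget the policy"]
    if max_age < min_max_age:
        findings.append(f"max-age={max_age} is below the {min_max_age}s floor")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains absent: subdomains remain downgradable")
    return ("weak" if findings else "ok"), findings


def fetch_headers(host, path="/", timeout=10):
    """HEAD an HTTPS endpoint and return its headers as (name, value) pairs.

    Run it against the public name AND directly against the backend behind
    each proxy; a mismatch shows the header is being stripped in transit.
    """
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    try:
        conn.request("HEAD", path)
        return conn.getresponse().getheaders()
    finally:
        conn.close()


# Constructed sample header sets covering the cases an audit should catch.
SAMPLE_RESPONSES = {
    "correct": [("Content-Type", "text/html"),
                ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")],
    "missing": [("Content-Type", "text/html")],
    "disabled": [("Strict-Transport-Security", "max-age=0")],
    "short": [("Strict-Transport-Security", "max-age=300; includeSubDomains")],
    "duplicate": [("Strict-Transport-Security", "max-age=31536000"),
                  ("Strict-Transport-Security", "max-age=0")],
    "garbled": [("Strict-Transport-Security", "max-age=one-year")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        status, notes = evaluate_hsts(hdrs)
        print(f"{label:10} {status:9} {'; '.join(notes)}")
    # Live use (hypothetical host names):
    # for host in ("sso.example.com", "isam-backend.internal.example.com"):
    #     print(host, evaluate_hsts(fetch_headers(host)))
```

Compare the result for the public host name with the result from the backend; if the backend reports "ok" and the public name reports "missing", the header is being dropped by the proxy layer rather than by the appliance, which is exactly the case the second recommended action asks you to rule out.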
Evidence notes
Source evidence ties the issue to IBM via the NVD record and the IBM PSIRT advisory reference. The NVD metadata states the vulnerability is related to failure to properly enable HTTP Strict Transport Security and lists CWE-200 with CVSS 3.0 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N. The supplied NVD CPE criteria mark IBM Security Access Manager for Web 7.0 firmware, 8.0 firmware, IBM Security Access Manager for Mobile, and IBM Security Access Manager 9.0 firmware as vulnerable, while the appliance hardware entries are marked not vulnerable. Published date used here is the CVE publication timestamp 2017-02-01, not the later modified timestamp.
Official resources
- CVE-2016-3043 CVE record (CVE.org)
- CVE-2016-3043 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
CVE published 2017-02-01; NVD record modified 2026-05-13. This debrief uses the CVE publication date for disclosure context.