PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-6043 IBM CVE debrief

CVE-2016-6043 affects IBM Tivoli Storage Manager Operations Center and can let a local user take over a previously logged-in user’s session when expiration is not enforced. IBM’s advisory is cited by NVD, and the issue is rated High with confidentiality, integrity, and availability impact.

Vendor: IBM
Product: CVE-2016-6043
CVSS: HIGH 7
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

IBM Tivoli Storage Manager / Tivoli Storage Manager Operations Center administrators and security teams, especially on systems where multiple local users or shared admin access are possible.

Technical summary

NVD maps this issue to CWE-384 (session fixation) and assigns CVSS 3.0 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability is described as a failure to enforce session expiration in Tivoli Storage Manager Operations Center, allowing a local user to take over an existing authenticated session. NVD lists affected IBM Tivoli Storage Manager versions including 6.4.1 through 6.4.2.4 and 7.1 through 7.1.7, with multiple point releases covered in between.
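The defect class behind this CVE in plain code, as an added illustration that is not IBM's code and does not model Operations Center internals: a session store whose entries never expire, next to one that enforces idle and absolute timeouts and refuses to honour a client-supplied session id at login (the timeout values are constructed assumptions).

```python
"""Constructed example of the CWE-384 / session-expiration defect class.
Not IBM Tivoli Storage Manager code; timeouts are illustrative."""
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # assumed: seconds of inactivity before expiry
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed: hard cap on any session's lifetime


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class WeakSessionStore:
    """Vulnerable pattern: a session id stays valid until explicit logout,
    so whoever later presents it inherits the authenticated user."""
    def __init__(self):
        self._sessions = {}

    def login(self, user, now):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, now, now)
        return sid

    def resolve(self, sid, now):
        s = self._sessions.get(sid)
        return s.user if s else None   # no expiry check at all


class HardenedSessionStore(WeakSessionStore):
    """Enforces idle and absolute expiry and always mints a fresh id at
    login, so a pre-existing id cannot be fixed onto a new authentication."""
    def login(self, user, now, presented_sid=None):
        if presented_sid in self._sessions:
            del self._sessions[presented_sid]   # discard any pre-login id
        return super().login(user, now)

    def resolve(self, sid, now):
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]   # expired: remove so it cannot be reused
            return None
        s.last_seen = now             # sliding idle window
        return s.user

    def logout(self, sid):
        self._sessions.pop(sid, None)
```

Feed `resolve` a clock value rather than `time.time()` in tests so expiry boundaries can be checked deterministically.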

Defensive priority

High — patch and validate quickly on any exposed or shared administration host, because successful abuse can fully compromise the affected session.

Recommended defensive actions

  • Confirm whether Tivoli Storage Manager Operations Center is installed and whether any listed vulnerable versions are in use.
  • Apply IBM’s vendor fix or mitigations referenced in the IBM advisory cited by NVD.
  • Review local access controls on hosts running the Operations Center; restrict shell, console, and shared-admin access to trusted administrators only.
  • Log out inactive administrative sessions and verify session timeout behavior after remediation.
  • Reassess any service accounts or shared admin workflows that could increase exposure to local session takeover.
  • Track the NVD record and IBM advisory for any additional remediation notes or version-specific guidance.

Evidence notes

Supported by the NVD record for CVE-2016-6043, which cites IBM’s vendor advisory and lists the affected Tivoli Storage Manager versions. The NVD entry shows the vulnerability as modified on 2026-05-13, while the CVE publication date is 2017-02-01. The public description states that session expiration was not enforced, enabling local takeover of a previously logged-in user.

Official resources

Publicly disclosed in the NVD CVE record on 2017-02-01; the NVD entry was later modified on 2026-05-13. IBM’s advisory is referenced by NVD as the vendor source.