PatchSiren cyber security CVE debrief

CVE-2016-6059 IBM CVE debrief

CVE-2016-6059 is an IBM InfoSphere XML processing weakness that can be abused through XML External Entity (XXE) handling. According to NVD, the issue can lead to sensitive information exposure and denial of service through memory consumption. IBM’s advisory and the NVD record identify affected InfoSphere DataStage and InfoSphere Information Server versions, with a CVSS 3.0 score of 8.1 (High).

Vendor: IBM
Product: CVE-2016-6059
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

IBM InfoSphere Information Server and DataStage administrators, application owners that accept or process XML input, and security teams responsible for patching and hardening IBM data integration platforms.

Technical summary

NVD classifies the weakness as CWE-611 (XXE). The CVSS vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H, indicating a network-reachable issue that requires low privileges and no user interaction. The impact described in the source material is exposure of highly sensitive information and potential denial of service from resource exhaustion/allocation during XML processing. Affected CPEs listed by NVD include IBM InfoSphere DataStage 11.3, 11.3.1, and 11.5; IBM InfoSphere Information Server 11.3, 11.3.1, and 11.5; and IBM InfoSphere Information Server on Cloud 11.5.

Defensive priority

High. The combination of network reachability, confidentiality impact, and availability impact makes this a meaningful patching and configuration-hardening priority for environments that ingest untrusted XML.

Recommended defensive actions

  • Apply the IBM fix or mitigation referenced in the vendor advisory for affected deployments.
  • Inventory IBM InfoSphere DataStage, InfoSphere Information Server, and Information Server on Cloud instances for the affected versions listed by NVD.
  • Review XML parsing and integration workflows to ensure external entities are disabled or otherwise safely handled where supported.
  • Limit access to XML-processing interfaces and service endpoints to trusted networks and authenticated users only.
  • Monitor for abnormal memory growth, parser failures, or unexpected data exposure events in XML-handling components.
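
As a sketch of the "external entities are disabled or otherwise safely handled" action, the following added example (not IBM's code and not taken from the advisory) screens inbound XML at an intake point in front of an XML-processing interface, rejecting any document that carries a DOCTYPE or entity declaration or exceeds a size limit. The names `screen_xml` and `MAX_BYTES`, the limit value, and the sample documents are assumptions made for illustration.

```python
import xml.parsers.expat

MAX_BYTES = 1_000_000  # assumed intake size limit; tune per workflow


class Rejected(Exception):
    """Raised from expat callbacks to abort parsing immediately."""


def screen_xml(data: bytes, max_bytes: int = MAX_BYTES) -> str:
    """Return 'accept' or 'reject: <reason>' for one inbound document."""
    if len(data) > max_bytes:
        return "reject: oversized"

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise Rejected("doctype")

    def on_entity_decl(*args):
        raise Rejected("entity declaration")

    def on_external_ref(context, base, system_id, public_id):
        raise Rejected("external entity reference")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)  # True marks this as the final chunk
    except Rejected as exc:
        return f"reject: {exc}"
    except xml.parsers.expat.ExpatError:
        return "reject: malformed"
    return "accept"


# Constructed samples, not taken from the advisory.
CLEAN = b"<job><name>nightly-load</name></job>"
WITH_DTD = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE job [<!ENTITY ext SYSTEM "http://example.invalid/x">]>'
            b"<job>&ext;</job>")
BROKEN = b"<job><name></job>"

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("dtd", WITH_DTD), ("broken", BROKEN)):
        print(label, "->", screen_xml(doc))
```

A screen like this complements the vendor fix rather than replacing it, and only suits workflows whose legitimate documents never need a DTD.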

Evidence notes

This debrief is based only on the supplied NVD record and IBM/related references. The CVE was published on 2017-02-01 and later modified on 2026-05-13; that later modification date is not treated as the issue date. NVD lists the vulnerability as CWE-611 with CVSS 3.0 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H. Official references supplied in the corpus include the IBM PSIRT advisory and the NVD/CVE records.

Official resources

Publicly disclosed in the CVE record on 2017-02-01. No Known Exploited Vulnerabilities (KEV) entry was supplied for this CVE.