PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-6104 IBM CVE debrief

CVE-2016-6104 is a file-upload vulnerability in IBM Tivoli Key Lifecycle Manager / IBM Security Key Lifecycle Manager that could let a remote, authenticated attacker with high privileges upload arbitrary files and potentially execute arbitrary code on the affected system. The issue was publicly disclosed on 2017-02-07 and is rated HIGH in NVD with a CVSS 3.0 base score of 7.2.

Vendor
IBM
Product
IBM Security Key Lifecycle Manager (Tivoli Key Lifecycle Manager) 2.5.x and 2.6.x
CVSS
HIGH 7.2
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-07
Original CVE updated
2026-05-13
Advisory published
2017-02-07
Advisory updated
2026-05-13

Who should care

Administrators and security teams responsible for IBM Tivoli Key Lifecycle Manager / IBM Security Key Lifecycle Manager deployments in the affected 2.5 and 2.6 series should prioritize this issue, especially where administrative interfaces or upload-capable functions are exposed.

Technical summary

NVD describes the weakness as improper validation of file extensions, mapped to CWE-434 (unrestricted upload of file with dangerous type). The affected products listed in NVD are IBM Security Key Lifecycle Manager 2.5.0 through 2.5.0.7 and 2.6.0 through 2.6.0.2. The CVSS 3.0 vector is AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H: the endpoint is reachable over the network, attack complexity is low and no user interaction is needed, but the attacker must already hold high privileges (PR:H); a successful upload then yields high confidentiality, integrity and availability impact on the host (C:H/I:H/A:H), with scope unchanged. In practice the realistic threat is a compromised, phished or malicious administrator account rather than an anonymous remote attacker.
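What "improper validation of file extensions" looks like in code, as an added example rather than IBM's code or the exact flaw in this product: a blocklist check of the kind CWE-434 describes, beside an allowlist check that normalizes the name before inspecting the extension and confirms the content matches the claimed type. The allowlist, the magic-byte table and the function names are assumptions chosen for a key/certificate import endpoint.

```python
"""Extension validation for a file-upload handler: a weak check beside a
hardened one.

Added illustration of CWE-434 (unrestricted upload of file with dangerous
type). This is not IBM's code and makes no claim about which check was flawed
in the product; the allowlist, magic-byte table and names are assumptions.
"""
import os
import unicodedata
from typing import Tuple

# Assumed allowlist of what a key/certificate import endpoint should accept.
ALLOWED_EXTENSIONS = {".p12", ".pfx", ".pem", ".jks", ".zip"}

# Extensions an application server or the OS would execute rather than store.
DANGEROUS_EXTENSIONS = {".jsp", ".jspx", ".war", ".jar", ".sh", ".exe", ".bat", ".php"}

# Leading bytes for the allowed types that have a fixed signature. PKCS#12
# files start with a DER SEQUENCE (0x30), too generic to be useful here, so
# they are left to the parser that will consume them.
MAGIC = {
    ".zip": b"PK\x03\x04",
    ".jks": b"\xfe\xed\xfe\xed",
    ".pem": b"-----BEGIN ",
}


def weak_extension_check(filename: str) -> bool:
    """A blocklist check of the kind CWE-434 warns about.

    It only asks whether the raw name ends with a known-bad extension, so it
    is bypassed by upper case, a trailing dot that Windows strips, or a NUL
    byte that truncates the name once it reaches a C-level file API.
    Returns True when the name is (wrongly) accepted.
    """
    return not any(filename.endswith(ext) for ext in DANGEROUS_EXTENSIONS)


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Allowlist validation. Returns (accepted, detail); on success the
    detail is the sanitized basename the server may use for storage."""
    if "\x00" in filename:
        return False, "NUL byte in filename"
    # Strip any directory component (either separator), normalize Unicode,
    # and drop trailing dots/spaces that some filesystems silently remove.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    base = unicodedata.normalize("NFKC", base).rstrip(". ")
    if not base or base in (".", ".."):
        return False, "empty or traversal name"
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not in allowlist"
    # Refuse double extensions such as 'shell.jsp.pem' instead of trusting
    # only the last segment.
    inner = {seg.lower() for seg in root.split(".")[1:]}
    if any("." + seg in DANGEROUS_EXTENSIONS for seg in inner):
        return False, "embedded executable extension"
    magic = MAGIC.get(ext)
    if magic is not None and not data.startswith(magic):
        return False, f"content does not look like {ext}"
    return True, root + ext


if __name__ == "__main__":
    for name in ["shell.jsp", "shell.JSP", "shell.jsp.", "shell.jsp\x00.pem"]:
        print(f"weak check accepts {name!r}: {weak_extension_check(name)}")
    print(validate_upload("shell.JSP", b"<% out.println(1); %>"))
    print(validate_upload("ca-bundle.pem", b"-----BEGIN CERTIFICATE-----\n"))
    print(validate_upload("report.zip", b"-----BEGIN CERTIFICATE-----\n"))
```

Even with the hardened check, the stored file should be written under a server-generated name outside any directory the application server treats as deployable content; extension validation limits what the client can claim, not where the bytes end up.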

Defensive priority

High

Recommended defensive actions

  • Apply the IBM remediation referenced in the vendor advisory linked from NVD (ref-4).
  • Inventory IBM Key Lifecycle Manager deployments and confirm whether any listed 2.5.x or 2.6.x builds are in use.
  • Restrict access to administrative and file-upload functionality to trusted administrators only.
  • Review application and web-server logs for unexpected uploads: names with executable extensions (for example .jsp, .war or .sh), double or trailing-dot extensions, path-traversal sequences, and declared content types that do not match the extension.
  • Remove or isolate affected systems until patched if the upload feature cannot be tightly controlled.
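The log review in the list above, as an added example that is not part of the original advisory or any IBM tooling. It parses constructed key=value upload-audit lines (the line format, field names, sample entries and the extension-to-MIME mapping are all assumptions made for the illustration) and flags the patterns that abuse of a CWE-434 weakness would leave behind.

```python
"""Triage of upload audit records for the anomalies the advisory points at.

Added example. The key=value audit format, the sample lines and the MIME
mapping below are constructed for illustration and are not a format
documented for IBM Security Key Lifecycle Manager.
"""
import re
from typing import Dict, List, Tuple

# Final extensions an application server or the OS would execute.
DANGEROUS_EXTENSIONS = {"jsp", "jspx", "war", "jar", "sh", "exe", "bat", "php"}

# Content types that legitimately accompany each allowed extension (assumed).
EXPECTED_TYPE = {
    "p12": {"application/x-pkcs12"},
    "pfx": {"application/x-pkcs12"},
    "pem": {"application/x-pem-file", "text/plain"},
    "zip": {"application/zip"},
}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) '
    r'file="(?P<file>[^"]*)" type="(?P<type>[^"]*)" size=(?P<size>\d+) '
    r'result=(?P<result>\S+)$'
)

# Constructed sample log: two benign imports followed by four suspicious ones.
SAMPLE_LOG = """\
2017-02-08T10:12:03Z user=sklmadmin action=UPLOAD file="ca-bundle.pem" type="application/x-pem-file" size=4096 result=OK
2017-02-08T10:14:51Z user=sklmadmin action=UPLOAD file="backup.jks" type="application/octet-stream" size=8192 result=OK
2017-02-08T23:41:09Z user=sklmadmin action=UPLOAD file="update.jsp" type="application/octet-stream" size=1337 result=OK
2017-02-08T23:42:30Z user=sklmadmin action=UPLOAD file="shell.jsp.pem" type="application/x-pem-file" size=2048 result=OK
2017-02-08T23:43:02Z user=sklmadmin action=UPLOAD file="../../webapps/ROOT/cmd.jsp." type="application/x-pkcs12" size=900 result=OK
2017-02-08T23:45:17Z user=sklmadmin action=UPLOAD file="report.zip" type="application/x-pem-file" size=7000 result=OK
"""


def _extension_parts(base: str) -> Tuple[str, List[str]]:
    """Split 'shell.jsp.pem' into its final extension and inner segments,
    after removing trailing dots/spaces that a filesystem would strip."""
    parts = base.rstrip(". ").lower().split(".")
    if len(parts) < 2:
        return "", []
    return parts[-1], parts[1:-1]


def triage(log_text: str) -> List[Dict]:
    """Return one finding per upload record that shows a suspicious pattern."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(raw)
        if not m or m["action"] != "UPLOAD":
            continue  # unparsed or non-upload lines are left for manual review
        fname = m["file"]
        reasons = []
        if ".." in fname or "/" in fname or "\\" in fname:
            reasons.append("path traversal")
        base = fname.replace("\\", "/").rsplit("/", 1)[-1]
        if base != base.rstrip(". "):
            reasons.append("trailing dot or space")
        ext, inner = _extension_parts(base)
        if ext in DANGEROUS_EXTENSIONS:
            reasons.append("executable extension")
        if any(seg in DANGEROUS_EXTENSIONS for seg in inner):
            reasons.append("embedded executable extension")
        expected = EXPECTED_TYPE.get(ext)
        if expected and m["type"] not in expected:
            reasons.append("type/extension mismatch")
        if reasons:
            findings.append({"line": lineno, "ts": m["ts"], "user": m["user"],
                             "file": fname, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"line {hit['line']} {hit['ts']} {hit['user']} {hit['file']!r}: "
              + ", ".join(hit["reasons"]))
```

Because the CVSS vector requires high privileges, every hit here will carry a legitimate administrator name; the anomaly is the file, not the user, so pair these findings with the time of day and source address of the session rather than discarding them because the account was authorized.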

Evidence notes

The CVE description states that IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 could allow arbitrary file upload due to improper validation of file extensions, which could allow arbitrary code execution. NVD further lists affected IBM Security Key Lifecycle Manager versions in the 2.5.x and 2.6.x series and maps the issue to CWE-434. The NVD CVSS vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) supports a high-severity assessment with required privileges but no user interaction.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-02-07. The record also shows a later metadata update on 2026-05-13; that is a modification date and should not be treated as the original disclosure date.