PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-6105 IBM CVE debrief

CVE-2016-6105 is a high-severity access-control flaw in IBM Tivoli Key Lifecycle Manager 2.5 and 2.6. According to NVD, the issue stems from a missing authentication check for a critical resource or function, which allows anonymous users to reach protected areas. The CVE was published on 2017-02-01.

Vendor: IBM
Product: IBM Tivoli Key Lifecycle Manager
CVE: CVE-2016-6105
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

Administrators and security teams responsible for IBM Tivoli Key Lifecycle Manager deployments, especially systems running the affected 2.5 and 2.6 release lines listed in NVD.

Technical summary

NVD maps this issue to CWE-284 (Improper Access Control) and assigns CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N (8.2 HIGH). The vulnerability affects multiple IBM Security Key Lifecycle Manager 2.5.x and 2.6.x versions in the supplied CPE list, and the core failure is that a critical protected resource/functionality does not perform an authentication check, enabling anonymous access.

Defensive priority

High. The vulnerability is network-reachable, requires no privileges or user interaction, and can expose protected functionality. Prioritize any exposed IBM Tivoli Key Lifecycle Manager instance in the affected release families.

Recommended defensive actions

  • Apply IBM’s vendor guidance and patching referenced in the IBM PSIRT advisory for this CVE.
  • Inventory IBM Tivoli Key Lifecycle Manager deployments and verify whether they are on the affected 2.5.x or 2.6.x versions listed by NVD.
  • Restrict network exposure to the management interface until the vendor fix is confirmed applied.
  • Verify that protected resources and administrative functions are not reachable without authentication after remediation.
  • Review access logs for unexpected anonymous requests to Key Lifecycle Manager endpoints.
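The last two actions (checking that protected functions are not reachable anonymously, and reviewing access logs for anonymous requests) can be driven from the same log data. The script below is an added illustration written for this debrief, not code from PatchSiren, IBM or the NVD record. It assumes the management interface writes Common/Combined Log Format lines with a "-" in the user field for unauthenticated requests, and it uses the path prefixes /protected/ and /admin/ as placeholders for the product's protected areas (the real paths come from IBM's advisory and your own deployment). The log lines it runs on are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Common/Combined Log Format: ip ident user [time] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Placeholder prefixes standing in for the protected / administrative areas of the
# product (assumption: substitute the paths from the vendor advisory and your install).
PROTECTED_PREFIXES = ("/protected/", "/admin/")


@dataclass
class Request:
    ip: str
    user: str      # "-" means the request carried no authenticated identity
    method: str
    path: str
    status: int


def parse_line(line: str) -> Optional[Request]:
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Request(m["ip"], m["user"], m["method"], m["path"], int(m["status"]))


def is_protected(path: str) -> bool:
    return path.startswith(PROTECTED_PREFIXES)


def anonymous_protected_requests(lines: Iterable[str]) -> List[Request]:
    """Every request to a protected area that carried no authenticated user.
    This is the review-the-logs step: each hit is worth a look regardless of outcome."""
    hits = []
    for line in lines:
        r = parse_line(line)
        if r is not None and r.user == "-" and is_protected(r.path):
            hits.append(r)
    return hits


def unauthenticated_successes(lines: Iterable[str]) -> List[Request]:
    """The subset the server answered with 2xx, i.e. anonymous access was actually granted.
    After remediation this list must be empty; any entry means the fix is not effective
    on that path (the verify-after-remediation step)."""
    return [r for r in anonymous_protected_requests(lines) if 200 <= r.status < 300]


# Constructed sample log: two anonymous successes, one anonymous request correctly
# rejected, one authenticated request, one public request and one malformed line.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Feb/2017:10:00:01 +0000] "GET /protected/keys HTTP/1.1" 200 512',
    '203.0.113.10 - - [01/Feb/2017:10:00:02 +0000] "GET /admin/config HTTP/1.1" 401 0',
    '198.51.100.7 - alice [01/Feb/2017:10:01:00 +0000] "GET /protected/keys HTTP/1.1" 200 512',
    '203.0.113.10 - - [01/Feb/2017:10:02:00 +0000] "GET /public/status HTTP/1.1" 200 40',
    '203.0.113.11 - - [01/Feb/2017:10:03:00 +0000] "POST /admin/users HTTP/1.1" 200 12',
    'not an access log line',
]


if __name__ == "__main__":
    for r in anonymous_protected_requests(SAMPLE_LOG):
        verdict = "GRANTED" if 200 <= r.status < 300 else "rejected"
        print(f"{r.ip} {r.method} {r.path} -> {r.status} ({verdict})")
    bad = unauthenticated_successes(SAMPLE_LOG)
    print("post-remediation check:", "FAIL" if bad else "PASS", f"({len(bad)} anonymous successes)")
```

Run it against the real access log after applying the IBM fix: the "rejected" entries show the authentication check is now in place, while any "GRANTED" entry is a path that still answers anonymous requests and needs follow-up. Before the fix, the same output doubles as the log review the action list asks for.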

Evidence notes

Primary evidence comes from the official NVD CVE entry and the CVE record. NVD states the vulnerability is an authentication/access-control failure (CWE-284) and includes affected IBM Security Key Lifecycle Manager CPEs for 2.5.x and 2.6.x. IBM’s referenced support document is tagged as a patch/vendor advisory in the NVD references. No KEV enrichment was supplied.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-02-01. The supplied enrichment does not indicate CISA KEV inclusion.