PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-8954 IBM CVE debrief

CVE-2016-8954 is a critical authentication flaw in IBM dashDB Local where hard-coded credentials could let a remote attacker gain access to the Docker container or the database. NVD classifies the weakness as CWE-798 and assigns a CVSS 3.0 score of 9.8, reflecting unauthenticated network attack potential with high impact to confidentiality, integrity, and availability.

Vendor: IBM
Product: CVE-2016-8954
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-08
Original CVE updated: 2026-05-13
Advisory published: 2017-02-08
Advisory updated: 2026-05-13

Who should care

IBM dashDB Local administrators, Docker/container operators, database administrators, and security teams responsible for systems running dashDB Local versions 1.0.0 through 1.3.1.

Technical summary

NVD lists the vulnerability under IBM dashDB Local and identifies affected versions 1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.3.0, and 1.3.1. The weakness is documented as hard-coded credentials (CWE-798), which can permit remote access to the Docker container or the database without requiring prior authorization. The NVD CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Defensive priority

Urgent. The combination of remote exposure, no required privileges, and full CIA impact makes this a high-priority remediation item for any environment that still runs affected dashDB Local releases.

Recommended defensive actions

  • Apply IBM's published patch or follow the IBM support advisory for remediation.
  • Inventory deployments to confirm whether any instance is running dashDB Local versions 1.0.0 through 1.3.1.
  • Restrict network exposure to the Docker container and database until remediation is complete.
  • Review access logs and container configuration for any unexpected use of default or embedded credentials.
  • After remediation, validate that no hard-coded credentials remain in production images, scripts, or configuration artifacts.

Evidence notes

The NVD record for CVE-2016-8954 cites IBM advisory and third-party references, marks the vulnerability as modified in the official database, and lists the weakness as CWE-798. The supplied record identifies the impacted IBM dashDB Local versions and includes the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The CVE was published on 2017-02-08; the later 2026-05-13 timestamp is the NVD record modification date, not the original disclosure date.

Official resources

Published in the CVE/NVD record on 2017-02-08. NVD modified the record on 2026-05-13; that later timestamp reflects database maintenance, not the initial vulnerability disclosure.