PatchSiren

CVE-2016-8967 IBM CVE debrief

CVE-2016-8967 is a credential exposure issue in IBM BigFix Inventory 9.2. According to the NVD description, user credentials are stored in clear text and can be read by a local user. The NVD CVSS 3.0 vector reflects local access with low privileges and high confidentiality impact.

Vendor: IBM
Product: CVE-2016-8967
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

Administrators and security teams responsible for deployments of IBM BigFix Inventory 9.2 and the related IBM License Metric Tool 9.2.0 should care, especially where multiple local users or shared administrative access exist.

Technical summary

The NVD record states that IBM BigFix Inventory v9 9.2 stores user credentials in plain text, allowing a local user to read them. The CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating a local, low-privilege confidentiality exposure with no direct integrity or availability impact. NVD also associates the issue with IBM License Metric Tool 9.2.0 in its CPE criteria and lists CWE-255.

Defensive priority

Medium. The issue does not require remote access, but it can expose credentials to any attacker or insider who can obtain local access on an affected system.

Recommended defensive actions

  • Review the IBM advisory referenced by NVD for vendor guidance on remediation or mitigation.
  • Restrict local access to affected systems and minimize the number of users with shell or interactive access.
  • Identify deployments matching the affected NVD CPEs: IBM BigFix Inventory 9.2 and IBM License Metric Tool 9.2.0.
  • Rotate any credentials that may have been stored in clear text on affected systems.
  • Validate that sensitive secrets are not stored in readable files on the host and review local permissions around application data and configuration locations.
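One way to carry out the last check on a POSIX host, as an added example that is not code from IBM, NVD or this page: it walks a directory the operator supplies, flags lines that look like clear-text secrets, and reports who can read the file without ever returning the secret value. The key-name list, the "already protected" heuristic and the sample files are assumptions constructed for illustration; the page does not name the affected file locations.

```python
import os, re, stat, tempfile

# Assumed key names that usually hold secrets (not taken from IBM documentation).
SECRET_KEY = re.compile(
    r"(?i)^\s*([\w.\-]*(?:password|passwd|pwd|secret|token)[\w.\-]*)\s*[=:]\s*(\S.*)$")
# Assumed heuristic for values that are already encoded or hashed, e.g. {aes}..., $6$..., long hex.
PROTECTED = re.compile(r"^(\{\w+\}.+|\$\d\w*\$.+|[0-9a-fA-F]{32,})$")

def exposure(mode):
    """Classify who besides the owner can read the file, from POSIX mode bits."""
    if mode & stat.S_IROTH:
        return "world-readable"
    return "group-readable" if mode & stat.S_IRGRP else "owner-only"

def audit(root):
    """Return (path, line_no, key, exposure) per clear-text secret; the value is never returned."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
                if not stat.S_ISREG(st.st_mode) or st.st_size > 1_000_000:
                    continue
                with open(path, "r", errors="replace") as fh:
                    lines = fh.readlines()
            except OSError:
                continue  # unreadable to the auditing account; skip
            for no, line in enumerate(lines, 1):
                m = SECRET_KEY.match(line)
                if m and not PROTECTED.match(m.group(2).strip()):
                    findings.append((path, no, m.group(1), exposure(st.st_mode)))
    return findings

def demo():
    """Audit a constructed sample tree; every file name and value here is made up."""
    samples = {"server.properties": ("db.user=inventory\ndb.password=Sample-Only-123\n", 0o644),
               "agent.conf": ("# password=ignored\nadminPassword: {aes}Zm9vYmFy\n", 0o644),
               "local.ini": ("api_token = constructed-value\n", 0o600)}
    with tempfile.TemporaryDirectory() as root:
        for name, (text, mode) in samples.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write(text)
            os.chmod(path, mode)
        return sorted((os.path.basename(p), n, k, e) for p, n, k, e in audit(root))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```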

Evidence notes

Evidence is drawn from the NVD record for CVE-2016-8967, which describes clear-text credential storage readable by a local user and assigns CVSS 3.0 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The record references IBM PSIRT guidance and a SecurityFocus entry, and the CPE criteria mark IBM BigFix Inventory 9.2 and IBM License Metric Tool 9.2.0 as vulnerable. CWE-255 is listed as the primary weakness.

Official resources

NVD published the CVE record on 2017-02-01 and later modified it on 2026-05-13. Timing context should be read from those dates, not from the debrief publication date.