PatchSiren cyber security CVE debrief
CVE-2016-8974 IBM CVE debrief
CVE-2016-8974 is an XML External Entity (XXE) flaw in IBM Rational Rhapsody Design Manager that can be triggered when processing XML data. IBM’s advisory, referenced by NVD, indicates the issue can expose highly sensitive information or consume available memory, creating a denial-of-service condition. NVD classifies the weakness as CWE-611 and rates the issue High severity.
- Vendor: IBM
- Product: CVE-2016-8974
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-23
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-23
- Advisory updated: 2026-05-13
Who should care
Security teams, administrators, and application owners running IBM Rational Rhapsody Design Manager 4.0, 5.0, or 6.0 family releases, especially if the product accepts XML input from less-trusted sources.
Technical summary
NVD lists affected IBM Rational Rhapsody Design Manager versions as 4.0, 4.0.1 through 4.0.7, 5.0, 5.0.1 through 5.0.2, and 6.0, 6.0.1 through 6.0.2. The vulnerability is categorized as CWE-611 (XXE). The CVSS v3.0 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H, indicating network reachability, low attack complexity, low privileges, no user interaction, high confidentiality impact, and high availability impact.
Defensive priority
High. The combination of remote reachability, data exposure risk, and potential memory exhaustion makes this worth prioritizing for patching or mitigation on any exposed deployment.
Recommended defensive actions
- Review IBM advisory reference swg21997798 and apply the vendor-provided fix or patch for the affected release line.
- Inventory IBM Rational Rhapsody Design Manager instances and confirm whether any 4.0, 5.0, or 6.0 family versions listed by NVD are in use.
- If XML processing is configurable, disable external entity resolution and other XXE-prone parser features where supported.
- Limit access to XML-upload or XML-processing functionality to trusted users and networks until remediation is complete.
- Monitor affected systems for abnormal memory growth, parser errors, or repeated service failures consistent with XML parsing abuse.
- Validate remediation in a non-production environment before rolling changes to production.
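The third action above (refuse external entity resolution and other XXE-prone parser features) and the fifth (watch for parser errors that point to XML parsing abuse) can be combined at the boundary where XML enters the application. The following is an added illustration written for this debrief, not code from IBM or from Rational Rhapsody Design Manager: a pre-parse check built on Python's standard-library expat bindings that rejects any document carrying a DOCTYPE, entity declaration, or external entity reference before the normal parser ever sees it, and a classifier that turns the rejection reason into a string suitable for logging or alerting. The sample documents and the `file:///constructed/...` system identifier are constructed for the example.

```python
"""Hardened XML intake: reject DTD constructs up front (the CWE-611 / XXE
and entity-expansion surface), then parse only documents that pass.

Added example for this debrief; not the vendor's code. Uses only the
Python standard library (xml.parsers.expat, xml.etree.ElementTree).
"""
import xml.parsers.expat
import xml.etree.ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised for documents that carry constructs we refuse to process."""


def _reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
    # Any DOCTYPE is refused: it is the only place entities can be declared,
    # so refusing it removes both external entities and expansion bombs.
    raise UnsafeXMLError(f"DOCTYPE declaration rejected: {doctype_name!r}")


def _reject_entity(entity_name, is_parameter_entity, value, base,
                   system_id, public_id, notation_name):
    # Defence in depth: fires only if a DOCTYPE somehow got past the handler above.
    raise UnsafeXMLError(f"entity declaration rejected: {entity_name!r}")


def _reject_external_ref(context, base, system_id, public_id):
    # Returning 0 tells expat to treat the external entity reference as a
    # fatal parse error instead of attempting to resolve it.
    return 0


def check_xml(data: bytes) -> None:
    """Run the document through expat with every DTD-related hook set to
    refuse. Raises UnsafeXMLError on DTD constructs or malformed input."""
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity
    parser.ExternalEntityRefHandler = _reject_external_ref
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXMLError(f"malformed XML: {exc}") from exc


def parse_xml_safely(data: bytes) -> ET.Element:
    """Pre-check, then hand the document to the ordinary tree parser."""
    check_xml(data)
    return ET.fromstring(data)


def classify_xml_input(data: bytes) -> str:
    """Return 'ok' or a 'rejected: <reason>' string for logging/alerting.
    Repeated 'rejected' results from one client are the kind of parser-error
    signal the monitoring action in the debrief asks teams to watch for."""
    try:
        check_xml(data)
    except UnsafeXMLError as exc:
        return f"rejected: {exc}"
    return "ok"


# Constructed sample inputs (not taken from any real advisory or exploit).
BENIGN = b'<?xml version="1.0"?><model name="demo"><block id="1"/></model>'

EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE model [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>'
    b'<model>&ext;</model>'
)

INTERNAL_EXPANSION = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE model [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;">]>'
    b'<model>&b;</model>'
)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN),
                       ("external entity", EXTERNAL_ENTITY),
                       ("internal expansion", INTERNAL_EXPANSION)):
        print(f"{label:20s} -> {classify_xml_input(doc)}")
    print("root element of benign doc:", parse_xml_safely(BENIGN).tag)
```

Because the refusal happens in the DOCTYPE handler, both the external-entity document and the entity-expansion document are stopped before any entity is declared or resolved, and the application never allocates memory for expansion. Where the product's own parser is configurable, the equivalent settings are the ones the advisory-driven action above refers to; this wrapper shows the behaviour to aim for rather than the vendor's configuration keys.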
Evidence notes
Source data from NVD identifies the issue as CWE-611 and provides the CVSS v3.0 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H. NVD also lists vulnerable CPEs for IBM Rational Rhapsody Design Manager 4.0, 5.0, and 6.0 family releases. The NVD reference section points to IBM support advisory swg21997798 as the vendor mitigation reference. The supplied data shows the CVE was published on 2017-02-23 and does not mark it as a CISA KEV entry.
Official resources
- CVE-2016-8974 CVE record (CVE.org)
- CVE-2016-8974 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Patch, Vendor Advisory
Publicly disclosed in NVD on 2017-02-23. The supplied data does not indicate inclusion in CISA KEV.