PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-8977 IBM CVE debrief

CVE-2016-8977 is a medium-severity information disclosure issue affecting IBM BigFix Inventory v9 and IBM License Metric Tool 9.2.0. According to the NVD record, an unauthorized user could obtain sensitive information through HTTP GET requests, which could then support follow-on attacks.

Vendor: IBM
Product: CVE-2016-8977
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

Administrators and security teams responsible for IBM BigFix Inventory 9.x or IBM License Metric Tool 9.2.0 should review this issue, especially if the products are reachable over the network.

Technical summary

NVD classifies the flaw as CWE-200 and assigns CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating a network-reachable issue with no authentication or user interaction required and limited confidentiality impact. The affected CPEs listed by NVD include IBM BigFix Inventory 9.2 and IBM License Metric Tool 9.2.0.

Defensive priority

Medium priority. The issue does not show integrity or availability impact in the NVD vector, but it is externally reachable and requires no privileges, so exposed deployments should be reviewed promptly.

Recommended defensive actions

  • Check whether any IBM BigFix Inventory 9.x or License Metric Tool 9.2.0 systems are in use and exposed to untrusted networks.
  • Follow the IBM PSIRT advisory linked by NVD for remediation guidance and product-specific fixes or workarounds.
  • Restrict access to affected interfaces if immediate patching is not possible.
  • Review whether any sensitive information may have been exposed and rotate or harden related credentials and access paths as appropriate.
  • Validate that the environment is no longer running any of the affected versions listed in the NVD record.

Evidence notes

This debrief is based on the NVD record for CVE-2016-8977, which lists CWE-200, CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, and affected CPEs for IBM BigFix Inventory 9.2 and IBM License Metric Tool 9.2.0. NVD also references an IBM vendor advisory and a SecurityFocus entry.

Official resources

CVE-2016-8977 was published on 2017-02-01T22:59:01.027Z and the supplied NVD record was last modified on 2026-05-13T00:24:29.033Z.