PatchSiren cyber security CVE debrief
CVE-2016-9009 IBM CVE debrief
CVE-2016-9009 is a low-severity IBM WebSphere MQ 8.0 vulnerability that can let an authenticated user with authority to create a cluster object cause a denial of service to MQ clustering. The published NVD record assigns a CVSS 3.0 base score of 3.1 (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L), indicating limited impact but a real availability risk for clustered MQ deployments.
- Vendor: IBM
- Product: CVE-2016-9009
- CVSS: LOW 3.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-24
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-24
- Advisory updated: 2026-05-13
Who should care
IBM WebSphere MQ 8.0 administrators, middleware/platform teams, and security teams that manage MQ cluster permissions or operate clustered messaging environments should review this issue. It matters most where authenticated users can create cluster objects or where MQ clustering availability is business-critical.
Technical summary
NVD lists IBM WebSphere MQ 8.0 as vulnerable, including the 8.0.0.0 through 8.0.0.5 CPE entries. The weakness is described as an authenticated-user denial-of-service condition against MQ clustering, with no confidentiality or integrity impact indicated in the CVSS vector. NVD maps the issue to CWE-20 and CWE-264.
Defensive priority
Low, but address during routine maintenance or the next vendor patch cycle if you rely on MQ clustering. The issue requires authenticated access with specific authority, and the documented impact is availability-only; however, clustered messaging outages can still be operationally significant.
Recommended defensive actions
- Review IBM’s vendor advisory for the affected MQ 8.0 release line and apply the remediation guidance it provides.
- Audit which users or service accounts have authority to create cluster objects, and restrict that permission to the minimum necessary.
- Monitor MQ cluster administration activity for unexpected or excessive cluster object creation attempts.
- Validate whether your MQ 8.0 deployment falls within the vulnerable CPE scope identified by NVD (8.0 through 8.0.0.5).
- Schedule remediation through standard change management if MQ clustering supports critical workloads.
Evidence notes
Source corpus states: IBM WebSphere MQ 8.0 could allow an authenticated user with authority to create a cluster object to cause a denial of service to MQ clustering (IBM Reference #1998647). NVD published the CVE on 2017-02-24 and modified the record on 2026-05-13. NVD references IBM’s support advisory and a SecurityFocus BID entry. The NVD CVSS vector is CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L.
Official resources
- CVE-2016-9009 CVE record (CVE.org)
- CVE-2016-9009 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference ([email protected] - Patch, Vendor Advisory)
- Source reference
CVE-2016-9009 was published by NVD on 2017-02-24. The NVD record was later modified on 2026-05-13; that modification date does not change the original vulnerability publication date.