PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9706 IBM CVE debrief

CVE-2016-9706 is a critical IBM XML processing issue in SOAP flows that can be triggered remotely without authentication or user interaction. NVD describes the flaw as an XML External Entity (XXE) injection weakness that can lead to denial of service, sensitive information exposure, or memory exhaustion in IBM Integration Bus 9.0 and 10.0 and WebSphere Message Broker 8.0.

Vendor: IBM
Product: CVE-2016-9706
CVSS: CRITICAL 9.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-15
Original CVE updated: 2026-05-13
Advisory published: 2017-02-15
Advisory updated: 2026-05-13

Who should care

IBM Integration Bus and WebSphere Message Broker administrators, application owners running SOAP-based integrations, and security teams responsible for XML parsing and middleware patching should treat this as high priority.

Technical summary

NVD maps the weakness to CWE-611 and lists vulnerable IBM CPEs for Integration Bus 9.0, Integration Bus 10.0, and WebSphere Message Broker 8.0. The CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H, which indicates a remotely reachable flaw with no authentication or user interaction required and material impact to confidentiality and availability. The vendor reference cited by NVD is IBM support docview reference swg21997918 (IBM Reference #1997918).

Defensive priority

Critical. Prioritize patching and configuration review for any exposed SOAP/XML processing paths in the affected IBM middleware versions.

Recommended defensive actions

  • Apply IBM's vendor remediation referenced by NVD in IBM support document swg21997918 (IBM Reference #1997918).
  • Inventory systems running IBM Integration Bus 9.0, IBM Integration Bus 10.0, and WebSphere Message Broker 8.0 to confirm exposure.
  • Review SOAP flow XML processing paths for XXE risk and ensure external entity handling is addressed according to IBM guidance.
  • Treat exposed middleware instances as high risk for denial of service and potential sensitive data exposure until remediated.
  • Validate that compensating controls, monitoring, and resource limits are in place to reduce the impact of XML-driven memory exhaustion.
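As an added illustration of the "review XML processing paths" and "resource limits" items above (example code written for this debrief, not IBM's product code or anything from the advisory), the following pre-parse gate rejects a SOAP envelope the moment a DOCTYPE, an entity declaration, or an external entity reference appears, and applies a byte cap before the real SOAP parser runs. SOAP 1.1 and 1.2 forbid DTDs in messages, so rejecting them loses no legitimate traffic; the sample envelopes and the file:///placeholder reference are constructed for the demonstration.

```python
# Added example: pre-parse gate for SOAP envelopes using only the stdlib expat parser.
from xml.parsers import expat


class UnsafeXml(Exception):
    """Raised from an expat callback as soon as DTD machinery shows up."""


def check_soap_envelope(xml_bytes: bytes, max_bytes: int = 1_000_000) -> tuple[bool, str]:
    """Return (accepted, reason). Accepts only well-formed, DTD-free XML under max_bytes."""
    if len(xml_bytes) > max_bytes:
        return False, f"rejected: {len(xml_bytes)} bytes exceeds limit of {max_bytes}"
    parser = expat.ParserCreate()
    # Never load external parameter entities, independent of the handlers below.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml(f"rejected: DOCTYPE '{name}' is not allowed in a SOAP message")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        kind = "external" if sysid else "internal"
        raise UnsafeXml(f"rejected: {kind} entity '{name}' declared")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXml(f"rejected: external entity reference to {sysid}")

    # DOCTYPE fires first; the entity handlers are defence in depth.
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(xml_bytes, True)
    except UnsafeXml as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, f"rejected: malformed XML ({exc})"
    return True, "accepted: well-formed, no DTD"


# Constructed sample messages (not captured traffic).
CLEAN = (b'<?xml version="1.0"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
         b'<soap:Body><Ping/></soap:Body></soap:Envelope>')
EXTERNAL = b'<?xml version="1.0"?><!DOCTYPE Envelope [<!ENTITY x SYSTEM "file:///placeholder">]><Envelope>&x;</Envelope>'
EXPANSION = b'<?xml version="1.0"?><!DOCTYPE e [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]><e>&b;</e>'
BARE_DTD = b'<!DOCTYPE Envelope><Envelope/>'

if __name__ == "__main__":
    for label, msg in [("clean", CLEAN), ("external", EXTERNAL), ("expansion", EXPANSION), ("bare-dtd", BARE_DTD)]:
        print(label, check_soap_envelope(msg))
```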

Evidence notes

The NVD record for CVE-2016-9706 lists CWE-611 and marks IBM Integration Bus 9.0/10.0 and WebSphere Message Broker 8.0 as vulnerable. It also cites IBM support docview.wss?uid=swg21997918 as a patch/vendor advisory reference and SecurityFocus BID 96274 as an additional source reference. The CVE was published on 2017-02-15 and the NVD record was last modified on 2026-05-13.

Official resources

CVE published 2017-02-15; NVD last modified 2026-05-13. NVD cites IBM Reference #1997918 as the vendor advisory/patch reference.