PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9993 IBM CVE debrief

CVE-2016-9993 is a SQL injection vulnerability in IBM Kenexa LCMS Premier on Cloud. According to NVD, affected versions include 9.0 through 10.2, and the issue carries a CVSS 3.0 base score of 7.1 (High). A remote attacker with low privileges could send crafted SQL statements and potentially read, add, modify, or delete backend database information.

Vendor: IBM
Product: IBM Kenexa LCMS Premier on Cloud
CVE: CVE-2016-9993
CVSS: 7.1 (High)
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-01
Original CVE updated: 2026-05-13
Advisory published: 2017-03-01
Advisory updated: 2026-05-13

Who should care

IBM Kenexa LCMS Premier administrators, application owners, and security teams responsible for versions 9.0 through 10.2, especially where the application is reachable by untrusted users or networks.

Technical summary

NVD classifies this issue as CWE-89 (SQL Injection) and lists the vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N. The published description says an attacker could use specially crafted SQL statements to interact with the backend database. NVD CPE entries mark IBM Kenexa LCMS Premier versions 9.0, 9.1, 9.2, 9.2.1, 9.3, 9.4, 9.5, 10.0, 10.1, and 10.2 as vulnerable. The NVD record links to IBM reference 1992067 as the vendor advisory/patch reference.

Defensive priority

High for exposed IBM Kenexa LCMS Premier deployments. The confidentiality impact is high and the attack can be network-delivered with only low privileges, so remediation should be prioritized for any affected instance still in service.

Recommended defensive actions

  • Confirm whether IBM Kenexa LCMS Premier versions 9.0 through 10.2 are deployed anywhere in your environment.
  • Review IBM advisory/reference 1992067 and apply the vendor-supplied patch or mitigation guidance if not already done.
  • Restrict access to the application and limit which users can reach database-backed functionality until remediation is complete.
  • Audit application and database logs for anomalous SQL activity or unexpected data access around the affected components.
  • After remediation, validate that the vulnerable versions are no longer reachable and document the fixed state in asset inventory.

Evidence notes

All claims are based on the supplied CVE/NVD corpus and the IBM vendor reference linked from NVD. The CVSS vector, CWE mapping, and vulnerable version list come from the NVD record. No exploit code, reproduction steps, or unsupported remediation claims were added.

Official resources

The sources cited in this debrief are the NVD record for CVE-2016-9993 and IBM reference 1992067, which NVD links as the vendor advisory/patch reference. The CVE was published on 2017-03-01 and last modified in the supplied NVD record on 2026-05-13. No CISA KEV entry was supplied.