PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9994 IBM CVE debrief

CVE-2016-9994 is a SQL injection vulnerability in IBM Kenexa LCMS Premier on Cloud. The issue is documented with a CVSS 3.0 score of 7.1 (High) and can let an attacker interact with the back-end database to view, add, modify, or delete information. NVD lists vulnerable IBM Kenexa LCMS Premier versions including 9.0 through 9.5 and 10.0, and the IBM advisory referenced by NVD is the primary vendor remediation source.

Vendor: IBM
Product: IBM Kenexa LCMS Premier on Cloud
CVSS: HIGH 7.1 (CVSS 3.0)
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-01
Original CVE updated: 2026-05-13
Advisory published: 2017-03-01
Advisory updated: 2026-05-13

Who should care

IBM Kenexa LCMS Premier administrators, application owners, database administrators, and security teams responsible for 9.x and 10.0 deployments should review this issue. Because the CVSS vector requires only a low-privileged account, prioritize instances reachable by authenticated users and any workflow that passes their input into database-backed queries.

Technical summary

NVD classifies this as CWE-89 (SQL injection). The CVSS vector is CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N: the flaw is reachable over the network with low attack complexity, requires a low-privileged (authenticated) account, needs no user interaction, does not change scope, and has high impact on confidentiality, low impact on integrity, and none on availability. NVD's affected-product coverage includes IBM Kenexa LCMS Premier 9.0, 9.1, 9.2, 9.2.1, 9.3, 9.4, 9.5, and 10.0. The IBM PSIRT reference linked from NVD is the vendor advisory/patch reference for remediation.

Defensive priority

High

Recommended defensive actions

  • Review IBM’s PSIRT advisory referenced by NVD (IBM Reference #1976805) and apply the vendor-recommended patch or mitigation.
  • Inventory IBM Kenexa LCMS Premier installations and confirm whether any affected 9.x or 10.0 instances are in use.
  • Restrict who can reach the application (exploitation requires only a low-privileged account) and monitor database activity for anomalies such as unexpected query shapes or unusually broad reads issued under the application's database account.
  • Validate that any remediation is deployed across all environments, including test and staging systems, to prevent reintroduction of the vulnerable version.
  • Add or review input validation, parameterized queries, and server-side query handling in custom integrations or extensions around the application.
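A minimal illustration of the last bullet, added for this page as an example and not IBM's code (it says nothing about how Kenexa LCMS Premier itself builds its queries): the same lookup written with string concatenation and with a bound parameter, plus an allowlist for the one thing bind parameters cannot protect, an identifier such as an ORDER BY column. The table, rows and payload are constructed for the demo, and the database is Python's bundled SQLite driver.

```python
import sqlite3

# Constructed sample data: a tiny "learners" table standing in for any
# database-backed lookup reachable by an authenticated, low-privilege user.
SAMPLE_ROWS = [
    ("alice", "alice@example.test", "learner"),
    ("bob", "bob@example.test", "learner"),
    ("carol", "carol@example.test", "admin"),
]

# Classic tautology payload a user could type into a search field
# (constructed for the demo, not taken from the advisory).
PAYLOAD = "nobody' OR '1'='1"

# Columns a caller may sort by. Identifiers cannot be bound as parameters,
# so an allowlist is the right control for them.
SORTABLE_COLUMNS = {"username", "email", "role"}


def build_db():
    """In-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE learners (id INTEGER PRIMARY KEY, username TEXT, email TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO learners (username, email, role) VALUES (?, ?, ?)", SAMPLE_ROWS
    )
    return conn


def lookup_vulnerable(conn, username):
    """CWE-89: untrusted input is spliced into the SQL text, so a quote in
    the input changes the query's structure instead of being data."""
    query = (
        "SELECT username, email, role FROM learners "
        "WHERE username = '" + username + "'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Hardened form: the SQL text is fixed and the driver binds the value,
    so the payload is compared literally and matches no row."""
    return conn.execute(
        "SELECT username, email, role FROM learners WHERE username = ?",
        (username,),
    ).fetchall()


def list_sorted(conn, sort_column):
    """Identifiers such as an ORDER BY column cannot be bound; validate
    them against an allowlist before they touch the SQL text."""
    if sort_column not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column: %r" % sort_column)
    return conn.execute(
        "SELECT username, email, role FROM learners ORDER BY " + sort_column
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:    ", lookup_vulnerable(db, PAYLOAD))   # every row leaks
    print("parameterized: ", lookup_parameterized(db, PAYLOAD))  # []
```

The vulnerable function returns all three rows for the payload because the final statement reads `WHERE username = 'nobody' OR '1'='1'`; the parameterized version returns nothing because the whole payload is bound as one string. The same review applies to custom integrations around the product: any place where a column name, table name or sort direction is taken from the request needs the allowlist pattern, since no driver can bind those.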

Evidence notes

Primary evidence comes from the official NVD record and the IBM vendor advisory reference linked there. NVD identifies the weakness as CWE-89 and provides the CVSS 3.0 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N. The source corpus lists IBM Kenexa LCMS Premier versions 9.0, 9.1, 9.2, 9.2.1, 9.3, 9.4, 9.5, and 10.0 as vulnerable, while the CVE description specifically mentions 9.0 and 10.0.0.

Official resources

Publicly disclosed in the official CVE/NVD record on 2017-03-01, with the NVD entry later modified on 2026-05-13. The IBM advisory referenced by NVD is the vendor remediation source.