ID

VAR-201702-0367


CVE

CVE-2016-3027


TITLE

IBM Security Access Manager Denial-of-Service (DoS) Vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2016-007247

DESCRIPTION

IBM Security Access Manager for Web is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. The product enables access management control through integrated appliances for web, mobile and cloud computing. The following versions are affected: IBM Security Access Manager for Web version 8.0.0.0 to version 8.0.1.4, Security Access Manager for Mobile version 8.0.0.0 to version 8.0.1.4, Security Access Manager version 9.0 to version 9.0.1.0.

Trust: 1.98

sources: NVD: CVE-2016-3027 // JVNDB: JVNDB-2016-007247 // BID: 96127 // VULHUB: VHN-91846

AFFECTED PRODUCTS

vendor: ibm | model: security access manager for mobile 8.0 | scope: eq | version: 8.0.1.0

Trust: 1.6

vendor: ibm | model: security access manager for web 8.0 | scope: eq | version: 8.0.0.3

Trust: 1.6

vendor: ibm | model: security access manager for web 8.0 | scope: eq | version: 8.0.1.4

Trust: 1.6

vendor: ibm | model: security access manager for web 8.0 | scope: eq | version: 8.0.0.2

Trust: 1.6

vendor: ibm | model: security access manager for mobile 8.0 | scope: eq | version: 8.0.0.3

Trust: 1.6

vendor: ibm | model: security access manager for web 8.0 | scope: eq | version: 8.0.0.5

Trust: 1.6

vendor: ibm | model: security access manager for mobile 8.0 | scope: eq | version: 8.0.0.2

Trust: 1.6

vendor: ibm | model: security access manager for mobile 8.0 | scope: eq | version: 8.0.1.3

Trust: 1.6

vendor: ibm | model: security access manager for mobile 8.0 | scope: eq | version: 8.0.1.2

Trust: 1.6

vendor: ibm | model: security access manager for mobile 8.0 | scope: eq | version: 8.0.0.5

Trust: 1.6

vendor: ibm | model: security access manager 9.0 | scope: eq | version: 9.0.1.0

Trust: 1.0

vendor: ibm | model: security access manager for web 8.0 | scope: eq | version: 8.0.1.0

Trust: 1.0

vendor: ibm | model: security access manager for mobile 8.0 | scope: eq | version: 8.0.0.1

Trust: 1.0

vendor: ibm | model: security access manager 9.0 | scope: eq | version: 9.0.0.1

Trust: 1.0

vendor: ibm | model: security access manager 9.0 | scope: eq | version: 9.0.0

Trust: 1.0

vendor: ibm | model: security access manager for mobile 8.0 | scope: eq | version: 8.0.1.4

Trust: 1.0

vendor: ibm | model: security access manager for web 8.0 | scope: eq | version: 8.0.1.3

Trust: 1.0

vendor: ibm | model: security access manager for web 8.0 | scope: eq | version: 8.0.1.2

Trust: 1.0

vendor: ibm | model: security access manager for web 8.0 | scope: eq | version: 8.0.0.1

Trust: 1.0

vendor: ibm | model: security access manager for mobile the appliance | scope: - | version: -

Trust: 0.8

vendor: ibm | model: security access manager for mobile software | scope: eq | version: 8.0

Trust: 0.8

vendor: ibm | model: security access manager for web the appliance | scope: - | version: -

Trust: 0.8

vendor: ibm | model: security access manager for web software | scope: eq | version: 8.0

Trust: 0.8

vendor: ibm | model: security access manager the appliance | scope: - | version: -

Trust: 0.8

vendor: ibm | model: security access manager software | scope: eq | version: 9.0

Trust: 0.8

vendor: ibm | model: security access manager for web | scope: eq | version: 8.0.1

Trust: 0.3

vendor: ibm | model: security access manager for web | scope: eq | version: 8.02

Trust: 0.3

vendor: ibm | model: security access manager for web | scope: eq | version: 8.0.1.3

Trust: 0.3

vendor: ibm | model: security access manager for web | scope: eq | version: 8.0.1.2

Trust: 0.3

vendor: ibm | model: security access manager for web | scope: eq | version: 8.0.1.1

Trust: 0.3

vendor: ibm | model: security access manager for web | scope: eq | version: 8.0.1.0

Trust: 0.3

vendor: ibm | model: security access manager for web | scope: eq | version: 8.0.0.5

Trust: 0.3

vendor: ibm | model: security access manager for web | scope: eq | version: 8.0.0.4

Trust: 0.3

vendor: ibm | model: security access manager for web | scope: eq | version: 8.0.0.0

Trust: 0.3

vendor: ibm | model: security access manager for web | scope: eq | version: 8.0

Trust: 0.3

vendor: ibm | model: security access manager for mobile | scope: eq | version: 8.0.1

Trust: 0.3

vendor: ibm | model: security access manager for mobile | scope: eq | version: 8.0.1.3

Trust: 0.3

vendor: ibm | model: security access manager for mobile | scope: eq | version: 8.0.1.2

Trust: 0.3

vendor: ibm | model: security access manager for mobile | scope: eq | version: 8.0.1.1

Trust: 0.3

vendor: ibm | model: security access manager for mobile | scope: eq | version: 8.0.0.5

Trust: 0.3

vendor: ibm | model: security access manager for mobile | scope: eq | version: 8.0.0.4

Trust: 0.3

vendor: ibm | model: security access manager for mobile | scope: eq | version: 8.0.0.2

Trust: 0.3

vendor: ibm | model: security access manager for mobile | scope: eq | version: 8.0.0.1

Trust: 0.3

vendor: ibm | model: security access manager for mobile | scope: eq | version: 8.0.0.0

Trust: 0.3

vendor: ibm | model: security access manager for mobile | scope: eq | version: 8.0

Trust: 0.3

vendor: ibm | model: security access manager | scope: eq | version: 9.0.1.0

Trust: 0.3

vendor: ibm | model: security access manager | scope: eq | version: 9.0.0.1

Trust: 0.3

vendor: ibm | model: security access manager | scope: eq | version: 9.0

Trust: 0.3

sources: BID: 96127 // JVNDB: JVNDB-2016-007247 // CNNVD: CNNVD-201702-058 // NVD: CVE-2016-3027

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-3027
value: MEDIUM

Trust: 1.0

NVD: CVE-2016-3027
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201702-058
value: MEDIUM

Trust: 0.6

VULHUB: VHN-91846
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2016-3027
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-91846
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-3027
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.2
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-91846 // JVNDB: JVNDB-2016-007247 // CNNVD: CNNVD-201702-058 // NVD: CVE-2016-3027

PROBLEMTYPE DATA

problemtype:CWE-611

Trust: 1.9

sources: VULHUB: VHN-91846 // JVNDB: JVNDB-2016-007247 // NVD: CVE-2016-3027

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201702-058

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201702-058

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-007247

PATCH

title: 1994440 | url: http://www-01.ibm.com/support/docview.wss?uid=swg21994440

Trust: 0.8

title: IBM Security Access Manager Security vulnerabilities | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=67444

Trust: 0.6

sources: JVNDB: JVNDB-2016-007247 // CNNVD: CNNVD-201702-058

EXTERNAL IDS

db: NVD | id: CVE-2016-3027

Trust: 2.8

db: BID | id: 96127

Trust: 2.0

db: JVNDB | id: JVNDB-2016-007247

Trust: 0.8

db: CNNVD | id: CNNVD-201702-058

Trust: 0.7

db: VULHUB | id: VHN-91846

Trust: 0.1

sources: VULHUB: VHN-91846 // BID: 96127 // JVNDB: JVNDB-2016-007247 // CNNVD: CNNVD-201702-058 // NVD: CVE-2016-3027

REFERENCES

url:http://www.securityfocus.com/bid/96127

Trust: 1.7

url:http://www.ibm.com/support/docview.wss?uid=swg21994440

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-3027

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-3027

Trust: 0.8

url:http://www.ibm.com/

Trust: 0.3

url:http://www-01.ibm.com/support/docview.wss?uid=swg21994440

Trust: 0.3

sources: VULHUB: VHN-91846 // BID: 96127 // JVNDB: JVNDB-2016-007247 // CNNVD: CNNVD-201702-058 // NVD: CVE-2016-3027

CREDITS

IBM X-Force Ethical Hacking Team: Paul Ionescu, Warren Moynihan, Jonathan Fitz-Gerald, John Zuccato, Rodney Ryan, Chris Shepherd, Dmitryi Beryoza.

Trust: 0.3

sources: BID: 96127

SOURCES

db: VULHUB | id: VHN-91846
db: BID | id: 96127
db: JVNDB | id: JVNDB-2016-007247
db: CNNVD | id: CNNVD-201702-058
db: NVD | id: CVE-2016-3027

LAST UPDATE DATE

2024-11-23T22:49:08.819000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-91846 | date: 2020-10-27T00:00:00
db: BID | id: 96127 | date: 2017-03-07T05:02:00
db: JVNDB | id: JVNDB-2016-007247 | date: 2017-02-16T00:00:00
db: CNNVD | id: CNNVD-201702-058 | date: 2020-10-28T00:00:00
db: NVD | id: CVE-2016-3027 | date: 2024-11-21T02:49:13.297

SOURCES RELEASE DATE

db: VULHUB | id: VHN-91846 | date: 2017-02-01T00:00:00
db: BID | id: 96127 | date: 2016-12-14T00:00:00
db: JVNDB | id: JVNDB-2016-007247 | date: 2017-02-16T00:00:00
db: CNNVD | id: CNNVD-201702-058 | date: 2017-02-06T00:00:00
db: NVD | id: CVE-2016-3027 | date: 2017-02-01T20:59:00.643