
Security Bulletin: A vulnerability associated with the default account lockout settings in IBM Security Access Manager for Web has been identified (CVE-2016-3025)

2018-06-16 21:46:22
www.ibm.com
10

EPSS

0.015

Percentile

87.0%

Summary

The default account lockout setting in IBM Security Access Manager for Web could allow a remote attacker to use brute force to discover account credentials.
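The control at issue here is account lockout: a cap on consecutive failed logins per account, after which further attempts are refused for a period. The following is an added example (not IBM's code and not derived from the product's configuration) that implements a generic lockout policy and quantifies, for a defender, how many online guesses against one account a given policy accepts over a fixed period. All policy values and the user name `victim` are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    """Generic lockout parameters (constructed; not the product's own settings)."""
    max_failures: int        # failures tolerated inside the window; 0 disables lockout
    failure_window: float    # seconds within which failures are counted together
    lockout_duration: float  # seconds an account stays locked once triggered


class LockoutTracker:
    """Tracks failed logins per account and enforces a LockoutPolicy."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self._failures = defaultdict(deque)   # user -> timestamps of recent failures
        self._locked_until = {}               # user -> time the lock expires

    def is_locked(self, user: str, now: float) -> bool:
        return self._locked_until.get(user, 0.0) > now

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed login at time `now`; return True if it triggers a lockout."""
        if self.policy.max_failures <= 0:
            return False                      # lockout disabled: nothing is ever locked
        recent = self._failures[user]
        recent.append(now)
        # Drop failures that fell out of the counting window.
        while recent and now - recent[0] > self.policy.failure_window:
            recent.popleft()
        if len(recent) >= self.policy.max_failures:
            self._locked_until[user] = now + self.policy.lockout_duration
            recent.clear()                    # start a fresh count after the lock expires
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login resets the failure count for that account."""
        self._failures.pop(user, None)


def accepted_guesses(policy: LockoutPolicy, seconds: float, interval: float) -> int:
    """Count guesses the policy lets one client submit against one account.

    Models a client retrying every `interval` seconds for `seconds` seconds;
    attempts made while the account is locked are refused and not counted.
    """
    tracker = LockoutTracker(policy)
    accepted = 0
    t = 0.0
    while t < seconds:
        if not tracker.is_locked("victim", t):
            accepted += 1
            tracker.record_failure("victim", t)
        t += interval
    return accepted


if __name__ == "__main__":
    # Constructed policies for comparison: lockout disabled versus 5 failures / 5 min window / 15 min lock.
    disabled = LockoutPolicy(max_failures=0, failure_window=300, lockout_duration=900)
    strict = LockoutPolicy(max_failures=5, failure_window=300, lockout_duration=900)
    print("guesses accepted per hour, lockout disabled:", accepted_guesses(disabled, 3600, 1.0))
    print("guesses accepted per hour, strict policy:   ", accepted_guesses(strict, 3600, 1.0))
```

The comparison makes the bulletin's risk concrete: with lockout effectively absent, the number of accepted guesses is bounded only by the client's request rate, whereas a threshold with a lock duration caps it at a few dozen per hour per account. The window pruning matters too; without it, occasional mistyped passwords over a day would eventually lock out legitimate users.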

Vulnerability Details

CVEID: CVE-2016-3025
DESCRIPTION: IBM Security Access Manager for Web uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114473 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

IBM Security Access Manager for Web 7.0 appliances

IBM Security Access Manager for Web 8.0, all firmware versions

IBM Security Access Manager 9.0, all firmware versions

Remediation/Fixes

IBM has provided patches for all affected versions. Follow the installation instructions in the README files included with the patch.

Product: IBM Security Access Manager for Web 7.0 (appliance)
APAR: IV89294
Remediation: Apply Interim Fix 27: 7.0.0-ISS-WGA-IF0027

Product: IBM Security Access Manager for Web 8.0.0.0 - 8.0.1.4
APAR: IV89317
Remediation:
1. For versions prior to 8.0.1.4, upgrade to 8.0.1.4: 8.0.1-ISS-WGA-FP0004
2. Apply 8.0.1.4 Interim Fix 3: 8.0.1.4-ISS-WGA-IF0003

Product: IBM Security Access Manager 9.0
APAR: IV89240
Remediation:
1. For versions prior to 9.0.1.0, upgrade to 9.0.1.0: IBM Security Access Manager V9.0.1 Multiplatform, Multilingual (CRW4EML)
2. Apply 9.0.1.0 Interim Fix 5: 9.0.1.0-ISS-ISAM-IF0005

Workarounds and Mitigations

None.
