Jun 16, 2018 - 9:50 p.m.

Security Bulletin: IBM Security Key Lifecycle Manager is affected by weak password policy (CVE-2016-6093)

2018-06-16 21:50:04
www.ibm.com

EPSS: 0.003 (percentile: 71.4%)

Summary

IBM Security Key Lifecycle Manager addresses an issue in which the product does not require users to have strong passwords by default, which makes it easier for attackers to compromise user accounts.

Vulnerability Details

CVEID: CVE-2016-6093
DESCRIPTION: IBM Tivoli Key Lifecycle Manager does not require users to have strong passwords by default, which makes it easier for attackers to compromise user accounts.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118172 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

IBM Security Key Lifecycle Manager v2.5 - 2.5.0.7

IBM Security Key Lifecycle Manager v2.6 - 2.6.0.2

IBM Tivoli Key Lifecycle Manager v2.0.1 - 2.0.1.8

Remediation/Fixes

Product | VRMF | Remediation/First Fix
---|---|---
IBM Tivoli Key Lifecycle Manager | 2.0.1 - 2.0.1.8 | 2.0.1-ISS-TKLM-FP0009
IBM Security Key Lifecycle Manager | 2.5 - 2.5.0.7 | 2.5.0-ISS-SKLM-FP0008
IBM Security Key Lifecycle Manager | 2.6 - 2.6.0.2 | 2.6.0-ISS-SKLM-FP0003

Workarounds and Mitigations

Users can set strong passwords.
