Security Bulletin: Vulnerability in password strength policy affects IBM License Metric Tool v9.x and IBM BigFix Inventory v9.x (CVE-2016-8962)

Summary

IBM License Metric Tool v9.x and IBM BigFix Inventory v9.x does not require strong passwords by default, which makes it easier for attackers to compromise user accounts.

Vulnerability Details

CVEID: CVE-2016-8962**
DESCRIPTION:** IBM BigFix Inventory v9.x does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118851 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

IBM License Metric Tool v9.x IBM BigFix Inventory v9.x

Remediation/Fixes

Upgrade to version 9.2.7 or later using the following procedure:

• In IBM Endpoint Manager console, expand IBM BigFix InventoryorIBM License Reporting (ILMT) node underSites node in the tree panel.
• Click Fixlets and Tasks node.Fixlets and Tasks panel will be displayed on the right.
• In the Fixlets and Tasks panel locate _Upgrade to the newest version of IBM BigFix Inventory 9.x _or Upgrade to the newest version IBM License Metric Tool 9.x fixlet and run it against the computer that hosts your server.

Workarounds and Mitigations

None