First published: Wed Nov 30 2016 (Updated: )
IBM BigFix Remote Control before 9.1.3 does not enable the HSTS protection mechanism, which makes it easier for remote attackers to obtain sensitive information by leveraging use of HTTP.
Credit: psirt@us.ibm.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM BigFix Remote Control | <=9.1.2 | Upgrade to 9.1.3 or higher |
CVE-2016-2952 has a medium severity rating due to the lack of HSTS protection in IBM BigFix Remote Control.
To mitigate CVE-2016-2952, upgrade IBM BigFix Remote Control to version 9.1.3 or higher.
CVE-2016-2952 can allow remote attackers to intercept sensitive information transmitted over HTTP.
CVE-2016-2952 affects all versions of IBM BigFix Remote Control prior to 9.1.3.
A possible workaround for CVE-2016-2952 is to enforce HTTPS for sensitive transactions until the software can be upgraded.
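The missing protection described above can be verified from the defender's side by inspecting the server's response headers. The following example is added here and is not IBM's or SecAlerts' code: it parses a raw HTTP response, validates the Strict-Transport-Security header according to the directive syntax of RFC 6797, and contrasts a constructed response with no header (the state this advisory describes) against one carrying a one-year policy. The one-year baseline `MIN_MAX_AGE` and both sample responses are assumptions.

```python
"""Check an HTTP response for a usable Strict-Transport-Security (HSTS) header."""
from typing import Dict, List, Optional

# Baseline policy lifetime of one year (an assumption, not a value from the advisory).
MIN_MAX_AGE = 31536000

def parse_headers(raw_response: str) -> Dict[str, List[str]]:
    """Map lowercase header names to their values, preserving duplicates in order."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def parse_hsts(value: str) -> Dict[str, Optional[object]]:
    """Parse the ';'-separated directives of one Strict-Transport-Security value."""
    parsed: Dict[str, Optional[object]] = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            parsed["max_age"] = int(val)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
    return parsed

def hsts_status(raw_response: str) -> Dict[str, object]:
    """Report whether the response carries an HSTS policy that keeps clients on HTTPS."""
    values = parse_headers(raw_response).get("strict-transport-security", [])
    if not values:
        return {"present": False, "enforcing": False, "reason": "header missing"}
    policy = parse_hsts(values[0])  # RFC 6797: only the first STS header is processed
    max_age = policy["max_age"]
    if max_age is None:
        return {"present": True, "enforcing": False, "reason": "max-age missing or malformed"}
    if max_age == 0:
        return {"present": True, "enforcing": False, "reason": "max-age=0 clears the policy"}
    reason = "ok" if max_age >= MIN_MAX_AGE else "max-age below one-year baseline"
    return {"present": True, "enforcing": True, "reason": reason,
            "include_subdomains": policy["include_subdomains"]}

# Constructed sample responses (not captured from BigFix Remote Control).
VULNERABLE_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
FIXED_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                  "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n<html></html>")
```

Running `hsts_status` against a live server's response (fetched over HTTPS, since the header is only honoured there) gives the same present/enforcing verdict for any deployment, not just the product in this advisory.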