IBM Security Bulletin: IBM Security Key Lifecycle Manager is affected by exposure of sensitive data due to missing HTTP Strict-Transport-Security Header (CVE-2016-6116)

IBM Security Key Lifecycle Manager does not send the HTTP Strict-Transport-Security (HSTS) header. Without it, a browser that reaches the web application through a plain http:// link, bookmark, or typed URL has no instruction to upgrade the connection to HTTPS, and a user presented with an invalid certificate can click through the warning instead of being blocked. In either case sensitive data can be sent unencrypted over the wire. IBM Security Key Lifecycle Manager has addressed this vulnerability, which is tracked as CVE-2016-6116.
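The check a practitioner would want is whether the HTTPS response actually carries a usable HSTS policy, since a header that is present but malformed (no max-age, a non-numeric value, or max-age=0) is ignored by browsers just as if it were missing. The following added example is not IBM code and does not come from the bulletin; it parses a Strict-Transport-Security value along the lines of RFC 6797 and assesses two constructed responses, one without the header (the situation this bulletin describes) and one with a reasonable policy. The MIN_MAX_AGE threshold, the sample responses, and the cookie name in them are assumptions for illustration only.

```python
"""Assess whether an HTTPS response carries a usable HSTS policy.

Added example for this bulletin; not IBM code, and it does not contact
any IBM product. The responses below are constructed samples.
"""

# Assumed minimum policy lifetime (180 days); pick your own threshold.
MIN_MAX_AGE = 15552000


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.

    Directive names are case-insensitive and unknown directives are ignored.
    Returns None when the header is one a browser would discard: max-age
    missing or not a non-negative integer.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')  # max-age may be a quoted-string
        if name == "max-age":
            if not raw.isdigit():
                return None
            policy["max_age"] = int(raw)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None
    return policy


def parse_response_headers(raw):
    """Split a raw HTTP/1.1 response into a list of (name, value) pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def assess(headers):
    """Return (ok, reason) for headers received over HTTPS.

    HSTS is only honoured when delivered over a TLS connection with a
    valid certificate, so feed this the headers from the https:// endpoint.
    """
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return False, "missing Strict-Transport-Security header"
    if len(values) > 1:
        # RFC 6797: a UA processes only the first STS header field.
        return False, "multiple STS headers; only the first would be used"
    policy = parse_hsts(values[0])
    if policy is None:
        return False, "malformed STS header; browsers will ignore it"
    if policy["max_age"] == 0:
        return False, "max-age=0 removes the policy"
    if policy["max_age"] < MIN_MAX_AGE:
        return False, "max-age %d is below %d" % (policy["max_age"], MIN_MAX_AGE)
    if not policy["include_subdomains"]:
        return True, "ok, but includeSubDomains is not set"
    return True, "ok"


# Constructed sample: an HTTPS response with no HSTS header at all.
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: JSESSIONID=0000example; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html><body>login</body></html>"
)

# Constructed sample: the same response with a one-year policy added.
FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: JSESSIONID=0000example; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html><body>login</body></html>"
)

if __name__ == "__main__":
    for label, raw in (("vulnerable", VULNERABLE_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, assess(parse_response_headers(raw)))
```

Run the script as-is to see both assessments; to check a live server, pass the header list captured from an https:// request (for example with the standard library's http.client) into assess(). Note that the header must be sent on every HTTPS response, not only the login page, and that a policy the browser has never seen cannot protect the very first plain-http visit, which is why the includeSubDomains and preload directives exist.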

CVE(s): CVE-2016-6116

Affected product(s) and affected version(s):

IBM Security Key Lifecycle Manager v2.5 – 2.5.0.7

IBM Security Key Lifecycle Manager v2.6 – 2.6.0.2

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2jXjpTs
X-Force Database: http://ift.tt/2kVr6HF

from IBM Product Security Incident Response Team http://ift.tt/2jXmO4E