CVE-2016-2349 - The reset password functionality can be manipulated to accept a blank previous password and reset the password, because the previous-password check is not enforced on the AR Server side. Please refer to the URL for further details.
Versions Affected: 8.1 SP 2, 9.0, 9.0 SP 1 and 9.1
This knowledge article may contain information that does not apply to version 21.05 or later which runs in a container environment. Please refer to Article Number 000385088 for more information about troubleshooting BMC products in containers.
Fix: Follow these steps in order
1) In Developer Studio, connect to the AR Server on which you want to apply this fix.
2) Search for and open the Filter named
User Password Change:ConfirmPreviousPassword
This filter performs the previous-password check on the AR Server side; without it the check is only done by the client and can be bypassed by submitting a blank previous password.
3) If this Filter is already enabled, nothing else needs to be done.
4) If it is not enabled, enable it and save the filter. To confirm the fix, attempt a password change for a test user with an empty previous password; the server should now reject it.
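The weakness behind this CVE is a password-change flow that trusts the client to have verified the previous password, so a request carrying a blank previous password goes through. The following is an added, generic illustration of that flaw next to the server-side check the filter above enforces; it is not BMC code and does not use any AR System API. The store, user name and function names are hypothetical, and the user record is constructed inline for the example.

```python
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password hash with PBKDF2-HMAC-SHA256 (salted, iterated)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class UserStore:
    """Minimal in-memory credential store (hypothetical; stands in for the server's user table)."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}

    def set_password(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[name] = (salt, _hash_password(password, salt))

    def verify(self, name: str, password: str) -> bool:
        """Return True only if the user exists and the password matches (constant-time compare)."""
        record = self._users.get(name)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, _hash_password(password, salt))


def change_password_vulnerable(store: UserStore, name: str, previous: str,
                               new: str, client_confirmed: bool) -> bool:
    """Flawed flow: relies on a client-supplied flag instead of checking the previous
    password on the server. A request with previous == "" and client_confirmed=True
    resets the password, which is the behaviour described for CVE-2016-2349."""
    if not client_confirmed:
        return False
    store.set_password(name, new)
    return True


def change_password_hardened(store: UserStore, name: str, previous: str,
                             new: str, client_confirmed: bool = True) -> bool:
    """Fixed flow: the server itself rejects a blank previous password and verifies
    the supplied one against the stored hash, ignoring whatever the client claims."""
    if not previous or not new:
        return False
    if not store.verify(name, previous):
        return False
    store.set_password(name, new)
    return True


def demo() -> dict[str, bool]:
    """Run both flows against a constructed user and report the outcomes."""
    results = {}

    store = UserStore()
    store.set_password("alice", "Old-Passw0rd")
    # Blank previous password, client claims it was confirmed: vulnerable flow resets it.
    results["vulnerable_accepts_blank"] = change_password_vulnerable(
        store, "alice", "", "Attacker-Chosen", client_confirmed=True)
    results["vulnerable_new_password_works"] = store.verify("alice", "Attacker-Chosen")

    store = UserStore()
    store.set_password("alice", "Old-Passw0rd")
    results["hardened_rejects_blank"] = not change_password_hardened(
        store, "alice", "", "Attacker-Chosen")
    results["hardened_rejects_wrong"] = not change_password_hardened(
        store, "alice", "guess", "Attacker-Chosen")
    results["hardened_accepts_correct"] = change_password_hardened(
        store, "alice", "Old-Passw0rd", "New-Passw0rd")
    results["hardened_old_password_gone"] = not store.verify("alice", "Old-Passw0rd")
    results["hardened_new_password_works"] = store.verify("alice", "New-Passw0rd")
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The point of the hardened version is that the previous-password verification happens where the attacker cannot influence it: on the server, against the stored credential, with an explicit rejection of an empty value rather than a check that silently passes when there is nothing to compare.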
Credit for disclosure: Bhushan Nikam from Network Intelligence (I) Pvt. Ltd.