IBM Support

Security Bulletin: IBM Domino TLS server Diffie-Hellman key validation vulnerability (CVE-2016-6087)

Security Bulletin


A vulnerability in the IBM Domino TLS server's Diffie-Hellman parameter validation could potentially be exploited in a small subgroup attack which could result in a less secure connection. An attacker may be able to exploit this vulnerability to obtain user authentication credentials.

Vulnerability Details

CVEID: CVE-2016-6087
IBM Domino could allow an attacker to steal credentials using multiple sessions and large amounts of data using Domino TLS Key Exchange validation.
CVSS Base Score: 5.9
CVSS Temporal Score: See for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

IBM Domino 9.0.1 through 9.0.1 Fix Pack 7 Interim Fix 2
IBM Domino 9.0 through 9.0 Interim Fix 7
IBM Domino 8.5.3 through 8.5.3 Fix Pack 6 Interim Fix 17
IBM Domino 8.5.2 through 8.5.2 Fix Pack 4
IBM Domino 8.5.1 through 8.5.1 Fix Pack 5


CVE-2016-6087 is tracked as SPR# DKEN9WGMYE.

A fix for the issue described above is introduced in Domino 9.0.1 Feature Pack 8. See the technote linked below for fix download links.

Product Version Remediation
IBM Domino 9.0.1 FP8

Customers who remain on the following releases may open a Service Request with IBM Support and reference SPR# DKEN9WGMYE for a custom hotfix:
  • IBM Domino 9.0.1 through 9.0.1 Fix Pack 7 Interim Fix 2
  • IBM Domino 9.0 through 9.0 Interim Fix 7

Q&A for 8.5.x

Q1. Can I get a hotfix for this vulnerability for 8.5.x?
IBM cannot provide an 8.5.x solution for this issue because Domino releases prior to 9.0 lack the cryptographic infrastructure and newer cryptographic libraries that are integral to this fix.

Q2. Are there any suggestions for protecting an 8.5.x server from this issue besides upgrading to 9.x?
Yes, as stated below in the Workarounds and Mitigations section, you can insert a proxy server in front of Domino to handle the web traffic as a temporary workaround.

Workarounds and Mitigations

IBM recommends all clients apply the fix. However, aside from upgrading to 9.0.1 FP8, clients may use a proxy server in front of Domino to handle the web traffic as a temporary workaround.

Get Notified about Future Security Bulletins


Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog


The vulnerability was reported to IBM by Luke Valenta at the University of Pennsylvania

Change History

31-May-2017 - Original version published
07-June-2017 - Q&A added for 8.5.x

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.


According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: IBM Domino

Software version: 8.5.1, 8.5.2, 8.5.3, 9.0, 9.0.1

Operating system(s): Platform Independent

Reference #: 2002808

Modified date: 07 June 2017