Security Bulletin: IBM Domino TLS server Diffie-Hellman key validation vulnerability (CVE-2016-6087)
A weakness in how the IBM Domino TLS server validates Diffie-Hellman key-exchange values could be exploited in a small subgroup attack: a client that sends a public value lying in a small-order subgroup, rather than in the intended group, makes the server compute a shared secret the attacker can brute-force, which weakens the resulting connection. An attacker may be able to exploit this vulnerability to obtain user authentication credentials.
DESCRIPTION: IBM Domino could allow an attacker to steal credentials by opening many TLS sessions and exchanging large amounts of data, because Domino TLS key-exchange validation does not adequately check the Diffie-Hellman values it receives.
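The following is an added illustration, not IBM code and not a description of Domino's actual TLS implementation (the bulletin does not say which prime, library or validation logic Domino used). It builds a tiny non-safe prime, a server that reuses one private exponent across sessions and, as in the vulnerable case, uses the peer's public value without checking it, and an attacker who sends small-order values one connection at a time, brute-forces the server's exponent modulo each small prime and combines the residues with the CRT. The hardened server adds the check that defeats this: reject values outside [2, p-2] and values that are not in the prime-order subgroup. All names (`DHServer`, `small_subgroup_attack`, the SHA-256 stand-in for the TLS key derivation, the toy group sizes) are assumptions of the example; a real attacker confirms each guess against the TLS Finished message rather than receiving the key directly, and full exponent recovery needs many more connections than the six shown here.

```python
"""Toy small-subgroup attack on finite-field Diffie-Hellman, and the peer
public-value check that defeats it.

Added illustration, not IBM code: the tiny prime, the reused exponent and
the 'server' class are constructed for this example only.
"""
import hashlib
from math import prod

SMALL_PRIMES = (2, 3, 5, 7, 11, 13)      # small factors we build into p-1


def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def make_toy_group():
    """Return (p, q, g): p = m*q + 1 prime with m = prod(SMALL_PRIMES) and q prime,
    g generating the order-q subgroup. A non-safe prime like this (p-1 with many
    small factors) is what makes a small-subgroup attack possible."""
    m = prod(SMALL_PRIMES)
    q = 17
    while not (is_prime(q) and is_prime(m * q + 1)):
        q += 2
    p = m * q + 1
    for base in range(2, p):
        g = pow(base, m, p)               # raising to m kills every small-order component
        if g != 1:
            return p, q, g
    raise RuntimeError("no generator found")


def derive_key(shared, p):
    """Session key = SHA-256 of the shared secret (stand-in for the TLS KDF)."""
    return hashlib.sha256(shared.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


class DHServer:
    """DH server that reuses one private exponent x across sessions.
    validate=False models the vulnerable behaviour (peer value used as-is);
    validate=True adds the range and subgroup-membership checks."""

    def __init__(self, p, q, g, x, validate):
        self.p, self.q, self.x, self.validate = p, q, x, validate
        self.pub = pow(g, x, p)

    def session_key(self, peer_pub):
        p, q = self.p, self.q
        if self.validate:
            if not 2 <= peer_pub <= p - 2:
                raise ValueError("peer value out of range")
            if pow(peer_pub, q, p) != 1:
                raise ValueError("peer value not in the order-q subgroup")
        return derive_key(pow(peer_pub, self.x, p), p)

    def rejects(self, peer_pub):
        try:
            self.session_key(peer_pub)
            return False
        except ValueError:
            return True


def element_of_order(r, p):
    """An element of order r in Z_p^* (requires r | p-1)."""
    e = (p - 1) // r
    for base in range(2, p):
        h = pow(base, e, p)
        if h != 1:
            return h
    raise RuntimeError("no element of that order")


def crt(residues, moduli):
    """Chinese remainder theorem for pairwise-coprime moduli; returns (x, product)."""
    x, big = 0, 1
    for r, m in zip(residues, moduli):
        x += big * (((r - x) * pow(big, -1, m)) % m)
        big *= m
    return x % big, big


def small_subgroup_attack(server, p):
    """One connection per small prime r: send an order-r value h, learn h^x through
    the derived key, brute-force x mod r (only r candidates), then combine via CRT."""
    residues = []
    for r in SMALL_PRIMES:
        h = element_of_order(r, p)
        key = server.session_key(h)       # vulnerable server computes h^x unchecked
        for t in range(r):
            if derive_key(pow(h, t, p), p) == key:
                residues.append(t)
                break
    return crt(residues, SMALL_PRIMES)


def demo():
    p, q, g = make_toy_group()
    x = q // 2 + 1                        # the server's long-lived private exponent
    weak = DHServer(p, q, g, x, validate=False)
    recovered, modulus = small_subgroup_attack(weak, p)
    hard = DHServer(p, q, g, x, validate=True)
    a = 7                                 # honest client's ephemeral exponent
    honest_pub = pow(g, a, p)
    return {
        "p": p, "q": q, "x": x, "recovered": recovered, "modulus": modulus,
        "attack_worked": recovered == x % modulus,
        "hardened_rejects_all": all(hard.rejects(element_of_order(r, p)) for r in SMALL_PRIMES),
        "hardened_accepts_honest": hard.session_key(honest_pub) == derive_key(pow(hard.pub, a, p), p),
    }


if __name__ == "__main__":
    print(demo())
```

Two points the example makes concrete: the leak is only possible because the private exponent is reused, so ephemeral per-session exponents (or a safe prime, where the only small subgroup is {1, p-1}) remove most of the exposure even without the check; and the membership test `pow(y, q, p) == 1` requires knowing q, which is why the fix depends on the cryptographic library knowing the group's structure, as the 8.5.x answer below implies.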
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/117918 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
Affected Products and Versions
IBM Domino 9.0.1 through 9.0.1 Fix Pack 7 Interim Fix 2
IBM Domino 9.0 through 9.0 Interim Fix 7
IBM Domino 8.5.3 through 8.5.3 Fix Pack 6 Interim Fix 17
IBM Domino 8.5.2 through 8.5.2 Fix Pack 4
IBM Domino 8.5.1 through 8.5.1 Fix Pack 5
CVE-2016-6087 is tracked as SPR# DKEN9WGMYE.
A fix for the issue described above is introduced in Domino 9.0.1 Feature Pack 8. See the technote linked below for fix download links.
IBM Domino 9.0.1 FP8: http://www.ibm.com/support/docview.wss?uid=swg24037141
Customers who remain on the following releases may open a Service Request with IBM Support and reference SPR# DKEN9WGMYE for a custom hotfix:
- IBM Domino 9.0.1 through 9.0.1 Fix Pack 7 Interim Fix 2
- IBM Domino 9.0 through 9.0 Interim Fix 7
Q&A for 8.5.x
Q1. Can I get a hotfix for this vulnerability for 8.5.x?
IBM cannot provide an 8.5.x solution for this issue because Domino releases prior to 9.0 lack the cryptographic infrastructure and newer cryptographic libraries that are integral to this fix.
Q2. Are there any suggestions for protecting an 8.5.x server from this issue besides upgrading to 9.x?
Yes, as stated below in the Workarounds and Mitigations section, you can insert a proxy server in front of Domino to handle the web traffic as a temporary workaround.
Workarounds and Mitigations
IBM recommends all clients apply the fix. However, aside from upgrading to 9.0.1 FP8, clients may use a proxy server in front of Domino to handle the web traffic as a temporary workaround.
References
Complete CVSS v3 Guide
On-line Calculator v3
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
The vulnerability was reported to IBM by Luke Valenta at the University of Pennsylvania.
31-May-2017 - Original version published
07-June-2017 - Q&A added for 8.5.x
*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the References section of this Security Bulletin.
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.