PatchSiren cyber security CVE debrief

CVE-2016-0270 IBM CVE debrief

CVE-2016-0270 covers an AES-GCM nonce-generation issue in the TLS implementation of affected IBM Domino 9.0.1 release lines. Per NVD and the IBM PSIRT references, random nonce generation in AES-GCM could make it easier for a remote attacker to obtain an authentication key and spoof data by exploiting nonce reuse within a session (the "forbidden attack"). The CVE is rated medium severity and is network-exploitable, but with high attack complexity.

Vendor: IBM
Product: IBM Domino, IBM Notes, IBM Client Application Access
CVSS: MEDIUM 5.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-08
Original CVE updated: 2026-05-13
Advisory published: 2017-02-08
Advisory updated: 2026-05-13

Who should care

IBM Domino and IBM Notes administrators, especially those running the affected 9.0.1 Fix Pack 3 Interim Fix 2 through Fix Pack 5 Interim Fix 1 range, and teams responsible for TLS configuration, patch management, and certificate/crypto review in IBM messaging environments.

Technical summary

NVD lists affected IBM CPEs for Domino 9.0.1.3/9.0.1.4/9.0.1.5, Notes 9.0.1.3/9.0.1.4/9.0.1.5, and Client Application Access 1.0.0.1. The weakness is described as random nonce generation when TLS uses AES-GCM. GCM's security depends on never encrypting two records under the same key and nonce; randomly generated 96-bit nonces can collide, and a collision exposes the keystream and the GHASH authentication key, which is what makes key recovery and spoofing possible. NVD assigns CVSS 3.0 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N and CWE-200.
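The following Python is an added illustration of the point above, not code from IBM or from the PatchSiren corpus. It quantifies the birthday-bound collision risk of random 96-bit GCM nonces, shows a deterministic counter-based nonce construction (the TLS 1.3 style of XORing a per-key IV with the record sequence number) that cannot repeat within a key's lifetime, and adds a defensive reuse check that refuses to encrypt twice under the same (key id, nonce) pair. The `CounterNonce` and `NonceReuseDetector` names and the reduced nonce width used in the simulation are illustrative choices, not anything from the advisory.

```python
"""Random vs. deterministic AES-GCM nonces: birthday risk and reuse checks.

Added example (not vendor code). AES-GCM takes a 96-bit nonce. Encrypting two
records under the same key and nonce repeats the CTR keystream and lets an
observer recover the GHASH authentication key, so nonce uniqueness per key
is a hard requirement, not a nice-to-have.
"""
import math
import os
import random
import struct

NONCE_BITS = 96          # standard GCM nonce length used by TLS
MAX_SEQ = 2 ** 64        # 64-bit record sequence number, as in TLS 1.3


def collision_probability(records: int, bits: int = NONCE_BITS) -> float:
    """Probability that at least two of `records` uniformly random `bits`-bit
    nonces coincide, via the birthday bound p = 1 - exp(-n(n-1) / 2N)."""
    space = 2.0 ** bits
    exponent = -records * (records - 1) / (2.0 * space)
    return -math.expm1(exponent)          # expm1 keeps precision for tiny p


def records_for_risk(max_p: float, bits: int = NONCE_BITS) -> int:
    """Largest record count that keeps the collision probability at or below
    `max_p`, using the small-p approximation p ~ n^2 / 2N, i.e. n ~ sqrt(2Np)."""
    return int(math.sqrt(2.0 * (2.0 ** bits) * max_p))


def random_nonces_collide(records: int, bits: int, seed: int = 0) -> bool:
    """Draw `records` random `bits`-bit nonces and report whether any repeats.
    A reduced `bits` value makes the birthday bound visible in a few thousand
    draws; with 96 bits a practical test never sees a repeat."""
    rng = random.Random(seed)              # seeded so the demo is reproducible
    seen = set()
    for _ in range(records):
        nonce = rng.getrandbits(bits)
        if nonce in seen:
            return True
        seen.add(nonce)
    return False


class CounterNonce:
    """Deterministic nonce construction in the style of TLS 1.3 (RFC 8446 5.3):
    a per-key 96-bit IV XORed with the zero-padded 64-bit record sequence
    number. Uniqueness holds for 2**64 records without per-record randomness;
    after that the key must be rotated."""

    def __init__(self, iv: bytes):
        if len(iv) != NONCE_BITS // 8:
            raise ValueError("IV must be 96 bits")
        self.iv = iv
        self.seq = 0

    def next(self) -> bytes:
        if self.seq >= MAX_SEQ:
            raise RuntimeError("sequence space exhausted; rekey before continuing")
        padded = b"\x00\x00\x00\x00" + struct.pack(">Q", self.seq)
        self.seq += 1
        return bytes(a ^ b for a, b in zip(self.iv, padded))


class NonceReuseDetector:
    """Defensive guard: remembers every (key_id, nonce) pair it has approved and
    rejects a repeat, so a broken nonce source fails closed instead of leaking
    the authentication key."""

    def __init__(self):
        self._seen = set()

    def check(self, key_id: bytes, nonce: bytes) -> bool:
        pair = (key_id, nonce)
        if pair in self._seen:
            return False                   # reuse detected: refuse to encrypt
        self._seen.add(pair)
        return True


def demo_counter_scheme(records: int = 10_000) -> bool:
    """Generate `records` counter nonces for one key and confirm the reuse
    detector never fires; returns True when every nonce was unique."""
    gen = CounterNonce(os.urandom(NONCE_BITS // 8))
    det = NonceReuseDetector()
    return all(det.check(b"key-1", gen.next()) for _ in range(records))


if __name__ == "__main__":
    print("p(collision) after 2**32 random 96-bit nonces:",
          collision_probability(2 ** 32))
    print("records allowed at p <= 2**-32:", records_for_risk(2 ** -32))
    print("16-bit random nonces collide within 2000 draws:",
          random_nonces_collide(2000, 16, seed=1))
    print("counter scheme free of reuse:", demo_counter_scheme())
```

The two numbers printed first are the practical takeaway: with random nonces the collision probability grows quadratically with the record count, so a long-lived TLS session sending billions of records under one key approaches a non-negligible reuse chance, whereas the counter construction makes reuse impossible short of sequence-number exhaustion.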

Defensive priority

Medium priority. Patch or mitigate promptly if you run the affected IBM Domino/Notes versions and use TLS with AES-GCM; the attack complexity is high, and the supplied data does not indicate a KEV listing or active exploitation.

Recommended defensive actions

  • Inventory IBM Domino, Notes, and Client Application Access deployments to confirm whether any systems match the affected versions listed by NVD.
  • Apply the IBM PSIRT remediation referenced in the vendor advisories for the affected release line.
  • Review TLS configuration and ensure affected systems are updated before relying on AES-GCM in production.
  • Validate that internal tracking does not confuse CVE-2016-0270 with similar nonce-reuse issues in other vendors' products.
  • Reassess exposure for any services that may accept remote TLS connections from untrusted networks.

Evidence notes

Timing is based on the CVE publish date supplied in the corpus: 2017-02-08T16:59:00.133Z. NVD shows the record was modified on 2026-05-13T00:24:29.033Z. The source corpus includes IBM PSIRT vendor advisories, NVD references, and the CVE description's explicit warning that this CVE identifier has been incorrectly reused for other products; scope analysis to IBM Domino/Notes as given by the listed CPEs and description, not to unrelated GCM nonce issues.

Official resources

Published 2017-02-08; modified 2026-05-13 per the supplied CVE/NVD timeline. No CISA KEV data was supplied for this CVE.