VYPR
Unrated severity · NVD Advisory · Published Sep 4, 2014 · Updated May 6, 2026

CVE-2014-3095

Description

A crafted SELECT with a UNION subquery crashes the IBM DB2 server, causing denial of service for authenticated users on multiple versions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A denial-of-service vulnerability exists in the SQL engine of IBM DB2 for Linux, UNIX, and Windows. The bug is triggered by a carefully crafted SELECT statement that includes a subquery containing a UNION clause. Affected versions are DB2 9.5 through FP10, 9.7 through FP9a, 9.8 through FP5, 10.1 through FP4, and 10.5 before FP4 [1].

Exploitation

A remote, authenticated user can send the malformed SELECT query over the network. No special privileges beyond standard database access are required; the attacker must be able to execute SQL queries on the target server. Exploitation does not require user interaction or race conditions [1].

Impact

Successful exploitation causes the DB2 daemon to crash, leading to a denial of service. The availability of the database server is disrupted, but no data confidentiality or integrity is compromised. The CVSS v2 base score is 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P) [1].

Mitigation

IBM has released fixes for the affected versions. Users should apply the appropriate DB2 fix pack: FP10 for 9.5, FP9a for 9.7, FP5 for 9.8, FP4 for 10.1, and FP4 for 10.5 [1]. No workarounds are documented by IBM. The vulnerability is also applicable to IBM InfoSphere Balanced Warehouse, Smart Analytics System, and PureData System for Operational Analytics appliances [1].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

42
  • IBM/Db2: 42 versions
    • cpe:2.3:a:ibm:db2:10.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:10.1.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:10.1.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:10.1.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:10.1.0.3:a:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:10.1.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:10.5:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:10.5.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:10.5.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:10.5.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:10.5.0.3:a:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:9.5:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:9.5.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:9.5.0.10:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:9.5.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:9.5.0.2:a:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:9.5.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:9.5.0.3:a:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:9.5.0.3:b:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:9.5.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:9.5.0.4:a:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:9.5.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:9.5.0.6:a:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:9.5.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:9.5.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:9.5.0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:9.7:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:9.7.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:9.7.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:9.7.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:9.7.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:9.7.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:9.7.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:9.7.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:9.7.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:9.7.0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:9.7.0.9:a:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:9.8:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:9.8.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:9.8.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:db2:9.8.0.5:*:*:*:*:*:*:*
    • (no CPE) range: 9.5 through FP10, 9.7 through FP9a, 9.8 through FP5, 10.1 through FP4, 10.5 before FP4

Patches

0

No patches discovered yet.

References

11
