Unrated severity · NVD Advisory · Published Apr 27, 2023 · Updated Feb 13, 2025

IBM DB2 for Linux, UNIX and Windows denial of service

CVE-2023-29255

Description

IBM DB2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to a denial of service as it may trap when compiling a variation of an anonymous block. IBM X-Force ID: 251991.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Db2 for Linux, UNIX and Windows traps when compiling a variation of an anonymous block, allowing remote unauthenticated denial of service.

Vulnerability

IBM Db2 for Linux, UNIX and Windows (including Db2 Connect Server) versions 10.5, 11.1, and 11.5 at any fix pack level are vulnerable to a denial of service when compiling a specific variation of an anonymous block [1]. The vulnerability causes the database to trap (crash), leading to service unavailability [1].

Exploitation

No authentication is required [1]. An attacker with network access can send a crafted SQL anonymous block to a vulnerable Db2 server, triggering the trap during compilation. No special privileges are needed, and the attack does not require user interaction [1].

Impact

Successful exploitation results in a denial of service, as the Db2 process traps and becomes unavailable [1]. The impact is limited to availability: confidentiality and integrity are not affected, and the availability impact is rated high, with a CVSS score of 7.5 [1].

Mitigation

IBM has released special builds containing interim fixes for affected releases: V10.5 FP11, V11.1.4 FP7, V11.5.7, and V11.5.8. These can be downloaded from IBM Fix Central for the appropriate platform [1]. Customers should apply the special build corresponding to their release. No workaround is available, but the interim fix remediates the vulnerability [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
