IBM Db2 denial of service
Description
IBM DB2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to denial of service with a specially crafted query on certain tables. IBM X-Force ID: 253437.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Db2 versions 10.5, 11.1, and 11.5 are vulnerable to denial of service via a specially crafted query on certain tables, with no user interaction required.
Vulnerability
IBM Db2 for Linux, UNIX and Windows (including Db2 Connect Server) versions 10.5, 11.1, and 11.5 contain a denial-of-service vulnerability triggered by a specially crafted query executed against certain tables. The issue resides in the query processing engine, though the specific code path is not publicly detailed. The affected versions are explicitly named in IBM's advisory [1].
Exploitation
An attacker must have authenticated database access with the ability to run SQL queries on a Db2 instance hosting the target tables. The attack complexity is high (per the CVSS vector), suggesting that specific table structures or query patterns are required to trigger the vulnerability. No user interaction beyond the attacker's own query execution is needed [1].
Impact
Successful exploitation causes a denial-of-service condition for the Db2 server, impacting availability. Confidentiality and integrity are not compromised. The CVSS base score is 5.3, reflecting a moderate availability impact [1].
Mitigation
IBM released a security fix for this vulnerability. Customers should apply the fix available via the official IBM support page [1]. As a workaround, administrators can restrict query capabilities for low-privileged users, though no specific workaround is documented in the reference. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 10.5, 11.1, 11.5
- Range: 10.5, 11.1, 11.5
Patches
No patches discovered yet.
References
- www.ibm.com/support/pages/node/7010557 (mitre, vendor-advisory)
- exchange.xforce.ibmcloud.com/vulnerabilities/253437 (mitre, vdb-entry)
- security.netapp.com/advisory/ntap-20230731-0007/ (mitre)