VYPR
Unrated severity · NVD Advisory · Published Jul 8, 2023 · Updated Feb 13, 2025

IBM Db2 denial of service

CVE-2023-30449

Description

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to denial of service with a specially crafted query. IBM X-Force ID: 253439.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Db2 for Linux, UNIX and Windows 10.5, 11.1, and 11.5 are vulnerable to denial of service via a specially crafted query.

Vulnerability

IBM Db2 for Linux, UNIX and Windows (including Db2 Connect Server) versions 10.5, 11.1, and 11.5 are affected by a denial of service vulnerability. The issue lies in the query processing engine, where a specially crafted query can trigger excessive resource consumption or crash the service. No specific table or configuration is required beyond the basic database setup. [1]

Exploitation

An attacker must be authenticated to the database with a low-privileged account. The attack is network-based, and no user interaction is needed. The attacker sends a specially crafted query to the Db2 instance, causing the database to enter an unstable state. [1]

Impact

Successful exploitation results in denial of service, affecting the availability of database services. The CIA impact is: C:N/I:N/A:H. The attacker gains no data access or privilege escalation, but service disruption can affect dependent applications. [1]

Mitigation

IBM has provided fixes for this vulnerability. Administrators should apply the latest fix pack for the affected versions as described in the IBM Security Bulletin [1]. Specific fix versions include Db2 11.5.8.0 and later, Db2 11.1.4.7 and later, and Db2 10.5.0.11 and later. There are no known workarounds; upgrading is recommended. [1]

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

3
