IBM Db2 denial of service
Description
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to denial of service with a specially crafted query on certain databases. IBM X-Force ID: 253440.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Db2 versions 10.5, 11.1, and 11.5 are vulnerable to denial of service via a specially crafted query, allowing an authenticated low-privilege attacker to crash the database.
Vulnerability
IBM Db2 for Linux, UNIX, and Windows (including Db2 Connect Server) versions 10.5, 11.1, and 11.5 are vulnerable to denial of service via a specially crafted query on certain database configurations. The vulnerability exists when an authenticated user with low privileges submits a malicious query that triggers excessive resource consumption. Earlier releases (e.g., 10.1, 9.7) may also be affected but are no longer supported [1].
Exploitation
An attacker must have valid database credentials (low privileges required, no user interaction) and network access to the Db2 server. The attacker crafts a specific SQL query that, when executed against a vulnerable database, causes the database engine to crash or become unresponsive. The attack complexity is high (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H), indicating that specific conditions or query patterns may be needed [1].
Impact
Successful exploitation results in a denial of service (availability impact only), causing the Db2 database to stop processing queries or to crash. Confidentiality and integrity are not impacted. The service disruption requires administrative intervention to restore normal operations [1].
Mitigation
IBM has released special builds containing interim fixes for the affected releases. For V10.5, apply the special build for V10.5 FP11; for V11.1, apply the special build for V11.1.4 FP7; for V11.5, apply the special build for V11.5.8. These builds are available on IBM Fix Central. Customers on earlier unsupported versions should upgrade to a supported release. No workaround is documented [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 10.5, 11.1, and 11.5
- Range: 10.5, 11.1, 11.5
Patches
No patches discovered yet.
References
- www.ibm.com/support/pages/node/7047560 (mitre, vendor-advisory)
- exchange.xforce.ibmcloud.com/vulnerabilities/253440 (mitre, vdb-entry)
- security.netapp.com/advisory/ntap-20231116-0006/ (mitre)