IBM Db2 denial of service

Vulnerability

IBM Db2 for Linux, UNIX and Windows (including Db2 Connect Server) versions 10.5, 11.1, and 11.5 are vulnerable to denial of service when processing a specially crafted XML query statement. The vulnerability exists in the XML query parsing component, which can be exploited without requiring any special configuration beyond default settings.

Exploitation

An attacker with network access to the Db2 database server can send a malicious XML query statement. No authentication is required to trigger the vulnerable code path. The attacker does not need any special privileges or user interaction; sending the crafted query is sufficient to cause the denial of service.

Impact

Successful exploitation leads to a denial of service, making the database instance unavailable until manual intervention. This impacts the availability of the database service, potentially disrupting applications that rely on it.

Mitigation

No specific fix is disclosed in the available references. Affected customers should monitor IBM's security advisories for updates. As a general mitigation, restrict network access to the database server and apply the principle of least privilege to database connections.