VYPR
Unrated severity · NVD Advisory · Published Dec 4, 2023 · Updated Feb 13, 2025

IBM Db2 denial of service

CVE-2023-40687

Description

IBM DB2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to denial of service with a specially crafted RUNSTATS command on an 8TB table. IBM X-Force ID: 264809.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM DB2 on Linux, UNIX, and Windows is vulnerable to denial of service via a specially crafted RUNSTATS command on an 8TB table.

Vulnerability

IBM DB2 for Linux, UNIX and Windows (including Db2 Connect Server) versions 10.5 FP11, 11.1.4 FP7, and 11.5.x are vulnerable to denial of service. The vulnerability is triggered by a specially crafted RUNSTATS command on a table that is 8TB or larger. Earlier unsupported releases may also be affected [1].

Exploitation

An attacker with low-privilege authenticated access to the database can issue a specially crafted RUNSTATS command against an 8TB table. No user interaction beyond database access is required. The CVSS vector indicates the attack is network-based but with high complexity (AV:N/AC:H/PR:L/UI:N) [1].

Impact

Successful exploitation causes a denial of service, impacting system availability. The CVSS score of 5.3 (medium) reflects no confidentiality or integrity impact, only availability [1].

Mitigation

IBM has released special builds with the interim fix for affected releases (V10.5 FP11, V11.1.4 FP7, V11.5.9) available from Fix Central. Customers on any affected fixpack level can apply the corresponding special build. Earlier unsupported releases should be upgraded [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2


References

3
