IBM Db2 denial of service

Vulnerability

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) version 11.5.x (11.5.8 and 11.5.9, but not 11.5.0) is vulnerable to a denial of service when a specially crafted cursor is used on the federated server. The vulnerability is identified with IBM X-Force ID 268759 [1].

Exploitation

Exploitation requires network access and can be carried out without authentication, though the attack complexity is considered high (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). An attacker must be able to submit a specially crafted cursor to the federated server; however, IBM does not disclose specific replication steps to avoid aiding malicious actors [1].

Impact

Successful exploitation results in a denial of service (availability impact). The vulnerability does not affect confidentiality or integrity. The CVSS base score is 5.9 [1].

Mitigation

IBM has released special builds containing interim fixes for V11.5.8 and V11.5.9, available via Fix Central. The fix for V11.5.9 is associated with APAR DT238103. Customers running any vulnerable fixpack level should apply the appropriate special build. V11.5.0 is not vulnerable. No workarounds are mentioned in the provided reference [1].