IBM Db2 denial of service
Description
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 federated server is vulnerable to a denial of service when a specially crafted cursor is used. IBM X-Force ID: 269367.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Db2 federated server versions 11.5.6 through 11.5.8 are vulnerable to denial of service via a specially crafted cursor.
Vulnerability
IBM Db2 for Linux, UNIX and Windows (including Db2 Connect Server) versions 11.5.6 through 11.5.8 contain a denial-of-service vulnerability in the federated server component [1]. A specially crafted cursor can trigger the issue; the vendor has withheld further technical details in order to hinder exploitation [1]. All platforms are affected [1].
Exploitation
An attacker with network access can exploit this vulnerability without authentication, but the attack complexity is high according to the CVSS vector (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) [1]. A specially crafted cursor must be sent to the federated server to trigger the denial-of-service condition [1]. The vendor has deliberately withheld the specific replication steps [1].
Impact
Successful exploitation leads to a denial of service, causing the affected Db2 federated server to become unavailable [1]. No impact on confidentiality or integrity is reported [1].
Mitigation
IBM has released interim fixes (special builds) for this vulnerability on the most recent fixpack levels: V10.5 FP11, V11.1.4 FP7, and V11.5.9 [1]. Customers running any affected fixpack level within 11.5.6 through 11.5.8 should obtain the special build from Fix Central and apply it to their appropriate release [1]. No workarounds are available [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 11.5
- Range: 11.5
Patches
No patches discovered yet.
References
- www.ibm.com/support/pages/node/7087203 (mitre, vendor-advisory)
- exchange.xforce.ibmcloud.com/vulnerabilities/269367 (mitre, vdb-entry)
- security.netapp.com/advisory/ntap-20240112-0003/ (mitre)