IBM Db2 denial of service
Description
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to denial of service with a specially crafted query. IBM X-Force ID: 266166.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Db2 for Linux, UNIX, and Windows is vulnerable to denial of service via a specially crafted query, affecting versions 10.5, 11.1, and 11.5.
Vulnerability
IBM Db2 for Linux, UNIX, and Windows (including Db2 Connect Server) versions 10.5, 11.1, and 11.5 are vulnerable to denial of service (DoS) when processing a specially crafted query [1]. The vulnerability exists in the database engine and can be triggered by any authenticated user with network access. Earlier unsupported releases (10.1, 9.7, etc.) may also be affected [1].
Exploitation
An attacker with low-privileged access to the database can send a specially crafted query over the network to trigger the vulnerability. No user interaction is required beyond the initial authentication. The attack complexity is low, and the exploit does not require any special configuration beyond standard Db2 deployment [1].
Impact
Successful exploitation results in a denial of service condition, causing the Db2 server to become unavailable. The impact is limited to availability; confidentiality and integrity are not affected. The CVSS base score is 6.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) [1].
Mitigation
IBM has released special builds containing interim fixes for this issue, available from Fix Central. These builds target the most recent fixpack levels: V10.5 FP11, V11.1.4 FP7, and V11.5.8. They can be applied to any affected fixpack level of the respective release. No permanent fix pack has been released as of the publication date [1]. Users on unsupported releases should upgrade to a supported version.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 10.5, 11.1, 11.5
- Range: 10.5, 11.1, 11.5
Patches
No patches discovered yet.
References
- www.ibm.com/support/pages/node/7087180 (mitre, vendor-advisory)
- exchange.xforce.ibmcloud.com/vulnerabilities/266166 (mitre, vdb-entry)
- security.netapp.com/advisory/ntap-20240119-0001/ (mitre)