VYPR
Unrated severity · NVD Advisory · Published Jan 22, 2024 · Updated Feb 13, 2025

IBM Db2 denial of service

CVE-2023-47746

Description

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 could allow an authenticated user with CONNECT privileges to cause a denial of service using a specially crafted query. IBM X-Force ID: 272644.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Db2 on Linux, UNIX, and Windows allows authenticated users to cause denial of service via a specially crafted query.

Vulnerability

IBM Db2 for Linux, UNIX and Windows (including Db2 Connect Server) versions 10.5.0.x, 11.1.4.x, and 11.5.x are vulnerable to a denial of service condition. An authenticated user with CONNECT privileges can exploit this vulnerability by executing a specially crafted query. Earlier releases such as 10.1 and 9.7 may also be affected but are no longer supported [1].

Exploitation

To exploit this vulnerability, an attacker needs valid credentials with at least CONNECT privileges on the Db2 instance. The attacker then submits a specially crafted query to the database server. The CVSS vector rates attack complexity as high (AC:H), meaning special conditions must be met for the attack to succeed. No user interaction is required [1].

Impact

Successful exploitation results in a denial of service condition, causing the Db2 server to become unresponsive or crash. This impacts availability (A:H) but does not affect confidentiality or integrity (C:N/I:N) [1]. The attacker does not gain any additional privileges beyond their authenticated session.

Mitigation

IBM has released special builds containing interim fixes for affected versions: V10.5 FP11, V11.1.4 FP7, and V11.5.9. These builds can be downloaded from IBM Fix Central and applied to any affected fixpack level of the respective release. The APAR ID is DT246499. No workaround is documented other than applying the fix [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
