IBM Db2 denial of service
Description
IBM DB2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.1, 10.5, and 11.1 could allow an authenticated user with CONNECT privileges to cause a denial of service using a specially crafted query. IBM X-Force ID: 272646.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Db2 on Linux, UNIX, and Windows versions 10.1, 10.5, 11.1, and 11.5 allow authenticated users to cause a denial of service via a crafted query.
Vulnerability
IBM Db2 for Linux, UNIX, and Windows (including Db2 Connect Server) versions 10.1, 10.5.0.x, 11.1.4.x, and 11.5.x are vulnerable to a denial of service. An authenticated user with only CONNECT privileges can exploit this vulnerability by executing a specially crafted query. The affected product editions include the Server edition on all supported platforms [1].
Exploitation
An attacker must be authenticated to the database instance and hold the CONNECT privilege, which is typically granted by default to database users. No additional privileges are required. The attacker delivers a specially crafted SQL query to the server. The complexity of the attack is high (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H), suggesting that the crafted query may require specific knowledge of the database schema or timing [1].
Impact
Successful exploitation results in a denial of service condition, making the database temporarily unavailable to legitimate users. The impact is limited to availability (A:H); there is no impact on confidentiality or integrity (C:N/I:N). The attack does not require user interaction, but it does require network access to the Db2 server [1].
Mitigation
IBM has released special builds containing interim fixes for affected versions: V10.5 FP11 (Special Build), V11.1.4 FP7 (Special Build), and V11.5.9. These special builds can be downloaded from IBM Fix Central and applied to any affected fixpack level of the respective release. The APAR ID is DT221786. No workaround is documented; the recommended action is to apply the fix. Older releases (10.1, 9.7, etc.) are no longer supported and may also be affected [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 10.1, 10.5, 11.1
- Range: 10.5, 11.1, 11.5
Patches
No patches discovered yet.
References
- www.ibm.com/support/pages/node/7105502 (mitre, vendor-advisory)
- exchange.xforce.ibmcloud.com/vulnerabilities/272646 (mitre, vdb-entry)
- security.netapp.com/advisory/ntap-20240307-0002/ (mitre)