IBM Db2 for Linux, UNIX and Windows denial of service

Vulnerability

IBM Db2 for Linux, UNIX and Windows (including Db2 Connect Server) version 11.5.x is vulnerable to a denial of service when a specially crafted query is executed against certain columnar tables. All platforms are affected. The vulnerability is identified by CVE-2024-22360 and IBM X-Force ID 280905 [1].

Exploitation

An attacker with low privileges and network access can exploit this vulnerability by sending a specially crafted query to a Db2 instance that contains columnar tables. The attack complexity is high, indicating that specific conditions or table structures are required. IBM has not disclosed the exact replication steps [1].

Impact

Successful exploitation results in a denial of service, causing the Db2 service to become unavailable. The CVSS vector (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H) indicates high availability impact with no confidentiality or integrity impact [1].

Mitigation

IBM has released special builds for V11.5.8 and V11.5.9 containing an interim fix (APAR DT258141). These builds are available from Fix Central and can be applied to any affected fixpack level of V11.5. V11.5.0 is not vulnerable. No workaround has been disclosed [1].