VYPR
Unrated severity · NVD Advisory · Published Apr 3, 2024 · Updated Feb 13, 2025

IBM Db2 for Linux, UNIX and Windows denial of service

CVE-2024-27254

Description

IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 10.5, 11.1, and 11.5 federated server is vulnerable to denial of service with a specially crafted query under certain conditions. IBM X-Force ID: 283813.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Db2 federated server versions 10.5, 11.1, and 11.5 are vulnerable to denial of service via a specially crafted query under certain conditions.

Vulnerability

IBM Db2 for Linux, UNIX and Windows (including DB2 Connect Server) versions 10.5.0.x, 11.1.4.x, and 11.5.x are affected by a denial of service vulnerability in the federated server component. Under certain conditions, a specially crafted query can cause the server to crash or become unresponsive [1]. All platforms are affected.

Exploitation

An attacker with low privileges and network access can exploit this vulnerability by sending a specially crafted query to the Db2 federated server. The attack does not require user interaction but does have high attack complexity, meaning the attacker must successfully craft the query and meet specific server conditions [1].

Impact

Successful exploitation leads to a denial of service, impacting the availability of the Db2 server. The CIA impact is limited to availability (high), with no impact on confidentiality or integrity. The CVSS base score is 5.3 (medium) [1].

Mitigation

IBM has released special builds containing interim fixes for the affected releases, available from Fix Central. These builds are based on the most recent fixpack levels: V10.5 FP11, V11.1.4 FP7, and V11.5.9. Customers can apply these special builds to any affected fixpack level of the appropriate release [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2


References: 3
