IBM Db2 Denial-of-Service Vulnerability via Crafted SQL Query

Vulnerability

IBM Db2 for Linux, UNIX, and Windows versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3, including Db2 Connect Server, are affected by a denial-of-service vulnerability caused by improper resource allocation. An authenticated user can submit a specially crafted SQL query that exhausts system resources. The condition arises when the database configuration parameter STMTHEAP (the SQL statement heap, the memory Db2 uses while compiling a statement) is set to AUTOMATIC, which lets a tailored query drive the heap to consume resources the instance cannot sustain.

Impact

A successful attack causes a denial of service: the database becomes unresponsive or unavailable to other users. Because the attacker must be authenticated, exposure is limited to principals who already hold database credentials, but any such user, not only an administrator, can trigger it.

Remediation

For Db2 11.5.9, install special build #79671 or later, which is available from IBM Fix Central; for Db2 12.1, upgrade to 12.1.4. On 11.5.9 the special build alone is not sufficient: after installing it, the registry variable DB2_STRICT_INSTANCE_MEMORY must be set to ON to fully address the vulnerability.
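The following is an added example, not code from the advisory or from IBM: a small POSIX shell check that tells you whether a Db2 instance is in the configuration the advisory describes (STMTHEAP at AUTOMATIC) and whether the DB2_STRICT_INSTANCE_MEMORY registry variable is already ON. It parses the text that `db2 get db cfg for <DB>` and `db2set -all` print; the sample output embedded below is constructed to match the real formats (the `(STMTHEAP) = AUTOMATIC(8192)` line and the `[i] NAME=VALUE` registry lines), not captured from a live system. The assumed assessment labels (`STMTHEAP_NOT_AUTOMATIC`, `REGISTRY_SET`, `EXPOSED`) are this example's own. It does not check the installed build level, so `REGISTRY_SET` only means the second half of the fix is in place.

```shell
#!/bin/sh
# Added example (not the advisory's or IBM's code): classify a Db2 instance's
# configuration against the vulnerable state described in the advisory.
# Assumption: input is the plain text of "db2 get db cfg for <DB>" and
# "db2set -all" (both formats reproduced in the constructed samples below).

# Returns 0 when the STMTHEAP line reports AUTOMATIC (the vulnerable setting).
stmtheap_is_automatic() {
    printf '%s\n' "$1" \
      | grep -E '\(STMTHEAP\)[[:space:]]*=[[:space:]]*AUTOMATIC' >/dev/null
}

# Returns 0 when DB2_STRICT_INSTANCE_MEMORY=ON is present. "db2set -all"
# prefixes each line with its scope ([e] environment, [i] instance, [g] global);
# plain "db2set" prints NAME=VALUE with no prefix, so the prefix is optional.
strict_instance_memory_on() {
    printf '%s\n' "$1" \
      | grep -E '^[[:space:]]*(\[[eig]\][[:space:]]*)?DB2_STRICT_INSTANCE_MEMORY=ON[[:space:]]*$' >/dev/null
}

# Combine the two checks. The labels are this example's own convention.
# Arguments: $1 = db cfg output, $2 = db2set output.
assess() {
    dbcfg="$1"
    regs="$2"
    if ! stmtheap_is_automatic "$dbcfg"; then
        echo "STMTHEAP_NOT_AUTOMATIC"     # advisory's precondition not met
    elif strict_instance_memory_on "$regs"; then
        echo "REGISTRY_SET"               # registry half of the fix applied
    else
        echo "EXPOSED"                    # AUTOMATIC heap, registry not set
    fi
}

# Constructed sample output (not from a real instance), in the real formats.
SAMPLE_DBCFG_AUTO=' SQL statement heap (4KB)                     (STMTHEAP) = AUTOMATIC(8192)'
SAMPLE_DBCFG_FIXED=' SQL statement heap (4KB)                     (STMTHEAP) = 8192'
SAMPLE_REGS_OFF='[i] DB2COMM=TCPIP
[g] DB2SYSTEM=db2host'
SAMPLE_REGS_ON='[i] DB2_STRICT_INSTANCE_MEMORY=ON
[i] DB2COMM=TCPIP'

# Stand-alone demo over the constructed samples. Against a live instance,
# run as the instance owner:
#   assess "$(db2 get db cfg for SAMPLE)" "$(db2set -all)"
echo "automatic heap, registry unset: $(assess "$SAMPLE_DBCFG_AUTO" "$SAMPLE_REGS_OFF")"
echo "automatic heap, registry ON:    $(assess "$SAMPLE_DBCFG_AUTO" "$SAMPLE_REGS_ON")"
echo "fixed heap:                     $(assess "$SAMPLE_DBCFG_FIXED" "$SAMPLE_REGS_OFF")"
```

Run the check once per database, since STMTHEAP is a database configuration parameter while the registry variable is instance-wide. When you do set the variable (`db2set DB2_STRICT_INSTANCE_MEMORY=ON`), remember that Db2 registry variables generally take effect only after the instance is restarted with `db2stop` and `db2start`, so re-run the assessment after the restart rather than immediately after `db2set`.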

Added: Apr 30, 2026, 10:32 PM
Updated: Apr 30, 2026, 10:32 PM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 2.5
exploitability: 4.5
remediation: 8.3
relevance: 6.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.