IBM Db2 Denial-of-Service Vulnerability via Improper Query Data Neutralization

Vulnerability

A denial-of-service vulnerability has been identified in IBM Db2 versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 for Linux, UNIX, and Windows, including Db2 Connect Server. The issue allows an authenticated user to cause a denial of service by exploiting improper neutralization of special elements in data query logic. This vulnerability can lead to a SQLCODE -901 error when processing a specially crafted query that involves a defined index.

Impact

Exploitation of this vulnerability causes a denial-of-service condition: the affected query either traps the database engine or returns SQLCODE -901, a severe error that disrupts normal database operations.

Remediation

Users can upgrade to the special build containing the interim fix for this issue; the special builds for both Db2 version 11.5 and Db2 version 12.1 are available through Fix Central. As a temporary workaround until the fix is applied, the registry variable 'DB2_REDUCED_OPTIMIZATION' can be set to 'NO_SORT_NLJOIN,NO_SORT_MGJOIN' to avoid the SORT operations that may trigger the vulnerability.
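An added example (not part of the advisory or IBM's tooling) for checking whether an instance is in the affected version range and whether the workaround is present: it parses the text of `db2set -all`, whose lines take the form `[i] NAME=VALUE` (the bracket tag marks the registry level: [e] environment, [i] instance, [g] global). The sample `db2set` output and the version tuples are constructed for the example.

```python
"""Assess one Db2 instance against the DB2_REDUCED_OPTIMIZATION workaround."""
import re

# Affected ranges from the advisory, as (major, minor, mod) tuples, inclusive.
AFFECTED = [((11, 5, 0), (11, 5, 9)), ((12, 1, 0), (12, 1, 4))]
# Both tokens must be present for the workaround to cover both join types.
REQUIRED = {"NO_SORT_NLJOIN", "NO_SORT_MGJOIN"}

def parse_db2set(text):
    """Return {NAME: value} for every '[x] NAME=VALUE' line; later lines win."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*\[[eig]\]\s*([A-Za-z0-9_]+)=(.*)$", line)
        if m:
            settings[m.group(1).upper()] = m.group(2).strip()
    return settings

def version_affected(version):
    """version is a (major, minor, mod) tuple, e.g. (11, 5, 8)."""
    return any(lo <= version <= hi for lo, hi in AFFECTED)

def workaround_applied(db2set_text):
    """True when DB2_REDUCED_OPTIMIZATION carries both NO_SORT_* tokens."""
    value = parse_db2set(db2set_text).get("DB2_REDUCED_OPTIMIZATION", "")
    tokens = {t.strip().upper() for t in value.split(",") if t.strip()}
    return REQUIRED <= tokens

def assess(version, db2set_text):
    """Return a short status string for one instance."""
    if not version_affected(version):
        return "not affected"
    if workaround_applied(db2set_text):
        return "affected, workaround set (apply the special build)"
    return "affected, no workaround (apply special build or set registry variable)"

# Constructed sample output of `db2set -all`, before and after the workaround.
SAMPLE_BEFORE = """[i] DB2COMM=TCPIP
[g] DB2SYSTEM=db2host
[e] DB2PATH=/opt/ibm/db2/V11.5
"""
SAMPLE_AFTER = SAMPLE_BEFORE + "[i] DB2_REDUCED_OPTIMIZATION=NO_SORT_NLJOIN,NO_SORT_MGJOIN\n"

if __name__ == "__main__":
    for ver in [(11, 5, 8), (12, 1, 4), (12, 1, 5)]:
        print(ver, "->", assess(ver, SAMPLE_AFTER))
```

The registry variable is set with `db2set DB2_REDUCED_OPTIMIZATION=NO_SORT_NLJOIN,NO_SORT_MGJOIN` and, like most Db2 registry changes, only takes effect after the instance is restarted (`db2stop` / `db2start`).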

Added: Apr 23, 2026, 12:30 AM
Updated: Apr 23, 2026, 12:30 AM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 2.5
exploitability: 4.5
remediation: 8.3
relevance: 6.3
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.