IBM has recently disclosed a security vulnerability (CVE-2024-37071) affecting its Db2 database software for Linux and UNIX platforms.
Under certain circumstances, an authenticated user could exploit the flaw to cause a denial of service (DoS) by triggering improper memory allocation with a specially constructed query.
Vulnerability Details
A recently identified vulnerability, tracked as CVE-2024-37071, involves improper memory allocation in IBM Db2 for Linux, UNIX, and Windows (including Db2 Connect Server).
This flaw enables authenticated users to launch a denial-of-service (DoS) attack by crafting malicious queries. The CVSS base score of 5.3 indicates that the vulnerability is moderately serious. It is classified as CWE-789 (Memory Allocation with Excessive Size Value).
The issue impacts Db2 deployments on Linux and UNIX platforms, while Windows remains unaffected. Affected versions include IBM Db2 Server editions from 10.5.0 to 10.5.11, 11.1.4 to 11.1.4.7, and 11.5.0 to 11.5.9, as well as earlier releases like 10.1.
Solution and Fixes
IBM has provided interim fixes to address this vulnerability. Customers using affected versions are advised to download special builds of the most recent fixpack versions for their respective Db2 releases from IBM Fix Central.
- Version 10.5: Special Build for Fix Pack 11 (various platforms).
- Version 11.1: Special Build for Fix Pack 7 (various platforms).
- Version 11.5:
  - Build #49307 or later for V11.5.8.
  - Build #50315 or later for V11.5.9.
IBM recommends applying these fixes as soon as possible to mitigate the risk of exploitation.
This vulnerability has a medium severity CVSS score of 5.3. While the attack complexity is high and requires an authenticated user, the potential consequence of a successful exploit would be a denial of service, making the Db2 service unavailable.
IBM has confirmed that there are no workarounds or mitigation approaches for this issue apart from applying the provided fixes. We strongly encourage customers using unsupported Db2 versions to upgrade to a supported version and apply the relevant patches.
- Identify Vulnerable Installations: Determine if your system is running one of the affected Db2 versions.
- Download Fixes: Access the special builds available on IBM Fix Central.
- Update and Secure Your Environment: Apply the fixes to ensure your Db2 installation is no longer vulnerable.
- Stay Informed: Subscribe to IBM’s “My Notifications” service to receive updates on future security advisories.
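As a check for the first step above (identifying vulnerable installations), here is an added Python helper that is not IBM's code: it classifies a Db2 version string (the "DB2 vX.Y.Z.W" token printed by db2level) against the affected ranges and the fixed 11.5 build numbers given in this bulletin. That an operator can read the special-build number of an installation and pass it in is an assumption of the example.

```python
"""Classify a Db2 level against the CVE-2024-37071 affected ranges.

Ranges and fixed build numbers are those listed in the bulletin above.
The build number argument is an assumption of this example: it must be
supplied by the operator for special builds, since how it is obtained is
not described in the bulletin.
"""
from __future__ import annotations

# (inclusive lower bound, inclusive upper bound) for each affected release line
AFFECTED_RANGES = [
    ((10, 5, 0), (10, 5, 11)),
    ((11, 1, 4), (11, 1, 4, 7)),
    ((11, 5, 0), (11, 5, 9)),
]
# Minimum special-build numbers that carry the fix on the 11.5 line.
FIXED_BUILDS = {(11, 5, 8): 49307, (11, 5, 9): 50315}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn 'DB2 v11.5.8.0' or '11.5.8.0' into a tuple of ints."""
    token = text.strip().split()[-1].lstrip("vV")
    return tuple(int(part) for part in token.split("."))


def _in_range(v: tuple[int, ...], lo: tuple[int, ...], hi: tuple[int, ...]) -> bool:
    # Compare only as many components as each bound specifies, so that
    # "11.5.9.0" still falls inside the "11.5.0 to 11.5.9" range.
    return v[: len(lo)] >= lo and v[: len(hi)] <= hi


def assess(version: str, build: int | None = None) -> str:
    """Return 'fixed', 'affected', 'unsupported-affected' or 'not-affected'.

    Assumes a Linux/UNIX host; the bulletin states Windows is unaffected,
    and that is not checked here. A GA 11.5.8/11.5.9 install with no
    special build number is reported as affected.
    """
    v = parse_version(version)
    if v[:2] == (10, 1):  # earlier, out-of-support release named as affected
        return "unsupported-affected"
    minimum = FIXED_BUILDS.get(v[:3])
    if minimum is not None and build is not None and build >= minimum:
        return "fixed"
    if any(_in_range(v, lo, hi) for lo, hi in AFFECTED_RANGES):
        return "affected"
    return "not-affected"
```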
IBM does not disclose detailed replication steps for vulnerabilities to minimize the risk of exploitation. For more information on security best practices, visit the IBM Secure Engineering Web Portal.
For more technical details and to evaluate the impact of this vulnerability on your organization’s environment, visit IBM’s Security Bulletin.
Although the vulnerability requires an authenticated user to execute the attack, organizations running affected versions of Db2 should act promptly to apply the fixes provided by IBM to avoid the risk of a denial of service. Preventative updates and diligent monitoring are crucial to safeguarding database systems against potential exploits.