CVE-2023-26022: 
IBM Db2 vulnerability analysis and mitigation

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) was identified with CVE-2023-26022, a vulnerability that could lead to a denial of service condition. The vulnerability was discovered and disclosed in April 2023, affecting all fix pack levels of IBM Db2 V10.5, V11.1, and V11.5 server editions across all platforms. The issue specifically occurs when an Out of Memory condition happens while using the DBMS_OUTPUT module (IBM Advisory).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, while IBM Corporation assessed it with a Base Score of 5.9 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is related to improper input validation (CWE-20) as identified by IBM Corporation (NVD).

When successfully exploited, this vulnerability can cause the IBM Db2 server to crash, resulting in a denial of service condition. The impact primarily affects the availability of the system, with no direct impact on confidentiality or integrity (NetApp Advisory).

IBM has released special builds containing interim fixes for this vulnerability. These are available based on the most recent fixpack level for each impacted release: V10.5 FP11, V11.1.4 FP7, v11.5.7, and V11.5.8. These special builds can be applied to any affected fixpack level of the appropriate release to remediate the vulnerability. No workarounds have been identified for this vulnerability (IBM Advisory).