CVE-2023-27555: 
IBM Db2 vulnerability analysis and mitigation

CVE-2023-27555 affects IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) version 11.5. The vulnerability was discovered and reported to IBM, with the initial public disclosure on April 28, 2023. This security flaw specifically impacts the functionality when attempting to use ACR client affinity for unfenced DRDA federation wrappers (IBM Advisory, NVD).

The vulnerability has received a CVSS v3.1 base score of 7.5 (HIGH) according to NVD assessment, with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. However, IBM's own assessment rates it with a CVSS score of 5.1 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified under CWE-20 (Improper Input Validation) according to IBM's assessment (NVD, IBM Advisory).

When successfully exploited, this vulnerability can result in a denial of service condition where the server may crash when attempting to use ACR client affinity for unfenced DRDA federation wrappers. The impact is primarily focused on system availability, with no direct impact on confidentiality or integrity (IBM Advisory, NetApp Advisory).

IBM has provided two mitigation approaches: 1) Remove the unsupported options from the db2dsdriver.cfg configuration for the federated data source, or 2) If the configuration cannot be changed because it is shared with other applications, provide a separate configuration for the federated data source. Additionally, special builds containing interim fixes are available for V11.5.7 and V11.5.8, which can be applied to any affected fixpack level (IBM Advisory).