CVE-2023-27559: 
IBM Db2 vulnerability analysis and mitigation

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) versions 10.5, 11.1, and 11.5 was identified with a vulnerability tracked as CVE-2023-27559. The vulnerability was disclosed on April 26, 2023, and involves a denial of service condition where the server may crash when using a specially crafted subquery (IBM Advisory, NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) by NIST with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction. IBM's own assessment rated it lower at 5.3 (MEDIUM) with the vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H, suggesting higher attack complexity and required privileges (NVD).

The vulnerability affects the availability of the system, potentially causing the Db2 server to crash when exploited. The impact is limited to denial of service with no direct effect on confidentiality or integrity of the system (IBM Advisory).

IBM has released special builds containing interim fixes for affected versions: V10.5 FP11, V11.1.4 FP7, V11.5.7, and V11.5.8. These special builds can be applied to any affected fixpack level of the appropriate release to remediate the vulnerability. No workarounds have been identified (IBM Advisory).