CVE-2023-29258: 
IBM Db2 vulnerability analysis and mitigation

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) versions 11.1 and 11.5 is vulnerable to a denial of service vulnerability through a specially crafted federated query on specific federation objects. The vulnerability was assigned CVE-2023-29258 and IBM X-Force ID 252048. The issue affects both server editions across all supported platforms (IBM Security).

The vulnerability has received a CVSS v3.1 base score of 7.5 (HIGH) from NIST with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, while IBM assessed it with a lower score of 5.3 (MEDIUM) with vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability is related to improper input validation (CWE-20) as identified by IBM Corporation (NVD).

Successful exploitation of this vulnerability could allow an attacker to cause a denial of service condition in the affected Db2 database system, potentially disrupting availability of the database services (NetApp Advisory).

IBM has released special builds containing interim fixes for this vulnerability. For V11.1.4, the fix is available in FP7, and for V11.5, fixes are available in V11.5.8 and V11.5.9. These special builds can be applied to any affected fixpack level of the appropriate release. The fixes are available through IBM Fix Central under APAR DT198104 (IBM Security).