CVE-2023-38720: 
IBM Db2 vulnerability analysis and mitigation

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) versions 11.1.4.x and 11.5.x are affected by a vulnerability identified as CVE-2023-38720. The vulnerability was disclosed on October 16, 2023, and allows attackers to cause a denial of service condition through a specially crafted ALTER TABLE statement (IBM Security Bulletin).

The vulnerability has received a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating it is network-accessible, requires low attack complexity, needs no privileges or user interaction, and can cause a complete impact on system availability. IBM has also provided their own assessment with a CVSS score of 5.3 (MEDIUM) with the vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H (NetApp Advisory).

When successfully exploited, this vulnerability can lead to a denial of service condition, potentially making the Db2 database service unavailable. The vulnerability specifically affects the ALTER TABLE functionality, with no impact on data confidentiality or integrity (IBM Security Bulletin).

IBM has released special builds containing interim fixes (APAR DT215667) for affected versions. These are available for V11.1.4 FP7 and V11.5.8 and can be applied to any affected fixpack level. The fixes are available for multiple platforms including AIX, Linux, Windows, and Solaris. No workarounds have been identified for this vulnerability (IBM Security Bulletin).