CVE-2023-38728: 
IBM Db2 vulnerability analysis and mitigation

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) versions 10.5, 11.1, and 11.5 contains a vulnerability that could allow a denial of service attack through a specially crafted XML query statement. This vulnerability was assigned CVE-2023-38728 and was disclosed in October 2023 (IBM Security).

The vulnerability has been assigned a CVSS Base score of 5.3 (Medium) with the vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating that it requires network access and has high attack complexity. The vulnerability specifically relates to the handling of XML query statements in the database system (IBM Security).

When successfully exploited, this vulnerability could lead to a denial of service (DoS) condition in the affected IBM Db2 systems. The CVSS scoring indicates that while there is no impact on confidentiality or integrity, there is a high impact on system availability (NetApp Security).

IBM has released special builds containing interim fixes for this vulnerability. These are available for V10.5 FP11, V11.1.4 FP7, and V11.5.8, which can be applied to any affected fixpack level of the appropriate release. No workarounds are available at this time (IBM Security).