CVE-2023-38740: 
IBM Db2 vulnerability analysis and mitigation

IBM Db2 for Linux, UNIX, and Windows (includes Db2 Connect Server) version 11.5 contains a vulnerability that allows denial of service attacks through specially crafted SQL statements. The vulnerability was assigned CVE-2023-38740 and was disclosed in October 2023. The affected systems include Db2 11.5.x Server editions across all supported platforms (IBM Security).

The vulnerability has received a CVSS v3.1 base score of 7.5 (HIGH) from NIST with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, while IBM Corporation assessed it with a score of 5.3 (MEDIUM) and vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified under CWE-20 (Improper Input Validation) according to IBM's assessment (NVD Database).

When successfully exploited, this vulnerability can lead to a Denial of Service (DoS) condition in the affected Db2 database systems. The attack affects availability while not impacting confidentiality or integrity of the system (NetApp Advisory).

IBM has released special builds containing interim fixes (APAR DT224814) for affected versions. These builds are available for V11.5.8 and can be applied to any affected fixpack level to remediate the vulnerability. The fixes are available for multiple platforms including AIX 64-bit, Linux (32-bit and 64-bit), and Windows. No workarounds have been identified for this vulnerability (IBM Security).