CVE-2023-40687: 
IBM Db2 vulnerability analysis and mitigation

IBM DB2 for Linux, UNIX and Windows (includes Db2 Connect Server) versions 10.5, 11.1, and 11.5 was identified with a vulnerability that could lead to denial of service attacks. The vulnerability, tracked as CVE-2023-40687, was discovered and disclosed in December 2023. The issue specifically affects systems running DB2 when processing RUNSTATS commands on tables of 8TB or larger (IBM Advisory).

The vulnerability has received a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. A separate assessment by IBM Corporation assigned a CVSS score of 5.3 MEDIUM with the vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability is related to improper input validation (CWE-20) when processing RUNSTATS commands on large database tables (NVD).

When successfully exploited, this vulnerability can result in a denial of service condition affecting the availability of the DB2 database system. The attack specifically impacts systems when processing RUNSTATS commands on tables that are 8TB or larger in size (IBM Advisory).

IBM has released special builds containing interim fixes for affected versions. These builds are available based on the most recent fixpack levels: V10.5 FP11, V11.1.4 FP7, and V11.5.9. The fixes can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability. No workarounds have been identified for this vulnerability (IBM Advisory).