CVE-2023-45193: 
IBM Db2 vulnerability analysis and mitigation

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 federated server was identified with a vulnerability that enables denial of service attacks through specially crafted cursor usage. The vulnerability, tracked as CVE-2023-45193, was disclosed on January 22, 2024 (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, while IBM Corporation assessed it with a score of 5.9 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified under CWE-20 (Improper Input Validation) (NVD).

When successfully exploited, this vulnerability can lead to a denial of service condition in the IBM Db2 federated server environment. The attack specifically impacts the availability of the system without compromising confidentiality or integrity (IBM Advisory).

IBM has released special builds containing interim fixes for affected versions, specifically targeting V11.5.8 and V11.5.9. These special builds are available for various platforms including AIX 64-bit, Linux (32-bit and 64-bit versions), and Windows (32-bit and 64-bit). The fixes are tracked under APAR DT238103 (IBM Advisory).