CVE-2023-46167: 
IBM Db2 vulnerability analysis and mitigation

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 federated server was identified with a vulnerability tracked as CVE-2023-46167. The vulnerability affects versions 11.5.6 through 11.5.8 and was discovered in late 2023. When exploited, this vulnerability allows attackers to cause a denial of service condition through the use of a specially crafted cursor (IBM Security, NVD).

The vulnerability has received varying CVSS v3.1 severity ratings. The National Vulnerability Database (NVD) assigned it a Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, while IBM Corporation rated it at 5.9 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. The primary difference in scoring relates to the attack complexity assessment (NVD).

The successful exploitation of this vulnerability results in a denial of service condition affecting the IBM Db2 federated server functionality. The attack specifically impacts service availability while not compromising data confidentiality or integrity (IBM Security, NetApp Advisory).

IBM has released special builds containing interim fixes for the affected versions. These special builds are available based on the most recent fixpack level for the impacted release V11.5.9. The fixes can be downloaded from Fix Central and applied to any affected fixpack level to remediate this vulnerability. No temporary workarounds have been identified (IBM Security).