CVE-2024-31880: 
IBM Db2 vulnerability analysis and mitigation

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) versions 10.5, 11.1, and 11.5 is vulnerable to a denial of service vulnerability identified as CVE-2024-31880. The vulnerability was disclosed on October 22, 2024, and affects the server under specific configurations (IBM Advisory).

The vulnerability allows an authenticated user to cause a server crash by using a specially crafted SQL statement. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) by NIST, while IBM assessed it with a CVSS Base Score of 5.3 MEDIUM (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H). The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) (NVD).

When exploited, this vulnerability can result in a denial of service condition where the IBM Db2 server crashes. The impact is limited to availability, with no direct effect on confidentiality or integrity of the system (IBM Advisory).

IBM has released special builds containing interim fixes for affected versions. The fixes are available based on the most recent fixpack level for each impacted release: V10.5 FP11, V11.1.4 FP7, and V11.5.9. These special builds can be applied to any affected fixpack level of the appropriate release. No workarounds are available for this vulnerability (IBM Advisory).