CVE-2024-35152: 
IBM Db2 vulnerability analysis and mitigation

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 contains a vulnerability that could allow an authenticated user to cause a denial of service with a specially crafted query due to improper memory allocation. The vulnerability was discovered and disclosed on August 14, 2024, affecting versions 11.5.8 and 11.5.9 across all platforms (IBM Advisory).

The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The attack vector is network-based (AV:N), with low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), and no impact on confidentiality (C:N) or integrity (I:N), but high impact on availability (A:H). The vulnerability is related to improper memory allocation (CWE-789) (IBM Advisory).

The primary impact of this vulnerability is on system availability. If successfully exploited, an authenticated attacker could cause a denial of service condition in the Db2 database system. This could result in service disruption for legitimate users and potential system downtime (IBM Advisory).

IBM has released special builds containing interim fixes for affected versions. For version 11.5.8, Special Build #43143 or later is available, and for version 11.5.9, Special Build #43682 or later is available. These special builds can be downloaded from Fix Central and applied to any affected fixpack level to remediate the vulnerability. No workarounds are available for this vulnerability (IBM Advisory).