CVE-2024-41762: 
IBM Db2 vulnerability analysis and mitigation

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) versions 10.5, 11.1, and 11.5 is vulnerable to a denial of service vulnerability where the server may crash under certain conditions when processing a specially crafted query. The vulnerability was disclosed on December 7, 2024, and is tracked as CVE-2024-41762 (NVD, IBM Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility with low attack complexity, requiring low privileges and no user interaction. IBM has assigned a lower CVSS score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H, suggesting higher attack complexity. The vulnerability is associated with CWE-770 (Allocation of Resources Without Limits or Throttling) and CWE-789 (Memory Allocation with Excessive Size Value) (NVD).

The vulnerability affects the availability of the system, potentially causing the Db2 server to crash when processing specially crafted queries. There are no reported impacts to confidentiality or integrity of the system (IBM Advisory).

IBM has released special builds containing interim fixes for the affected versions. Customers running vulnerable fixpack levels can download and apply these special builds from Fix Central. The fixes are available for V10.5 FP11, V11.1.4 FP7, and V11.5.9, and can be applied to any affected fixpack level of the appropriate release. No workarounds are available for this vulnerability (IBM Advisory).