CVE-2025-1000: 
IBM Db2 vulnerability analysis and mitigation

IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.1 contains a vulnerability that could allow an authenticated user to cause a denial of service when connecting to a z/OS database. The vulnerability (CVE-2025-1000) was disclosed on May 5, 2025, and is related to improper handling of automatic client rerouting (NVD, IBM Advisory).

The vulnerability is classified as CWE-770 (Allocation of Resources Without Limits or Throttling). It has received a CVSS v3.1 base score of 6.5 (MEDIUM) from NVD with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, while IBM assessed it with a slightly lower score of 5.3 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H. The difference in scoring primarily relates to the assessment of attack complexity (NVD).

The vulnerability affects the availability of the system, potentially allowing authenticated users to cause a denial of service condition when connecting to a z/OS database. The impact is limited to availability, with no direct effect on confidentiality or integrity of the system (IBM Advisory).

IBM has released special builds containing interim fixes for this vulnerability. For V11.5.9, Special Build #55285 or later is available, and for V12.1.1, Special Build #54779 or later can be applied. These special builds can be applied to any affected level of the appropriate release to remediate the vulnerability. IBM notes that after December 31, 2025, versions 11.1 and 10.5 of Db2 will not receive security fixes as they will reach End of Support (IBM Advisory).