CVE-2024-45663 Overview
IBM Db2 for Linux, UNIX and Windows contains a denial of service vulnerability affecting versions 11.1, 11.5, and 12.1. The flaw also impacts Db2 Connect Server installations bundled with these releases. A remote unauthenticated attacker can submit a specially crafted query that causes the database server to crash under certain conditions. The vulnerability disrupts database availability without requiring authentication or user interaction. IBM published a fix and advisory through its support portal in November 2024.
Critical Impact
Unauthenticated network attackers can crash IBM Db2 servers with a crafted query, causing service outages for dependent applications.
Affected Products
- IBM Db2 for Linux, UNIX and Windows 11.1
- IBM Db2 for Linux, UNIX and Windows 11.5
- IBM Db2 for Linux, UNIX and Windows 12.1 (includes Db2 Connect Server)
Discovery Timeline
- 2024-11-21 - CVE-2024-45663 published to NVD
- 2025-08-08 - Last updated in NVD database
Technical Details for CVE-2024-45663
Vulnerability Analysis
CVE-2024-45663 is a denial of service vulnerability in the IBM Db2 query processing path. The server fails to handle certain malformed or edge-case query structures, causing the database engine to crash. The vulnerability is reachable over the network without authentication, which makes it accessible to any client that can connect to the Db2 listener port. The NVD entry classifies the weakness as NVD-CWE-noinfo, reflecting that IBM has not publicly disclosed the specific code defect. The impact is limited to availability — confidentiality and integrity of stored data are not affected.
Root Cause
IBM has not published the specific root cause. The advisory describes the condition as a server crash triggered by a specially crafted query under certain conditions. This pattern typically corresponds to improper input validation in the SQL parser, optimizer, or runtime execution engine, where unexpected query shapes cause unhandled exceptions or invalid memory access. Consult the IBM Support Page for vendor-supplied details.
Attack Vector
The attack vector is network-based with low complexity and no privileges required. An attacker establishes a connection to the Db2 server and submits a crafted SQL query. When the query reaches the vulnerable processing logic, the server process terminates abnormally. Any client able to reach the Db2 service port (default 50000/tcp) and submit queries can trigger the condition. Repeated exploitation prevents legitimate connections and queries from completing, producing a sustained denial of service.
No public proof-of-concept code is available. IBM has not released exploitation details, and no entries exist in Exploit-DB or known PoC repositories at the time of writing. Refer to the IBM advisory linked above for vendor guidance.
Detection Methods for CVE-2024-45663
Indicators of Compromise
- Unexpected Db2 instance crashes or db2sysc process restarts logged in db2diag.log.
- FODC (First Occurrence Data Capture) directories generated after receiving client queries.
- Connection resets and client-side SQL30081N communication errors immediately after a query submission.
- Repeated connection attempts from a single source followed by service termination.
Detection Strategies
- Monitor db2diag.log for trap, panic, or signal SIGSEGV entries correlated with inbound query traffic.
- Alert on abnormal restarts of the Db2 instance service or container.
- Inspect network traffic to TCP 50000 (or the configured Db2 listener port) for anomalous query patterns from untrusted sources.
- Correlate database service availability metrics with authentication logs to identify pre-crash queries.
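An added example (not IBM's or this page's code) of the first strategy above: it splits db2diag.log text into records, flags those mentioning trap, panic or SIGSEGV, and counts flagged records per client address. The sample records, their message wording and the `APPID` address layout (`<IPv4>.<port>.<timestamp>`) are constructed assumptions; adjust the patterns to the records your instance writes.

```python
import re
from collections import Counter

# Constructed sample records in the general db2diag.log layout (not real output).
SAMPLE_LOG = """\
2024-11-25-09.14.02.118234+000 I1001E420            LEVEL: Info
PID     : 4121                 TID : 140311         PROC : db2sysc 0
APPHDL  : 0-51                 APPID: 10.0.0.17.51034.241125091401
MESSAGE : Connection established

2024-11-25-09.14.03.552871+000 I1422E512            LEVEL: Severe
PID     : 4121                 TID : 140311         PROC : db2sysc 0
APPHDL  : 0-52                 APPID: 192.0.2.44.40112.241125091402
MESSAGE : Trap: signal SIGSEGV received, instance going down

2024-11-25-09.20.47.002115+000 I1935E498            LEVEL: Severe
PID     : 5230                 TID : 140877         PROC : db2sysc 0
APPHDL  : 0-7                  APPID: 192.0.2.44.40388.241125092046
MESSAGE : PANIC in agent EDU, FODC directory created
"""

# A record starts with a timestamp line: YYYY-MM-DD-HH.MM.SS.ffffff+/-TZ
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2}-\d{2}\.\d{2}\.\d{2}\.\d{6}[+-]\d{3}\b", re.M)
CRASH_WORDS = re.compile(r"\b(trap|panic|sigsegv)\b", re.I)
# Assumed APPID shape for TCP/IP clients: <IPv4>.<port>.<timestamp>
APPID_IP = re.compile(r"APPID\s*:\s*(\d{1,3}(?:\.\d{1,3}){3})\.\d+\.\d+")

def split_records(text):
    """Split the log into records, one per timestamp header line."""
    starts = [m.start() for m in RECORD_START.finditer(text)]
    return [text[a:b].strip() for a, b in zip(starts, starts[1:] + [len(text)])]

def crash_records(text):
    """Return (timestamp, client_ip or None, keyword) for each crash-like record."""
    hits = []
    for rec in split_records(text):
        word = CRASH_WORDS.search(rec)
        if word:
            ip = APPID_IP.search(rec)
            hits.append((rec.split()[0], ip.group(1) if ip else None, word.group(1).lower()))
    return hits

def repeat_sources(text, threshold=2):
    """Client addresses tied to at least `threshold` crash-like records."""
    counts = Counter(ip for _, ip, _ in crash_records(text) if ip)
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print(crash_records(SAMPLE_LOG), repeat_sources(SAMPLE_LOG))
```

A source that appears in several flagged records is the pattern listed under Indicators of Compromise as repeated connection attempts followed by service termination.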
Monitoring Recommendations
- Forward db2diag.log, FODC dumps, and OS-level process termination events to a centralized log platform for correlation.
- Track query failure rates and connection error spikes as availability signals.
- Enable Db2 audit facility (db2audit) to capture statements preceding crashes for forensic review.
How to Mitigate CVE-2024-45663
Immediate Actions Required
- Apply the IBM-supplied fix pack or special build referenced in the IBM Support advisory for Db2 11.1, 11.5, and 12.1.
- Restrict network access to the Db2 listener port so only trusted application servers can connect.
- Require strong authentication for all database connections and disable unused authentication methods.
- Review the NetApp Security Advisory if Db2 runs on affected NetApp infrastructure.
Patch Information
IBM has released remediated builds for the affected versions. Refer to the IBM support page for the specific fix pack levels and download instructions: IBM Support Page for CVE-2024-45663. Apply the patch in a maintenance window and validate database functionality after the upgrade.
Workarounds
- Place the Db2 listener behind a firewall or bastion that only permits connections from authorized application hosts.
- Use network segmentation and host-based firewall rules to block direct client access from untrusted networks.
- Enforce least-privilege database accounts to limit which clients can submit ad-hoc queries until patching is complete.
```bash
# Restrict Db2 listener access with host firewall (example: iptables)
iptables -A INPUT -p tcp --dport 50000 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 50000 -j DROP

# Verify installed Db2 fix pack level after patching
db2level
```