CVE-2024-54178 Overview
CVE-2024-54178 affects IBM Db2 on Cloud Pak for Data and IBM Db2 Warehouse on Cloud Pak for Data across versions 4.8, 5.0, 5.1, 5.2, and 5.3. The vulnerability allows an authenticated user to trigger a denial of service condition during database creation operations. The root cause is improper allocation of resources, classified under [CWE-770]. An attacker with valid credentials can exhaust available resources by initiating new database creation requests, disrupting service availability for legitimate users. The flaw is exploitable over the network and requires low privileges with no user interaction.
Critical Impact
Authenticated attackers can degrade or halt Db2 database services on Cloud Pak for Data deployments by exploiting unbounded resource allocation during new database creation.
Affected Products
- IBM Db2 on Cloud Pak for Data versions 4.8, 5.0, 5.1, 5.2, 5.3
- IBM Db2 Warehouse on Cloud Pak for Data versions 4.8, 5.0, 5.1, 5.2, 5.3
- Deployments hosting these Db2 components on IBM Cloud Pak for Data platform
Discovery Timeline
- 2026-06-22 - CVE-2024-54178 published to NVD
- 2026-06-22 - Last updated in NVD database
Technical Details for CVE-2024-54178
Vulnerability Analysis
The vulnerability resides in the database creation workflow of IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data. When an authenticated user issues requests to create new databases, the service does not enforce sufficient limits on resource consumption. This improper allocation of resources allows a user with valid credentials to repeatedly invoke database creation operations until backend resources such as memory, storage, or compute capacity are depleted. Once exhausted, the Db2 service becomes unable to process legitimate workloads, resulting in denial of service for all tenants sharing the affected instance.
Root Cause
The defect is categorized as [CWE-770] Allocation of Resources Without Limits or Throttling. The public advisory describes the flaw only at that level; the mechanism that follows is inferred from the classification rather than from published code. The database creation routine evidently applies no quota or rate limit to authenticated principals: there is no upper bound on the number of databases a single user can request, and no throttle on how quickly those requests can be issued. Resources are committed to each request before system-wide consumption is checked, so a single account can monopolize shared capacity.
Attack Vector
Exploitation requires the attacker to hold valid authentication credentials on the target Db2 service. From a network position, the attacker submits a series of database creation requests against the Cloud Pak for Data API or Db2 administrative interfaces. Because no privileged role is required beyond standard database creation rights, any low-privileged user with create permissions can carry out the attack. No user interaction from a victim is needed, and the attack does not require local access to the host.
The vulnerability manifests during the resource allocation phase of database provisioning. See the IBM Support Page for the official technical advisory and fix details.
Detection Methods for CVE-2024-54178
Indicators of Compromise
- Unusual spikes in database creation API calls from a single authenticated user or service account
- Rapid growth in the number of databases provisioned within a short timeframe
- Degraded performance or failed provisioning requests reported by other tenants on the same Db2 instance
- Memory, storage, or CPU exhaustion alerts on Cloud Pak for Data nodes hosting Db2 workloads
Detection Strategies
- Audit Db2 administrative logs for repeated CREATE DATABASE operations from the same principal within short intervals
- Correlate authentication events with database provisioning API activity to identify anomalous behavior patterns
- Baseline normal database creation rates per user and alert on deviations beyond historical norms
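The first and third detection strategies above can be implemented as a sliding-window count of database creation attempts per principal. The Python below is an added example written for this page, not IBM code, and the key=value log format it parses is a constructed simplification rather than the native Db2 audit record layout (real deployments would feed it the output of db2audit or the Cloud Pak for Data API access log after normalization); user names, database names and timestamps are made up.

```python
"""Sliding-window detector for bursts of database creation by one principal.

Added example for the detection strategies discussed above; not IBM code.
The log format is a constructed key=value simplification, not the native
Db2 audit record layout, and every name and timestamp below is made up.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log lines (not real Db2 or Cloud Pak for Data output).
SAMPLE_LOG = """\
2024-12-03T10:00:01Z user=alice action=CREATE_DATABASE status=SUCCESS db=sales01
2024-12-03T10:00:04Z user=mallory action=CREATE_DATABASE status=SUCCESS db=x1
2024-12-03T10:00:05Z user=mallory action=CREATE_DATABASE status=SUCCESS db=x2
2024-12-03T10:00:06Z user=mallory action=CONNECT status=SUCCESS db=x1
2024-12-03T10:00:07Z user=mallory action=CREATE_DATABASE status=SUCCESS db=x3
2024-12-03T10:00:09Z user=mallory action=CREATE_DATABASE status=FAILURE db=x4
2024-12-03T10:00:10Z user=mallory action=CREATE_DATABASE status=SUCCESS db=x5
2024-12-03T10:05:00Z user=alice action=CREATE_DATABASE status=SUCCESS db=sales02
2024-12-03T10:20:00Z user=mallory action=CREATE_DATABASE status=SUCCESS db=x6
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)"
    r"\s+status=(?P<status>\S+)\s+db=(?P<db>\S+)$"
)


def parse_events(text):
    """Yield (timestamp, user, action, status, db) for well-formed lines.

    Malformed or unrelated lines are skipped rather than aborting the scan,
    so one odd record cannot blind the detector.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["user"], m["action"], m["status"], m["db"]


def detect_creation_bursts(text, window_seconds=60, threshold=3, count_failures=True):
    """Return one alert per principal whose CREATE_DATABASE attempts exceed
    `threshold` inside any `window_seconds` sliding window.

    Failed attempts are counted by default: a failed creation usually means
    resources are already scarce, which is exactly the condition to alert on.
    """
    recent = defaultdict(deque)   # user -> timestamps still inside the window
    alerts = {}                   # user -> (time of first alert, peak count)
    for ts, user, action, status, _db in parse_events(text):
        if action != "CREATE_DATABASE":
            continue
        if status != "SUCCESS" and not count_failures:
            continue
        q = recent[user]
        q.append(ts)
        # Drop timestamps that have aged out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            first, peak = alerts.get(user, (ts, 0))
            alerts[user] = (first, max(peak, len(q)))
    return [
        {"user": u, "first_seen": t.isoformat(), "peak_in_window": n}
        for u, (t, n) in sorted(alerts.items())
    ]


if __name__ == "__main__":
    for alert in detect_creation_bursts(SAMPLE_LOG):
        print(alert)
```

The threshold and window are the tunables the baselining strategy feeds: set them per user or per tenant from historical creation rates, and keep `count_failures` on so that a flood of rejected requests (the symptom once capacity is already gone) still raises an alert.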
Monitoring Recommendations
- Track resource utilization metrics for Db2 pods and underlying nodes on Cloud Pak for Data clusters
- Enable detailed audit logging for database lifecycle events including creation, allocation, and deletion
- Forward Db2 and Cloud Pak for Data logs to a centralized SIEM for correlation with identity and network telemetry
How to Mitigate CVE-2024-54178
Immediate Actions Required
- Apply the official IBM fix referenced in the IBM Support Page advisory for CVE-2024-54178
- Review and restrict database creation privileges to only the accounts that require them
- Rotate credentials for any accounts showing suspicious database provisioning activity
- Validate that monitoring and alerting cover Db2 resource consumption thresholds
Patch Information
IBM has published remediation guidance for CVE-2024-54178 on the IBM Support Page. Administrators should upgrade affected Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data instances to the fixed release identified in the advisory for versions 4.8, 5.0, 5.1, 5.2, and 5.3.
Workarounds
- Enforce role-based access control to limit which users can issue CREATE DATABASE operations
- Apply administrative quotas on the number of databases each user or tenant can provision
- Implement API rate limiting on Cloud Pak for Data endpoints exposing Db2 provisioning operations
- Monitor and cap resource consumption at the namespace or project level within the Cloud Pak for Data cluster
-- Configuration example: tighten database-level authorities in Db2
-- Note: Db2 has no CREATEDB authority. The CREATE DATABASE command itself
-- requires instance-level SYSADM or SYSCTRL authority, which is controlled by
-- the SYSADM_GROUP and SYSCTRL_GROUP database manager configuration parameters,
-- and on Cloud Pak for Data provisioning is governed by platform permissions.
-- The statements below limit what an ordinary account can do inside a database.
-- Remove broad DBADM authority from a low-privileged user
REVOKE DBADM ON DATABASE FROM USER <low_priv_user>;
-- Remove the default PUBLIC privileges so every grant is explicit
REVOKE CREATETAB, BINDADD, CONNECT, IMPLICIT_SCHEMA ON DATABASE FROM PUBLIC;
-- Grant DBADM only to a controlled administrative role
GRANT DBADM ON DATABASE TO ROLE db_provisioning_admin;
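The quota and rate-limiting workarounds above amount to an admission check in front of the provisioning call: reject the request before anything is allocated. The Python below is an added example written for this page, not Cloud Pak for Data or Db2 code; the limits, tenant and principal names, and the request shape are assumptions, and time is passed in explicitly so the behaviour is deterministic (a real gate would read a monotonic clock).

```python
"""Admission gate for database provisioning: per-tenant database quota plus a
per-principal token bucket, checked before any resource is committed.

Added example for the quota and rate-limiting workarounds discussed above;
not IBM code. Limits, names and request shapes are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    """Token bucket: `capacity` requests of burst, refilled at `rate` per second."""
    capacity: float
    rate: float
    tokens: float = field(init=False)
    last: float = field(init=False)

    def __post_init__(self):
        self.tokens = self.capacity
        self.last = 0.0

    def allow(self, now):
        """Consume one token if available; `now` is seconds on a monotonic clock."""
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ProvisioningGate:
    def __init__(self, max_databases_per_tenant, burst, per_second):
        self.max_per_tenant = max_databases_per_tenant
        self.burst = burst
        self.rate = per_second
        self.databases = {}   # tenant -> set of database names already provisioned
        self.buckets = {}     # principal -> TokenBucket

    def _bucket(self, principal):
        if principal not in self.buckets:
            self.buckets[principal] = TokenBucket(self.burst, self.rate)
        return self.buckets[principal]

    def create_database(self, principal, tenant, name, now):
        """Return (accepted, reason).

        The rate limit is the cheapest check, so it runs first; the quota is
        evaluated before provisioning, so a rejected request consumes nothing.
        """
        if not self._bucket(principal).allow(now):
            return False, "rate limited"
        owned = self.databases.setdefault(tenant, set())
        if name in owned:
            return False, "already exists"
        if len(owned) >= self.max_per_tenant:
            return False, "tenant quota exceeded"
        owned.add(name)  # the real system would call the provisioner here
        return True, "created"

    def delete_database(self, tenant, name):
        """Release quota when a database is removed."""
        self.databases.get(tenant, set()).discard(name)


# Constructed request stream (principal, tenant, database name, time in seconds):
# mallory fires one request per second for ten seconds; alice makes two normal ones.
CONSTRUCTED_REQUESTS = (
    [("alice", "sales", "sales01", 0.0)]
    + [("mallory", "acme", f"x{i}", float(i)) for i in range(10)]
    + [("alice", "sales", "sales02", 100.0)]
)


def simulate(requests, max_per_tenant=5, burst=3, per_second=0.5):
    """Drive the gate with the request stream and count each outcome reason."""
    gate = ProvisioningGate(max_per_tenant, burst, per_second)
    outcomes = {}
    for principal, tenant, name, now in requests:
        _accepted, reason = gate.create_database(principal, tenant, name, now)
        outcomes[reason] = outcomes.get(reason, 0) + 1
    return outcomes


if __name__ == "__main__":
    print(simulate(CONSTRUCTED_REQUESTS))
```

With a burst of 3 and a refill of one token every two seconds, the flood is throttled after the fifth request and the tenant quota then stops the account even when a token is available, while the other tenant's requests are unaffected.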
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

