CVE-2021-29702

7.5 HIGH

📋 TL;DR

CVE-2021-29702 is a denial-of-service vulnerability in IBM Db2 where a specially crafted SELECT statement causes the database server to crash and terminate abnormally. This affects Db2 for Linux, UNIX and Windows (including Db2 Connect Server) versions 11.1.4 and 11.5.5. Database administrators and organizations running these specific Db2 versions are impacted.

💻 Affected Systems

Products:
  • IBM Db2 for Linux, UNIX and Windows
  • IBM Db2 Connect Server
Versions: 11.1.4 and 11.5.5
Operating Systems: Linux, UNIX, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable regardless of configuration settings.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database server crash leading to extended service outage, data unavailability, and potential data corruption if the crash occurs during critical operations.

🟠 Likely Case: Database service disruption requiring a manual restart, causing temporary application downtime and operational impact.

🟢 If Mitigated: Minimal impact where network segmentation and access controls prevent malicious queries from reaching vulnerable systems.

🌐 Internet-Facing: HIGH if vulnerable Db2 instances are directly exposed to the internet, as attackers can easily craft and send malicious SELECT statements.
🏢 Internal Only: MEDIUM as internal attackers or compromised internal systems could still exploit this, but attack surface is reduced compared to internet exposure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires valid database credentials able to execute SELECT statements, but once authenticated the vulnerability itself is simple to trigger.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply fixes from IBM APAR IT37446 - upgrade to versions beyond 11.1.4 and 11.5.5

Vendor Advisory: https://www.ibm.com/support/pages/node/6463985

Restart Required: Yes

Instructions:

1. Review the IBM advisory and APAR IT37446.
2. Apply the appropriate fix pack or interim fix from IBM.
3. Restart the Db2 database server.
4. Verify the fix is applied successfully (see How to Verify below).

🔧 Temporary Workarounds

Restrict Database Access (platform: all)

Limit database user privileges and network access so that only authorized users can execute arbitrary SELECT statements. Note that Db2 requires the RESTRICT keyword when revoking EXECUTE on a routine.

db2 "REVOKE SELECT ON TABLE <tablename> FROM <username>"
db2 "REVOKE EXECUTE ON PROCEDURE <procedurename> FROM <username> RESTRICT"

Network Segmentation (platform: linux)

Implement firewall rules to restrict database access to only trusted application servers and administrators. Port 50000 is the default Db2 listener port; substitute the port configured in your instance's SVCENAME if it differs, and keep the ACCEPT rule ahead of the DROP rule so the rules are evaluated in that order.

iptables -A INPUT -p tcp --dport 50000 -s <trusted_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport 50000 -j DROP

🧯 If You Can't Patch

  • Implement strict database user privilege management following least privilege principles
  • Deploy network-based intrusion detection systems to monitor for suspicious SELECT statement patterns

🔍 How to Verify

Check if Vulnerable:

Run the 'db2level' command and compare the reported version against the affected versions 11.1.4 and 11.5.5.

Check Version:

db2level

Verify Fix Applied:

Confirm that APAR IT37446 is included in the installed level: the "Informational tokens" line of 'db2level' shows the build and fix pack, and 'db2 "SELECT * FROM SYSIBMADM.ENV_INST_INFO"' reports the instance's SERVICE_LEVEL and FIXPACK_NUM. Check that the version is beyond the affected ranges.
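To script the version comparison above across many instances, here is an added Python example (not IBM's tooling and not part of this card) that parses the "Informational tokens" line of db2level output. The sample output is constructed for the example; the affected-release set comes from this page.

```python
import re

# Releases this card lists as affected (major.minor.mod).
AFFECTED_RELEASES = {(11, 1, 4), (11, 5, 5)}

# Constructed sample of `db2level` output. A real instance prints the same
# "Informational tokens" line, but the build and fix pack strings will differ.
SAMPLE_DB2LEVEL = '''DB21085I  This instance or install (instance name, where applicable: "db2inst1") uses "64" bits and DB2 code release "SQL11055" with level identifier "0606010F".
Informational tokens are "DB2 v11.5.5.0", "s2011011205", "DYN2011011205AMD64", and Fix Pack "0".
Product is installed at "/opt/ibm/db2/V11.5".
'''

_VERSION_RE = re.compile(r'"DB2 v(\d+)\.(\d+)\.(\d+)\.(\d+)"')
_FIXPACK_RE = re.compile(r'Fix Pack "(\d+)"')


def parse_db2level(output):
    """Return ((major, minor, mod, fix), fixpack) parsed from db2level text."""
    m = _VERSION_RE.search(output)
    if not m:
        raise ValueError("no 'DB2 vX.Y.Z.W' token found in db2level output")
    version = tuple(int(part) for part in m.groups())
    fp = _FIXPACK_RE.search(output)
    fixpack = int(fp.group(1)) if fp else None
    return version, fixpack


def is_affected(output):
    """True when the instance runs one of the releases this card lists as affected.

    Caveat: the version string cannot tell a patched interim fix or special
    build apart from an unpatched one within the same release, so a True here
    means "check the installed level against APAR IT37446", not "unpatched".
    """
    version, _ = parse_db2level(output)
    return version[:3] in AFFECTED_RELEASES


if __name__ == "__main__":
    # Replace SAMPLE_DB2LEVEL with the captured output of `db2level` on a host.
    version, fixpack = parse_db2level(SAMPLE_DB2LEVEL)
    print("version:", ".".join(map(str, version)), "fix pack:", fixpack)
    print("affected release:", is_affected(SAMPLE_DB2LEVEL))
```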

📡 Detection & Monitoring

Log Indicators:

  • Database server crash logs in db2diag.log
  • Abnormal termination entries in system logs
  • Failed connection attempts following server crash

Network Indicators:

  • Unusual patterns of SELECT statements from single sources
  • Database port becoming unresponsive

SIEM Query:

source="db2diag.log" AND ("abnormal termination" OR "server terminated")
