CVE-2025-2134

3.5 LOW

📋 TL;DR

IBM Jazz Reporting Service has an insufficient resource pooling vulnerability that allows authenticated users to degrade system performance through complex queries. This affects organizations using IBM Jazz Reporting Service where authenticated users can access reporting functionality. The vulnerability could lead to denial of service conditions affecting legitimate users.

💻 Affected Systems

Products:
  • IBM Jazz Reporting Service
Versions: Specific versions not detailed in reference; consult IBM advisory for exact affected versions
Operating Systems: All supported platforms for IBM Jazz Reporting Service
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to reporting functionality; default configurations with standard authentication are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system unavailability due to resource exhaustion, preventing legitimate users from accessing reporting services and potentially affecting dependent business processes.
🟠 Likely Case: Degraded system performance and slow response times for legitimate users when malicious queries consume excessive resources.
🟢 If Mitigated: Minimal impact with proper query monitoring, rate limiting, and resource controls in place.

🌐 Internet-Facing: MEDIUM - While authentication is required, internet-facing instances could be targeted by authenticated attackers or compromised accounts.
🏢 Internal Only: MEDIUM - Internal authenticated users (including malicious insiders or compromised accounts) could exploit this to disrupt reporting services.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires only authenticated access and ability to submit complex queries

Exploitation requires authenticated access; attackers need valid credentials or compromised accounts to execute resource-intensive queries.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check IBM advisory for specific fixed versions

Vendor Advisory: https://www.ibm.com/support/pages/node/7258083

Restart Required: Yes

Instructions:

1. Review IBM advisory for affected versions.
2. Apply IBM-provided fix or upgrade to patched version.
3. Restart Jazz Reporting Service.
4. Verify fix implementation.

🔧 Temporary Workarounds

Implement Query Complexity Limits (Platform: all)

Configure query execution timeouts and resource limits to prevent excessive resource consumption.

Configure via Jazz Reporting Service administration console: set query timeout limits and resource constraints.

Restrict User Permissions (Platform: all)

Limit reporting query capabilities to trusted users only.

Review and modify user roles in Jazz Reporting Service to restrict complex query execution.

🧯 If You Can't Patch

  • Implement strict monitoring and alerting for resource-intensive queries
  • Apply network segmentation to isolate Jazz Reporting Service from critical systems

🔍 How to Verify

Check if Vulnerable:

Check IBM Jazz Reporting Service version against affected versions listed in IBM advisory

Check Version:

Check version via Jazz Reporting Service administration interface or consult system documentation

Verify Fix Applied:

Verify installed version matches or exceeds patched version from IBM advisory

📡 Detection & Monitoring

Log Indicators:

  • Unusually long query execution times
  • Multiple concurrent complex queries from single user
  • System resource exhaustion alerts

Network Indicators:

  • Increased response times for reporting services
  • Unusual patterns of reporting requests

SIEM Query:

source="jazz_reporting" (query_duration>30 OR cpu_usage>90) | stats count by user

(Splunk-style pseudo-query. Field names are illustrative, with query_duration in seconds and cpu_usage in percent; numeric comparisons such as ">30s" or ">90%" are not valid, so the unit suffixes have been dropped. Adjust the field names to match the actual Jazz Reporting Service log schema.)
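The two log indicators above (long-running queries and several concurrent complex queries from one user) implemented over constructed query-lifecycle events, as an added example that is not part of this page or IBM's own tooling; the log format, the field names and the per-user concurrency limit are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a hypothetical format (not IBM's real log
# schema): timestamp, user, query id, and a start/end lifecycle event.
SAMPLE_LOG = """\
2025-03-10T09:00:00Z user=alice qid=q1 event=start
2025-03-10T09:00:05Z user=alice qid=q1 event=end
2025-03-10T09:01:00Z user=mallory qid=q2 event=start
2025-03-10T09:01:01Z user=mallory qid=q3 event=start
2025-03-10T09:01:02Z user=mallory qid=q4 event=start
2025-03-10T09:01:50Z user=mallory qid=q2 event=end
2025-03-10T09:02:10Z user=mallory qid=q3 event=end
2025-03-10T09:02:15Z user=mallory qid=q4 event=end
2025-03-10T09:03:00Z user=bob qid=q5 event=start
2025-03-10T09:03:02Z user=bob qid=q5 event=end
"""

LONG_QUERY_SEC = 30   # mirrors the query_duration>30 threshold in the SIEM query
MAX_CONCURRENT = 2    # assumed per-user limit on simultaneously running queries


def parse(log):
    """Turn each line into (timestamp, user, qid, event)."""
    events = []
    for line in log.splitlines():
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, fields["user"], fields["qid"], fields["event"]))
    return events


def analyze(log, long_sec=LONG_QUERY_SEC, max_conc=MAX_CONCURRENT):
    """Return (long_queries, concurrency_alerts): queries whose run time exceeds
    long_sec as (user, qid, seconds), and users whose peak number of
    simultaneously running queries exceeds max_conc as {user: peak}."""
    starts, running, peak, long_queries = {}, defaultdict(set), defaultdict(int), []
    for ts, user, qid, ev in sorted(parse(log)):
        if ev == "start":
            starts[qid] = ts
            running[user].add(qid)
            peak[user] = max(peak[user], len(running[user]))
        elif ev == "end" and qid in starts:
            duration = (ts - starts.pop(qid)).total_seconds()
            running[user].discard(qid)
            if duration > long_sec:
                long_queries.append((user, qid, duration))
    return long_queries, {u: n for u, n in peak.items() if n > max_conc}
```

Queries that never log an end event stay in `starts`; in production, also alert on those, since a hung query is exactly the resource-exhaustion case this advisory describes.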
