Root vulnerability threatens IBM's Db2 database system
Security updates close several vulnerabilities in IBM Db2 and Business Automation Workflow.
Systems running IBM Db2 and Business Automation Workflow can be attacked; in the worst case, attackers gain root privileges and fully compromise them. Security patches are available for download.
Multiple Software Vulnerabilities
According to a security advisory, Business Automation Workflow can be attacked via three vulnerabilities classified as “medium” (CVE-2025-54121, CVE-2025-50181, CVE-2025-50182). If attacks succeed, users may, for example, no longer be able to establish new connections to the application. Version 24.0.0-IF007 is patched against these issues.
Since listing all recently closed security vulnerabilities in Db2 and their patches would go beyond the scope of this report, administrators can find further information in the advisories linked below this post. Here, we only address the most dangerous vulnerabilities.
For example, remote attackers can access information that should actually be protected. Apparently, no CVE number has been assigned to this vulnerability yet. The root cause is missing input validation in the context of Apache Commons Codec.
In certain configurations that are not described in more detail, local attackers can execute malicious code and subsequently escalate to the root user (CVE-2025-36186, “high”). From that position, attackers generally gain full control over the system.
Furthermore, DoS attacks and unauthorized access to instances are also possible, among other things.
In early November, IBM developers hardened InfoSphere against DoS attacks.
List sorted by threat level in descending order:
- IBM Db2 federated Server is vulnerable to sensitive information disclosure under specific conditions
- IBM Db2 is vulnerable to privilege escalation under specific configurations (CVE-2025-36186)
- IBM Db2 is vulnerable to a denial of service due to improper allocation of resources (CVE-2025-36008)
- IBM Db2 is vulnerable to a denial of service due to the improper release of resources after use (CVE-2025-36006)
- IBM Db2 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query (CVE-2024-47118)
- IBM Db2 is vulnerable to users regaining access without admin help after account lockout (CVE-2025-33012)
- IBM Db2 is vulnerable to a denial of service due to improper neutralization of special elements in data query logic (CVE-2025-36185)
- IBM Db2 is vulnerable to running out of memory under certain conditions (CVE-2025-33134)
- IBM Db2 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query (CVE-2025-2534)
- IBM Db2 is vulnerable to a denial of service due to the database monitor script incorrectly detecting that the instance is still starting under specific conditions (CVE-2025-36136)
- IBM Db2 is vulnerable to information disclosure and credential exposure to privileged users under specific conditions (CVE-2025-36131)
(des)