SB2025072221 - Multiple vulnerabilities in IBM DB2 bundled with IBM Application Performance Management products 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025072221

SB2025072221 - Multiple vulnerabilities in IBM DB2 bundled with IBM Application Performance Management products

Published: July 22, 2025

Security Bulletin ID SB2025072221
Severity
High
Patch available
YES
Number of vulnerabilities 12
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 8% Medium 33% Low 58%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 12 secuirty vulnerabilities.


1) Uncontrolled Memory Allocation (CVE-ID: CVE-2025-2518)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote user can trigger resource exhaustion and perform a denial of service (DoS) attack.


2) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-0915)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient release of allocated memory resources. A remote user can trigger resource exhaustion and perform a denial of service (DoS) attack.


3) Memory leak (CVE-ID: CVE-2025-1992)

The vulnerability allows a remote user to perform DoS attack on the target system.

The vulnerability exists due to insufficient release of allocated memory after usage. A remote user can force the application to leak memory and perform denial of service attack.


4) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-1000)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper handling of automatic client rerouting when connecting to a z/OS database. A remote user can trigger resource exhaustion and perform a denial of service (DoS) attack.


5) Race condition (CVE-ID: CVE-2025-1493)

The vulnerability allows a remote user to perform a denial of service attack.

The vulnerability exists due to concurrent execution of shared resources. A remote user can exploit the race and gain unauthorized access to perform a denial of service attack.


6) Resource exhaustion (CVE-ID: CVE-2025-25193)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to application attempts to load a file that does not exist. A local user can create a large file on the system and crash the application.

Note, the vulnerability affects Windows installations only.


7) Resource management error (CVE-ID: CVE-2024-47535)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an unsafe reading of an environment file on Windows. A local user can create an overly large file and perform a denial of service (DoS) attack.


8) Input validation error (CVE-ID: CVE-2024-52903)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.


9) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-3050)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper allocation of CPU resources. A remote user can trigger resource exhaustion and perform a denial of service (DoS) attack.


10) Incorrect default permissions (CVE-ID: CVE-2024-23454)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to the RunJar.run() method does not set permissions for temporary directory by default. A local user with access to the system can view contents of files and directories.


11) Stack-based buffer overflow (CVE-ID: CVE-2024-49350)

The vulnerability allows a remote user to perform a denial of service attack.

The vulnerability exists due to server may crash under certain conditions with a specially crafted query. A remote unauthenticated user can send a specially crafted query, trigger stack-based buffer overflow and perform a denial of service attack.


12) Deserialization of Untrusted Data (CVE-ID: CVE-2025-30065)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data within the parquet-avro module when parsing an Avro schema from a Parquet file metadata. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


Remediation

Install update from vendor's website.

References