CVE-2025-36001
📋 TL;DR
This vulnerability in IBM Db2 allows authenticated users to execute specially crafted SQL statements with XML that trigger uncontrolled recursion, leading to denial of service. It affects Db2 versions 11.5.0-11.5.9 and 12.1.0-12.1.3 on Linux, UNIX, and Windows systems. Attackers need database credentials to exploit this flaw.
💻 Affected Systems
- IBM Db2 for Linux, UNIX and Windows
- IBM Db2 Connect Server
⚠️ Risk & Real-World Impact
Worst Case
Complete database unavailability due to resource exhaustion from recursive processing, affecting all connected applications and users.
Likely Case
Temporary service degradation or database crashes requiring restart, disrupting business operations.
If Mitigated
Minimal impact with proper authentication controls and monitoring preventing exploitation attempts.
🎯 Exploit Status
Exploitation requires authenticated database access and knowledge of SQL/XML syntax to craft malicious recursive statements.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply IBM Db2 fix packs: 11.5.9.0a or later for 11.5.x, 12.1.3.0a or later for 12.1.x
Vendor Advisory: https://www.ibm.com/support/pages/node/7257616
Restart Required: Yes
Instructions:
1. Download the appropriate fix pack from IBM Fix Central.
2. Stop all Db2 instances and applications.
3. Apply the fix pack following the IBM installation guide.
4. Restart Db2 instances and verify functionality.
🔧 Temporary Workarounds
Restrict XML Privileges
Remove XML-related privileges from non-administrative users to prevent exploitation. XMLQUERY and XMLEXISTS are built-in SQL functions rather than user-defined routines, so confirm on your Db2 level that the REVOKE statements below are accepted and actually remove EXECUTE from PUBLIC; if they are not, rely on the least-privilege measures under "If You Can't Patch" instead.
REVOKE EXECUTE ON FUNCTION XMLQUERY FROM PUBLIC;
REVOKE EXECUTE ON FUNCTION XMLEXISTS FROM PUBLIC;
Implement Query Monitoring
Monitor and alert on recursive XML queries to detect exploitation attempts.
CREATE EVENT MONITOR XML_ACT FOR ACTIVITIES WRITE TO TABLE;
-- An activities event monitor accepts no WHERE filter on statement text; review the captured STMT_TEXT (ACTIVITYSTMT logical group) for XMLQUERY/XMLEXISTS after collection.
🧯 If You Can't Patch
- Implement strict principle of least privilege for database users, limiting XML function access to essential personnel only.
- Deploy network segmentation and firewall rules to restrict database access to trusted applications and IP addresses.
🔍 How to Verify
Check if Vulnerable:
Run the 'db2level' command and compare the reported version against the affected ranges: 11.5.0-11.5.9 or 12.1.0-12.1.3.
Check Version:
db2level | grep 'Product name'
Verify Fix Applied:
Confirm with 'db2level' that the version is 11.5.9.0a or later (11.5.x) or 12.1.3.0a or later (12.1.x), and test that recursive XML queries no longer cause service disruption.
📡 Detection & Monitoring
Log Indicators:
- Database crash logs
- High CPU/memory usage from XML processing
- Recursive XML query patterns in audit logs
Network Indicators:
- Unusual database connection patterns from authenticated users
- Increased failed connection attempts
SIEM Query:
source="db2_audit.log" AND (query="*XMLQUERY*" OR query="*XMLEXISTS*") AND query="*RECURSIVE*"
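The SIEM query above searches an exported audit log; the Db2-side counterpart, which also serves the "Implement Query Monitoring" workaround, is an activities event monitor whose captured statement text is reviewed with SQL. The following is an added example and is not code from IBM's advisory or from the original page. It assumes the monitor name XML_ACT, the default table names Db2 derives from it (ACTIVITY_XML_ACT, ACTIVITYSTMT_XML_ACT), and that application connections map to SYSDEFAULTUSERWORKLOAD; check all three against your instance. The review query is deliberately wider than the SIEM query (any XMLQUERY/XMLEXISTS use, not only statements containing the string RECURSIVE) so that it can be narrowed against your own baseline.

```sql
-- Added example (not from the IBM advisory or the original page): capture executed
-- statements with a Db2 activities event monitor and report XMLQUERY/XMLEXISTS use
-- per authorization id. Assumed names: XML_ACT, ACTIVITY_XML_ACT, ACTIVITYSTMT_XML_ACT,
-- SYSDEFAULTUSERWORKLOAD.

-- 1. Create the monitor. WRITE TO TABLE makes the captured activities queryable with SQL.
CREATE EVENT MONITOR XML_ACT FOR ACTIVITIES WRITE TO TABLE;

-- 2. Activate it (STATE 1 = on).
SET EVENT MONITOR XML_ACT STATE 1;

-- 3. An activities event monitor receives nothing until a workload (or service class)
--    collects activity data. WITH DETAILS includes the statement text (STMT_TEXT).
--    This records every statement in the workload, so size the event tables and
--    keep the review window short.
ALTER WORKLOAD SYSDEFAULTUSERWORKLOAD
  COLLECT ACTIVITY DATA ON COORDINATOR MEMBER WITH DETAILS;

-- 4. Review query: XML function use grouped by user and application, newest first,
--    with a 200-character sample of the statement text for triage.
SELECT a.SESSION_AUTH_ID,
       a.APPL_NAME,
       COUNT(*)                                                   AS xml_stmts,
       MAX(a.TIME_STARTED)                                        AS last_seen,
       MAX(SUBSTR(CAST(s.STMT_TEXT AS VARCHAR(4000)), 1, 200))    AS sample_stmt
FROM   ACTIVITY_XML_ACT a
JOIN   ACTIVITYSTMT_XML_ACT s
       ON  s.APPL_ID     = a.APPL_ID
       AND s.UOW_ID      = a.UOW_ID
       AND s.ACTIVITY_ID = a.ACTIVITY_ID
WHERE  (UPPER(CAST(s.STMT_TEXT AS VARCHAR(4000))) LIKE '%XMLQUERY%'
    OR  UPPER(CAST(s.STMT_TEXT AS VARCHAR(4000))) LIKE '%XMLEXISTS%')
GROUP  BY a.SESSION_AUTH_ID, a.APPL_NAME
ORDER  BY last_seen DESC, xml_stmts DESC;

-- 5. Stop collecting when the review window ends; the event tables keep what was captured.
ALTER WORKLOAD SYSDEFAULTUSERWORKLOAD COLLECT ACTIVITY DATA NONE;
SET EVENT MONITOR XML_ACT STATE 0;
```

Run steps 1 to 3 once from an account with DBADM or WLMADM authority, schedule step 4 at the cadence your SIEM polls, and treat any XML function use from an account that does not normally issue XML statements as the signal worth alerting on; the ordinary application accounts will establish the baseline within a few runs.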