- Threat ID
- Threat Date
- Threat Name: Date/Varchar DoS
- CVE Reference
- CCE Reference
- Database Type: IBM DB2
- Patchable Vulnerabilities
- IBM DB 6 and 7 on Windows
- A denial of service vulnerability was discovered in the query processor. When running a specially-formatted SELECT statement, the database crashes.
- DB2 provides a version of SQL with complex procedural extensions. This gives users of DB2 the ability to create stored procedures with complex logic. The SQL is compiled by the Query Compiler engine.
A normal user may be able to crash the database by executing a malicious query. If a query contains a datetime type and a varchar type, the database has a problem processing the query and ceases to function. This error occurs when the following query is executed and compiled:
SELECT * FROM EMPLOYEE WHERE YEAR(BIRTHDATE)=1999 AND FIRSTNME<''
The handling of the YEAR function crashes, causing the database to stop.
Additional information including fix script information is available in the licensed versions of Application Security's DbProtect and AppDetectivePro solutions.