What security vulnerabilities has IBM disclosed in Db2 and Tivoli Monitoring?

IBM has disclosed multiple security vulnerabilities affecting its Db2 database management system and Tivoli Monitoring IT management software, including two critical vulnerabilities that could allow attackers to execute malicious code on vulnerable systems: CVE-2025-30065 (CVSS 10.0) in Db2 and CVE-2025-3357 (CVSS 9.8) in Tivoli Monitoring.

What is CVE-2025-30065 and why does it have a perfect CVSS score?

CVE-2025-30065 is a critical vulnerability with a perfect CVSS score of 10.0 affecting the Apache Parquet parquet-avro module integrated as a component of IBM Db2. This vulnerability allows for arbitrary code execution through schema manipulation when processing untrusted Parquet files, representing the highest possible security risk.

What is CVE-2025-3357 and how dangerous is it?

CVE-2025-3357 (CVSS 9.8) is a critical input validation vulnerability in IBM Tivoli Monitoring. This security flaw stems from improper validation of an index value in a dynamically allocated array and could allow remote attackers to execute arbitrary code without requiring authentication or user interaction.

What are IBM Db2 and Tivoli Monitoring used for?

IBM Db2 is a database management system used by organizations for storing and managing critical business data. IBM Tivoli Monitoring is an IT management software solution used for monitoring and managing IT infrastructure. Vulnerabilities in these systems are particularly serious due to their central role in enterprise operations.

Which versions of IBM Tivoli Monitoring are affected?

The affected versions include IBM Tivoli Monitoring 6.3.0.7 through 6.3.0.7 Service Pack 19. Organizations running these versions should immediately upgrade to address the critical input validation vulnerability.

What other vulnerabilities were found in IBM Db2?

IBM also disclosed three medium severity denial of service vulnerabilities in IBM Db2: CVE-2024-49350 (CVSS 6.5), CVE-2025-2518 (CVSS 5.3), and CVE-2025-3050 (CVSS 5.3). While less severe than the code execution vulnerabilities, these could still disrupt database operations.

How can organizations fix the IBM Tivoli Monitoring vulnerability?

For IBM Tivoli Monitoring, administrators must upgrade to version 6.3.0.7-TIV-ITM-SP0020 (Service Pack 20) to remediate the critical input validation vulnerability CVE-2025-3357. This release specifically addresses the improper index validation that could lead to remote code execution.

What makes these IBM vulnerabilities particularly concerning?

These vulnerabilities are particularly concerning because they affect critical enterprise infrastructure components. The Db2 vulnerability has a perfect CVSS score of 10.0, while the Tivoli Monitoring vulnerability allows remote code execution without authentication, potentially giving attackers complete control over affected systems.

What should organizations do immediately about these IBM vulnerabilities?

Organizations should immediately apply the available patches and security updates. For Db2, upgrade to Apache Parquet 1.15.1 or apply IBM special builds. For Tivoli Monitoring, upgrade to Service Pack 20. Given the critical nature of these vulnerabilities, especially the perfect CVSS 10.0 score, these updates should be prioritized as emergency patches.

Advisory

Multiple security flaws, two critical expose IBM Db2 and Tivoli Monitoring to remote code execution

published: May 31, 2025

Take action: If you are using IBM Db2 or Tivoli Monitoring, make sure they are isolated and accessible only from trusted networks. Then plan a patch cycle, because there are two critical flaws and isolation is not going to fix things long term.

Learn More

IBM has disclosed multiple security vulnerabilities affecting its Db2 database management system and Tivoli Monitoring IT management software that could allow attackers to execute malicious code on vulnerable systems.

Vulnerability summary:

CVE-2025-30065 (CVSS score 10.0) - Critical vulnerability in Apache Parquet parquet-avro module affecting IBM Db2 which is integrated as a component of IBM Db2. This vulnerability allows for arbitrary code execution through schema manipulation when processing untrusted Parquet files.
CVE-2025-3357 (CVSS score 9.8) - Critical input validation vulnerability in IBM Tivoli Monitoring. This security flaw stems from insufficient validation of input data, specifically improper validation of an index value in a dynamically allocated array. The vulnerability could allow remote attackers to execute arbitrary code without requiring authentication or user interaction.
CVE-2024-49350 (CVSS score 6.5) - Medium severity denial of service vulnerability in IBM Db2
CVE-2025-2518 (CVSS score 5.3) - Medium severity denial of service vulnerability in IBM Db2
CVE-2025-3050 (CVSS score 5.3) - Medium severity denial of service vulnerability in IBM Db2

The affected versions include IBM Tivoli Monitoring 6.3.0.7 through 6.3.0.7 Service Pack 19.

IBM has released patches and security updates to address these vulnerabilities. For the Apache Parquet vulnerability affecting Db2, organizations should upgrade to Apache Parquet version 1.15.1 or apply the available IBM special builds that include the necessary security fixes.

For IBM Tivoli Monitoring, administrators must upgrade to version 6.3.0.7-TIV-ITM-SP0020 (Service Pack 20) to remediate the critical input validation vulnerability. This release specifically addresses the improper index validation that could lead to remote code execution.

Multiple security flaws, two critical expose IBM Db2 and Tivoli Monitoring to remote code execution

Read More
Progress Kemp LoadMaster has maximum severity critical flaw
Ivanti Patches High-Severity Authentication Bypass in Endpoint Manager
VMware reports critical vulnerability in vCenter
Cisco reports critical flaws in Smart Licensing Utility
n8n Patches More Critical Command Injection and Sandbox …