Release Notes
Abstract
This technical note provides guidance for installing IBM Security Guardium Data Protection patch 11.0p490, including any new features or enhancements, resolved or known issues, or notices associated with the patch.
Content
Patch information
- Patch file name: SqlGuard-11.0p490_Bundle_Apr_03_2024.tgz.enc.sig
- MD5 checksum: daf96f54b07be8f48e9566da38eacff0
Finding the patch
Make the following selections to locate this patch for download on the IBM Fix Central website:
- Product selector: IBM Security Guardium
- Installed version: 11.0
- Platform: All
- Click "Continue," select "Browse for fixes," and click "Continue" again
- Enter the patch information in the "Filter fix details" field to locate the patch
For information about Guardium patch types and naming conventions, see the Understanding Guardium patch types and patch names support document.
Prerequisites
- Guardium 11.0p400 (see the 11.0p400 release notes for more information)
- The latest health check patch 11.0p9997
Installation
Notes:
- Patch 11.0p490 is an appliance bundle that includes all fixes for 11.4 except sniffer fixes.
- This patch restarts the Guardium system.
- Do not reboot the appliance while the patch install is in progress. Contact Guardium support if there is an issue with patch installation.
Overview:
- Download the patch and extract the compressed package outside of the Guardium system.
- Pick a "quiet" or low-traffic time to install the patch on the Guardium system.
- Apply the latest health check patch.
- Install patches in a top-down manner on all Guardium systems: start with the central manager, then aggregators, and then the collectors.
- Apply the latest quarterly DPS patch and rapid response DPS patch even if these patches were applied before the upgrade.
For information about installing Guardium Data Protection patches, see How to install patches in the product documentation.
Attention
SHA256 GIM client certificates
After applying patch 11.0p490, Guardium supports SHA256 GIM certificates. This has the following implications:
- If using default certificates, GIM connections are secured by using SHA128. Custom certificates that use SHA256 are more secure and are recommended for GIM connections. Note that GIM connectivity is not interrupted after you apply this patch.
- GIM only verifies bundles signed with SHA256 and requires the installation of a transitional GIM bundle to support the change from SHA128 to SHA256.
For more information, see Updating Guardium Data Protection GIM clients with SHA256 certificates.
Microsoft certificates expire on May 20, 2024
Microsoft certificates (microsoftca1-4) expire on May 20, 2024. The following Guardium patches provide updated certificates:
- 11.3 systems use patch 11.0p392 or later
- 11.4 systems use patch 11.0p485 or later
- 11.5 systems use patch 11.0p535 or later
- 12.0 systems use patch 12.0p5 or later
Install the correct patch for your Guardium system to use the updated certificates. For more information, see https://www.ibm.com/support/pages/node/7080145
Enhancements
This patch includes the following enhancements:
| Issue key | Summary |
|---|---|
| GRD-76441 | Adds MSSQL Cluster support to Advanced S-TAP verification by allowing use of a datasource with listenerIP |
| GRD-75025 | Ability to change proxy settings for UC traffic |
| GRD-74414 | Adds CLI support for the get_gdp_cluster_info command, which generates /opt/IBM/Guardium/log/gdp_cluster_info.csv. This file contains a header line with field names and a row for each managed collector that is accessible through fileserver. |
| GRD-67889 | Creates easily configured slon looper and lightweight dynamic login dumper accessible from the GUI. Learn more at https://www.ibm.com/docs/en/guardium/12.x?topic=support-running-slon-looper-utility |
| GRD-70440 | Allows custom email template for Audit process alerts |
| GRD-67083 | Enhanced S-TAP Verification including IE Verification Status with other fixes and scenario handling |
| GRD-64146 | Addresses case within Classification where there is no SQL exception thrown by MS SQL Server database driver |
| GRD-76642 | Remediation for expiring self-signed GIM SHA1 Certificates. Resolves the following flash notification: https://www.ibm.com/support/pages/node/7115129 |
Resolved issues
This patch resolves the following issues:
| Patch | Issue key | Summary | APAR |
|---|---|---|---|
| 11.0p485 | -- | Patch 11.0p485 on Fix Central | -- |
| 11.0p490 | GRD-77934 | p410 Install Issue | DT269375 |
| | GRD-77659 | Include GIM_SYSTEM_MODULES in deploy_agent Must Gather | -- |
| | GRD-77523 | Aliasing is not working for Health Deployment table | GA18499 |
| | GRD-76970 | TSM Vulnerability Mitigation | DT258503 |
| | GRD-76624 | V11.5 clicking "Search Users" in Audit Process To-Do List page always returned error | GA18482 |
| | GRD-76012 | Adv Stap Verify: java.net.UnknownHostException: <string>: Name or service not known | DT259362 |
| | GRD-75941 | Include TLS version in grdapi get_secured_protocols_info | DT259587 |
| | GRD-75831 | Account lockout configuration is getting reset to default after every GPU patch installation | DT259386 |
| | GRD-75781 | Adv Stap Verify: "handshake failed": unable to find valid certification path to requested target | DT259356 |
| | GRD-75092 | Cannot import STAP/GIM module because of the error "This bundle already exists in the Guardium system." | DT259584 |
| | GRD-74712 | Oracle DATA integrity issues within DB Username showing unexpected values | GA18480 |
| | GRD-74577 | Unable to open and edit alert java.lang.NullPointerException | GA18455 |
| | GRD-74216 | Sniffer crashing - session inference query | DT259811 |
| | GRD-74207 | Issues with import group members from query into a dynamic tuple | -- |
| | GRD-73805 | Include gimserver logs in deploy_agents_issues must gather | -- |
| | GRD-73651 | Audit process builder stops sending information to rsyslog | GA18444 |
| | GRD-73623 | Unable to observe data on "Suspected SQL Injection Cases" | GA18462 |
| | GRD-72998 | Qualys reports vulnerability on Guardium port 3129 | DT259327 |
| | GRD-72202 | AGG_CLEANUP_ORPHANS_ON_AGG,0,Error:1062; Message:Duplicate entry | GA18470 |
| | GRD-71882 | Purge / Archive uses "flush tables" | GA18456 |
| | GRD-71384 | Adv Stap Verify: java.lang.Exception: Too many records returned | DT259358 |
| | GRD-70945 | Unable to configure cli_userauth ldap by using SSL connection | GA18448 |
| | GRD-59398 | Aggregation processes fail due to stuck queries from threat detection analytics (11.3) | GA18092 |
Known limitations
This patch contains the following known limitations:
| Issue key | Summary |
|---|---|
| GRD-81806 | If any GDP Universal Connector plug-in is configured on a patch earlier than 11.0p490, the Universal Connector becomes unstable (goes into disable and enable state) after applying 11.0p490. Workaround: After you apply patch 11.0p490, upload zzz-logstash-input-google_pubsub-1.2.2.zip |
| GRD-81149 | If you configured the Microsoft SQL Server on-prem Universal Connector plug-in on Guardium 11.0p485 and upgrade to Guardium 11.0p490 or later, the plug-in appears to be disabled. Workaround: Upload the following logstash filter before you upgrade to 11.0p490 or later to prevent the plug-in from appearing disabled: logstash-filter-xml-4.2.0-2.zip |
Security fixes
This patch contains the following security fixes:
| Issue key | Summary | CVEs |
|---|---|---|
| 11.0p6404 | Security Patch 11.0p6404 on Fix Central | |
| INS-35925 | Fix CVEs: CVE-2022-45688, CVE-2023-2976, CVE-2023-5072, CVE-2023-0067 | CVE-2022-45688, CVE-2023-2976, CVE-2023-5072, CVE-2023-0067 |
| GRD-78257 | PSIRT: PVR0475474 - [All] PostgreSQL - CVE-2023-5869 (Publicly disclosed vulnerability) | CVE-2023-5869 |
| GRD-78200 | PSIRT: PVR0475474, PVR0475502, PVR0475446 - [All] PostgreSQL - CVE-2023-5869 (Publicly disclosed vulnerability) | CVE-2023-5869, CVE-2023-5870, CVE-2023-5868 |
| GRD-78163 | Vulnerabilities in containered rpm - CVE-2021-41103, CVE-2023-25173, CVE-2022-23648 | CVE-2021-41103, CVE-2023-25173, CVE-2022-23648 |
| GRD-78092 | PSIRT: PVR0479010 - Apache Struts 2 CVE-2023-50164 vulnerability | CVE-2023-50164 |
| GRD-77917 | PSIRT: PVR0477215, PVR0476180 - reactor-netty-1.0.24.jar (Publicly disclosed vulnerability found by Mend) - datastreams | CVE-2023-34054, CVE-2023-34062 |
| GRD-77429 | PSIRT: PVR0476700, PVR0476723 - IBM Security Guardium is vulnerable to multiple vulnerabilities in open-vm-tools component | CVE-2023-34059, CVE-2023-34058 |
| GRD-76927 | PSIRT: PVR0474271 - SE - Pen Testing On Prem - October, 2023 - GIM module upload functionality can be used to upload any file | CVE-2023-47711 |
| GRD-75494 | PSIRT: PVR0466861 - snappy-java-1.1.10.1.jar (Publicly disclosed vulnerability found by Mend) - UC | CVE-2023-43642 |
Document Information
Modified date: 01 July 2024
UID: ibm17145246