Release Notes
Abstract
This technical note provides guidance for installing IBM Security Guardium Data Protection patch 11.0p540, including any new features or enhancements, resolved or known issues, or notices associated with the patch.
Content
Patch information
- Patch file name: SqlGuard-11.0p540_Bundle_Apr_28_2024.tgz.enc.sig
- MD5 checksum: c0149e498d941eb026f37e9db6f4b38c
Finding the patch
Make the following selections to locate this patch for download on the IBM Fix Central website:
- Product selector: IBM Security Guardium
- Installed version: 11.0
- Platform: All
- Click "Continue," select "Browse for fixes," and click "Continue" again.
- Select "Appliance patch (GPU and ad hoc)" and enter the patch information in the "Filter fix details" field to locate the patch.
For information about Guardium patch types and naming conventions, see the Understanding Guardium patch types and patch names support document.
Prerequisites
- Guardium 11.0p500 (see the 11.0p500 release notes for more information)
- The latest health check patch 11.0p9997
Installation
Notes:
- This patch is an appliance bundle that includes all fixes for 11.5 except sniffer fixes.
- This patch restarts the Guardium system.
- Do not reboot the appliance while the patch install is in progress. Contact Guardium support if there is an issue with patch installation.
- When changing the password of CLI and guardcli users in the Guardium command line interface, a password strength warning appears even when strong passwords are not enabled. To remove the strong password checks, execute the CLI command store user strong_password disable.
- If you have single sign-on enabled and are upgrading from below 11.0p530, you must re-download metadata from the upgraded CM and apply it on IdP.
Overview:
- Download the patch and extract the compressed package outside the Guardium system.
- Pick a "quiet" or low-traffic time to install the patch on the Guardium system.
- Apply the latest health check patch.
- Install patches in a top-down manner on all Guardium systems: start with the central manager, then aggregators, then the collectors.
- Apply the latest quarterly DPS patch and rapid response DPS patch even if these patches were applied before the upgrade.
For information about installing Guardium Data Protection patches, see How to install patches in the Guardium documentation.
Attention
SHA256 GIM client certificates
After applying patch 11.0p540, Guardium supports SHA256 GIM certificates. This has the following implications:
- If using default certificates, GIM connections are secured using SHA128. Custom certificates using SHA256 are more secure and are recommended for GIM connections. Note that GIM connectivity is not interrupted after applying this patch.
- GIM only verifies bundles signed with SHA256 and requires installing a transitional GIM bundle to support the change from SHA128 to SHA256.
For more information, see Updating Guardium Data Protection GIM clients with SHA256 certificates.
Microsoft certificates expire on May 20, 2024
Microsoft certificates (microsoftca1-4) expire on May 20, 2024. The following Guardium patches provide updated certificates:
- 11.3 systems use patch 11.0p392 or later
- 11.4 systems use patch 11.0p485 or later
- 11.5 systems use patch 11.0p535 or later
- 12.0 systems use patch 12.0p5 or later
Install the correct patch for your Guardium systems to use the updated certificates. For more information, see https://www.ibm.com/support/pages/node/7080145
Enhancements
This patch includes the following enhancements:
| Issue key | Summary |
|---|---|
| INS-35925 | Fix plugins CVEs in release-v1.5.1 |
| GRD-76619 | Process 2023 Q4 DPS |
| GRD-76441 | Adv Stap Verify: Support MS SQL Cluster |
| GRD-76186 | Possibility to set flag STAP_GLOBAL_KEY by update GLOBAL_SESSION_KEY configuration parameter using GuardApi command and S-TAP Control. |
| GRD-76121 | Backport UC image to old versions |
| GRD-75025 | Enable customer to change proxy settings for UC traffic |
| GRD-74700 | GIM tables with column type as 'datatime', which might have potential DST issue every year |
| GRD-73114 | GDP : Custom datamarts execution modes during streaming configuration |
| GRD-70629 | Expose mapping of collector ID to appliance name (FQDN) |
| GRD-70440 | Custom email template for Audit process alerts |
| GRD-67083 | Enhanced S-TAP Verification including IE Verification Status with other fixes and scenario handling |
| GRD-65057 | Investigation spike: Support for Namespaces with Hashicorp Vault integration |
| GRD-64146 | Provide alert/notification about status (different than success) of classification |
| GRD-60504 | Add ability to display both alias & non-alias value in a report |
| GRD-76642 | Remediation for expiring self-signed Guardium Installation Manager (GIM) SHA1 Certificates. Resolves the following flash: https://www.ibm.com/support/pages/node/7115129 |
Resolved issues
This patch resolves the following issues:
| Patch | Issue key | Summary | APAR |
|---|---|---|---|
| 11.0p535 | | Patch 11.0p535 on Fix Central | -- |
| 11.0p540 | GRD-80064 | Regex'es missing from Session Policies after patch application (p535) | DT364427 |
| 11.0p540 | GRD-76239 | SNMP message is not sent due to double quotes in the message | |
| 11.0p540 | GRD-79206 | Correlation alert is not triggering despite data is matching criteria. | DT270105 |
| 11.0p540 | GRD-78382 | Enable port 8444 to be disabled even if GIM clients are registered | -- |
| 11.0p540 | GRD-78249 | Admin/accessmgr reconciliation fails with CyberArk after SAML enable with OKTA | DT270057 |
| 11.0p540 | GRD-78241 | SNMP user configuration lost after 11.4 to 11.5 upgrade | DT270156 |
| 11.0p540 | GRD-77659 | Include GIM_SYSTEM_MODULES in deploy_agent Must Gather | -- |
| 11.0p540 | GRD-77554 | There are trusted certificate related erors. Attempting restart... | DT269995 |
| 11.0p540 | GRD-77523 | Aliasing is not working for Health Deployment table | GA18499 |
| 11.0p540 | GRD-77244 | All of the appliances in customer's environment are having issues with / (sda3) partition full | GA18500 |
| 11.0p540 | GRD-76970 | TSM Vulnerability Mitigation | DT258503 |
| 11.0p540 | GRD-76913 | Error in disabling custom Java ciphers | DT270396 |
| 11.0p540 | GRD-76624 | V11.5 Clicking "Search Users" button in "Audit Process To-Do List" Page Always Returned Error | GA18482 |
| 11.0p540 | GRD-76129 | The Active Threat Analytics page UI displays abnormally, and load more cannot be loaded. | DT270056 |
| 11.0p540 | GRD-76021 | Ciphers re-enabled after installing V11 P530 | GA18483 |
| 11.0p540 | GRD-75831 | Account lockout configuration is getting reset to default after every GPU patch installation | DT259386 |
| 11.0p540 | GRD-75781 | Adv Stap Verify: "handshake failed": unable to find valid certification path to requested target | DT259356 |
| 11.0p540 | GRD-75092 | Can not import STAP/GIM module because of the error "This bundle already exists in the Guardium system." | DT259584 |
| 11.0p540 | GRD-75080 | "Update database failure" while updating CLI password in Access Manager if one or more guardcli accounts are disabled | DT259323 |
| 11.0p540 | GRD-74797 | “support store slon off” command cannot stop slon capture, it is stuck at "Please, wait..." status | GA18479 |
| 11.0p540 | GRD-74765 | java.lang.ArrayIndexOutOfBoundsException error when classification is run on some tables | DT270218 |
| 11.0p540 | GRD-74712 | Oracle DATA Integrity Issues within DB Username Showing Unexpected values | GA18480 |
| 11.0p540 | GRD-74596 | "Error in generating report/monitor" when "Show SQL with Values" for SQL with "Order By" keywords | GA18477 |
| 11.0p540 | GRD-74216 | Sniffer Crashing - Session inference query | DT259811 |
| 11.0p540 | GRD-74207 | Issues with import group members from query into a dynamic tuple | -- |
| 11.0p540 | GRD-74093 | Snowflake VA report run long time and eventually time out | DT270085 |
| 11.0p540 | GRD-73805 | Include gimserver logs in deploy_agents_issues must gather | -- |
| 11.0p540 | GRD-72998 | Qualys Reports Vulnerability on Guardium port 3129 | DT259327 |
| 11.0p540 | GRD-72735 | V11.3 upgrade to V11.5: Issue to send reports under SNMP message type after applied patches P520/P4057. | DT270196 |
| 11.0p540 | GRD-71384 | Adv Stap Verify: java.lang.Exception: Too Many records returned | DT259358 |
Known limitations
This patch contains the following known limitations:
| Issue key | Summary |
|---|---|
| GRD-81992 | If you have configured the Azure Cosmos or Neptune universal connector plugins, traffic will not be captured and the universal connector will be disabled after applying patch 11.0p540. Workaround: upload the required universal connector plugin again, and follow the plugin's readme file for instructions. |
| GRD-81989 | Unable to deploy S-TAPs using Deploy Monitoring Agents after applying patch 11.0p540 in an IPv6 environment. Workaround: use the API command grdapi gim_remote_activation |
| GRD-81400 | When Guardium is deployed on an AWS EC2 instance, Cloudwatch universal connector plugins using role arn authentication will not work. Workaround: upload the required universal connector plugin again. |
| GRD-81181 | Guardium UI stops working after installing patch 11.0p540 on an AWS instance. Workaround: restart the network using the "restart network" CLI command. |
| GRD-81149 | If you have configured the Microsoft SQL Server on-prem universal connector plugin on Guardium 11.0p535 and upgrade to Guardium 11.0p540 or later, the plugin appears unstable. Workaround: upload logstash-filter-xml-4.2.0-2.zip before upgrading to 11.0p540 or later. See the plugin readme file for more information. |
| GRD-80965 | The "global session key" parameter cannot be updated from the Guardium UI for Windows servers with S-TAP version v11.5.0.258. Workaround: update the "global session key" parameter through the guard_tap.ini file. |
| GRD-80789 | After installing patch 11.0p540, for a newly installed environment, there is no need to upload most universal connector plugins prior to configuration: most of the available plugins are now available within Guardium Data Protection. The following universal connector plugins still require manual upload: |
Security fixes
This patch contains the following security fixes:
| Issue key | Summary | CVEs |
|---|---|---|
| 11.0p6504 | Security Patch 11.0p6504 on Fix Central | |
| GRD-78163 | Vulnerabilities in containered rpm - CVE-2021-41103, CVE-2023-25173, CVE-2022-23648 | CVE-2021-41103, CVE-2023-25173, CVE-2022-23648 |
| GRD-78092 | PSIRT: PVR0479010 - Apache Struts 2 CVE-2023-50164 vulnerability | CVE-2023-50164 |
| GRD-77917 | PSIRT: PVR0477215, PVR0476180 - reactor-netty-1.0.24.jar (Publicly disclosed vulnerability found by Mend) - datastreams | CVE-2023-34054, CVE-2023-34062 |
| GRD-77429 | PSIRT: PVR0476700, PVR0476723 - IBM Security Guardium is vulnerable to multiple vulnerabilities in open-vm-tools component | CVE-2023-34059, CVE-2023-34058 |
| GRD-77266 | PSIRT: PVR0475695- IBM SDK, Java Technology Edition Quarterly CPU - Oct 2023 | CVE-2023-22081, CVE-2023-22067, CVE-2023-5676, CVE-2023-22025 |
| GRD-76927 | PSIRT: PVR0474271 - SE - Pen Testing On-prem - October, 2023 - GIM module upload functionality can be used to upload any file | CVE-2023-47711 |
| GRD-76919 | PSIRT: PVR0474272 - SE - Pen Testing On-prem - October, 2023 - Privilege escalation from tomcat to root (ip_restriction.pl) | CVE-2023-47712 |
| GRD-76918 | PSIRT: PVR0474272 - SE - Pen Testing On-prem - October, 2023 - Privilege escalation from tomcat to root (server_receiver.pl) | CVE-2023-47712 |
| GRD-75494 | PSIRT: PVR0466861 - snappy-java-1.1.10.1.jar (Publicly disclosed vulnerability found by Mend) - UC | CVE-2023-43642 |
Document Information
- Modified date: 20 May 2024
- UID: ibm17148445