Release Notes
Abstract
This technical note provides guidance for installing IBM Security Guardium Data Protection patch 11.0p545, including any new features or enhancements, resolved or known issues, or notices associated with the patch.
Content
Patch information
- Patch file name: SqlGuard-11.0p545_Bundle_Jul_09_2024.tgz.enc.sig
- MD5 checksum: ac156f14d82e975430c75bec76054b4d
Finding the patch
Make the following selections to locate this patch for download on the IBM Fix Central website:
- Product selector: IBM Security Guardium
- Installed version: 11.0
- Platform: All
- Click "Continue," select "Browse for fixes," and click "Continue" again.
- Select "Appliance patch (GPU and ad hoc)" and enter the patch information in the "Filter fix details" field to locate the patch.
For information about Guardium patch types and naming conventions, see the Understanding Guardium patch types and patch names support document.
Prerequisites
- Guardium 11.0p500 (see the 11.0p500 release notes for more information)
- The latest health check patch 11.0p9997
Installation
Notes:
- This patch is an appliance bundle that includes all fixes for 11.5 except sniffer fixes.
- This patch is cumulative and includes all the fixes from previously released patches.
- This patch restarts the Guardium system.
- Do not reboot the appliance while the patch install is in progress. Contact Guardium support if there is an issue with patch installation.
- When changing the password of CLI and guardcli users in the Guardium command line interface, a password strength warning appears even when strong passwords are not enabled. To remove the strong password checks, execute the CLI command `store user strong_password disable`.
- If you have single sign-on enabled and are upgrading from below 11.0p530, you must re-download metadata from the upgraded central manager and apply it on the identity provider.
Overview:
- Download the patch and extract the compressed package outside the Guardium system.
- Be sure to check the latest version of these patch release notes online just before you install this patch.
- Pick a "quiet" or low-traffic time to install the patch on the Guardium system.
- Apply the latest health check patch.
- Install patches in a top-down manner on all Guardium systems: start with the central manager, then aggregators, then the collectors.
- Apply the latest quarterly DPS patch and rapid response DPS patch even if these patches were applied before the upgrade.
For information about installing Guardium Data Protection patches, see How to install patches in the Guardium documentation.
Attention
SHA256 GIM client certificates
After applying patch 11.0p540, Guardium supports SHA256 GIM certificates. This has the following implications:
- If using default certificates, GIM connections are secured using SHA128. Custom certificates using SHA256 are more secure and are recommended for GIM connections. Note that GIM connectivity is not interrupted after applying this patch.
- GIM only verifies bundles signed with SHA256 and requires installing a transitional GIM bundle to support the change from SHA128 to SHA256.
For more information, see Updating Guardium Data Protection GIM clients with SHA256 certificates.
Guardium sniffer certification expires on 3 March 2025
The current sniffer default certificate will expire on 3 March 2025 and you must install a Guardium appliance patch to renew the certificate. For Guardium 11.5 systems, appliance bundle patch 11.0p545 or later provides an updated certificate. For more information, see IBM Guardium sniffer certification expires March 2025.
Microsoft certificates expired on May 20, 2024
Microsoft certificates (microsoftca1-4) expired on May 20, 2024. The following Guardium patches provide updated certificates:
- 11.3 systems use patch 11.0p392 or later
- 11.4 systems use patch 11.0p485 or later
- 11.5 systems use patch 11.0p535 or later
- 12.0 systems use patch 12.0p5 or later
Install the correct patch for your Guardium systems to use the updated certificates. For more information, see https://www.ibm.com/support/pages/node/7080145
Enhancements
This patch includes the following enhancements:
| Issue key | Summary |
|---|---|
| GRD-75466 | Include export of Universal Connector configuration to must gather |
| GRD-79371 and GRD-79784 | Improvements for Kafka node |
| GRD-80680 | When registering Guardium Data Protection to Guardium Insights in push mode, send the information about the maximum supported DM version |
Resolved issues
This patch resolves the following issues:
| Patch | Issue key | Summary | APAR |
|---|---|---|---|
| 11.0p540 | See the release note for patch 11.0p540 | | -- |
| 11.0p545 | GRD-64204 | Scheduled job error, PEStatusJobError, is caught executing job due to a runtime exception | GA18147 |
| 11.0p545 | GRD-70966 | Aggregator query performance | DT276414 |
| 11.0p545 | GRD-74083 | Report generated from audit process sporadically does not give all results | GA18495->DT249843 |
| 11.0p545 | GRD-74703 | Custom alerting class file is not sending an alert to the repository database | DT386367 |
| 11.0p545 | GRD-75941 | Include TLS version in grdapi get_secured_protocols_info | DT259587 |
| 11.0p545 | GRD-76012 | Advanced S-TAP verification error message "java.net.UnknownHostException: <string>: Name or service not known" | DT259362 |
| 11.0p545 | GRD-77003 | Archive failing with "Error:1815; Message:Internal error: Failed to generate partition syntax,MESSAGE_TEXT" | DT277206 |
| 11.0p545 | GRD-77314 | Need CLI commands to manage SSH secure settings | N/A |
| 11.0p545 | GRD-77411 | CVE scan results for Oracle 19.17.0.0.0 | DT257073 |
| 11.0p545 | GRD-77441 | Importing Windows GIM and S-TAP bundles resulted in "Unexpected error occurred. Please contact the system administrator during import" | DT276407 |
| 11.0p545 | GRD-77579 | Resource deployment on central manager doesn't show all MongoDB servers (monitored by Universal Connector) | DT276393 |
| 11.0p545 | GRD-77581 | Enabled auto_install_on_db_server_os_upgrade=1 S-TAP not running | DT276403 |
| 11.0p545 | GRD-77615 | In the deployment health table, the disk space status does not get reset after a disk full condition has been resolved | DT259580 |
| 11.0p545 | GRD-77725 | Cannot create a datasource without specifying an instance name for Microsoft SQL Server (DataDirect - Dynamic Port) | DT382361 |
| 11.0p545 | GRD-78255 | Discovered database instances are not within the discovered instances report | DT383111 |
| 11.0p545 | GRD-78308 | Guardium 12 failed at post install action during migrator check | DT276355 |
| 11.0p545 | GRD-78416 | Increase mysql-error.log history and include all in must gather | N/A |
| 11.0p545 | GRD-78417 | Archive fails after deleting scplog.log using diag utility | DT259993 |
| 11.0p545 | GRD-78775 | Guardium 12 grdapi update_assessment_test bug | DT277154 |
| 11.0p545 | GRD-78855 | Backup restore didn't restore the SAML and CyberArk configuration from 11.5 to 12 | DT276401 |
| 11.0p545 | GRD-78975 | Vulnerability found in central manager appliance | DT383081 |
| 11.0p545 | GRD-79051 | 'NULL' STAP group name in associate S-TAPs and managed units appears randomly | DT383379 |
| 11.0p545 | GRD-79167 | TLS 1 and 1.1 removed from java.security in 11.0p530 | DT383106 |
| 11.0p545 | GRD-79524 | Vulnerability Assessment test detail exceptions not working when applied to a datasource group; test still reported as failed after being added | DT365149 |
| 11.0p545 | GRD-79665 | export_config command not working | DT380778 |
| 11.0p545 | GRD-79754 | During a restore from backup 10.6 to 11.5, Guardium tries to read the archive through an incorrect port and does not allow modification | DT276383 |
| 11.0p545 | GRD-79780 | Error using system backup or data archive to IBM Storage Protect after p535 | DT270368 |
| 11.0p545 | GRD-80087 | Cloud support account expiring; support reset-managed-cli failed for cloud collector | DT383084 |
| 11.0p545 | GRD-80247 | System configuration backup files are small | DT391600 |
| 11.0p545 | GRD-80391 | Secure file transfer protocol (SFTP) response not correct for SFTP server with custom port | N/A |
| 11.0p545 | GRD-80467 | Universal Connector always enabled automatically after restart of GUI, system, or network | DT382408 |
| 11.0p545 | GRD-80592 | Guardium 11.5 Tomcat-related CVE-2023-46589 | DT381712 |
| 11.0p545 | GRD-80710 | Adding any columns from the "Threat case comments" entity to report "Analytic case observation" removes cases with no comments from the output | DT381232 |
| 11.0p545 | GRD-81015 | Add option to mirror data export to a third aggregator | N/A |
| 11.0p545 | GRD-81415 | Importing transitional GIM bundle failed in Japanese and Chinese appliance | DT382392 |
| 11.0p545 | GRD-81564 | CLI command `support analyze tables` checked table instead of analyzing table | DT382406 |
| 11.0p545 | GRD-81658 | Since p535 upgrade, IBM Storage Protect archives are no longer working | DT381371 |
| 11.0p545 | GRD-81732 | p535 failed on db_patch with error; Alias is marked as crashed | DT389544 |
| 11.0p545 | GRD-83012 | Sniffer continuously restarting, causing S-TAPs to be inactive | DT386208 |
| 11.0p545 | GRD-83500 | Editing group to be hierarchical or non-hierarchical is not taking effect | DT391599 |
| 11.0p545 | GRD-83891 | Not trying to purge (had errors in archive) | DT391160 |
| 11.0p545 | GRD-83905 | Service Now ticketing throws permissions issue when using a different table other than "incident" | N/A |
Security fixes
This patch contains the following security fixes:
| Patch | Issue key | Summary | CVE |
|---|---|---|---|
| 11.0p6506 | See the release note for patch 11.0p6506 | | |
| 11.0p545 | GRD-76178 | PSIRT: PVR0469527 - http2-hpack-9.4.44.v20210927.jar and jetty-http-9.4.10.v20180503.jar (publicly disclosed vulnerability found by Mend) - Kafka | CVE-2023-36478 |
| 11.0p545 | GRD-76367 | PSIRT: PVR0468745 - http2-common-9.4.44.v20210927.jar (publicly disclosed vulnerability found by Mend) datastreams | CVE-2023-44487 |
| 11.0p545 | GRD-76398 | Upgrade of BigFix client needed for appliances | CVE-2022-22576, CVE-2022-27544, CVE-2022-27545, CVE-2022-27775, CVE-2022-27776 |
| 11.0p545 | GRD-76560 | PSIRT: PVR0424448 - RHEL7 OS component upgrades needed | CVE-2020-22218 |
| 11.0p545 | GRD-77311 | PSIRT: PVR0476001 - IBM Security Guardium is vulnerable to an out of bounds vulnerability | CVE-2023-5367 |
| 11.0p545 | GRD-78200 | PSIRT: PVR0475474, PVR0475502, PVR0475446 - [All] PostgreSQL - CVE-2023-5869 (publicly disclosed vulnerability) | CVE-2023-5869, CVE-2023-5870, CVE-2023-5868 |
| 11.0p545 | GRD-78257 | PSIRT: PVR0475474 - [All] PostgreSQL - CVE-2023-5869 (publicly disclosed vulnerability) | CVE-2023-5869 |
| 11.0p545 | GRD-78874 | PSIRT: PVR0482970, PVR0470863, PVR0470250 - Multiple RPM updates needed for vulnerable components in 11.x and 12.0 | CVE-2023-6377, CVE-2023-5367, CVE-2022-3550, CVE-2022-4283, CVE-2022-46340, CVE-2022-46341, CVE-2022-46342, CVE-2022-46343, CVE-2022-46344, CVE-2023-0494, CVE-2023-1393, CVE-2023-46847, CVE-2020-22218, CVE-2023-34058, CVE-2023-34059, CVE-2023-3611, CVE-2023-3776, CVE-2023-4206, CVE-2023-4207, CVE-2023-4208 |
| 11.0p545 | GRD-79284 | PSIRT: PVR0466432 - [All] kernel - CVE-2023-42753 (publicly disclosed vulnerability) | CVE-2023-42753 |
| 11.0p545 | GRD-79822 | PSIRT: PVR0489259 - IBM SDK, Java Technology Edition Quarterly CPU - Jan 2024 - Includes Oracle January 2024 CPU plus CVE-2023-33850 | CVE-2023-33850 |
| 11.0p545 | GRD-79853 | xorg-x11-server needs upgrade | CVE-2023-6816, CVE-2024-0409 |
| 11.0p545 | GRD-80782 | PSIRT: PVR0465525 - [All] kernel - CVE-2023-4921 (publicly disclosed vulnerability) | CVE-2023-4921 |
| 11.0p545 | GRD-81641 | Multiple CVEs affect squid component for RHEL7 | CVE-2023-46724, CVE-2023-46728, CVE-2023-5824 |
| 11.0p545 | GRD-82313 | PSIRT: PVR0463909, PVR0463658 [All] kernel - CVE-2023-4622 (publicly disclosed vulnerability) for 11.x only | CVE-2023-4622, CVE-2023-4623 |
| 11.0p545 | GRD-82616 | PSIRT: PVR0487263 IBM Security Guardium is vulnerable to multiple Squid vulnerabilities for 11.x | CVE-2023-46728, CVE-2023-49285, CVE-2023-49286 |
| 11.0p545 | GRD-82619 | PSIRT: PVR0487534 [All] kernel - CVE-2024-1086 (publicly disclosed vulnerability) | CVE-2024-1086 |
| 11.0p545 | GRD-82623 | PSIRT: PVR0494126 - kernel upgrade 11.4 and 11.5 | CVE-2024-26602 |
| 11.0p545 | GRD-84093 | PSIRT: PVR0412772 - Grub2 upgrade needed | CVE-2022-2601 |
Known limitations
This patch contains the following known limitations:
| Issue key | Summary |
|---|---|
| GRD-85234 | System Backup, Data Archive, and Result Archive cannot be saved on collectors. |

Workaround steps are:
1. Navigate to Manage > Central Management
2. Select the collector
3. Click Distribute Configurations
4. Select System Backup
5. Click Distribute
6. Click Ok
7. Verify that the configuration and its schedule are successfully distributed and saved on the collector

Resolution will be delivered in 11.0p548 patch and in future patches.
Document Information
Modified date: 02 May 2025
UID: ibm17160350