Release Notes
Abstract
This technical note provides guidance for installing IBM Security Guardium Data Protection patch 11.0p491, including any new features or enhancements, resolved or known issues, or notices associated with the patch.
Content
Patch information
- Patch file name: SqlGuard-11.0p491_Bundle_Jul_12_2024.tgz.enc.sig
- MD5 checksum: 4769b6e611e7e100754d65cf00f45d19
Finding the patch
- Select the following options to download this patch on the IBM Fix Central website and click Continue.
  - Product selector: IBM Security Guardium
  - Installed Version: 11.0
  - Platform: All
- On the "Identify fixes" page, select Browse for fixes and click Continue.
- On the "Select fixes" page, select Appliance patch (GPU and ad hoc). Then, enter the patch information in the Filter fix details field to locate the patch.
For information about Guardium patch types and naming conventions, see the Understanding Guardium patch types and patch names support document.
Prerequisites
- Guardium 11.0p400 (see release note)
- The latest health check patch 11.0p9997
Installation
Notes:
- Patch 11.0p491 is an appliance bundle that includes all fixes for 11.4 except sniffer fixes.
- This patch restarts the Guardium system.
- Do not reboot the appliance while the patch install is in progress. Contact Guardium support if there is an issue with patch installation.
Overview:
- Download the patch and extract the compressed package outside of the Guardium system.
- Be sure to check the latest version of these patch release notes online just before you install this patch.
- Pick a "quiet" or low-traffic time to install the patch on the Guardium system.
- Apply the latest health check patch.
- Install patches in a top-down manner on all Guardium systems: start with the central manager, then aggregators, and then the collectors.
- Apply the latest quarterly DPS patch and rapid response DPS patch even if these patches were applied before the upgrade.
For information about installing Guardium Data Protection patches, see How to install patches in the product documentation.
Attention
SHA256 GIM client certificates
After applying patch 11.0p491, Guardium supports SHA256 GIM certificates. This has the following implications:
- If using default certificates, GIM connections are secured by using SHA128. Custom certificates that use SHA256 are more secure and are recommended for GIM connections. Note that GIM connectivity is not interrupted after you apply this patch.
- GIM only verifies bundles signed with SHA256 and requires the installation of a transitional GIM bundle to support the change from SHA128 to SHA256.
For more information, see Updating Guardium Data Protection GIM clients with SHA256 certificates.
Guardium sniffer certification expires on 3 March 2025
The current sniffer default certificate will expire on 3 March 2025 and you must install a Guardium appliance patch to renew the certificate. For Guardium 11.4 systems, appliance bundle patch 11.0p491 or later provides an updated certificate.
For more information, see IBM Guardium sniffer certification expires March 2025.
Microsoft certificates expired on May 20, 2024
Microsoft certificates (microsoftca1-4) expired on May 20, 2024. The following Guardium patches provide updated certificates:
- 11.3 systems use patch 11.0p392 or later
- 11.4 systems use patch 11.0p485 or later
- 11.5 systems use patch 11.0p535 or later
- 12.0 systems use patch 12.0p5 or later
Install the correct patch for your Guardium system to use the updated certificates. For more information, see https://www.ibm.com/support/pages/node/7080145
Enhancements
This patch includes the following enhancements.
| Issue key | Summary |
|---|---|
| GRD-75466 | Include export of Universal Connector configuration to must gather |
Resolved issues
This patch resolves the following issues.
| Patch | Issue key | Summary | APAR |
|---|---|---|---|
| 11.0p490 | | See release note for patch 11.0p490 | |
| 11.0p491 | GRD-70966 | Aggregator query performance | DT276414 |
| 11.0p491 | GRD-79729 | Renew Tomcat certificate | |
| 11.0p491 | GRD-74765 | java.lang.ArrayIndexOutOfBoundsException error when classification is run on some tables | DT270218 |
| 11.0p491 | GRD-77441 | Importing Windows GIM and S-TAP bundles resulted in "Unexpected error occurred. Please contact the system administrator during import." | DT276407 |
| 11.0p491 | GRD-77554 | Trusted certificate related errors | DT269995 |
| 11.0p491 | GRD-77579 | Resource deployment on central manager doesn't show all MongoDB servers (monitored by Universal Connector) | DT276393 |
| 11.0p491 | GRD-77581 | Enabled auto_install_on_db_server_os_upgrade=1 S-TAP not running | DT276403 |
| 11.0p491 | GRD-77615 | In the deployment health table, the disk space status does not get reset after a disk full condition has been resolved | DT259580 |
| 11.0p491 | GRD-77725 | Cannot create a datasource without specifying an instance name for Microsoft SQL Server (DataDirect - Dynamic Port) | DT382361 |
| 11.0p491 | GRD-78308 | Guardium 12 failed at post install action during migrator check | DT276355 |
| 11.0p491 | GRD-78416 | Increase mysql-error.log history and include all in must gather | |
| 11.0p491 | GRD-79051 | 'NULL' S-TAP group name in associate S-TAPs and managed units appears randomly | DT383379 |
| 11.0p491 | GRD-79302 | run_from_cm needs to be updated with the latest | |
| 11.0p491 | GRD-79780 | Error using system backup or data archive to IBM Storage Protect after p535 | DT270368 |
| 11.0p491 | GRD-80064 | Regexes missing from session policies after patch application (p535) | DT364427 |
| 11.0p491 | GRD-80391 | Secure file transfer protocol (SFTP) response not correct for SFTP server with custom port | |
| 11.0p491 | GRD-80467 | Universal Connector always enabled automatically after restart of GUI, system, or network | DT382408 |
| 11.0p491 | GRD-80710 | Adding any columns from the "Threat case comments" entity to report "Analytic case observation" removes cases with no comments from the output | DT381232 |
| 11.0p491 | GRD-82556 | grdapi export_config type=remotelog does not work when pushing to group | DT391870 |
| 11.0p491 | GRD-83012 | Sniffer continuously restarting, causing S-TAPs to be inactive | DT386208 |
Known limitations
This patch contains the following known limitations.
| Issue key | Summary |
|---|---|
| GRD-79058 | Universal Connector support for OCI autonomous databases is not supported in 11.0p491. Resolution planned in upcoming releases. |
Security fixes
This patch contains the following security fixes.
| Issue key | Summary | CVEs |
|---|---|---|
| GRD-76178 | PSIRT: PVR0469527 - http2-hpack-9.4.44.v20210927.jar and jetty-http-9.4.10.v20180503.jar (publicly disclosed vulnerability found by Mend) - Kafka | CVE-2023-36478 |
| GRD-76367 | PSIRT: PVR0468745 - http2-common-9.4.44.v20210927.jar (publicly disclosed vulnerability found by Mend) datastreams | CVE-2023-44487 |
| GRD-76398 | Upgrade of BigFix client needed for appliances | CVE-2022-22576, CVE-2022-27544, CVE-2022-27545, CVE-2022-27775, CVE-2022-27776 |
| GRD-76560 | PSIRT: PVR0424448 - RHEL7 OS component upgrades needed | CVE-2020-22218 |
| GRD-76918 | PSIRT: PVR0474272 - SE - Pen Testing on prem - October 2023 - Privilege escalation from Tomcat to root (server_receiver.pl) | CVE-2023-47712 |
| GRD-76919 | PSIRT: PVR0474272 - SE - Pen testing on prem - October 2023 - Privilege escalation from Tomcat to root (ip_restriction.pl) | CVE-2023-47712 |
| GRD-77266 | PSIRT: PVR0475695 - IBM SDK, Java Technology Edition Quarterly CPU - Oct 2023 | CVE-2023-22081, CVE-2023-22067, CVE-2023-5676, CVE-2023-22025 |
| GRD-78874 | PSIRT: PVR0482970, PVR0470863, PVR0470250 - Multiple RPM updates needed for vulnerable components in 11.x and 12.0 | CVE-2023-6377, CVE-2023-5367, CVE-2022-3550, CVE-2022-4283, CVE-2022-46340, CVE-2022-46341, CVE-2022-46342, CVE-2022-46343, CVE-2022-46344, CVE-2023-0494, CVE-2023-1393, CVE-2023-46847, CVE-2020-22218, CVE-2023-34058, CVE-2023-34059, CVE-2023-3611, CVE-2023-3776, CVE-2023-4206, CVE-2023-4207, CVE-2023-4208 |
| GRD-79284 | PSIRT: PVR0466432 - [All] kernel - CVE-2023-42753 (publicly disclosed vulnerability) | CVE-2023-42753 |
| GRD-79822 | PSIRT: PVR0489259 - IBM SDK, Java Technology Edition Quarterly CPU - Jan 2024 - Includes Oracle January 2024 CPU plus CVE-2023-33850 | CVE-2023-33850 |
| GRD-80782 | PSIRT: PVR0465525 - [All] kernel - CVE-2023-4921 (publicly disclosed vulnerability) | CVE-2023-4921 |
| GRD-81641 | Multiple CVEs affect squid component for RHEL7 | CVE-2023-46724, CVE-2023-46728, CVE-2023-5824 |
| GRD-82313 | PSIRT: PVR0463909, PVR0463658 [All] kernel - CVE-2023-4622 (publicly disclosed vulnerability) for 11.x only | CVE-2023-4622, CVE-2023-4623 |
| GRD-82616 | PSIRT: PVR0487263 IBM Security Guardium is vulnerable to multiple Squid vulnerabilities for 11.x | CVE-2023-46728, CVE-2023-49285, CVE-2023-49286 |
| GRD-82619 | PSIRT: PVR0487534 [All] kernel - CVE-2024-1086 (publicly disclosed vulnerability) | CVE-2024-1086 |
| GRD-82623 | PSIRT: PVR0494126 - kernel upgrade 11.4 and 11.5 | CVE-2024-26602 |
Document Information
Modified date: 12 February 2025
UID: ibm17160735