Release Notes
Abstract
This technical note provides guidance for installing IBM Security Guardium Data Protection patch 12.0p20, including any new features or enhancements, resolved or known issues, or notices associated with the patch.
Content
Patch information
- Patch file name: SqlGuard-12.0p20_Bundle_Apr_09_2025.tgz.enc.sig
- MD5 checksum: 3e35eb55241e11fb2162acfe3d337288
Finding the patch
- Select the following options to download this patch on the IBM Fix Central website and click Continue.
- Product selector: IBM Security Guardium
- Installed Version: 12.0
- Platform: All
- On the "Identify fixes" page, select Browse for fixes and click Continue.
- On the "Select fixes" page, select Appliance patch (GPU and Ad-Hoc). Then, enter the patch information in the Filter fix details field to locate the patch.
For information about Guardium patch types and naming conventions, see the Understanding Guardium patch types and patch names support document.
Prerequisites
The latest Guardium Data Protection health check patch 12.0p9997
Installation
Notes:
- This patch is an appliance bundle that includes all fixes for 12.0 except sniffer fixes.
- This patch restarts the Guardium system.
- Do not reboot the appliance while the patch install is in progress. Contact Guardium support if there is an issue with patch installation.
- When changing the password of CLI and guardcli users in the Guardium command line interface, a password strength warning appears even when strong passwords are not enabled. To remove the strong password checks, execute the CLI command store user strong_password disable.
Overview:
- Download the patch and extract the compressed package outside the Guardium system.
- Review the latest version of the patch release notes just before you install the patch.
- Pick a "quiet" or low-traffic time to install the patch on the Guardium system.
- Apply the latest health check patch.
- Install patches in a top-down manner on all Guardium systems: start with the central manager, then aggregators, then the collectors.
- Apply the latest quarterly DPS patch and rapid response DPS patch even if these patches were applied before the upgrade.
For information about installing Guardium Data protection patches, see How to install patches in the Guardium documentation.
Attention
Renewed Guardium patch signing certificate
Guardium appliance patches are signed by an internal certificate to validate that the patch is created by Guardium. Unsigned patch files cannot be installed. This patch is signed by a new patch signing certificate. Therefore, to install this patch, the patch signing certificate on your Guardium appliance must first be updated by installing ad hoc patch 12.0p1012 (see release note) or an appropriate appliance bundle listed in the IBM Guardium - Patch signing certificate set to expire in March 2025 support document.
Guardium appliance patches are signed by an internal certificate to validate that the patch is created by Guardium. Unsigned patch files cannot be installed. This patch is signed by a new patch signing certificate. Therefore, to install this patch, the patch signing certificate on your Guardium appliance must first be updated by installing ad hoc patch 12.0p1012 (see release note) or an appropriate appliance bundle listed in the IBM Guardium - Patch signing certificate set to expire in March 2025 support document.
Enhancements
This patch includes the following enhancements:
| Issue key | Summary |
|---|---|
| GRD-75466 | Include export of Universal Connector configuration to must gather |
| GRD-77815 | Change Central Management page to allow only applicable actions for kafka-node |
| GRD-79371 and GRD-79784 | Improvements for Kafka node |
| GRD-80325 | Extra check so generic ad-hoc does nothing on appliance where fix already exists |
| GRD-80531 | Add proxy connection option when connecting Guardium Data Protection to Guardium Insights |
Resolved issues
This patch resolves the following issues:
| Patch | Issue key | Summary | APAR |
|---|---|---|---|
| 12.0p15 | This patch includes fixes from 12.0p15 (see release notes) | ||
| 12.0p20 | GRD-74083 | Report generated from audit process sporadically does not give all results | DT249843 |
| GRD-74703 | Custom alerting class file is not sending an alert to the repository database | DT386367 | |
| GRD-77314 | Need CLI commands to manage SSH secure settings | -- | |
| GRD-77725 | Cannot create a datasource without specifying an instance name for Microsoft SQL Server (DataDirect - Dynamic Port) | DT382361 | |
| GRD-78249 | Admin/accessmgr reconciliation fails with CyberArk after SAML enable with OKTA | DT270057 | |
| GRD-78255 | Discovered database instances are not within the discovered instances report | DT383111 | |
| GRD-78975 | Vulnerability found in central manager appliance | DT383081 | |
| GRD-79051 | 'NULL' STAP group name in associate S-TAPs and managed units appears randomly | DT383379 | |
| GRD-79206 | Correlation alert is not triggering despite data matching criteria | DT270105 | |
| GRD-79524 | Vulnerability Assessment test detail exceptions not working when applied to a datasource group; test still reported as failed after being added | DT365149 | |
| GRD-79665 | export_config command is not working | DT380778 | |
| GRD-79780 | Error using system backup or data archive to IBM Storage Protect after p535 | DT270368 | |
| GRD-80087 | Cloud support account expiring; support reset-managed-cli failed for cloud collector | DT383084 | |
| GRD-80247 | System configuration backup files are small | DT391600 | |
| GRD-80391 | Secure file transfer protocol (SFTP) response not correct for SFTP server with custom port | -- | |
| GRD-80467 | Universal Connector always enabled automatically after restart of GUI, system, or network | DT382408 | |
| GRD-80681 | CVE test fails for Sybase 15.7 SP141 recommending to install SP141 that is already installed | DT380819 | |
| GRD-80710 | Adding any columns from the "Threat case comments" entity to report "Analytic case observation" removes cases with no comments from the output | DT381232 | |
| GRD-81015 | Add option to mirror data export to a third aggregator | -- | |
| GRD-81148 | EMEA-Import Job fails on aggregator | DT386513 | |
| GRD-81564 | CLI command `support analyze tables` checked table instead of analyzing table | DT382406 | |
| GRD-81658 | Since p535 upgrade, IBM Storage Protect archives are no longer working | DT381371 | |
| GRD-81706 | Hostname and domain name are changing after collector restart | DT387808 | |
| GRD-81732 | p535 failed on db_patch with error; Alias is marked as crashed | DT389544 | |
| GRD-81763 | In the Inspection Engine Configuration page, if two or more inspection engines are added, all of the inspection engines cannot be started or stopped | DT386931 | |
| GRD-81943 | 12.0 TLS and hidden RPC services vulnerability | DT391527 | |
| GRD-83012 | Sniffer continuously restarts, which causes S-TAPs to be inactive | DT386208 |
Security fixes
This patch resolves the following issues:
| Issue key | Summary | CVE |
|---|---|---|
| 12.0p6006 | This patch includes fixes from 12.0p6006 (see release notes) | -- |
| 12.0p6007 | This patch includes fixes from 12.0p6007 (see release notes) | -- |
| 12.0p6008 | This patch includes fixes from 12.0p6008 (see release notes) | -- |
| GRD-79853 | xorg-x11-server needs upgrade | CVE-2023-6816 CVE-2024-0409 |
| GRD-80561 | PSIRT: PVR0492187 Oracle MySQL (Publicly disclosed vulnerability) |
CVE-2024-20968
CVE-2024-20976 CVE-2024-20960 CVE-2024-20962 CVE-2024-20970 CVE-2024-20978 CVE-2024-20964 CVE-2024-20972 CVE-2024-20982 CVE-2024-20966 CVE-2024-20974 CVE-2024-20984 |
| GRD-82304 | PSIRT: PVR0505132 update joda-time to latest jar in Datastream | CVE-2024-23080 |
| GRD-82620 | PSIRT: PVR0487534,PVR0487633 kernel upgrade v12 |
CVE-2024-0565
CVE-2024-1085
CVE-2024-1086 |
| GRD-82621 | PSIRT: PVR0493171, PVR0493161, PVR0493111, PVR0492761,PVR0515228, PVR0515248 kernel upgrade v12 | CVE-2024-26584 |
| GRD-82622 | PSIRT: PVR0494126 Kernel upgrade v12.0 | CVE-2024-26602 |
| GRD-82624 | PSIRT: PVR0495078 IBM Security Guardium is vulnerable to multiple Bind vulnerabilities | CVE-2023-4408 CVE-2023-5517 CVE-2023-5679 CVE-2023-50387 |
| GRD-83052 | PSIRT: CVE-2023-6478- xorg-x11-server-common rpm upgrade | CVE-2023-6478 |
Known limitations
This patch contains the following known limitations:
| Issue key | Summary |
|---|---|
| GRD-85173 |
Azure PostgreSQL is not supported in 12.0p20. If you have have this plug-in configured, do not upgrade to 12.0p20.
|
| GRD-85370 | After you upgrade the central manager to 12.0p16 or later, you will have very limited functionality available on managed units until you also update them to the same patch version. |
|
GRD-88531
|
After applying patch 12.0p20 on a FIPS-enabled environment, TLS is reset to TLS1.2,TLS1.3.
Workaround:
|
[{"Type":"MASTER","Line of Business":{"code":"LOB76","label":"Data Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"ARM Category":[{"code":"a8m3p000000PCTuAAO","label":"Platform\/Installation\/Deployment"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"12.0.0"}]
Was this topic helpful?
Document Information
Modified date:
24 April 2025
UID
ibm17161693