IBM Support

Release of Guardium Data Protection patch 11.0p492

Release Notes


Abstract

This technical note provides guidance for installing IBM Guardium Data Protection patch 11.0p492, including any new features or enhancements, resolved or known issues, or notices associated with the patch.

Content

Patch information
  • Patch file name: SqlGuard-11.0p492_Bundle_Nov_11_2024.tgz.enc.sig
  • MD5 checksum: 6681d819f51b86c98fdf2f41b12d0618
Finding the patch 
Make the following selections to locate this patch for download on the IBM Fix Central website:
  • Product selector: IBM Security Guardium
  • Installed Version: 11.0
  • Platform: All
Click Continue.
On the "Identify fixes" page, select Browse for fixes and click Continue .
On the "Select fixes" page, select Appliance patch (GPU and ad hoc). Then, enter the patch information in the Filter fix details field to locate the patch.
For information about Guardium patch types and naming conventions, see the Understanding Guardium patch types and patch names support document.
Prerequisites
  • Guardium 11.0p400 (see the 11.0p400 release notes for more information)
  • The latest health check patch 11.0p9997
Installation
Notes:
  • This patch is an appliance bundle that includes fixes for Guardium 11.4.
  • This patch is cumulative and includes all the fixes from previously released patches.
  • This patch restarts the Guardium system.
  • Do not reboot the appliance while the patch install is in progress. Contact IBM Support if there is an issue with patch installation.
Overview:
  1. Download the patch and extract the compressed package outside the Guardium system.
  2. Be sure to check the latest version of these patch release notes online just before you install this patch.
  3. Pick a "quiet" or low-traffic time  to install the patch on the Guardium system.
  4. Apply the latest health check patch.
  5. Install patches in a top-down manner on all Guardium systems: start with the central manager, then aggregators, then the collectors.
  6. Apply the latest quarterly DPS patch and rapid response DPS patch even if these patches were applied before the upgrade.
For information about installing Guardium Data Protection patches, see How to install patches in the product documentation.
Attention
Guardium patch signing certificate expires on 29 March 2025
The current patch signing certificate for Guardium appliance patches will expire on 29 March 2025. Guardium appliance patches are signed by an internal certificate to validate that the patch is created by Guardium. Unsigned patch files cannot be installed.
For Guardium 11.4 systems, appliance bundle patch 11.0p492 or later provides an updated certificate. For more information, see IBM Guardium - Patch signing certificate set to expire in March 2025.
SHA256 GIM client certificates
Guardium 11.0p492 supports both SHA256 and SHA128 GIM certificates. This has the following implications:
  • The default certificates could be either SHA256 or SHA128, depending on the GIM server certificate setup. Custom certificates that use SHA256 are more secure and are recommended for GIM connections.
  • GIM only verifies bundles signed with SHA256 and requires installation of a transitional GIM bundle to support the GIM client upgrade from SHA128 to SHA256.
Microsoft certificates expired on 20 May 2024
Microsoft certificates (microsoftca1-4) expired on 20 May 2024. The following Guardium patches provide updated certificates:
  • 11.3 systems use patch 11.0p392 or later
  • 11.4 systems use patch 11.0p485 or later
  • 11.5 systems use patch 11.0p535 or later
  • 12.0 systems use patch 12.0p5 or later
Install the correct patch for your Guardium system to use the updated certificates.  For more information, see https://www.ibm.com/support/pages/node/7080145
 
Enhancements
This patch includes the following enhancements:
Issue key Summary
GRD-84390 Universal Connector cleanup
GRD-88704 [Microsoft SQL Server] Record database offline and permission errors in classification process log
Known Limitations
This patch includes the following known limitations:
Issue key Summary
GRD-90380 CLI setup for SNMP does not appear correctly on GUI. 
Resolution: a fix will be included in the next bundle release
Resolved issues
This patch resolves the following issues:
Patch Issue key Summary APAR
11.0p491 See the 11.0p491 release notes for more information
11.0p492 GRD-78417 Archive fails after deleting scplog.log by using diag utility DT259993
GRD-80995 Couchbase database connection Vulnerability Assessment DT379903
GRD-82017 Venafi commands failing on Guardium appliances 11.4 and 11.5 DT394191
GRD-82250 Guardium cannot classify tables with function-based index on Sybase database [Error Code: 11738] DT396797
GRD-82730 Missing Guardium database partitions after backup restore
DT393703
DT393704
DT393706
GRD-82731 p1234 needing to be installed more than once on central manager DT391476
GRD-83064 Unable to delete config from UI, since config was not present in /var/IBM/Guardium/uc/config DT397578
GRD-83096 Troubleshooting error with Guardium REST API DT397350
GRD-83537 cli_userauth appliance attempting to renew UNIX password DT392817
GRD-84021
Make instance name optional for dynamic Microsoft SQL Server data source definition
GRD-85028 HSTS missing from HTTPS server (RFC 6797) vulnerability DT396837
GRD-85175 Initial start updated from the central manager is not updating all the managed units correctly DT396812
GRD-85220 Logrotate configuration reverting back to Weekly 4 after installing bundle patch p5xx
GRD-85891 Backup central manager failed to "failover" managed units after primary central manager went down DT396868
GRD-86996 CLI unable to set alerter SNMP traphost by using hostname DT397016
GRD-87282 EMEA - GUI showing v2 SNMP, but CLI and traffic in SNMPv3
Security fixes
This patch contains the following security fixes:
Patch Issue key Summary CVE
11.0p6409
See the 11.0p609 release notes for more information
11.0p492 GRD-74731 Mitigation for CVE-2023-1829
CVE-2023-1829
GRD-76365 PSIRT: PVR0468745 - http2-common-9.4.44.v20210927.jar (Publicly disclosed vulnerability found by Mend) - webapps
CVE-2023-44487
GRD-82306 PSIRT: PVR0507058 zlib-v1.2.12 (Publicly disclosed vulnerability found by Mend)
CVE-2022-37434
GRD-82996 PSIRT: PVR0510300 - bcprov-jdk15on-1.56.jar (Publicly disclosed vulnerability found by Mend) - webapps, gimserver
GRD-82997 PSIRT: PVR0510300 - bcprov-jdk15on-1.56.jar (Publicly disclosed vulnerability found by Mend) - datastreams
GRD-82998 PSIRT: PVR0510300 - bcprov-jdk15on-1.56.jar (Publicly disclosed vulnerability found by Mend) - solr
GRD-83492 PSIRT: PVR0506186, PVR0510604, PVR0510640, PVR0510586, PVR0510622 - [All] GNU glibc - CVE-2024-2961, CVE-2024-33599  (Publicly disclosed vulnerability) 
CVE-2024-2961
CVE-2024-33599
CVE-2024-33600 CVE-2024-33601
CVE-2024-33602
 
GRD-84093 PSIRT: PVR0412772 - Grub2 upgrade needed
CVE-2022-2601
GRD-84116 PSIRT: PVR0498203 & PVR0498442 - ZooKeepeer - Kafka
CVE-2017-5637
CVE-2018-8012
CVE-2019-0201
CVE-2023-44981
CVE-2024-23944
GRD-84339 PSIRT: PVR0461564 - [All] Python (Publicly disclosed vulnerability)
CVE-2023-40217
GRD-85072 botan-1.10.5-01.el7.x86_64 rpm has vulnerabilities
CVE-2015-5726
CVE-2015-5727
CVE-2015-7824
CVE-2015-7825
CVE-2015-7826
CVE-2015-7827
CVE-2016-2194
CVE-2016-2195
CVE-2016-6878
CVE-2016-9132

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"ARM Category":[{"code":"a8m3p000000PCTuAAO","label":"Platform\/Installation\/Deployment"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"11.4.0"}]

Document Information

Modified date:
03 January 2025

UID

ibm17173646

Page Feedback