IBM Support

Release of Guardium Data Protection patch 11.0p555

Release Notes


Abstract

This technical note provides guidance for installing IBM Guardium Data Protection patch 11.0p555, including any new features or enhancements, resolved or known issues, or notices associated with the patch.

Content

Patch information
  • Patch file name: SqlGuard-11.0p555_Bundle_Apr_08_2025.tgz.enc.sig
  • MD5 checksum: 06f4dab0a1aaa97d3e834bea4fb874b2
Finding the patch
  1. Select the following options to download this patch on the IBM Fix Central website and click Continue.
    • Product selector: IBM Security Guardium
    • Installed Version: 11.5
    • Platform: All
  2. On the "Identify fixes" page, select Browse for fixes and click Continue.
  3. On the "Select fixes" page, select Appliance patch (GPU and Ad-Hoc). Then, enter the patch information in the Filter fix details field to locate the patch.
 
For information about Guardium patch types and naming conventions, see the Understanding Guardium patch types and patch names support document.
Prerequisites
  • Guardium 11.0p500 (see the 11.0p500 release note for more information)
  • The latest health check patch 11.0p9997
Installation
Notes:
  • This patch is an appliance bundle that includes fixes for version 11.5.
  • This patch is cumulative and includes all the fixes from previously released patches.
  • This patch restarts the Guardium system.
  • Do not reboot the appliance while the patch install is in progress. Contact IBM Support if there is an issue with patch installation.
  • When changing the password of CLI and guardcli users in the Guardium command line interface, a password strength warning appears even when strong passwords are not enabled. To remove the strong password checks, execute the CLI command store user strong_password disable.
  • If you have single sign-on enabled and are upgrading from below 11.0p530, you must re-download metadata from the upgraded central manager and apply it on the identity provider.
Overview:
  1. Download the patch and extract the compressed package outside the Guardium system.
  2. Be sure to check the latest version of this patch release note online just before you install this patch.
  3. Pick a "quiet" or low-traffic time  to install the patch on the Guardium system.
  4. Apply the latest health check patch.
  5. Install patches in a top-down manner on all Guardium systems: start with the central manager, then aggregators, then the collectors.
  6. Apply the latest quarterly DPS patch and rapid response DPS patch even if these patches were applied before the upgrade.
For information about installing patches, see How to install patches in the Guardium documentation.
Attention
Guardium appliance bundle upgrade time extended due to MySQL tables conversion
Following MySQL support requirements, most tables are converted from MyISAM to InnoDB starting with Guardium appliance bundle versions 11.0p550 and later, and versions 12.0p25 and later. Due to the large size of some tables, which are mostly static tables, the conversion might consume more time than usual during an appliance bundle upgrade. Note: Do not cancel the patch installation process. If you have any concerns, contact IBM Support.
 
Renewed Guardium patch signing certificate
Guardium appliance patches are signed by an internal certificate to validate that the patch is created by Guardium. Unsigned patch files cannot be installed. This patch, 11.0p555, is signed by a new patch signing certificate. Therefore, to install this patch, the patch signing certificate on your Guardium appliance must first be updated by installing ad hoc patch 11.0p1057 (see release note) or an appropriate appliance bundle listed in IBM Guardium - Patch signing certificate set to expire in March 2025.
SHA256 GIM client certificates
After applying patch 11.0p530 or later, Guardium supports SHA256 Guardium Installation Manager (GIM) certificates.  This has the following implications:
  • The default certificates could be either SHA256 or SHA128, depending on the GIM server certificate setup. Custom certificates that use SHA256 are more secure and are recommended for GIM connections.  Note that GIM connectivity is not interrupted after applying this patch.
  • GIM only verifies bundles signed with SHA256 and requires installation of a transitional GIM bundle to support the GIM client change from SHA128 to SHA256.
Microsoft certificates expired on 20 May 2024
Microsoft certificates (microsoftca1-4) expired on 20 May 2024.  The following Guardium patches provide updated certificates:
  • 11.3 systems that use patch 11.0p392 or later
  • 11.4 systems that use patch 11.0p485 or later
  • 11.5 systems that use patch 11.0p535 or later
  • 12.0 systems that use patch 12.0p5 or later
Install the correct patch for your Guardium systems to use the updated certificates.  For more information, see https://www.ibm.com/support/pages/node/7080145
 
Enhancements
This patch includes the following enhancements:
Issue key Summary
GRD-79723
If the latest Guardium Installation Manager (GIM) bundles are installed on all existing GIM clients, you can replace GIM certificates from the Guardium appliance without taking additional action on the GIM clients. Use the following commands in the Guardium CLI:
  • replace certificate gim algorithm default command switches the GIM server certificate to SHA2
  • replace certificate gim algorithm default_sha1 command switches the GIM server certificate to SHA1
This enhancement applies to the following GIM bundle versions and later:
  • Guardium Linux-UNIX GIM 11.4_r117207, 11.5_r117180, 12.0_r117209, and 12.1.0.0 r118024
  • Guardium Windows GIM 11.4.0.413, 11.5.0.338, 12.0.0.183, and 12.1.0.112
GRD-84073
Upgrade IBM Storage Protect client to latest revision (formerly IBM Spectrum Protect, Tivoli Storage Manager)
GRD-84348 Upgrade MySQL version in 11.5 above 8.0.34
GRD-88128 CVE test support for MongoDB on Windows
GRD-88254
Added the ability to export the database list to a CSV file from within Central Manager > Compliance Monitoring > Application.
Resolved issues
This patch resolves the following issues:
Patch
Issue key
Summary
Known issue (APAR)
11.0p550 See release note for patch 11.0p550 --
11.0p555
 GRD-68858 The SESSION_TRUST_DETAILS  table is not purging properly GA18394
GRD-76110
Managed unit may lose connectivity to the Central Manager after installing patch 11.0p500 to upgrade from 11.4 to 11.5
 DT399889
GRD-80995 Couchbase database connection vulnerability assessment with LDAP needs GUI changes DT379903
GRD-81983 Aggregator GUI is slow and unresponsive  DT395091
GRD-82250 Guardium cannot classify tables with function-based index on Sybase database [Error Code: 11738] DT396797
GRD-82704 Guardium Insights -  New Central Manager registration method - UI restart N/A
GRD-84052 rsyslog test fails intermittently and randomly DT397061
GRD-84215
Cannot upload Guardium Installation Manager modules again
 DT395912
GRD-84325 Audit process not adding partitions in finalSql DT396467
GRD-84680 Vulnerability Assessment shows "sa.result.test.exception.view.click" text DT418299
GRD-85175 Initial start updated from the central manager is not updating all of the managed units correctly DT396812
GRD-85220 logrotate configuration reverts to default after installing bundle patch 11.0p540 or 11.0p545 DT399828
GRD-85278 Audit process builder's reordering receivers not taking effect DT393991
GRD-86991 When creating tuple group, unable to add tuple parameters on a Simplified Chinese appliance DT399735
GRD-87503 Guardium unable to connect with Oracle databases, getting Java Array error - VA DT418630
GRD-88205
Universal connector ICD Postgres connections exceeded max limit 30. To fully resolve this issue, install Guardium Data Protection universal connector patch 11.0p1051 (see release note) after you install Guardium Data Protection patch 11.0p555.
 DT408991
GRD-89352 Sniffer failed to start on Microsoft Azure collector after installing patch 11.0p545 and security patch 11.0p6509 DT416659
Security fixes
This patch contains the following security fixes:
Issue key
Summary
CVE
GRD-74731
Mitigation for CVE-2023-1829
 CVE-2023-1829
GRD-76365 PSIRT: PVR0468745 - http2-common-9.4.44.v20210927.jar (Publicly disclosed vulnerability found by Mend) - webapps CVE-2023-44487
GRD-84339 PSIRT: PVR0461564 - [All] Python (Publicly disclosed vulnerability) CVE-2023-40217
GRD-84527
Tenable Nessus scan
CVE-2016-5766, CVE-2020-14363, CVE-2020-36558, CVE-2021-20305, CVE-2021-27803, CVE-2021-31535, CVE-2021-4034, CVE-2021-42574, CVE-2022-24407, CVE-2022-42896, CVE-2022-43552, CVE-2023-2002, CVE-2023-25775, CVE-2023-38409, CVE-2023-40217, CVE-2023-4408, CVE-2023-45871, CVE-2023-4622, CVE-2023-4623, CVE-2023-4921, CVE-2023-50387, CVE-2023-50868, CVE-2024-1086, CVE-2024-26602, CVE-2024-2961, CVE-2024-31080, CVE-2024-31081, CVE-2024-31083, CVE-2024-32487, CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602
GRD-87435 PSIRT: PVR0528822 [All] Oracle MySQL - July 2024 - CPU - 12.1 only - post 12.1 GA
CVE-2024-20996 , CVE-2024-21125, CVE-2024-21127, CVE-2024-21129, CVE-2024-21130, CVE-2024-21134, CVE-2024-21135, CVE-2024-21137, CVE-2024-21142, CVE-2024-21157, CVE-2024-21159, CVE-2024-21160, CVE-2024-21162, CVE-2024-21163, CVE-2024-21165, CVE-2024-21166, CVE-2024-21170, CVE-2024-21171, CVE-2024-21173, CVE-2024-21176, CVE-2024-21177, CVE-2024-21179, CVE-2024-21185
GRD-88447 PSIRT: PVR0534141 - 3rd party: SSRF vulnerability in IBM Guardium

[{"Type":"MASTER","Line of Business":{"code":"LOB76","label":"Data Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"ARM Category":[{"code":"a8m3p000000PCTuAAO","label":"Platform\/Installation\/Deployment"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"11.5.0"}]

Document Information

Modified date:
27 May 2025

UID

ibm17178618

Page Feedback