Release Notes
Abstract
This technical note provides guidance for installing IBM Guardium Data Protection patch 12.0p35, including any new features or enhancements, resolved or known issues, or notices associated with the patch.
Content
Patch information
- Patch file name: SqlGuard-12.0p35_Bundle_Jan_28_2025.tgz.enc.sig
- MD5 checksum: db1829cccec92048901ea72bcab22fa0
Finding the patch
- Select the following options to download this patch on the IBM Fix Central website and click Continue.
- Product selector: IBM Security Guardium
- Installed Version: 12.0
- Platform: All
- On the "Identify fixes" page, select Browse for fixes and click Continue.
- On the "Select fixes" page, select Appliance patch (GPU and Ad-Hoc). Then, enter the patch information in the Filter fix details field to locate the patch.
For information about Guardium patch types and naming conventions, see the Understanding Guardium patch types and patch names support document.
Prerequisites
The latest Guardium Data Protection health check patch 12.0p9997
Installation
Notes:
- This patch is an appliance bundle that includes all fixes for version 12.0.
- This patch is cumulative and includes all the fixes from previously released patches.
- This patch restarts the Guardium system.
- Do not reboot the appliance while the patch install is in progress. Contact IBM Support if there is an issue with patch installation.
- When changing the password of CLI and guardcli users in the Guardium command line interface, a password strength warning appears even when strong passwords are not enabled. To remove the strong password checks, execute the CLI command store user strong_password disable.
Overview:
- Download the patch and extract the compressed package outside the Guardium system.
- Review the latest version of the patch release notes just before you install the patch.
- Pick a "quiet" or low-traffic time to install the patch on the Guardium system.
- Apply the latest health check patch.
- Install patches in a top-down manner on all Guardium systems: start with the central manager, then aggregators, then the collectors.
- Apply the latest quarterly DPS patch and rapid response DPS patch even if these patches were applied before the upgrade.
For information about installing Guardium Data protection patches, see How to install patches in the Guardium documentation.
Attention
Guardium appliance bundle upgrade time extended due to MySQL tables conversion
Following MySQL support requirements, most tables are converted from MyISAM to InnoDB starting with Guardium appliance bundle versions 11.0p550 and later, and versions 12.0p25 and later. Due to the large size of some tables, which are mostly static tables, the conversion might consume more time than usual during an appliance bundle upgrade. Note: Do not cancel the patch installation process. If you have any concerns, contact IBM Support.
For more information, see Guardium appliance bundle upgrade time extended due to MySQL tables conversion.
Guardium patch signing certificate expires on 29 March 2025
The current patch signing certificate for Guardium appliance patches will expire on 29 March 2025. Guardium appliance patches are signed by an internal certificate to validate that the patch is created by Guardium. Unsigned patch files cannot be installed.
This patch, 12.0p35, is signed by the new patch signing certificate. Therefore, to install this patch, the patch signing certificate on your Guardium appliance must first be updated by installing ad hoc patch 12.0p1012 (see release note), appliance bundle 12.0p25 (see release note), or appliance bundle 12.0p30 (see release note).
For Guardium 12.0 systems, appliance bundle patch 12.0p25 or later provides an updated certificate. For more information, see IBM Guardium - Patch signing certificate set to expire in March 2025.
IBM Db2 for z/OS JDBC driver update
In 12.0p35, the IBM Db2 for z/OS JDBC driver in Guardium Vulnerability Assessment is updated to support IBM Db2 13 for z/OS, which enables TLS 1.3 and other advantages. You might need to update your IBM Db2 JDBC license. If so, test your connection in a staging environment and contact the IBM Db2 Support team if licensing issues arise. For assistance, open a case at ibm.com/mysupport.
In 12.0p35, the IBM Db2 for z/OS JDBC driver in Guardium Vulnerability Assessment is updated to support IBM Db2 13 for z/OS, which enables TLS 1.3 and other advantages. You might need to update your IBM Db2 JDBC license. If so, test your connection in a staging environment and contact the IBM Db2 Support team if licensing issues arise. For assistance, open a case at ibm.com/mysupport.
Enhancements
This patch includes the following enhancements.
| Issue key | Summary |
|---|---|
| GRD-80045 | Configured time interval for healthy/unhealthy universal connector S-TAP host status duration |
|
GRD-81544
|
Added CLI command to increase innodb_buffer_pool_size parameter
|
| GRD-86309 | Update SNMP and SMTP grdapi commands |
| GRD-88440 | Communicate which managed units are Apache Kafka nodes to Guardium Insights. |
| GRD-88704 |
[Microsoft SQL Server] Record database offline and permission errors in classification process log
|
| GRD-88790 |
Teradata gdmmonitor clarification for Guardium 11.4 and later
|
| GRD-90552 | Updated CLI command show certificate summary to list new patch signing certificates |
Known issues
This patch includes the following known issues.
| Issue key | Summary |
|---|---|
| GRD-92906 | If patch 12.0p1006 (see release note) is already applied after your environment is upgraded (for example, when you applied patch 12.p30 over patch 12.p25) and you see the "Important: Guardium UC update must be reinstalled" message on your universal connector configuration page, then you can ignore the message. You do not need to apply universal connector patch 12.0p1006 again on your environment. |
Resolved issues
This patch resolves the following issues.
| Patch | Issue key | Summary | Known issue (APAR) |
|---|---|---|---|
| 12.0p30 | This patch includes resolved issues from 12.0p30 (see release notes) | ||
| 12.0p35 | GRD-78772 | Venafi: Guardium GUI certificate renewal error: "guardium Venafi retrieve script error 80333" trying to import Venafi certificate | DT389660 |
| GRD-80164 | "show remotelog test" configured with facility.priority='all.all' only tests using facility.priority='daemon.info' | DT419678 | |
| GRD-80995 | Couchbase database connection vulnerability assessment with LDAP needs GUI changes | DT379903 | |
| GRD-81983 | Aggregator GUI is slow and unresponsive | DT395091 | |
| GRD-82704 | Guardium Insights - New Central Manager registration method - UI restart | N/A | |
| GRD-83572 | Vulnerability Assessment Test ID 394 fails for MongoDB, indicating that authentication is disabled if auth type is x509 (which is a valid authentication type) | DT419687 | |
| GRD-84052 | rsyslog test fails intermittently and randomly | DT397061 | |
| GRD-84325 | Audit process not adding partitions in finalSql | DT396467 | |
| GRD-84662 | When changing the password for the cli user after it has expired, the Guardium appliance forces to change the password twice instead of once | DT419649 | |
| GRD-86996 | CLI: Unable to set Alerter SNMP traphost by using hostname | DT397016 | |
| GRD-87491 | Error 'ORA-00942: table or view does not exist.' from Assessment Test ID 2374 'No Authorization To CREATE ANY LIBRARY Privilege' | DT419661 | |
| GRD-87503 | Guardium unable to connect with Oracle databases, getting Java Array error - VA | DT418630 | |
| GRD-87529 | Add TUPLE_PARAMETERS table to translation | N/A | |
| GRD-87931 | GRD- cannot overwrite snmp contact information | DT397399 | |
| GRD-88026 | Cloning out of the box reports fails | DT420128 | |
| GRD-88120 | Aggregator: Import/Export/Archive failing after bundle patch 545 with "Another aggregation process is currently running" | DT417651 | |
| GRD-88259 | reset-managed-cli command fails to reset the CLI password on all managed units | DT419826 | |
| GRD-89153 | Schedule job exception: PEStatusJob trigger: siGroup.PEStatusJobError caught executing job due to some runtime exception | DT419637 | |
| GRD-89310 | GUI login hangs in AWS cloud environment with central manager and managed units | DT419827 | |
| GRD-89704 | EMEA - aggregation/archive log warning - adm | DT420186 | |
| GRD-90015 | Venafi certifications failing after applying fix p550 | DT416887 | |
| GRD-90211 | Unable to add new catalog archive entry on collector | DT421878 | |
| GRD-90257 | Some GUI operations, such as editing a report in Query-Report Builder, take several minutes to respond | DT418120 | |
| GRD-90942 | Scheduled Job Exception 'IP Alias creation: An error occurred java.util.IllegalFormatConversionException: d != java.lang.String' after version 12.1 upgrade | DT419702 | |
| GRD-91084 | systemstats_linux: unexpected header length in /proc/net/snmp | DT421432 | |
| GRD-91695 | Resolved security vulnerability | ||
| GRD-92308 | Primary central manager failover policy installation verification change | DT421946 |
Security fixes
This patch resolves the following issues.
| Patch | Issue key | Summary | CVE |
|---|---|---|---|
|
12.0p30
|
This patch includes fixes from 12.0p30 (see release notes) | ||
| 12.0p35 | GRD-86744 | glibc - RHEL 9 CVEs |
CVE-2024-2961, CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602
|
| GRD-86745 | ubound, bind - RHEL 9 CVEs |
CVE-2023-4408, CVE-2023-5517, CVE-2023-5679, CVE-2023-6516, CVE-2023-50387, CVE-2023-50868
|
|
| GRD-86747 | shim rpm - RHEL 9 CVEs |
CVE-2023-40546, CVE-2023-40547, CVE-2023-40548, CVE-2023-40549, CVE-2023-40550, CVE-2023-40551
|
|
| GRD-86749 | nghttp2 rpm - RHEL 9 CVEs |
CVE-2024-28182
|
|
| GRD-86750 | gnutls rpm - RHEL 9 CVEs |
CVE-2024-28834, CVE-2024-28835, CVE-2024-0567, CVE-2023-5981, CVE-2024-0553
|
|
| GRD-86751 | perl rpm - RHEL 9 CVEs | CVE-2023-47038 | |
| GRD-86753 | traceroute rpm - RHEL 9 CVEs | CVE-2023-46316 | |
| GRD-86755 | pam rpm - RHEL 9 CVEs | CVE-2024-22365 | |
| GRD-86756 | xorg-x11-server rpm - RHEL 9 CVEs |
CVE-2023-5367, CVE-2023-5380, CVE-2023-6377, CVE-2023-6478, CVE-2023-6816, CVE-2024-0229, CVE-2024-0408, CVE-2024-0409, CVE-2024-21885, CVE-2024-21886
|
|
| GRD-86757 | grub2 rpm - RHEL 9 CVEs |
CVE-2023-4692, CVE-2023-4693, CVE-2024-1048, CVE-2023-4001
|
|
| GRD-86759 | harfbuzz rpm - RHEL 9 CVEs | CVE-2023-25193 | |
| GRD-86760 | libjpeg-turbo rpm - RHEL 9 CVEs | CVE-2021-29390 | |
| GRD-86762 | libtiff rpm - RHEL 9 CVEs |
CVE-2022-40090, CVE-2023-3618, CVE-2023-6228, CVE-2023-40745, CVE-2023-41175
|
|
| GRD-86764 | libxpm rpm - RHEL 9 CVEs | CVE-2023-43788, CVE-2023-43789 | |
| GRD-86765 | python-cryptography rpm - RHEL 9 CVEs | CVE-2023-23931 | |
| GRD-86766 | binutils rpm - RHEL 9 CVEs | CVE-2022-4285 | |
| GRD-86769 | avahi rpm - RHEL 9 CVEs | CVE-2023-38469 | |
| GRD-86772 | postgresql-private-libs rpm - RHEL 9 CVEs | CVE-2023-2454 | |
| GRD-86778 | squid rpm - RHEL 9 CVEs | CVE-2024-23638, CVE-2024-37894 | |
| GRD-86779 | libuv rpm - RHEL 9 CVEs | CVE-2024-24806 | |
| GRD-86780 | cockpit rpm - RHEL 9 CVEs | CVE-2024-2947 |
|
| GRD-86781 | gdk-pixbuf2 rpm - RHEL 9 CVEs | CVE-2022-48622 |
|
| GRD-86783 | systemd rpm - RHEL 9 CVEs | CVE-2023-7008 |
|
| GRD-86785 | apr rpm - RHEL 9 CVEs | CVE-2022-24963 | |
| GRD-88447 | PSIRT: PVR0534141 - 3RD PARTY: SSRF Vulnerability | ||
| GRD-89640 |
Multiple kernel vulnerabilities for RHEL9.
PSIRT: PVR0487545, PVR0487589, PVR0487600, PVR0488067, PVR0488111, PVR0488144, PVR0493101, PVR0493131, PVR0493191, PVR0493926, PVR0493956, PVR0494016, PVR0494056, PVR0494066, PVR0494106, PVR0494136, PVR0494156, PVR0494784, PVR0495229, PVR0496124, PVR0496341, PVR0496371, PVR0496421, PVR0498916, PVR0499550, PVR0499560, PVR0499701, PVR0499711, PVR0499731, PVR0499741, PVR0500003, PVR0501585, PVR0501595, PVR0501605, PVR0503605, PVR0503806, PVR0504363, PVR0504393, PVR0513763, PVR0514044, PVR0514054, PVR0514074, PVR0514084, PVR0514094, PVR0514104, PVR0514124, PVR0514134, PVR0515178, PVR0515752, PVR0515762, PVR0515822, PVR0515852, PVR0515892, PVR0516417, PVR0516427, PVR0516447, PVR0516881, PVR0516931, PVR0516951, PVR0516961, PVR0526181, PVR0526201, PVR0526221, PVR0526241, PVR0526261, PVR0536501, PVR0536509, PVR0536535, PVR0536555, PVR0536575, PVR0536611, PVR0536651, PVR0536727, PVR0536745, PVR0536771, PVR0536789, PVR0536807, PVR0536827, PVR0536847, PVR0536895, PVR0536915, PVR0536923, PVR0536961, PVR0536979, PVR0536989, PVR0537025, PVR0537033, PVR0537123, PVR0537141, PVR0537151, PVR0537161, PVR0537169, PVR0537233, PVR0537260, PVR0537270, PVR0537278, PVR0537354, PVR0537364, PVR0537420, PVR0537428, PVR0537458, PVR0537506, PVR0537514, PVR0537554, PVR0537602, PVR0537612, PVR0537630, PVR0537656, PVR0537666, PVR0537719, PVR0537729, PVR0537739, PVR0537749, PVR0537853, PVR0537909, PVR0537917, PVR0537943, PVR0537953, PVR0537973, PVR0537983, PVR0538019, PVR0539466, PVR0539509, PVR0539750, PVR0540378, PVR0540865, PVR0540895, PVR0541666, PVR0541897, PVR0541957, PVR0542678, PVR0542728, PVR0542748, PVR0546227, PVR0546267, PVR0546701, PVR0547158, PVR0554807, PVR0554859, PVR0554901, PVR0554928, PVR0554993, PVR0555002, PVR0555029, PVR0555062, PVR0555809, PVR0555818, PVR0556636, PVR0560886, PVR0561049, PVR0561768, PVR0563606, PVR0564748, PVR0566524, PVR0566545, PVR0566565, PVR0566625, PVR0570511
|
CVE-2021-47419, CVE-2021-47432, CVE-2021-47440, CVE-2021-47476, CVE-2021-47556, CVE-2023-52439, CVE-2023-52445, CVE-2023-52455, CVE-2023-52462, CVE-2023-52464, CVE-2023-52466, CVE-2023-52467, CVE-2023-52473, CVE-2023-52475, CVE-2023-52477, CVE-2023-52482, CVE-2023-52490, CVE-2023-52492, CVE-2023-52518, CVE-2023-52529, CVE-2023-52576, CVE-2023-52614, CVE-2023-52615, CVE-2023-52622, CVE-2023-52626, CVE-2023-52643, CVE-2023-52648, CVE-2023-52658, CVE-2023-52662, CVE-2023-52667, CVE-2023-52679, CVE-2023-52756, CVE-2023-52762, CVE-2023-52775, CVE-2023-52784, CVE-2023-52791, CVE-2023-52834, CVE-2024-0841, CVE-2024-22099, CVE-2024-23307, CVE-2024-23848, CVE-2024-24857, CVE-2024-24858, CVE-2024-25739, CVE-2024-26581, CVE-2024-26589, CVE-2024-26591, CVE-2024-26593, CVE-2024-26600, CVE-2024-26603, CVE-2024-26605, CVE-2024-26609, CVE-2024-26612, CVE-2024-26614, CVE-2024-26618, CVE-2024-26627, CVE-2024-26629, CVE-2024-26631, CVE-2024-26633, CVE-2024-26638, CVE-2024-26640, CVE-2024-26641, CVE-2024-26645, CVE-2024-26646, CVE-2024-26650, CVE-2024-26660, CVE-2024-26669, CVE-2024-26670, CVE-2024-26671, CVE-2024-26686, CVE-2024-26708, CVE-2024-26717, CVE-2024-26719, CVE-2024-26725, CVE-2024-26735, CVE-2024-26740, CVE-2024-26746, CVE-2024-26759, CVE-2024-26772, CVE-2024-26772, CVE-2024-26782, CVE-2024-26785, CVE-2024-26786, CVE-2024-26789, CVE-2024-26799, CVE-2024-26803, CVE-2024-26837, CVE-2024-26840, CVE-2024-26843, CVE-2024-26857, CVE-2024-26861, CVE-2024-26878, CVE-2024-26880, CVE-2024-26886, CVE-2024-26889, CVE-2024-26897, CVE-2024-26900, CVE-2024-26903, CVE-2024-26907, CVE-2024-26921, CVE-2024-26924, CVE-2024-26925, CVE-2024-26960, CVE-2024-26984, CVE-2024-27012, CVE-2024-27015, CVE-2024-27017, CVE-2024-27049, CVE-2024-27062, CVE-2024-27072, CVE-2024-27079, CVE-2024-27395, CVE-2024-27410, CVE-2024-27437, CVE-2024-31076, CVE-2024-34030, CVE-2024-35801, CVE-2024-35807, CVE-2024-35810, CVE-2024-35814, CVE-2024-35824, CVE-2024-35835, CVE-2024-35838, CVE-2024-35839, CVE-2024-35847, CVE-2024-35853, CVE-2024-35854, CVE-2024-35855, CVE-2024-35861, CVE-2024-35862, CVE-2024-35863, CVE-2024-35864, CVE-2024-35865, CVE-2024-35866, CVE-2024-35867, CVE-2024-35869, CVE-2024-35880, CVE-2024-35888, CVE-2024-35894, CVE-2024-35900, CVE-2024-35912, CVE-2024-35924, CVE-2024-35925, CVE-2024-35930, CVE-2024-35938, CVE-2024-35939, CVE-2024-35946, CVE-2024-35952, CVE-2024-35962, CVE-2024-35970, CVE-2024-35989, CVE-2024-36003, CVE-2024-36015, CVE-2024-36882, CVE-2024-36884, CVE-2024-36889, CVE-2024-36930, CVE-2024-36977, CVE-2024-38540, CVE-2024-38550, CVE-2024-38565, CVE-2024-38586, CVE-2024-38601, CVE-2024-38608, CVE-2024-39492, CVE-2024-39503, CVE-2024-40961, CVE-2024-40984, CVE-2024-41012, CVE-2024-41020, CVE-2024-41058, CVE-2024-41066, CVE-2024-41071, CVE-2024-41092, CVE-2024-41093, CVE-2024-42079, CVE-2024-42090, CVE-2024-42268, CVE-2024-42271, CVE-2024-42272, CVE-2024-42272, CVE-2024-42276, CVE-2024-42283, CVE-2024-42284, CVE-2024-42301, CVE-2024-43817, CVE-2024-43856, CVE-2024-43865, CVE-2024-43870, CVE-2024-43888, CVE-2024-44989, CVE-2024-45018 | |
| GRD-90217 | RHEL9 - python3-setuptools rpm update | CVE-2024-6345 | |
| GRD-90218 | RHEL9 - python3-idna rpm update | CVE-2024-3651 | |
| GRD-90219 | RHEL9 - Red Hat Update for linux-firmware (RHSA-2024:4774) | CVE-2023-31346 CVE-2023-31356 CVE-2023-20584 | |
| GRD-90220 | RHEL9 - Red Hat Update for net-Simple Network Management Protocol (SNMP) (RHSA-2024:7260) |
CVE-2022-24805, CVE-2022-24810, CVE-2022-24809, CVE-2022-24808, CVE-2022-24807, CVE-2022-24806
|
|
| GRD-90221 | RHEL9 - Red Hat Update for openipmi (RHSA-2024:8037) | CVE-2024-42934 | |
| GRD-90222 | RHEL9 - Red Hat Update for c-ares (RHSA-2024:3842) | CVE-2024-25629 | |
| GRD-90224 | RHEL9 - bubblewrap and flatpak rpm to latest | CVE-2024-42472 | |
| GRD-90225 | RHEL9 - yajl rpm to latest | CVE-2023-33460 | |
| GRD-90332 | PSIRT : PVR0495866, PVR0496166, PVR0523399 krb5 (publicly disclosed vulnerability) | CVE-2024-26462, CVE-2024-26458, CVE-2024-37371 | |
| GRD-90393 | PSIRT: PVR0512735 PVR0515455, PVR0523472 OpenSSL | CVE-2024-4603, CVE-2024-4741, CVE-2024-5535 | |
| GRD-91115 |
Mutliple vulnerabilities in RHEL9 Linux Kernel
PSIRT: PVR0561900, PVR0561901, PVR0577106, PVR0579330, PVR0579085, PVR0578945, PVR0578569, PVR0578484, PVR0578416, PVR0577950, PVR0577378, PVR0577712, PVR0577417, PVR0577472, PVR0577482, PVR0577512
|
CVE-2024-41091, CVE-2024-42096, CVE-2024-27030, CVE-2024-27023, CVE-2024-43869, CVE-2024-43830, CVE-2024-41090, CVE-2024-42084, CVE-2024-26761, CVE-2024-27017, CVE-2024-36902, CVE-2024-36920, CVE-2024-26921, CVE-2024-43911, CVE-2024-42070, CVE-2021-47606, CVE-2024-45020, CVE-2024-41071, CVE-2024-40956, CVE-2024-27022, CVE-2024-36932, CVE-2024-42141, CVE-2024-40905, CVE-2024-38543, CVE-2024-44984, CVE-2024-45005, CVE-2024-36891, CVE-2024-36477, CVE-2023-52902, CVE-2022-48974, CVE-2022-48997, CVE-2024-36926, CVE-2024-36902, CVE-2024-40906, CVE-2024-27016, CVE-2024-26899, CVE-2024-26987, CVE-2024-38600, CVE-2024-26882, CVE-2024-39486 | |
| GRD-92036 | PSIRT: PVR0563574 - Snowflake-jdbc-3.14.0.jar (publicly disclosed vulnerability found by Mend) - webapps | CVE-2024-6763 | |
| GRD-92044 | PSIRT: PVR0568961 - Kafka - CVE-2024-31141 (publicly disclosed vulnerability) - kafka | CVE-2024-31141 |
[{"Type":"MASTER","Line of Business":{"code":"LOB76","label":"Data Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"ARM Category":[{"code":"a8m3p000000PCTuAAO","label":"Platform\/Installation\/Deployment"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"12.0.0"}]
Was this topic helpful?
Document Information
Modified date:
27 May 2025
UID
ibm17182382