Release Notes
Abstract
This technical note provides guidance for installing IBM Guardium Data Protection patch 11.0p494, including any new features or enhancements, resolved or known issues, or notices associated with the patch.
Content
Patch information
- Patch file name: SqlGuard-11.0p494_Bundle_Mar_21_2025.tgz.enc.sig
- MD5 checksum: 70aba77d1d6bfff5ccec13649fcad765
Finding the patch
- Select the following patches to download this patch on the IBM Fix Central website and click Continue.
- Product selector: IBM Security Guardium
- Installed Version: 11.0
- Platform: All
- On the "Identify fixes" page, select Browse for fixes and click Continue.
- On the "Select fixes" page, select Appliance patch (GPU and ad hoc). Then, enter the patch information in the Filter fix details field to locate the patch.
For information about Guardium patch types and naming conventions, see the Understanding Guardium patch types and patch names support document.
Prerequisites
- Guardium 11.0p400 (see the 11.0p400 release notes for more information)
- The latest health check patch 11.0p9997
Installation
Notes:
- This patch is an appliance bundle that includes fixes for Guardium 11.4.
- This patch is cumulative and includes all the fixes from previously released patches.
- This patch restarts the Guardium system.
- Do not reboot the appliance while the patch install is in progress. Contact IBM Support if there is an issue with patch installation.
Overview:
- Download the patch and extract the compressed package outside the Guardium system.
- Be sure to check the latest version of these patch release notes online just before you install this patch.
- Pick a "quiet" or low-traffic time to install the patch on the Guardium system.
- Apply the latest health check patch.
- Install patches in a top-down manner on all Guardium systems: start with the central manager, then aggregators, then the collectors.
- Apply the latest quarterly DPS patch and rapid response DPS patch even if these patches were applied before the upgrade.
For information about installing Guardium Data Protection patches, see How to install patches in the product documentation.
Attention
Guardium patch signing certificate expired on 29 March 2025
The current patch signing certificate for Guardium appliance patches expired on 29 March 2025. Guardium appliance patches are signed by an internal certificate to validate that the patch is created by Guardium. Unsigned patch files cannot be installed.
For Guardium 11.4 systems, appliance bundle patch 11.0p492 or later provides an updated certificate. For more information, see IBM Guardium - Patch signing certificate set to expire in March 2025.
SHA256 GIM client certificates
After applying patch 11.0p475 or later, Guardium supports SHA256 Guardium Installation Manager (GIM) certificates. This has the following implications:
After applying patch 11.0p475 or later, Guardium supports SHA256 Guardium Installation Manager (GIM) certificates. This has the following implications:
- The default certificates could be either SHA256 or SHA128, depending on the GIM server certificate setup. Custom certificates that use SHA256 are more secure and are recommended for GIM connections.
- GIM only verifies bundles signed with SHA256 and requires installation of a transitional GIM bundle to support the GIM client upgrade from SHA128 to SHA256.
For more information, see Updating Guardium Data Protection GIM clients with SHA256 certificates.
Microsoft certificates expired on 20 May 2024
Microsoft certificates (microsoftca1-4) expired on 20 May 2024. The following Guardium patches provide updated certificates:
Microsoft certificates (microsoftca1-4) expired on 20 May 2024. The following Guardium patches provide updated certificates:
- 11.3 systems use patch 11.0p392 or later
- 11.4 systems use patch 11.0p485 or later
- 11.5 systems use patch 11.0p535 or later
- 12.0 systems use patch 12.0p5 or later
Install the correct patch for your Guardium system to use the updated certificates. For more information, see https://www.ibm.com/support/pages/node/7080145
Enhancements
This patch includes the following enhancements.
| Issue key | Summary |
|---|---|
| GRD-88705 | [Microsoft SQL Server] Improved the handling of unavailable database connections during classification scan |
| GRD-94703 | Removed old patch signing certificates from appliance and UI after March 2025 |
Resolved issues
This patch resolves the following issues.
| Patch | Issue key | Summary | APAR |
|---|---|---|---|
| 11.0p493 | See the 11.0p493 release notes for more information | ||
| 11.0p494 | GRD-87121 | SMTP subject/issuer verification failed | DT422295 |
| GRD-87718 | After running restore certificate keystore alias default tomcat, GUI certificate is still running in 1024 bites | DT422234 | |
| GRD-89310 | GUI login hangs in AWS cloud environment with central manager and managed units | DT419827 | |
| GRD-90015 | Venafi certificates still failing after applying fix p550 | DT416887 | |
| GRD-90211 | Unable to add new Catalog Archive entry on collector | DT421878 | |
| GRD-91695 | Resolved security vulnerability | N/A | |
| GRD-92308 | Primary central manager failover policy installation verification change | DT421946 | |
| GRD-92406 | After installing 11.0p492 on the collector, unable to see the status of patches on central manager | DT426128 | |
| GRD-94290 | After applying 11.0p492, the audit process displays the following error com.guardium.portal.admin.ApplicationResources' key: 'todo.notification.action.review | DT425537 |
Security fixes
This patch contains the following security fixes.
| Patch | Issue key | Summary | CVE |
|---|---|---|---|
| 11.0p493 |
See the 11.0p493 release notes for more information
|
||
| 11.0p494 |
GRD-88577
|
PSIRT: PVR0568237, PVR0568289, PVR0568315 PostgreSQL in versions 12.x and 11.x
|
CVE-2024-7348, CVE-2024-10979, CVE-2024-10978, CVE-2024-10976, CVE-2025-1094
|
|
GRD-91838
|
PSIRT: PVR0586687 - SE - Pen Testing On-prem 2024 - Read any file by SUID binary - nmap_wrapper (TZAVW-0004 - 6.1 Medium - page 10) | CVE-2025-25023 | |
|
GRD-92047
|
PSIRT: PVR0575094 - struts2-core-2.5.33.jar (Publicly disclosed vulnerability found by Mend) - webapps | CVE-2024-53677 | |
|
GRD-93251
|
PSIRT: PVR0586099 - cxf-core-3.5.6.jar (Publicly disclosed vulnerability found by Mend) | ||
| GRD-93689 | Tenable Scan - rsync rpm need update | CVE-2024-12085 | |
|
GRD-94122
|
Tenable Scan - shim rpm need update
|
CVE-2023-40551, CVE-2023-40550, CVE-2023-40549
|
|
| GRD-94124 | Tenable Scan - python3 rpm need update | CVE-2024-6232 | |
| GRD-94136 | Tenable Scan - tuned rpm need update | CVE-2024-52337 |
[{"Type":"MASTER","Line of Business":{"code":"LOB76","label":"Data Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"ARM Category":[{"code":"a8m3p000000PCTuAAO","label":"Platform\/Installation\/Deployment"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"11.4.0"}]
Was this topic helpful?
Document Information
Modified date:
03 April 2025
UID
ibm17228909