IBM Support

Release of Guardium Data Protection patch 11.0p565

Release Notes


Abstract

This technical note provides guidance for installing IBM Guardium Data Protection patch 11.0p565, including any new features or enhancements, resolved or known issues, or notices associated with the patch.

Content

Patch information
  • Patch file name: SqlGuard-11.0p565_Bundle_May_07_2025.tgz.enc.sig
  • MD5 checksum: a61e8a4ef650b06d0b24f46dc6d64599
Finding the patch 
  1. Select the following options to download this patch on the IBM Fix Central website and click Continue.
    • Product selector: IBM Security Guardium
    • Installed version: 11.5
    • Platform: All
  2. On the "Identify fixes" page, select Browse for fixes and click Continue.
  3. On the "Select fixes" page, select Appliance Patch (GPU and Ad-Hoc). Then, enter the patch information in the Filter fix details field to locate the patch.
For information about Guardium patch types and naming conventions, see the Understanding Guardium patch types and patch names support document.
Prerequisites
Installation
Notes:
  • This patch is an appliance bundle that includes fixes for version 11.5.
  • This patch is cumulative and includes all the fixes from previously released patches.
  • This patch restarts the Guardium system.
  • Do not reboot the appliance while the patch install is in progress. Contact IBM Support if there is an issue with patch installation.
  • When changing the password of CLI and guardcli users in the Guardium command line interface, a password strength warning appears even when strong passwords are not enabled. To remove the strong password checks, execute the CLI command store user strong_password disable.
  • If you have single sign-on enabled and are upgrading from a patch level below 11.0p530, you must re-download the metadata from the upgraded central manager and apply it on the identity provider.
Overview:
  1. Download the patch and extract the compressed package outside the Guardium system.
  2. Be sure to check the latest version of this patch release note online just before you install this patch.
  3. Pick a "quiet" or low-traffic time to install the patch on the Guardium system.
  4. Apply the latest health check patch.
  5. Install patches in a top-down manner on all Guardium systems: start with the central manager, then aggregators, then the collectors.
  6. Apply the latest quarterly DPS patch and rapid response DPS patch.
For information about installing patches, see Installing patches in the Guardium documentation.
Attention
Guardium appliance bundle upgrade time extended due to MySQL tables conversion
Following MySQL support requirements, most tables are converted from MyISAM to InnoDB in Guardium appliance bundle versions 11.0p550 and later, and versions 12.0p25 and later. Because some tables, which are mostly static tables, are large, the conversion might make an appliance bundle upgrade take longer than usual.
Note: Do not cancel the patch installation process. If you have any concerns, contact IBM Support.
Guardium sniffer certification expired on 3 March 2025
The previous sniffer default certificate expired on 3 March 2025 and you must install a Guardium appliance patch to renew the certificate. For Guardium 11.5 systems, appliance bundle patch 11.0p545 or later provides an updated certificate. For more information, see IBM Guardium sniffer certification expires March 2025.
Guardium patch signing certificate expired on 29 March 2025
Guardium appliance patches are signed by an internal certificate to validate that the patch is created by Guardium. Unsigned patch files cannot be installed. The previous patch signing certificate for Guardium appliance patches expired on 29 March 2025.
This patch, 11.0p565, is signed by the new patch signing certificate. Therefore, to install this patch, your Guardium appliance must be prepared by installing an ad hoc or bundle patch with the fix that allows patches signed by old or new certificates to be installed. See IBM Guardium - Patch signing certificate set to expire in March 2025 and follow the steps in the "What to do after March 29th 2025" section if the patch signing certificate was not renewed.
SHA256 GIM client certificates
After applying patch 11.0p530 or later, Guardium supports SHA256 Guardium Installation Manager (GIM) certificates. This has the following implications:
  • The default certificates could be either SHA256 or SHA128, depending on the GIM server certificate setup. Custom certificates that use SHA256 are more secure and are recommended for GIM connections. Note that GIM connectivity is not interrupted after applying this patch.
  • GIM only verifies bundles signed with SHA256 and requires installation of a transitional GIM bundle to support the GIM client change from SHA128 to SHA256.
Microsoft certificates expired on 20 May 2024
Microsoft certificates (microsoftca1-4) expired on 20 May 2024. The following Guardium patches provide updated certificates:
  • 11.3 systems that use patch 11.0p392 or later
  • 11.4 systems that use patch 11.0p485 or later
  • 11.5 systems that use patch 11.0p535 or later
  • 12.0 systems that use patch 12.0p5 or later
Install the correct patch for your Guardium systems to use the updated certificates. For more information, see https://www.ibm.com/support/pages/node/7080145
Enhancements
This patch includes the following enhancements.
Issue key | Summary
GRD-86309 | Update SNMP and SMTP configurations by using grdapi commands
GRD-88705 | [Microsoft SQL Server] Improved the handling of unavailable database connections during classification scan
GRD-89094 | Fixed version check logic for Neo4j to correctly compare versions with decimals
GRD-92386 | When upgrading from version 11.5 to version 12.0, special characters are allowed in the password for SCP backup server
GRD-92922 | Upgrade AWS KCL (Kinesis Client Library) to version 2.6.1 or later to avoid known issue with shard processing
GRD-94307 | Add force option to CLI command replace certificate gim algorithm
GRD-94703 | Removed old patch signing certificates from appliance and UI after March 2025
GRD-94997 | Update Entrust Certificate Authority root certificate (entrust_g3) signature algorithm to SHA2
Resolved issues
This patch resolves the following issues.
Patch | Issue key | Summary | Known issue (APAR)
11.0p560 | See release note for patch 11.0p560
11.0p565 | GRD-65890 | Copy a custom K-TAP module from one GIM server environment to another GIM server environment by using the CLI command export gim_bundle <param : host> | GA18407
11.0p565 | GRD-78855 | Backup restore didn't restore the SAML and CyberArk configuration from 11.5 to 12 | DT276401
11.0p565 | GRD-80679 | Guardium audit process intermittently fails with error:1615; message:Prepared statement needs to be re-prepared | DT421926
11.0p565 | GRD-87129 | After configuring A-TAP on collector with Oracle Exadata databases, the collector reports a high CPU usage | DT420527
11.0p565 | GRD-89562 | Inconsistent hostname in syslog message header for Guardium sniffer and audit process | DT423305
11.0p565 | GRD-90898 | Incorrect indentation in grdapi list_inspection_engines | DT425742
11.0p565 | GRD-91695 | Resolved security vulnerability | N/A
11.0p565 | GRD-92214 | Issue with adding and updating catalog by using GUI and grdapi | DT426077
11.0p565 | GRD-92517 | Add Oracle Cloud Infrastructure to the list of available Kubernetes service providers for the Cloud provider parameter in the Kubernetes tab of the Deploy External S-TAP window | DT425733
11.0p565 | GRD-92530 | Deployment health topology and table views, and the deployment health dashboard show blue unavailable status for all managed units | DT425251
11.0p565 | GRD-92686 | When datasource group is attached to the custom table, grdapi to upload custom table does not work | DT431864
11.0p565 | GRD-93189 | Unable to log in to the appliance after configuring multi-factor authentication for DUO on Guardium | DT422702
11.0p565 | GRD-93335 | Vulnerability named "No Input Validation" reported in all Guardium appliances | DT425752
11.0p565 | GRD-93729 | After the failover to the backup central manager, the managed units are unable to sync license | DT424816
11.0p565 | GRD-94290 | After patch 11.0p492, audit process displays the following error: com.guardium.portal.admin.ApplicationResources' key: 'todo.notification.action..review | DT425537
11.0p565 | GRD-95306 | Solr certificate for version 11.5 expired on 12 January 2025 | DT436468
11.0p565 | GRD-98054 | After installing 11.0p560, sniffer restarts on all collectors
Security fixes
This patch contains the following security fixes.
Patch | Issue key | Summary | CVE
11.0p560 | See release note for patch 11.0p560
11.0p565 | GRD-82532 | PSIRT: PVR0509682 - IBM SDK, Java Technology Edition Quarterly CPU - Apr 2024 - includes Oracle April 2024 CPU and CVE-2023-38264 | CVE-2023-38264
11.0p565 | GRD-88577 | PSIRT: PVR0568237, PVR0568289, PVR0568315 PostgreSQL in versions 12.x and 11.x | CVE-2024-7348, CVE-2024-10979, CVE-2024-10978, CVE-2024-10976, CVE-2025-1094
11.0p565 | GRD-91838 | PSIRT: PVR0586687 - SE - Pen Testing On-prem 2024 - Read any file by SUID binary - nmap_wrapper (TZAVW-0004 - 6.1 Medium - page 10) | CVE-2025-25023
11.0p565 | GRD-92006 | SE - Pen Testing On-prem 2024 - Extraneous information revealed in detailed error messages (TZAVW-0019 - 5.3 Medium - page 11) | CVE-2025-25028
11.0p565 | GRD-92036 | PSIRT: PVR0563574 - Snowflake-jdbc-3.14.0.jar (Publicly disclosed vulnerability found by Mend) - webapps | CVE-2024-6763
11.0p565 | GRD-92047 | PSIRT: PVR0575094 - struts2-core-2.5.33.jar (Publicly disclosed vulnerability found by Mend) - webapps | CVE-2024-53677
11.0p565 | GRD-93251 | PSIRT: PVR0586099 - cxf-core-3.5.6.jar (Publicly disclosed vulnerability found by Mend)
11.0p565 | GRD-93632 | PSIRT: PVR0562183 - MySQL upgrade needed for October 2024 CPU | CVE-2024-21193, CVE-2024-21194, CVE-2024-21197, CVE-2024-21198, CVE-2024-21199, CVE-2024-21200, CVE-2024-21201, CVE-2024-21204, CVE-2024-21209, CVE-2024-21212, CVE-2024-21213, CVE-2024-21231, CVE-2024-21236, CVE-2024-21237, CVE-2024-21241, CVE-2024-21243, CVE-2024-21244, CVE-2024-21247, CVE-2024-21262, CVE-2024-21272
11.0p565 | GRD-93689 | Tenable Scan - latest rsync rpm needs to be installed in version 11.x | CVE-2024-12085
11.0p565 | GRD-93695 | Tenable Scan - latest squid rpm needs to be installed | CVE-2024-45802, CVE-2023-46846
11.0p565 | GRD-94122 | Tenable Scan - shim rpm needs update | CVE-2023-40551, CVE-2023-40550, CVE-2023-40549
11.0p565 | GRD-94124 | Tenable Scan - python3 rpm needs to be updated | CVE-2024-6232
11.0p565 | GRD-94136 | Tenable Scan - tuned rpm needs to be updated | CVE-2024-52337
11.0p565 | GRD-95676 | PVR0523399, PVR0586695 krb5-0:1.15.1-55.el7_9.3 vulnerability | CVE-2024-37371, CVE-2024-3596
11.0p565 | GRD-96809 | Tenable Scan - emacs rpm needs to be updated | CVE-2025-1244
11.0p565 | GRD-97237 | PSIRT: PVR0630123 - RHEL7 kernel update | CVE-2024-36971
11.0p565 | GRD-97817 | PSIRT: PVR0631190 - 3rd party: IBM Security Guardium - Stored XSS
11.0p565 | GRD-98135 | PSIRT: PVR0636423 - FreeType remote code execution vulnerability | CVE-2025-27363


Document Information

Modified date:
27 May 2025

UID

ibm17230003