Release Notes
Abstract
This technical note provides guidance for installing IBM Guardium Data Protection patch 12.0p40, including any new features or enhancements, resolved or known issues, or notices associated with the patch.
Content
Patch information
- Patch file name: SqlGuard-12.0p40_Bundle_May_07_2025.tgz.enc.sig
- MD5 checksum: f3170001d6e91c0dc7acfe5cf93c4f00
Finding the patch
- Select the following options to download this patch on the IBM Fix Central website and click Continue.
- Product selector: IBM Security Guardium
- Installed Version: 12.0
- Platform: All
- On the "Identify fixes" page, select Browse for fixes and click Continue.
- On the "Select fixes" page, select Appliance patch (GPU and Ad-Hoc). Then, enter the patch information in the Filter fix details field to locate the patch.
For information about Guardium patch types and naming conventions, see the Understanding Guardium patch types and patch names support document.
Prerequisites
The latest Guardium Data Protection health check patch 12.0p9997
Installation
Notes:
- This patch is an appliance bundle that includes all fixes for version 12.0.
- This patch is cumulative and includes all the fixes from previously released patches.
- This patch restarts the Guardium system.
- Do not reboot the appliance while the patch install is in progress. Contact IBM Support if there is an issue with patch installation.
- When changing the password of CLI and guardcli users in the Guardium command line interface, a password strength warning appears even when strong passwords are not enabled. To remove the strong password checks, execute the CLI command store user strong_password disable.
Overview:
- Download the patch and extract the compressed package outside the Guardium system.
- Review the latest version of the patch release notes just before you install the patch.
- Pick a "quiet" or low-traffic time to install the patch on the Guardium system.
- Apply the latest health check patch.
- Install patches in a top-down manner on all Guardium systems: start with the central manager, then aggregators, then the collectors.
- Apply the latest quarterly DPS patch and rapid response DPS patch even if these patches were applied before the upgrade.
For information about installing Guardium Data protection patches, see Installing patches in the Guardium documentation.
Attention
Guardium appliance bundle upgrade time extended due to MySQL tables conversion
Following MySQL support requirements, most tables are converted from MyISAM to InnoDB starting with Guardium appliance bundle versions 11.0p550 and later, and versions 12.0p25 and later. Due to the large size of some tables, which are mostly static tables, the conversion might consume more time than usual during an appliance bundle upgrade. Note: Do not cancel the patch installation process. If you have any concerns, contact IBM Support.
For more information, see Guardium appliance bundle upgrade time extended due to MySQL tables conversion.
Guardium patch signing certificate expired on 29 March 2025
The current patch signing certificate for Guardium appliance patches expired on 29 March 2025. Guardium appliance patches are signed by an internal certificate to validate that the patch is created by Guardium. Unsigned patch files cannot be installed.
This patch, 12.0p40, is signed by the new patch signing certificate. Therefore, to install this patch, the patch signing certificate on your Guardium appliance must first be updated by installing ad hoc patch 12.0p1012 (see release note), appliance bundle 12.0p25 (see release note), or appliance bundle 12.0p30 (see release note).
For Guardium 12.0 systems, appliance bundle patch 12.0p25 or later provides an updated certificate. For more information, see IBM Guardium - Patch signing certificate set to expire in March 2025.
Enhancements
This patch includes the following enhancements.
| Issue key | Summary |
|---|---|
| GRD-86444 | S-TAP (Software TAP) verification support for Milvus (NoSQL) database type to verify inspection engines |
| GRD-86445 | Advanced verification support for Milvus (NoSQL) database type to verify inspection engines |
| GRD-86446 | Added support for creating a datasource of Milvus Database type for an Stap Verification Application type |
| GRD-88705 | [Microsoft SQL Server] Improved the handling of unavailable database connections during classification scan |
| GRD-89094 | Fixed version check logic for Neo4j to correctly compare versions with decimals |
| GRD-92386 | When upgrading from version 11.5 to version 12.0, special characters are allowed in the password for SCP backup server |
| GRD-94307 | Add force option to CLI command replace certificate gim algorithm |
| GRD-94703 | Removed old patch signing certificates from appliance and UI after March 2025 |
| GRD-94997 | Update Entrust Certificate Authority root certificate (entrust_g3) signature algorithm to SHA2 |
Resolved issues
This patch resolves the following issues.
| Patch | Issue key | Summary | Known issue (APAR) |
|---|---|---|---|
| 12.0p35 | This patch includes fixes from 12.0p35 (see release notes) | DT419735 | |
|
GRD-85772
|
Enterprise load balancer (ELB) not relocating S-TAPs (Software TAPs) when collector database is getting full | DT419735 | |
| GRD-87135 | Unable to send files from Guardium to COS bucket on IBM Cloud | DT431894 | |
|
GRD-87718
|
GUI Certificate running in 1024 bites after running the CLI command restore certificate keystore alias default tomcat | DT422234 | |
| GRD-88890 | Backup configuration via SFTP failed with the Connection corrupted message | DT426747 | |
| GRD-89081 | CLI command show port open scans for the open port instead of making an actual connection | N/A | |
| GRD-89308 | Version 12.1 managed units do not successfully register to central manager | DT426768 | |
|
GRD-89562
|
Inconsistent hostname in syslog message header for Guardium sniffer and audit process |
DT423305
|
|
|
GRD-89659
|
The issue with test report result for Guardium vulnerability assessment scan is Guardium Test ID on MS SQL Server is No Guest User Accounts is erring for all instances | DT419987 | |
| GRD-89881 | Guardium FAM policy for adding another action cannot be saved | DT419254 | |
| GRD-89910 | Guardium version 12.1 central manager still accepts TLS 1.0 and 1.1 connections | DT431893 | |
|
GRD-91913
|
In GIM Clients Status report, the GIM client install date is displayed in UTC timezone with the column header: GIM Client Install Date (UTC) |
DT431919
|
|
|
GRD-92530
|
Deployment Health Table / Dashboard on the central manager shows unavailable status (blue) for all managed units | DT425251 | |
| GRD-92686 | Grdapi to upload custom table is not working when using only datasource group is attached to the custom table | DT431864 | |
|
GRD-93189
|
Unable to log in to the appliance after configuring multi-factor authentication for DUO on Guardium | DT422702 | |
|
GRD-93684
|
For the grdapi change_cli_password, the following error appears: User has insufficient privileges for the requested API function | DT431874 | |
|
GRD-93729
|
After the failover to the backup central manager, the managed units are unable to sync license | DT424816 | |
|
GRD-94015
|
Managed unit registration to the central manager does not succeed due to mismatch in the strength of the system shared secret | DT424713 | |
|
GRD-94620
|
After Enforce allowlist for GUI logins is enabled, Chinese characters for user's First Name and Last name are displayed as garbaged characters in the GUI | DT435753 | |
| GRD-95201 | Grdapi create_stap_inspection_engine fails with duplicate message when there are no duplicates | N/A | |
| GRD-95306 | Solr certificate for version 11.5 expired on 12 January 2025 | DT436468 | |
| GRD-98054 | Sniffer restarts on all collectors since 11.0p560 is installed | DT436686 |
Security fixes
This patch resolves the following issues.
| Patch | Issue key | Summary | CVE |
|---|---|---|---|
| 12.0p35 | This patch includes fixes from 12.0p35 (see release notes) | ||
|
GRD-88577
|
PSIRT : PVR0568237, PVR0568289, PVR0568315 Postgresql in version 12.x and version 11.x
|
CVE-2024-7348, CVE-2024-10979, CVE-2024-10978, CVE-2024-10976, CVE-2025-1094
|
|
|
GRD-91838
|
PSIRT: PVR0586687 - SE - Pen Testing On-prem 2024 - Read any file by SUID binary - nmap_wrapper (TZAVW-0004 - 6.1 Medium - page 10) |
CVE-2025-25023
|
|
|
GRD-92006
|
SE - Pen Testing On-prem 2024 - Extraneous information revealed in detailed error messages (TZAVW-0019 - 5.3 Medium - page 1) |
CVE-2025-25028
|
|
|
GRD-92007
|
PSIRT: PVR0586693 - SE - Pen Testing On-prem 2024 - Incorrect Authorization of Setup functions (TZAVW-0021 - 5.0 Medium - pages 11-12) |
CVE-2025-25026
|
|
|
GRD-92008
|
PSIRT: PVR0586689 - SE - Pen Testing On-prem 2024 - Download any file from server by backup/export function (TZAVW-0005 - 4.9 - Medium - page 14) |
CVE-2025-25029
|
|
|
GRD-92009
|
PSIRT: PVR0586686 - SE - Pen Testing On-prem 2024 - User information is available to all users (TZAVW-0012 - 4.3 Medium - pages 14-15) |
CVE-2025-25025
|
|
| GRD-92011 |
PVR0586696 - SE - Pen Testing On-prem 2024 - Multiple DataStream Vulnerabilities (TZAVW-0018 - 9.8 - Critical - pages 16-18)
|
CVE-2023-32732, CVE-2015-1832,
CVE-2024-45772, CVE-2023-22737,
CVE-2021-47400, CVE-2022-31122,
CVE-2023-33953, CVE-2018-1313,
CVE-2024-45217, CVE-2024-3596
|
|
| GRD-92031 | PSIRT: PVR0552042 - commons-io-2.11.0.jar (Publicly disclosed vulnerability found by Mend) - kafka |
CVE-2024-47554
|
|
| GRD-92032 | PSIRT: PVR0557444 - jetty-http-9.4.53.v20231009.jar (Publicly disclosed vulnerability found by Mend) - kafka |
CVE-2024-6763
|
|
| GRD-92040 | PSIRT: PVR0567482 - netty-common-4.1.108.Final.jar (Publicly disclosed vulnerability found by Mend) - kafka |
CVE-2024-47535
|
|
| GRD-92046 | PSIRT: PVR0568961 - Kafka - CVE-2024-31141 (Publicly disclosed vulnerability) - datastreams |
CVE-2024-31141
|
|
| GRD-92047 | PSIRT: PVR0575094 - struts2-core-2.5.33.jar (Publicly disclosed vulnerability found by Mend) - webapps |
CVE-2024-53677
|
|
| GRD-93251 | PSIRT: PVR0586099 - cxf-core-3.5.6.jar (Publicly disclosed vulnerability found by Mend) | ||
| GRD-93447 | Tenable Scan - Skopeo rpm need to be installed latest in version 12 |
CVE-2024-34156
|
|
|
GRD-93448
|
Tenable Scan - runc rpm need to be installed latest in version 12
|
CVE-2024-24788, CVE-2024-21626
|
|
| GRD-93449 | Tenable Scan - pam rpm need to be installed latest in version 12 | CVE-2024-10963 | |
|
GRD-93632
|
PSIRT: PVR0562183 - MySQL Upgrade needed for October
2024 CPU
|
CVE-2024-21193, CVE-2024-21194 CVE-2024-21197, CVE-2024-21198 CVE-2024-21199, CVE-2024-21200 CVE-2024-21201, CVE-2024-21204 CVE-2024-21209, CVE-2024-21212 CVE-2024-21213, CVE-2024-21231 CVE-2024-21236, CVE-2024-21237 CVE-2024-21241, CVE-2024-21243 CVE-2024-21244, CVE-2024-21247 CVE-2024-21262, CVE-2024-21272
|
|
| GRD-93688 | Tenable Scan - rsync rpm need to be installed latest in version 12 | CVE-2024-12085 | |
| GRD-94118 | Tenable Scan - krb5 rpm need to update | CVE-2024-3596 | |
| GRD-94137 | Tenable Scan - tuned rpm in version 12.x | CVE-2024-52337 | |
|
GRD-94326
|
Tenable Scan - KERNEL need to be updated
|
CVE-2024-53088, CVE-2024-38598, CVE-2024-35927, CVE-2024-43879, CVE-2024-35898, CVE-2024-35913, CVE-2024-35973, CVE-2024-35824, CVE-2024-35809, CVE-2024-38562, CVE-2024-35859, CVE-2023-28746, CVE-2024-50256, CVE-2024-40907 | |
|
GRD-94913
|
PSIRT: PVR0595976, PVR0596141 - multiple netty vulnerabilities (Publicly disclosed vulnerability found by Mend) |
CVE-2025-25193, CVE-2025-24970
|
|
| GRD-95020 | Tenable Scan - glib2 rpm need to be updated | CVE-2024-34397 | |
|
GRD-95022
|
Tenable Scan - podman and buildah rpm need to be updated
|
CVE-2024-9675, CVE-2024-9407, CVE-2024-9676 | |
|
GRD-95023
|
Tenable Scan - microcode ctl
|
CVE-2023-46103, CVE-2023-38575, CVE-2023-45733, CVE-2023-22655, CVE-2023-28746, CVE-2023-43490, CVE-2023-39368, CVE-2023-46103, CVE-2023-38575, CVE-2023-45733, CVE-2023-22655 | |
| GRD-95024 | Tenable Scan - libgcrypt we need to update to latest | CVE-2024-2236 | |
| GRD-95025 | Tenable Scan - nano rpm need to be updated | CVE-2024-5742 | |
| GRD-95137 | Tenable Scan - vim rpm need to be updated | CVE-2021-3903 | |
| GRD-96187 | CVE-2024-52336 tuned-2.22.1-3.el9_4.noarch | CVE-2024-52336 | |
| GRD-96809 | Tenable Scan - emacs rpm needs to be updated | CVE-2025-1244 | |
| GRD-97707 | PSIRT: PVR0630165 - netty-incubator-codec-classes-quic-0.0.52.Final.jar (Publicly disclosed vulnerability found by Mend) | CVE--2025-29908 | |
| GRD-97817 | PSIRT: PVR0631190 - 3rd party: IBM Security Guardium - Stored XSS | ||
| GRD-98135 | FreeType remote code execution vulnerability | CVE-2025-27363 | |
| GRD-98305 | PSIRT: PVR0636917 - IBM Guardium Data Protection is vulnerable to multiple Tomcat vulnerabilities | CVE-2025-24813, CVE-2024-50379 |
[{"Type":"MASTER","Line of Business":{"code":"LOB76","label":"Data Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"ARM Category":[{"code":"a8m3p000000PCTuAAO","label":"Platform\/Installation\/Deployment"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"12.0.0"}]
Was this topic helpful?
Document Information
Modified date:
27 May 2025
UID
ibm17231168