Release Notes
Abstract
This technical note provides guidance for installing IBM Guardium Data Protection patch 12.0p10, including any new features or enhancements, resolved or known issues, or notices associated with the patch.
Content
Patch information
- Patch file name: SqlGuard-12.0p10_Bundle_Feb_26_2024.tgz.enc.sig
- MD5 checksum: cf0f386fa639c2612fb0ef4d2883d4cc
Finding the patch
- Select the following options to download this patch on the IBM Fix Central website and click Continue.
- Product selector: IBM Security Guardium
- Installed Version: 12.0
- Platform: All
- On the "Identify fixes" page, select Browse for fixes and click Continue.
- On the "Select fixes" page, select Appliance patch (GPU and Ad-Hoc). Then, enter the patch information in the Filter fix details field to locate the patch.
For information about Guardium patch types and naming conventions, see the Understanding Guardium patch types and patch names support document.
Prerequisites
The latest Guardium Data Protection health check patch 12.0p9997
Installation
Notes:
- This patch is an appliance bundle that includes all fixes for version 12.0.
- This patch is cumulative and includes all the fixes from previously released patches.
- This patch restarts the Guardium system.
- Do not reboot the appliance while the patch install is in progress. Contact IBM Support if there is an issue with patch installation.
- When changing the password of CLI and guardcli users in the Guardium command line interface, a password strength warning appears even when strong passwords are not enabled. To remove the strong password checks, execute the CLI command store user strong_password disable.
Overview:
- Download the patch and extract the compressed package outside the Guardium system.
- Review the latest version of the patch release notes just before you install the patch.
- Pick a "quiet" or low-traffic time to install the patch on the Guardium system.
- Apply the latest health check patch.
- Install patches in a top-down manner on all Guardium systems: start with the central manager, then aggregators, then the collectors.
- Apply the latest quarterly DPS patch and rapid response DPS patch.
For information about installing Guardium Data protection patches, see How to install patches in the Guardium documentation.
Attention
Renewed Guardium patch signing certificate
Guardium appliance patches are signed by an internal certificate to validate that the patch is created by Guardium. Unsigned patch files cannot be installed. This patch, 12.0p10 is signed by a new patch signing certificate. Therefore, to install this patch, the patch signing certificate on your Guardium appliance must first be updated by installing ad hoc patch 12.0p1012 (see release note) or an appropriate appliance bundle listed in IBM Guardium - Patch signing certificate set to expire in March 2025.
Guardium GIM default self-signed SHA128 certificate
The Guardium GIM default self-signed certificates expired in May 2024. If the certificates were not renewed by the expiration date, the GIM client-server communication is affected. Note that data monitoring activity through S-TAP is not disrupted.
To renew the GIM server (appliance) certificate, install Guardium patch 12.0p10. After you install the patch, allow a few hours for automatic distribution of the renewed GIM certificates to execute on the agents. Check status by using the GIM Certificate Deployment Status report. To learn about the certificate distribution mechanism, see Creating and managing custom GIM certificates.
For more information, see IBM Security Guardium default Self Signed Guardium Installation Manager (GIM) SHA1 Certificates set to expire in May of 2024
Microsoft certificates expired on 20 May 2024
Microsoft certificates (microsoftca1-4) expired on 20 May 2024. The following Guardium patches provide updated certificates:
- 11.3 systems use patch 11.0p392 or later
- 11.4 systems use patch 11.0p485 or later
- 11.5 systems use patch 11.0p535 or later
- 12.0 systems use patch 12.0p5 or later
Install the correct patch for your Guardium systems to use the updated certificates. For more information, see IBM Guardium Security - Microsoft certificates are expiring on May 20th 2024, how can we renew them before this date?
FAM crawler deprecation
FAM discovery agent (crawler) is deprecated starting with Guardium Data Protection 12.1 (see release note).
Enhancements
This patch includes the following enhancements.
| Issue key | Summary |
|---|---|
|
INS-35925
|
Fix plug-ins CVEs in release 1.5.1.
|
|
GRD-78560
|
Improvements for session level policies.
|
|
GRD-75822
|
Ease restriction for GIM custom certificates for SHA256 after upgrading to 12.0 environment. After upgrading to 12.0, you can continue using the default self-signed certificates.
|
|
GRD-75202
|
Add action parameter LABEL to ALERT and LOG actions.
|
|
GRD-75025
|
Enable customer to change proxy settings for universal connector traffic.
|
|
GRD-74193
|
Add new session-level policies SQL criteria: LITERAL
Allowed operators: =, !=, In Group, Not in Group
Criteria allows assignment of existing data-security policy groups of OBJECTS and FIELDS, so customer can reuse existing groups with session-level policies.
|
|
GRD-72527
|
Vulnerability Assessment performance improvements.
|
|
GRD-71702
|
Add new parameter "HDFS audit history length" to Hadoop Monitoring UI page.
|
|
GRD-79022
|
Capability to switch the GIM server certificate to SHA-1.
The CLI command replace certificate gim sha1_default switches GIM certificates that are SHA-256 with the new set of SHA-1 certificates. The command runs when GIM clients are not connected and the current GIM certificate on the appliance is SHA-256.
The command will not run in these scenarios:
|
Known issues
This patch includes the following known issues.
| Issue key | Summary |
|---|---|
|
GRD-82833
|
Do not install this patch if you're using GCP, OCI, or Azure. The fixes for these users will be delivered through a separate patch. AWS is not affected.
|
|
GRD-80265
|
The Deploy Monitoring Agents UI returns the following error, even when GIM clients are present and in listener mode: "GIM clients were not found at the specified IP addresses. Verify that your GIM clients are in listener mode and try again." This impacts both Windows and UNIX clients. No workaround is available; this issue will be fixed in an upcoming release.
|
|
GRD-79651
|
Microsoft SQL Server (on-prem) stops working with universal connector.
Workaround: Upload the correct plug-in for your version of Guardium:
Note: AWS MSSQL does not require uploading the logstash-filter .zip files previously described.
|
|
GRD-79441
|
Universal connector returns an error when updating proxy settings, even when the proxy parameters are correct.
Workaround: After updating proxy settings using the update_proxy Guardium API command, apply the changes using the following command: grdapi run_universal_connector overwrite_old_instance="true" |
|
GRD-79431
|
Unable to clear the IP restriction list from Guardium global profile when disabling IP restriction mode.
Workaround: Perform the operation as two separate actions:
|
Resolved issues
This patch resolves the following issues.
| Patch | Issue key | Summary | Known issue (APAR) |
|---|---|---|---|
| 12.0p05 | This patch includes fixes from patch 12.0p05 | ||
| 12.0p10 | GRD-77062 | "Manage login access by IP address" does not block SSH login in version 12 | GA18496 |
| GRD-76375 | Alerter for SMTP restarts every 5 mins in version 12 | DT259284 | |
| GRD-76019 | “You do not have privileges to see this report” error displays if the dashboard is created by another user | GA18471 | |
| GRD-75092 | Can not import S-TAP and GIM modules because of the following error: "This bundle already exists in the guardium system." | DT259584 | |
| GRD-75080 | "Update database failure" error appears while updating CLI password in Access Manager if one or more guardcli accounts are disabled | DT259323 | |
| GRD-74797 | support store slon off command cannot stop slon capture and is stuck at "Please, wait..." status | GA18479 | |
| GRD-74770 | Oracle (OCI): show network verify command displays empty results | GA18464 | |
| GRD-74712 | Oracle data integrity issues within database username displays unexpected values | GA18480 | |
| GRD-74651 | Executing store system ssh secure with FIPS mode enabled could potentially make system inaccessible other than console | GA18475 | |
| GRD-74597 | Choosing Investigate risky users does not work in the Active Risk Spotter GUI page | GA18461 | |
| GRD-74596 | Error in generating report/monitor when "Show SQL with Values" for SQL with "Order By" keywords | GA18477 | |
| GRD-74577 | Unable to open/edit Alert - java.lang.NullPointerException | GA18455 | |
| GRD-74293 | 215-No access to registry access extended procedures | GA18468 | |
| GRD-74251 | 210-No access to general extended procedures | GA18466 | |
| GRD-74207 | Issues with import group members from query into a dynamic tuple | N/A | |
| GRD-73651 | Audit process builder stops sending information to rsyslog | GA18444 | |
| GRD-73641 | ORIGINAL_TIMEZONE usage in GI datamarts. | N/A | |
| GRD-73623 | Unable to observe data on suspected SQL injection cases | GA18462 | |
| GRD-72875 | Patch installation fails error: "Failed dependencies: device-mapper-multipath-0.4.9-133.el7.x86_64led" | GA18434 | |
| GRD-71924 | OneLogin SAML/SSO configuration | GA18474 | |
| GRD-71882 | Purge / Archive uses "flush tables" | GA18456 | |
| GRD-71296 | Version 11.5p520 Aggregator MySQL occasionally crashed during data archive | GA18454 | |
| GRD-70945 | Unable to configure cli_userauth ldap by using SSL connection | GA18448 | |
| GRD-70493 | Column 'DS_NAME' in field list is ambiguous while creating a custom domain | GA18469 | |
| GRD-69268 | Audit jobs scheduled to run from CM on aggregators failing to start on time | GA18452 | |
| GRD-62943 | smtp auth type defaults to NULL when changing the alerter config | GA18437 |
Security fixes
This patch resolves the following security issues.
| Patch | Issue key | Summary | CVE |
|---|---|---|---|
|
12.0p05
|
This patch includes security fixes from patch 12.0p05 | ||
| 12.0p10 |
GRD-78092
|
PSIRT: PVR0479010 - Apache Struts 2 CVE-2023-50164 vulnerability
|
CVE-2023-50164
|
|
GRD-75494
|
PSIRT: PVR0466861 - snappy-java-1.1.10.1.jar (Publicly disclosed vulnerability found by Mend) - UC
|
CVE-2023-43642
|
[{"Type":"MASTER","Line of Business":{"code":"LOB76","label":"Data Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"ARM Category":[{"code":"a8m3p000000PCTuAAO","label":"Platform\/Installation\/Deployment"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"12.0.0"}]
Was this topic helpful?
Document Information
Modified date:
18 April 2025
UID
ibm17231330