IBM Support

Release of Guardium Data Protection patch 12.0p120

Release Notes


Abstract

This technical note provides guidance for installing IBM Guardium Data Protection patch 12.0p120, including any new features or enhancements, resolved or known issues, or notices associated with the patch.

Content

Patch information
  • Patch file name: SqlGuard-12.0p120_Bundle_May_28_2025.tgz.enc.sig
  • MD5 checksum: bb4ea193b805e959d04451bf7d6b49e3
 

Finding the patch

  1. Select the following options to download this patch on the IBM Fix Central website and click Continue.
    • Product selector: IBM Security Guardium
    • Installed Version: 12.1
    • Platform: All
  2. On the "Identify fixes" page, select Browse for fixes and click Continue.
  3. On the "Select fixes" page, select Appliance patch (GPU and Ad-Hoc). Then, enter the patch information in the Filter fix details field to locate the patch.
For information about Guardium patch types and naming conventions, see the Understanding Guardium patch types and patch names support document.
 
 
Prerequisites
  • Guardium Data Protection 12.1 (see release note)
  • The latest Guardium Data Protection health check patch 12.0p9997
 
 

Installation

Notes:
  • This patch is an appliance bundle that includes fixes for 12.1.
  • This patch is cumulative and includes all the fixes from previously released patches.
  • This patch restarts the Guardium system.
  • Do not reboot the appliance while the patch install is in progress. Contact IBM Support if there is an issue with patch installation.
  • When changing the password of CLI and guardcli users in the Guardium command line interface, a password strength warning appears even when strong passwords are not enabled. To remove the strong password checks, execute the CLI command store user strong_password disable.
 
Overview:
  1. Download the patch and extract the compressed package outside the Guardium system.
  2. Review the latest version of the patch release note just before you install the patch.
  3. Pick a "quiet" or low-traffic time to install the patch on the Guardium system.
  4. Apply the latest health check patch.
  5. Install patches in a top-down manner on all Guardium systems: start with the central manager, then aggregators, then the collectors.
  6. Apply the latest quarterly DPS patch and rapid response DPS patch.
 
For information about installing Guardium Data protection patches, see How to install patches in the Guardium documentation.
 
 
Attention
 

Guardium patch signing certificate expired on 29 March 2025

The current patch signing certificate for Guardium appliance patches expired on 29 March 2025. Guardium appliance patches are signed by an internal certificate to validate that the patch is created by Guardium. Unsigned patch files cannot be installed.
 
This patch, 12.0p120, is signed by the new patch signing certificate. Therefore, to install this patch, the patch signing certificate on your Guardium appliance must first be updated by installing ad hoc patch 12.0p1012 (see release note), appliance bundle 12.0p25 (see release note), or appliance bundle 12.0p30 (see release note).
 
For Guardium 12.0 systems, appliance bundle patch 12.0p25 or later provides an updated certificate. For more information, see IBM Guardium - Patch signing certificate set to expire in March 2025.
 
 
IBM Db2 for z/OS JDBC driver update   
In 12.0p115 (see release note), the IBM Db2 for z/OS JDBC driver in Guardium Vulnerability Assessment is updated to support IBM Db2 13 for z/OS, which enables TLS 1.3 and other advantages. You might need to update your IBM Db2 JDBC license. If so, test your connection in a staging environment and contact the IBM Db2 Support team if licensing issues arise. For assistance, open a case at ibm.com/mysupport.
 
 
Enhancements
This patch includes the following enhancements.
 
Issue keySummary
GRD-82941Manage Apache Kafka clusters by using Cruise control
GRD-84183Support added for installing and uninstalling profiles to a managed unit group
GRD-86114Set maximum size for universal connector log file by using new grdapi set_uc_log_file_size uc_log_file_size command
GRD-86286Verified upload of custom tables for Amazon Redshift data source
GRD-86309Update SNMP and SMTP GuardAPI commands
GRD-86446Added support for creating a data source of Milvus Database type for an S-TAP Verification Application type
GRD-87158Ability to scan vulnerabilities in Couchbase Capella database
GRD-87161Ability to scan vulnerabilities in Amazon DocumentDB database
GRD-87165Ability to scan vulnerabilities in Amazon ElastiCache database
GRD-88705[Microsoft SQL Server] Improved the handling of unavailable database connections during classification scan
GRD-89094Fixed version check logic for Neo4j to correctly compare versions with decimals
GRD-89695Added entitlements for Yugabyte data source
GRD-90865Bulk configuration of data source profiles from central manager
GRD-90869Added support for Amazon DocumentDB data source
GRD-91366Backported entitlements for Yugabyte data source to version 12.1
GRD-92070Connection to the data source happens automatically after rebooting the data source
GRD-92386When upgrading from Guardium version 11.5 to version 12.0, special characters are allowed in the password for SCP backup server
GRD-92522Download the profile template for a plug-in by using Download import profile template in the Guardium UI
GRD-92524Create or update multiple data source profiles in the Guardium UI by uploading CSV files from the Upload import file tab in the Create profile window 
GRD-93932Install or uninstall data source profiles on the Guardium appliance by using the Run now option
GRD-93934Delete multiple data source profiles by using the Guardium UI
GRD-94307Add force option to CLI command replace certificate gim algorithm
GRD-94434Cleanup Kafka clusters by using grdapi delete_kafka_cluster clusterName="<cluster_name>" command
GRD-94556Change Manage > Universal Connector > Plugin Management to Manage > Universal Connector > Package Management 
GRD-94622When you update a profile, the Name field is not editable
GRD-94703Removed old patch signing certificates from appliance and UI after March 2025
GRD-94997Update Entrust Certificate Authority root certificate (entrust_g3) signature algorithm to SHA2 
GRD-95786Test connection for a “Ready profile" by using the Guardium UI and GuardAPI command
GRD-95942Change the maximum number of restarts for Kafka-connect
GRD-95943Add a Label column to group profiles in Datasource Profile Management 
GRD-95967Create GuardAPI commands to download the template, upload CSV, and install, uninstall, and delete multiple profiles
GRD-96440Create grdapi universal_connector_export_profiles profileNames="<profile_name>l" command to export profiles and create a CSV file
GRD-96442Export profiles with the same connector type and create a CSV file by using the Guardium UI
GRD-96793Change the Kafka connect value.converter property with the protobuf converter
GRD-96803When you install a profile, create sink connector by using the Guardium UI 
GRD-96855On the Datasource Profile Management page, view the progress of the test connection to the data source with the progress indicator in the Status column
GRD-96927Guardium UI changes on the Datasource Profile Management page
GRD-96934View the detailed health information about universal connectors by using View UC Health link on the Datasource Profile Management page
GRD-97589Allocate more resources to Kafka, Kafka connect, and Apache ZooKeeper processes
  
 
 
Resolved issues
This patch resolves the following issues.
 
PatchIssue keySummaryKnown issue (APAR)
12.0p115 This patch includes resolved issues from 12.0p115 (see release notes) 
12.0p120GRD-78772Guardium GUI certificate renewal error: guardium Venafi retrieve script error 80333 trying to import Venafi certificateDT389660
 GRD-81983Aggregator GUI is slow and unresponsive DT395091
 GRD-84011Test collector stopped sending policy alerts to user facilityDT394214
 GRD-84052rsyslog test fails intermittently and randomlyDT397061
 GRD-84662When changing the password for the cli user after it has expired, the Guardium appliance forces to change the password twice instead of onceDT419649
 GRD-85772Enterprise Load Balancer not relocating STAPs (Software TAPs) when collector database is getting fullDT419735
 GRD-87129After configuring A-TAP on collector with Oracle Exadata databases, the collector reports a high CPU usageDT420527
 GRD-87135Unable to send files from Guardium to COS bucket on IBM CloudDT431894
 GRD-87282EMEA - GUI showing SNMP version 2 but CLI and traffic in SNMP version 3DT400637
 GRD-87529Add TUPLE_PARAMETERS table to translationN/A
 GRD-87718GUI certificate size still running in 1024 bites in central managerDT422234
 GRD-88890

Backup configuration through SFTP protocol failed with the error message: connection corrupted

DT426747
 GRD-89081CLI command show port open scans for the open port instead of making an actual connectionN/A
 GRD-89153Schedule job exception: PEStatusJob trigger: siGroup.PEStatusJobError caught executing job due to some runtime exceptionDT419637
 GRD-89290support reset_managed_cli command does not set change for CLI userDT409177
 GRD-89562Inconsistent hostname in syslog message header for Guardium sniffer and audit processDT423305
 GRD-89704EMEA - aggregation/archive log warning - admDT420186
 GRD-89881Guardium File Acitivty Monitoring (FAM) policy for adding another action cannot be savedDT419254
 GRD-89910Guardium 12.1 central manager still accepts TLS 1.0 and 1.1 connectionsDT431893
 GRD-90989EMEA - email not sent through SMTPDT434614
 GRD-91695Resolved security vulnerabilityN/A
 GRD-91913

In GIM Clients Status report, the GIM client install date is displayed in UTC timezone with the column header: GIM Client Install Date (UTC)

DT431919
 GRD-92530Deployment Health Table / Dashboard on the central manager shows unavailable status (blue) for all managed unitsDT425251
 GRD-92686GuardAPI command to upload custom table is not working when using only data source group is attached to the custom tableDT431864
 GRD-93189Unable to log in to the appliance after configuring multi-factor authentication for DUO on GuardiumDT422702
 GRD-93684

For grdapi change_cli_password command, the following error appears: User has insufficient privileges for the requested API function

DT431874
 GRD-93729

After the failover to the backup central manager, the managed units are unable to sync license

DT424816
 GRD-94015Managed unit registration to the central manager does not succeed due to mismatch in the strength of the system shared secretDT424713
 GRD-94293EMEA - Syslog sending junk messagesDT434622
 GRD-95201grdapi create_stap_inspection_engines command fails with duplicate message when there are no duplicatesN/A
 GRD-95306Solr certificate for version 11.5 expired on 12 January 2025DT436468
 GRD-97506Azure data streams connection not workingDT436626
 GRD-98054Fixed issue with dynamic tuple group when creating and editing session level policyDT436686
 GRD-98631EMEA - Syslog and SMTP alerts inactive after Guardium rebootDT438058
    
 
 
Security fixes
This patch resolves the following issues.
 
PatchIssue keySummaryCVE
12.0p115 This patch includes security fixes from 12.0p115 (see release notes) 
12.0p120
GRD-91689
 
 
 
PSIRT: PVR0586685 - SE - Pen Testing On-prem 2024 - Privilege escalation by SUID binary - multiple findings  TZAVW-0008, TZAVW-0003, TZAVW-0006, TZAVW-0007, TZAVW-0013, TZAVW-0014 - 6.7 Medium - page 6-7 - Due 4/30/2025
CVE-2025-25024
 
 
 
 
GRD-92006
 
SE - Pen Testing On-prem 2024 - Extraneous information revealed in detailed error messages - TZAVW-0019 - 5.3 Medium - page 11CVE-2025-25028
 GRD-92007PSIRT: PVR0586693 - SE - Pen Testing On-prem 2024 - Incorrect Authorization of Setup functions - TZAVW-0021 - 5.0 Medium - pages 11-12 11CVE-2025-25026
 GRD-92008PSIRT: PVR0586689 - SE - Pen Testing On-prem 2024 - Download any file from server by backup/export function - TZAVW-0005 - 4.9 - Medium - page 14CVE-2025-25029
 GRD-92009PSIRT: PVR0586686 - SE - Pen Testing On-prem 2024 - User information is available to all users - TZAVW-0012 - 4.3 Medium - pages 14-15CVE-2025-25025
 GRD-92011PVR0586696 - SE - Pen Testing On-prem 2024 - Multiple data stream vulnerabilities - TZAVW-0018 - 9.8 - Critical - pages 16-18

CVE-2025-25025, CVE-2015-1832,

CVE-2024-45772, CVE-2023-22737,
CVE-2021-47400, CVE-2022-31122,
CVE-2023-33953, CVE-2018-1313,
CVE-2024-45217, CVE-2024-3596
 GRD-92031PSIRT: PVR0552042 - commons-io-2.11.0.jar (Publicly disclosed vulnerability found by Mend) - kafkaCVE-2024-47554
 GRD-92032PSIRT: PVR0557444 - jetty-http-9.4.53.v20231009.jar (Publicly disclosed vulnerability found by Mend) - kafkaCVE-2024-6763
 GRD-92040PSIRT: PVR0567482 - netty-common-4.1.108.Final.jar (Publicly disclosed vulnerability found by Mend) - kafkaCVE-2024-47535
 GRD-92046PSIRT: PVR0568961  - Kafka - CVE-2024-31141 (Publicly disclosed vulnerability)  - data streamsCVE-2024-31141
 GRD-92047PSIRT:  PVR0575094 - struts2-core-2.5.33.jar (Publicly disclosed vulnerability found by Mend)  - webappsCVE-2024-53677
 GRD-93251PSIRT: PVR0586099 - cxf-core-3.5.6.jar (Publicly disclosed vulnerability found by Mend) 
 
GRD-93632
 
 
 
 
 
 
 
 
PSIRT: PVR0562183 - MySQL Upgrade needed for October 2024 CPU
 
 
 
 
 
 
 
 
CVE-2024-21193, CVE-2024-21194, 
CVE-2024-21197, CVE-2024-21198,
CVE-2024-21199, CVE-2024-21200, 
CVE-2024-21201, CVE-2024-21204, 
CVE-2024-21209, CVE-2024-21212, 
CVE-2024-21213, CVE-2024-21231, 
CVE-2024-21236, CVE-2024-21237, 
CVE-2024-21241, CVE-2024-21243,
CVE-2024-21244, CVE-2024-21247, 
CVE-2024-21262, CVE-2024-21272
 GRD-93688Tenable Scan - rsync rpm need to be installed latest in version 12CVE-2024-12085
 GRD-94118Tenable Scan - krb5 rpm need to updateCVE-2024-3596
 GRD-94137Tenable Scan - tuned rpm in version 12.xCVE-2024-52337
 
GRD-94326
 
 
 
 
 
 
Tenable Scan - KERNEL need to be updated
 
 
 
 
 
 
CVE-2024-53088, CVE-2024-38598,
CVE-2024-35927, CVE-2024-43879,
CVE-2024-35898, CVE-2024-35913,
CVE-2024-35973, CVE-2024-35824,
CVE-2024-35809, CVE-2024-38562,
CVE-2024-35859, CVE-2023-28746,
CVE-2024-50256, CVE-2024-40907
 GRD-94913PSIRT: PVR0595976,  PVR0596141 - multiple netty vulnerabilities (Publicly disclosed vulnerability found by Mend)CVE-2025-25193, CVE-2025-24970
 GRD-95020Tenable Scan - glib2 rpm need to be updatedCVE-2024-34397
 
GRD-95022
 
Tenable Scan - podman and buildah rpm need to be updated
 
CVE-2024-9675, CVE-2024-9407,
CVE-2024-9676
 
GRD-95023
 
 
 
 
 
Tenable Scan - microcode ctl
 
 
 
 
 
CVE-2023-46103, CVE-2023-38575,
CVE-2023-45733, CVE-2023-22655,
CVE-2023-28746, CVE-2023-43490,
CVE-2023-39368, CVE-2023-46103,
CVE-2023-38575, CVE-2023-45733,
CVE-2023-22655
 GRD-95024Tenable Scan - libgcrypt we need to update to latestCVE-2024-2236
 GRD-95025Tenable Scan - nano rpm need to be updatedCVE-2024-5742
 GRD-95137Tenable Scan - vim rpm need to be updatedCVE-2021-3903
 GRD-96187Tuned-2.22.1-3.el9_4.noarchCVE-2024-52336
 GRD-96809Tenable Scan - emacs rpm needs to be updatedCVE-2025-1244
 GRD-97707PSIRT: PVR0630165 - netty-incubator-codec-classes-quic-0.0.52.Final.jar (Publicly disclosed vulnerability found by Mend)CVE-2025-29908
 GRD-97817PSIRT: PVR0631190 - 3RD PARTY: IBM Security Guardium - Stored XSS 
 GRD-98135FreeType Remote Code Execution Vulnerability - CVE-2025-27363CVE-2025-27363
 GRD-98305PSIRT: PVR0636917 - IBM Guardium Data Protection is vulnerable to multiple Tomcat vulnerabilitiesCVE-2025-24813, CVE-2024-50379
 GRD-98466PSIRT: PVR0586685: Priv Escalation: TZAVW-0003: cp_wrapper 
 GRD-98467PSIRT: PVR0586685: Priv Escalation: TZAVW-0006: log_access_wrapper 
 GRD-98468PSIRT: PVR0586685: Priv Escalation: TZAVW-0007: guard_chown_wrapper 
 GRD-98551PSIRT: PVR0586685: Priv Escalation: TZAVW-0008: tar_wrapper 
 GRD-98554PSIRT: PVR0586685: Priv Escalation: TZAVW-0013: iptables_wrapper 
 GRD-98555PSIRT: PVR0586685: Priv Escalation: TZAVW-0014: server_receiver.pl 
    
 
 
Known issues
This patch contains the following known issues.
 
Issue keySummary
GRD-86940
Universal connector Kafka cluster nodes are not part of backup. 
Workaround: This will be fixed in a future patch.
GRD-98849
GRD-98851 
 

Upgrading from 12.0p105 (see release note) to 12.0p120 and applying universal connector patch 12.0p5002 (see release note) results in two different Oracle packages. "OUA over JDBC connect 2.0" profile is recommended. Do not use the "OUA over JDBC connect" profile. 

Workaround: If Oracle data source profiles using the universal connector were installed on the system before the upgrade, uninstall the "OUA over JDBC connect" profiles, upload the same JDBC driver under a new name, and use this JAR to configure the "OUA over JDBC connect 2.0" new profile.

GRD-99009
GRD-100366
 

Replacing dead Kafka broker node with healthy nodes has the following limitations:

  • Replacing the dead broker nodes works if more than 50% of the cluster nodes are still online. If more than 50% of the nodes are offline, a new Kafka cluster must be created.
  • Results in potential data loss.
  • Certain cruise control functionality may not be available.
  • Traffic for an existing topic is redistributed among currently online nodes. The new node does not handle traffic for existing topics. However, traffic for newly created topics will be evenly distributed across all available nodes.
GRD-100109
When viewing multiple predefined Kafka Cruise Control reports, maximizing one report minimizes the others and places them as tabs at the lower-right part of the window. However, these tabs are only visible when hovering the mouse.
GRD-100601
In case of a central manager failover, if a connector was previously failing, the system might not heal itself, resulting in incomplete or missing traffic capture across deployed managed units.
GRD-100746
If the unified connector profile is installed on X collectors, and all of them remain unavailable for more than 2 hours, data loss may occur. 
GRD-100866
GRD-101053
If 1,500 or more data sources profiles are installed on a central manager, loading the universal connector pages might delay.
GRD-100934The recommended disk size of kafka-node unit is 1TB. Disk size below 1TB may result in the disk becoming full, causing the kafka cluster to fail.
GRD-101420
For "OUA over JDBC connect 2.0", one Kafka cluster can handle up to 1,250 data sources profiles.
GRD-101478
Unable to create Kafka cluster by using the grdapi In Guardium version 12.1 with patch 12.0p120 installed.
WorkaroundCreate the Kafka cluster by using the UI. For more information, see Creating Kafka clusters.
GRD-101566
Unable to use ojdbc8.jar file for bulk profile upload flow for "OUA over JDBC connect 2.0" and "OUA MultiTenant over JDBC connect 2.0" profiles. 
WorkaroundTo use the bulk upload feature, upload the ojdbc8.jar file individually with a unique name for the first data source profile of “OUA MultiTenant over JDBC connect 2.0” or “OUA over JDBC connect 2.0".
GRD-101762
In Guardium version 12.0p115 (see release note) with universal connector patch 12.0p1006 (see release note) installed, if patch 12.0p120 is applied before patch 12.0p5002 (see release note), then the profile creation of "OUA over JDBC connect 2.0" fails with an error.
Workaround: In Guardium version 12.0p115 with universal connector patch 12.0p1006 installed, first apply patch 12.0p5002 and then apply patch 12.0p120.
 
 
 

[{"Type":"MASTER","Line of Business":{"code":"LOB76","label":"Data Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"ARM Category":[{"code":"a8m3p000000PCTuAAO","label":"Platform\/Installation\/Deployment"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"12.1.0"}]

Document Information

Modified date:
12 September 2025

UID

ibm17233715

Page Feedback