Release Notes
Abstract
This technical note provides guidance for installing IBM Guardium Data Protection patch 11.0p570, including any new features or enhancements, resolved or known issues, or notices associated with the patch.
Content
Patch information
- Patch file name: SqlGuard-11.0p570_Bundle_Jul_22_2025.tgz.enc.sig
- MD5 checksum: d7ae2271999c4da900458194fd7e6759
Finding the patch
- Select the following options to download this patch on the IBM Fix Central website and click Continue.
- Product selector: IBM Security Guardium
- Installed version: 11.5
- Platform: All
- On the "Identify fixes" page, select Browse for fixes and click Continue.
- On the "Select fixes" page, select Appliance Patch (GPU and Ad-Hoc). Then, enter the patch information in the Filter fix details field to locate the patch.
For information about Guardium patch types and naming conventions, see the Understanding Guardium patch types and patch names support document.
Prerequisites
-
Guardium 11.0p500 (see release note)
-
The latest Guardium health check patch 11.0p9997
-
The latest Guardium patch signing certificate on your Guardium appliance. For more information, see IBM Guardium - Patch signing certificate set to expire in March 2025.
Installation
Notes:
- This patch is an appliance bundle that includes fixes for version 11.5.
- This patch is cumulative and includes all the fixes from previously released patches.
- This patch restarts the Guardium system.
- Do not reboot the appliance while the patch install is in progress. Contact IBM Support if there is an issue with patch installation.
- When changing the password of CLI and guardcli users in the Guardium command line interface, a password strength warning appears even when strong passwords are not enabled. To remove the strong password checks, execute the CLI command store user strong_password disable.
- If you have single sign-on enabled and are upgrading from below 11.0p530, you must re-download metadata from the upgraded central manager and apply it on the identity provider.
Overview:
- Download the patch and extract the compressed package outside the Guardium system.
- Be sure to check the latest version of this patch release note online just before you install this patch.
- Pick a "quiet" or low-traffic time to install the patch on the Guardium system.
- Apply the latest health check patch.
- Install patches in a top-down manner on all Guardium systems: start with the central manager, then aggregators, then the collectors.
- Apply the latest quarterly DPS patch and rapid response DPS patch.
For information about installing patches, see Installing patches in the Guardium documentation.
Attention
Guardium appliance bundle upgrade time extended due to MySQL tables conversion
Following MySQL support requirements, most tables are converted from MyISAM to InnoDB starting with Guardium appliance bundle versions 11.0p550 and later, and versions 12.0p25 and later. Due to the large size of some tables, which are mostly static tables, the conversion might consume more time than usual during an appliance bundle upgrade. Note: Do not cancel the patch installation process. If you have any concerns, contact IBM Support.
For more information, see Guardium appliance bundle upgrade time extended due to MySQL tables conversion.
Guardium sniffer certification expired on 3 March 2025
The previous sniffer default certificate expired on 3 March 2025 and you must install a Guardium appliance patch to renew the certificate. For Guardium 11.5 systems, appliance bundle patch 11.0p545 or later provides an updated certificate. For more information, see IBM Guardium sniffer certification expires March 2025.
The previous sniffer default certificate expired on 3 March 2025 and you must install a Guardium appliance patch to renew the certificate. For Guardium 11.5 systems, appliance bundle patch 11.0p545 or later provides an updated certificate. For more information, see IBM Guardium sniffer certification expires March 2025.
Guardium patch signing certificate expired on 29 March 2025
Guardium appliance patches are signed by an internal certificate to validate that the patch is created by Guardium. Unsigned patch files cannot be installed. The previous patch signing certificate for Guardium appliance patches expired on 29 March 2025.
This patch, 11.0p570, is signed by the new patch signing certificate. Therefore, to install this patch, your Guardium appliance must be prepared by installing an ad hoc or bundle patch with the fix that allows patches signed by old or new certificates to be installed. See IBM Guardium - Patch signing certificate set to expire in March 2025 and follow the steps in the "What to do after March 29th 2025" section if the patch signing certificate was not renewed.
SHA256 GIM client certificates
After applying patch 11.0p530 or later, Guardium supports SHA256 Guardium Installation Manager (GIM) certificates. This has the following implications:
After applying patch 11.0p530 or later, Guardium supports SHA256 Guardium Installation Manager (GIM) certificates. This has the following implications:
- The default certificates could be either SHA256 or SHA128, depending on the GIM server certificate setup. Custom certificates that use SHA256 are more secure and are recommended for GIM connections. Note that GIM connectivity is not interrupted after applying this patch.
- GIM only verifies bundles signed with SHA256 and requires installation of a transitional GIM bundle to support the GIM client change from SHA128 to SHA256.
For more information, see Updating Guardium Data Protection GIM clients with SHA256 certificates.
Microsoft certificates expired on 20 May 2024
Microsoft certificates (microsoftca1-4) expired on 20 May 2024. The following Guardium patches provide updated certificates:
Microsoft certificates (microsoftca1-4) expired on 20 May 2024. The following Guardium patches provide updated certificates:
- 11.3 systems that use patch 11.0p392 or later
- 11.4 systems that use patch 11.0p485 or later
- 11.5 systems that use patch 11.0p535 or later
- 12.0 systems that use patch 12.0p5 or later
Install the correct patch for your Guardium systems to use the updated certificates. For more information, see https://www.ibm.com/support/pages/node/7080145
Enhancements
This patch includes the following enhancements.
| Issue key | Summary |
|---|---|
| GRD-84384 | Improve customer visibility for patch upgrade process |
| GRD-86114 | Set maximum size for universal connector log file by using new grdapi set_uc_log_file_size uc_log_file_size command |
| GRD-86309 | Update SNMP and SMTP grdapi commands |
| GRD-89938 | Backport CLI command replace certificate gim algorithm to replace GIM certificate from SHA1 to SHA2 on appliance |
| GRD-95352 | Fix bugs found in MongoDB 7 |
| GRD-96891 | Enhance GIM Installed Modules and GIM Client Status reports for uninterrupted GIM client-server communication |
| GRD-97814 | Add two new ServiceNow reports to improve ingestion performance |
Resolved issues
This patch resolves the following issues.
|
Patch
|
Issue key
|
Summary
|
Known issue (APAR)
|
|---|---|---|---|
| 11.0p565 | See release note for patch 11.0p565 | ||
|
11.0p570
|
GRD-92132
|
HSTS (HTTP Strict Transport Security) missing from HTTPS server vulnerability reported on port 8444 | DT437964 |
|
GRD-93299
|
Vulnerability HTTP Verb Tampering observed on Guardium appliances after penetration testing | DT439632 | |
|
GRD-95201
|
Grdapi create_stap_inspection_engine fails with duplicate message when there are no duplicates | N/A | |
|
GRD-95320
|
After applying patch 11.0p555, the purge days started increasing from 2 days to over 1000 days | DT437871 | |
| GRD-95418 | Alerter gets stuck when Guardium sends Syslog messages | DT443393 | |
|
GRD-95663
|
Vulnerability Test ID 727 shows both inactive service and user accounts but does not specify whether each account reported with the issue is a service or user account | DT437983 | |
| GRD-96966 | Support for multiple proxies under one federated environment | N/A | |
|
GRD-97821
|
Comment at the beginning of the SQL is not logged-in properly if store antlr3_remove_comments is disabled | DT438012 | |
|
GRD-97826
|
Remove DM_EXTRACTION_STATE and DM_POST_EXTRACTION_STATE tables from data and config backup to prevent issues with export to Guardium Data Security Center | DT438580 | |
| GRD-98173 | Archive failing for Tivoli Storage Manager | DT437902 | |
|
GRD-98248
|
Unable to change the max_repeats value with the store password requirements max_repeats command | DT437912 | |
|
GRD-98631
|
EMEA-SYSLOG and SMTP Alerts inactive when the appliance reboots after weekend maintenance | DT438058 | |
|
GRD-99835
|
After exporting the role to a target central manager, permissions for the role is different between the source central manager and target central manager | DT439490 |
Security fixes
This patch contains the following security fixes.
|
Patch
|
Issue key
|
Summary
|
CVE
|
|---|---|---|---|
| 11.0p565 | See release note for patch 11.0p565 | ||
|
11.0p570
|
GRD-91689
|
PSIRT: PVR0586685 - SE - Pen Testing On-prem 2024 - Privilege escalation by SUID binary - multiple findings TZAVW-0008, TZAVW-0003, TZAVW-0006, TZAVW-0007, TZAVW-0013, TZAVW-0014 - 6.7 Medium - page 6-7 - Due 4/30/2025 |
CVE-2025-25024
|
|
GRD-97237
|
PSIRT: PVR0630123 - RHEL7 kernel update
|
CVE-2024-36971, CVE-2024-53197, CVE-2024-50302, CVE-2023-52922, CVE-2024-53150 | |
|
GRD-98200
|
Tenable Scan - bind rpm need to update version 11.x
|
CVE-2024-1975, CVE-2024-1737, CVE-2024-11187 | |
|
GRD-98305
|
PSIRT: PVR0636917 - IBM Guardium Data Protection is vulnerable to multiple Tomcat vulnerabilities | CVE-2025-24813, CVE-2024-50379 | |
|
GRD-98466
|
PSIRT: PVR0586685: Priv Escalation: TZAVW-0003: cp_wrapper | ||
|
GRD-98467
|
PSIRT: PVR0586685: Priv Escalation: TZAVW-0006: log_access_wrapper | ||
|
GRD-98468
|
PSIRT: PVR0586685: Priv Escalation: TZAVW-0007: guard_chown_wrapper | ||
| GRD-98551 | PSIRT: PVR0586685: Priv Escalation: TZAVW-0008: tar_wrapper | ||
|
GRD-98554
|
PSIRT: PVR0586685: Priv Escalation: TZAVW-0013: iptables_wrapper | ||
|
GRD-98555
|
PSIRT: PVR0586685: Priv Escalation: TZAVW-0014: server_receiver.pl | ||
| GRD-98925 | Tenable Scan - libndp rpm need to be update in version 11.x | CVE-2024-5564 | |
| GRD-98936 | Tenable Scan - python-setuptools rpm need to update version 11.x | CVE-2024-6345 | |
|
GRD-99867
|
PSIRT: PVR0641659 - IBM Guardium Data Protection is vulnerable to a Tomcat vulnerability | CVE-2025-31650 | |
|
GRD-100367
|
libxml2 need to be updated in Guardium versions 11.x and 12.x | CVE-2024-56171, CVE-2025-24928, CVE-2022-49043 | |
| GRD-100763 | Tenable Scan - postgresql rpm need to update version 11.x | CVE-2025-1094 | |
| GRD-100764 | Tenable Scan - grub2 rpm need to update version 11.x | CVE-2025-0624 | |
| GRD-100772 | Tenable Scan - kernel rpm need to update version 11.x | CVE-2024-53141 | |
| GRD-101164 | PSIRT: PVR0641659 - IBM Guardium Data Protection is vulnerable to a Tomcat vulnerability - CVE-2025-31650 | CVE-2025-31650 | |
|
GRD-101437
|
PSIRT: PVR0645679 - 3RD PARTY: H1-3160021: 'Sensitive Information Disclosure' | ||
|
GRD-101939
|
MySQL upgrade needed for April 2025 CPU
|
CVE-2025-21577, CVE-2025-30682,
CVE-2025-30687, CVE-2025-30688,
CVE-2025-21574, CVE-2025-21575,
CVE-2025-30693, CVE-2025-30695,
CVE-2025-30715, CVE-2025-21583,
CVE-2025-21584, CVE-2025-21580,
CVE-2025-21588, CVE-2025-21581,
CVE-2025-21585, CVE-2025-30689,
CVE-2025-21579, CVE-2025-30696,
CVE-2025-30705, CVE-2025-30683, CVE-2025-30684, CVE-2025-30685,
CVE-2025-30699, CVE-2025-30704, CVE-2024-13176, CVE-2025-30721,
CVE-2025-30703, CVE-2025-30681 |
|
|
GRD-102085
|
PSIRT: PVR0646930 - commons-beanutils-1.9.2.jar (Publicly disclosed vulnerability found by Mend) - tomcat |
CVE-2025-48734
|
|
|
GRD-102086
|
PSIRT: PVR0646930 - commons-beanutils-1.9.2.jar (Publicly disclosed vulnerability found by Mend) - datastreams |
CVE-2025-48734
|
|
|
GRD-102283
|
PSIRT: PVR0649071 - kafka-clients-3.9.0.jar (Publicly disclosed vulnerability found by Mend) - datastreams | CVE-2025-27818, CVE-2025-27817 | |
|
GRD-102285
|
PSIRT: PVR0649071 - kafka-clients-3.9.0.jar (Publicly disclosed vulnerability found by Mend) - webapps | CVE-2025-27818, CVE-2025-27817 | |
|
GRD-102286
|
PSIRT: PVR0649071 - kafka-clients-3.9.0.jar (Publicly disclosed vulnerability found by Mend) - kafka | CVE-2025-27818, CVE-2025-27817 |
Known issues
This patch contains the following known issues.
| Issue key | Summary |
|---|---|
| GRD-106352 |
After upgrading to 11.0p570, if the universal connector is enabled on the machine, the time setting might become invalid. Workaround: Fix the time setting and run grdapi run_universal_connector overwrite_old_instance="true" debug=3 |
[{"Type":"MASTER","Line of Business":{"code":"LOB76","label":"Data Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"ARM Category":[{"code":"a8m3p000000PCTuAAO","label":"Platform\/Installation\/Deployment"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"11.5.0"}]
Was this topic helpful?
Document Information
Modified date:
04 August 2025
UID
ibm17240506