IBM Support

Release of Guardium Data Protection patch 12.0p125

Release Notes


Abstract

This technical note provides guidance for installing IBM Guardium Data Protection patch 12.0p125, including any new features or enhancements, resolved or known issues, or notices associated with the patch.

Content

Patch information
  • Patch file name: SqlGuard-12.0p125_Bundle_Sep_09_2025.tgz.enc.sig
  • MD5 checksum: 2fdef73169361ee4798e275c9c734a0e

Finding the patch

  1. Select the following options to download this patch on the IBM Fix Central website and click Continue.
    • Product selector: IBM Security Guardium
    • Installed Version: 12.1
    • Platform: All
  2. On the "Identify fixes" page, select Browse for fixes and click Continue.
  3. On the "Select fixes" page, select Appliance Bundle. Then, enter the patch information in the Filter fix details field to locate the patch.
For information about Guardium patch types and naming conventions, see the Understanding Guardium patch types and patch names support document.

Prerequisites
  • Guardium Data Protection 12.1 (see release note)
  • The latest Guardium Data Protection health check patch 12.0p9997

Installation

Notes:
  • This patch is an appliance bundle that includes fixes for version 12.1.
  • This patch is cumulative and includes all the fixes from previously released patches.
  • This patch restarts the Guardium system.
  • Do not reboot the appliance while the patch install is in progress. Contact IBM Support if there is an issue with patch installation.
  • When changing the password of CLI and guardcli users in the Guardium command line interface, a password strength warning appears even when strong passwords are not enabled. To remove the strong password checks, execute the CLI command store user strong_password disable.

Overview:
  1. Download the patch and extract the compressed package outside the Guardium system.
  2. Review the latest version of the patch release note just before you install the patch.
  3. Pick a "quiet" or low-traffic time to install the patch on the Guardium system.
  4. Apply the latest health check patch.
  5. Install patches in a top-down manner on all Guardium systems: start with the central manager, then aggregators, then the collectors.
  6. Apply the latest quarterly DPS patch and rapid response DPS patch.
For information about installing Guardium Data Protection patches, see How to install patches in the Guardium documentation.

Attention

Guardium patch signing certificate expired on 29 March 2025

The current patch signing certificate for Guardium appliance patches expired on 29 March 2025. Guardium appliance patches are signed by an internal certificate to validate that the patch is created by Guardium. Unsigned patch files cannot be installed.
This patch is signed by the new patch signing certificate. Therefore, to install this patch, the patch signing certificate on your Guardium appliance must first be updated. For more information, see IBM Guardium - Patch signing certificate set to expire in March 2025 or contact IBM Support.

IBM Db2 for z/OS JDBC driver update

In 12.0p115 (see release note), the IBM Db2 for z/OS JDBC driver in Guardium Vulnerability Assessment is updated to support IBM Db2 13 for z/OS, which enables TLS 1.3 and other advantages. You might need to update your IBM Db2 JDBC license. If so, test your connection in a staging environment and contact the IBM Db2 Support team if licensing issues arise. For assistance, open a case at ibm.com/mysupport.

Enhancements

This patch includes the following enhancements.

Issue key | Summary
GRD-96891 | Enhanced GIM Installed Modules and GIM Client Status reports for uninterrupted GIM client-server communication.
GRD-97814 | Add two new ServiceNow reports to improve ingestion performance
GRD-100432 | Guardium supports Red Hat Enterprise Linux 9.6
GRD-103256 | Adjusted universal connector Kafka Connect heap size

Resolved issues

This patch resolves the following issues.

Patch | Issue key | Summary | Known issue (APAR)
12.0p120 | | This patch includes resolved issues from 12.0p120 (see release note) |
12.0p125 | GRD-97821 | Comment at the beginning of the SQL is not logged properly if store antlr3_remove_comments is disabled | DT438012
12.0p125 | GRD-97826 | Remove DM_EXTRACTION_STATE and DM_POST_EXTRACTION_STATE tables from data and config backup to prevent issues with export to Guardium Data Security Center | DT438580
12.0p125 | GRD-98173 | Archive failing for Tivoli Storage Manager | DT437902
12.0p125 | GRD-98248 | Unable to change the max_repeats value with the store password requirements max_repeats command | DT437912
12.0p125 | GRD-98757 | Risk spotter stopped working | DT446409
12.0p125 | GRD-99835 | After exporting the role to a target central manager, permissions for the role are different between the source central manager and target central manager | DT439490
12.0p125 | GRD-100408 | Unable to access Guardium through GUI | DT448944
12.0p125 | GRD-100655 | LDAP authentication error 'javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)' after enabling only TLS 1.3 protocol on Guardium appliance | DT444915
12.0p125 | GRD-101411 | Error when creating a datasource by using GuardAPI | DT446525
12.0p125 | GRD-101829 | Copying and pasting multiple GuardAPI commands displays the following error: A parameter name cannot be specified more than once, please check the command line for duplicate parameters | DT442976
12.0p125 | GRD-102381 | Cannot add multiple remotelog priorities - regex error in remotelog.pl | DT446553

Security fixes

This patch resolves the following issues.

Patch | Issue key | Summary | CVE
12.0p120 | | This patch includes security fixes from 12.0p120 (see release note) |
12.0p125 | GRD-95521 | PSIRT : PVR0540745, PVR0565474, PVR0566615, PVR0566745, PVR0546719, PVR0517411, PVR0540758 kernel needs to be updated | CVE-2024-26734, CVE-2023-52881, CVE-2023-52796, CVE-2024-26851, CVE-2024-42292, CVE-2023-52478, CVE-2023-52653, CVE-2024-43855, CVE-2024-26779, CVE-2024-27056, CVE-2024-43871, CVE-2024-42322, CVE-2024-41009, CVE-2024-50192, CVE-2024-47675, CVE-2024-35876, CVE-2024-53113, CVE-2024-53197, CVE-2024-50302, CVE-2023-52922, CVE-2024-53150, CVE-2024-53141, CVE-2024-26743, CVE-2024-26872, CVE-2022-49022, CVE-2025-21785, CVE-2024-50264, CVE-2024-46826
12.0p125 | GRD-98601 | PVR0586696 - SE - Pen Testing On-prem 2024 - Solr Vulnerability- TZAVW-0018 - 9.8 - Critical - pages 16-18 | CVE-2023-32732, CVE-2015-1832, CVE-2024-45772, CVE-2023-22737, CVE-2021-47400, CVE-2022-31122, CVE-2023-33953, CVE-2018-1313, CVE-2024-45217, CVE-2024-3596
12.0p125 | GRD-98939 | Tenable Scan - buildah and podman rpm need to update version 12.x | CVE-2024-34156, CVE-2024-34158, CVE-2024-9341, CVE-2024-34155, CVE-2024-11218, CVE-2025-22869
12.0p125 | GRD-98940 | Tenable Scan - openssl rpm need to update version 12.x | CVE-2024-5535, CVE-2024-12797
12.0p125 | GRD-98942 | Tenable Scan - libtiff rpm need to update v12.x | CVE-2024-7006
12.0p125 | GRD-98943 | Tenable Scan - Skopeo rpm need to update version 12.x | CVE-2024-24788
12.0p125 | GRD-99026 | Tenable Scan - emacs rpm need to update version 12.x | CVE-2024-30205, CVE-2024-30204, CVE-2024-30203, CVE-2024-53920
12.0p125 | GRD-99027 | Tenable Scan - tpm2-tools rpm need to update version 12.x | CVE-2024-29039, CVE-2024-29038
12.0p125 | GRD-99028 | Tenable Scan - xorg-x11-server rpm need to update version 12.x | CVE-2024-31080, CVE-2024-31081, CVE-2024-31083
12.0p125 | GRD-99032 | Tenable Scan - jose rpm need to update v12.x | CVE-2023-50967, CVE-2024-28176
12.0p125 | GRD-99033 | Tenable Scan - perl-App-cpanminus rpm need to update v12.x | CVE-2024-45321
12.0p125 | GRD-99036 | Tenable Scan - bzip2 rpm need to update version 12.x | CVE-2019-12900
12.0p125 | GRD-99037 | Tenable Scan - NetworkManager rpm need to update version 12.x | CVE-2024-3661
12.0p125 | GRD-99042 | Tenable Scan - libpq rpm need to update version 12.x | CVE-2025-1094
12.0p125 | GRD-99867 | PSIRT: PVR0641659 - IBM Guardium Data Protection is vulnerable to a Tomcat vulnerability | CVE-2025-31650
12.0p125 | GRD-100365 | PSIRT : PVR051689, PVR0537017, PVR0542007, PVR0541987, PVR0541471, PVR0541371 |
CVE-2022-3424, CVE-2022-48989, CVE-2022-49006, CVE-2024-27398, CVE-2024-35934, CVE-2024-35963, CVE-2024-35965, CVE-2024-35966, CVE-2024-36880, CVE-2024-36968, CVE-2024-42133, CVE-2024-42253, CVE-2024-42265, CVE-2024-42291, CVE-2024-42294, CVE-2024-42302, CVE-2024-42312, CVE-2024-42315, CVE-2024-42316, CVE-2024-43821, CVE-2024-43846, CVE-2024-43853, CVE-2024-43871, CVE-2024-43873, CVE-2024-43882, CVE-2024-43884, CVE-2024-43889, CVE-2024-43914, CVE-2024-44934, CVE-2024-44958, CVE-2024-44975, CVE-2024-45000, CVE-2024-45010, CVE-2024-45022, CVE-2024-46800, CVE-2024-46805, CVE-2024-46806, CVE-2024-46807, CVE-2024-46819, CVE-2024-46820, CVE-2024-46822, CVE-2024-46828, CVE-2024-46835, CVE-2024-46853, CVE-2024-46864, CVE-2024-46871, CVE-2024-47141, CVE-2024-47660, CVE-2024-47668, CVE-2024-47678, CVE-2024-47685, CVE-2024-47687, CVE-2024-47692, CVE-2024-47700, CVE-2024-47703, CVE-2024-47705, CVE-2024-47706, CVE-2024-47710, CVE-2024-47713, CVE-2024-47715, CVE-2024-47718, CVE-2024-47719, CVE-2024-47737, CVE-2024-47738, CVE-2024-47739, CVE-2024-47745, CVE-2024-47745, CVE-2024-47748, CVE-2024-48873, CVE-2024-49569, CVE-2024-49851, CVE-2024-49856, CVE-2024-49860, CVE-2024-49862, CVE-2024-49870, CVE-2024-49875, CVE-2024-49878, CVE-2024-49881, CVE-2024-49882, CVE-2024-49883, CVE-2024-49884, CVE-2024-49885, CVE-2024-49886, CVE-2024-49889, CVE-2024-49904, CVE-2024-49927, CVE-2024-49928, CVE-2024-49929, CVE-2024-49930, CVE-2024-49933, CVE-2024-49934, CVE-2024-49935, CVE-2024-49937, CVE-2024-49938, CVE-2024-49939, CVE-2024-49946, CVE-2024-49948, CVE-2024-49950, CVE-2024-49951, CVE-2024-49954, CVE-2024-49959, CVE-2024-49960, CVE-2024-49962, CVE-2024-49968, CVE-2024-49971, CVE-2024-49973, CVE-2024-49974, CVE-2024-49975, CVE-2024-49977, CVE-2024-49983, CVE-2024-49991, CVE-2024-49993, CVE-2024-49994, CVE-2024-49995, CVE-2024-49999, CVE-2024-50002, CVE-2024-50006, CVE-2024-50008, CVE-2024-50009, CVE-2024-50013, CVE-2024-50014, CVE-2024-50015, CVE-2024-50019, CVE-2024-50022, CVE-2024-50023, 
CVE-2024-50024, CVE-2024-50027, CVE-2024-50028, CVE-2024-50029, CVE-2024-50033, CVE-2024-50035, CVE-2024-50038, CVE-2024-50039, CVE-2024-50044, CVE-2024-50046, CVE-2024-50047, CVE-2024-50055, CVE-2024-50057, CVE-2024-50058, CVE-2024-50058, CVE-2024-50064, CVE-2024-50067, CVE-2024-50073, CVE-2024-50074, CVE-2024-50075, CVE-2024-50077, CVE-2024-50078, CVE-2024-50081, CVE-2024-50082, CVE-2024-50093, CVE-2024-50101, CVE-2024-50102, CVE-2024-50106, CVE-2024-50106, CVE-2024-50106, CVE-2024-50107, CVE-2024-50107, CVE-2024-50109, CVE-2024-50117, CVE-2024-50120, CVE-2024-50121, CVE-2024-50126, CVE-2024-50127, CVE-2024-50127, CVE-2024-50128, CVE-2024-50130, CVE-2024-50141, CVE-2024-50143, CVE-2024-50150, CVE-2024-50151, CVE-2024-50152, CVE-2024-50153, CVE-2024-50162, CVE-2024-50163, CVE-2024-50169, CVE-2024-50182, CVE-2024-50186, CVE-2024-50189, CVE-2024-50189, CVE-2024-50191, CVE-2024-50191, CVE-2024-50197, CVE-2024-50197, CVE-2024-50199, CVE-2024-50199, CVE-2024-50200, CVE-2024-50200, CVE-2024-50201, CVE-2024-50201, CVE-2024-50215, CVE-2024-50216, CVE-2024-50235, CVE-2024-50236, CVE-2024-50237, CVE-2024-50256, CVE-2024-50256, CVE-2024-50261, CVE-2024-50271, CVE-2024-50272, CVE-2024-50272, CVE-2024-50278, CVE-2024-50282, CVE-2024-50299, CVE-2024-50304, CVE-2024-53042, CVE-2024-53044, CVE-2024-53047, CVE-2024-53050, CVE-2024-53051, CVE-2024-53055, CVE-2024-53057, CVE-2024-53059, CVE-2024-53060, CVE-2024-53060, CVE-2024-53070, CVE-2024-53072, CVE-2024-53074, CVE-2024-53082, CVE-2024-53085, CVE-2024-53091, CVE-2024-53091, CVE-2024-53093, CVE-2024-53093, CVE-2024-53095, CVE-2024-53095, CVE-2024-53096, CVE-2024-53097, CVE-2024-53103, CVE-2024-53105, CVE-2024-53110, CVE-2024-53117, CVE-2024-53118, CVE-2024-53120, CVE-2024-53121, CVE-2024-53123, CVE-2024-53124, CVE-2024-53134, CVE-2024-53136, CVE-2024-53142, CVE-2024-53146, CVE-2024-53152, CVE-2024-53156, CVE-2024-53160, CVE-2024-53161, CVE-2024-53164, CVE-2024-53166, CVE-2024-53173, CVE-2024-53174, CVE-2024-53190, CVE-2024-53194, 
CVE-2024-53203, CVE-2024-53208, CVE-2024-53213, CVE-2024-53222, CVE-2024-53224, CVE-2024-53237, CVE-2024-53681, CVE-2024-54460, CVE-2024-56535, CVE-2024-56551, CVE-2024-56558, CVE-2024-56562, CVE-2024-56566, CVE-2024-56570, CVE-2024-56590, CVE-2024-56591, CVE-2024-56600, CVE-2024-56601, CVE-2024-56602, CVE-2024-56604, CVE-2024-56605, CVE-2024-56611, CVE-2024-56614, CVE-2024-56616, CVE-2024-56623, CVE-2024-56631, CVE-2024-56642, CVE-2024-56644, CVE-2024-56647, CVE-2024-56653, CVE-2024-56654, CVE-2024-56663, CVE-2024-56664, CVE-2024-56667, CVE-2024-56688, CVE-2024-56693, CVE-2024-56729, CVE-2024-56757, CVE-2024-56760, CVE-2024-56779, CVE-2024-56783, CVE-2024-57798, CVE-2024-57809, CVE-2024-57843, CVE-2024-57879, CVE-2024-57884, CVE-2024-57888, CVE-2024-57890, CVE-2024-57898, CVE-2024-57929, CVE-2024-57931, CVE-2024-57940, CVE-2024-58005, CVE-2024-58007, CVE-2024-58069, CVE-2024-58099, CVE-2025-21633, CVE-2025-21646, CVE-2025-21663, CVE-2025-21666, CVE-2025-21668, CVE-2025-21669, CVE-2025-21689, CVE-2025-21694, CVE-2025-21756, CVE-2025-21764, CVE-2025-21927, CVE-2025-21927, CVE-2025-21964, CVE-2025-21966, CVE-2025-21993, CVE-2025-37749
12.0p125 | GRD-100367 | libxml2 need to be updated in Guardium versions 11.x and 12.x | CVE-2024-56171, CVE-2025-24928, CVE-2022-49043
12.0p125 | GRD-101164 | PSIRT: PVR0641659 - IBM Guardium Data Protection is vulnerable to a Tomcat vulnerability | CVE-2025-31650
12.0p125 | GRD-101437 | PSIRT: PVR0645679 - 3RD PARTY: H1-3160021: 'Sensitive Information Disclosure' |
12.0p125 | GRD-101939 | MySQL Upgrade needed for April 2025 CPU | CVE-2025-21577, CVE-2025-30682, CVE-2025-30687, CVE-2025-30688, CVE-2025-21574, CVE-2025-21575, CVE-2025-30693, CVE-2025-30695, CVE-2025-30715, CVE-2025-21583, CVE-2025-21584, CVE-2025-21580, CVE-2025-21588, CVE-2025-21581, CVE-2025-21585, CVE-2025-30689, CVE-2025-21579, CVE-2025-30696, CVE-2025-30705, CVE-2025-30683, CVE-2025-30684, CVE-2025-30685, CVE-2025-30699, CVE-2025-30704, CVE-2024-13176, CVE-2025-30721, CVE-2025-30703, CVE-2025-30681
12.0p125 | GRD-102085 | PSIRT: PVR0646930 - commons-beanutils-1.9.2.jar (Publicly disclosed vulnerability found by Mend) - tomcat | CVE-2025-48734
12.0p125 | GRD-102086 | PSIRT: PVR0646930 - commons-beanutils-1.9.2.jar (Publicly disclosed vulnerability found by Mend) - datastreams | CVE-2025-48734
12.0p125 | GRD-102283 | PSIRT: PVR0649071 - kafka-clients-3.9.0.jar (Publicly disclosed vulnerability found by Mend) - datastreams | CVE-2025-27818, CVE-2025-27817
12.0p125 | GRD-102285 | PSIRT: PVR0649071 - kafka-clients-3.9.0.jar (Publicly disclosed vulnerability found by Mend) - webapps | CVE-2025-27818, CVE-2025-27817
12.0p125 | GRD-102286 | PSIRT: PVR0649071 - kafka-clients-3.9.0.jar (Publicly disclosed vulnerability found by Mend) - kafka | CVE-2025-27818, CVE-2025-27817
12.0p125 | GRD-103891 | PSIRT: PVR0653945 - commons-fileupload-1.4.jar (Publicly disclosed vulnerability found by Mend) | CVE-2025-48976

Known issues

This patch contains the following known issues.

Issue key | Summary
GRD-105394 | Error related to ojdbc8.jar while saving the Oracle Unified Audit (OUA) template configuration after complete round trip. This will be fixed in a future patch.
GRD-108485 | If the Kafka Connect services are not restarted after applying patch 12.0p125, then restart the Kafka cluster from the Kafka Cluster Management page.
GRD-108655 | After switching from the central manager to the backup central manager, the cruise control functionality present in Kafka Cluster Management will not work on the new central manager.
GRD-109618 | OUA profiles configured with limited user privileges. Workaround: Users must upload the latest OUA packages from the Universal Connector > Package Management user interface (UI) and create and install new profiles in the Datasource Management UI.
GRD-110248 | While rebooting a Kafka node machine or its UI, if the central manager is not up and reachable, the Kafka node machine tries to remove itself from an established Kafka cluster. This leads to the instability of the Kafka cluster, which affects cruise control monitoring, and hence the Kafka Dashboard is not populated. Workaround: First, start or restart the central manager. After the central manager comes up, verify that the UI is up and running fine. Then boot up the Kafka node machines.
GRD-110250 | While rebooting a Kafka node machine or its UI, if the central manager is not up and reachable, the Kafka node machine tries to remove itself from an established Kafka cluster. This leads to the instability of the Kafka cluster and potential traffic monitoring loss if universal connectors are active. Workaround: First, start or restart the central manager. After the central manager comes up, verify that the UI is up and running fine. Then boot up the Kafka node machines.
GRD-110421 | Kafka node is stuck in "Node initializing" state after restarting the Kafka cluster. Workaround: Run the GuardAPI command grdapi change_tracker_reset host=<hostname> on the central manager with the hostname of the Kafka node that is stuck in the initialization state.
GRD-110440 | After applying patch 12.0p125, the dynamic auditing policy setup on Risk Spotter is removed from the UI. Workaround: Go to Active Risk Spotter > Policy and related modules > Dynamic Auditing and select the policy that is installed on the collector from the list.
GRD-110056 | The Kafka Connect process is generating heap dumps frequently, which are consuming all available disk space in the root (/) directory by default. Workaround: Remove the heap dump file from the Kafka node and restart the Kafka node.

Document Information

Modified date: 18 September 2025

UID: ibm17242547