Release Notes
Abstract
This technical note provides guidance for installing IBM Guardium Data Protection patch 11.0p575, including any new features or enhancements, resolved or known issues, or notices associated with the patch.
Content
Patch information
- Patch file name: SqlGuard-11.0p575_Bundle_Nov_07_2025.tgz.enc.sig
- MD5 checksum: e744032b308301cd541d6f7ef386c579
Finding the patch
- Select the following options to download this patch on the IBM Fix Central website and click Continue.
- Product selector: IBM Security Guardium
- Installed version: 11.5
- Platform: All
- On the "Identify fixes" page, select Browse for fixes and click Continue.
- On the "Select fixes" page, select Appliance Bundle. Then, enter the patch information in the Filter fix details field to locate the patch.
For information about Guardium patch types and naming conventions, see the Understanding Guardium patch types and patch names support document.
Prerequisites
- Guardium 11.0p500 (see release note)
- The latest Guardium health check patch 11.0p9997
- The latest Guardium patch signing certificate on your Guardium appliance. For more information, see IBM Guardium - Patch signing certificate set to expire in March 2025.
Installation
Notes:
- This patch is an appliance bundle that includes fixes for version 11.5.
- This patch is cumulative and includes all the fixes from previously released patches.
- This patch restarts the Guardium system.
- Do not reboot the appliance while the patch install is in progress. Contact IBM Support if there is an issue with patch installation.
- When changing the password of CLI and guardcli users in the Guardium command line interface, a password strength warning appears even when strong passwords are not enabled. To remove the strong password checks, execute the CLI command store user strong_password disable.
- If you have single sign-on enabled and are upgrading from below 11.0p530, you must re-download metadata from the upgraded central manager and apply it on the identity provider.
Overview:
- Download the patch and extract the compressed package outside the Guardium system.
- Be sure to check the latest version of this patch release note online just before you install this patch.
- Pick a "quiet" or low-traffic time to install the patch on the Guardium system.
- Apply the latest health check patch.
- Install patches in a top-down manner on all Guardium systems: start with the central manager, then aggregators, then the collectors.
- Apply the latest quarterly DPS patch and rapid response DPS patch.
For information about installing patches, see Installing patches in the Guardium documentation.
Attention
Guardium appliance bundle upgrade time extended due to MySQL tables conversion
Following MySQL support requirements, most tables are converted from MyISAM to InnoDB starting with Guardium appliance bundle versions 11.0p550 and later, and versions 12.0p25 and later. Due to the large size of some tables, which are mostly static tables, the conversion might consume more time than usual during an appliance bundle upgrade. Note: Do not cancel the patch installation process. If you have any concerns, contact IBM Support. For more information, see Guardium appliance bundle upgrade time extended due to MySQL tables conversion.
Guardium sniffer certification expired on 3 March 2025
The previous sniffer default certificate expired on 3 March 2025 and you must install a Guardium appliance patch to renew the certificate. For Guardium 11.5 systems, appliance bundle patch 11.0p545 or later provides an updated certificate. For more information, see IBM Guardium sniffer certification expires March 2025.
The previous sniffer default certificate expired on 3 March 2025 and you must install a Guardium appliance patch to renew the certificate. For Guardium 11.5 systems, appliance bundle patch 11.0p545 or later provides an updated certificate. For more information, see IBM Guardium sniffer certification expires March 2025.
Guardium patch signing certificate expired on 29 March 2025
Guardium appliance patches are signed by an internal certificate to validate that the patch is created by Guardium. Unsigned patch files cannot be installed. The previous patch signing certificate for Guardium appliance patches expired on 29 March 2025.
This patch, 11.0p575, is signed by the new patch signing certificate. Therefore, to install this patch, your Guardium appliance must be prepared by installing an ad hoc or bundle patch with the fix that allows patches signed by old or new certificates to be installed. See IBM Guardium - Patch signing certificate set to expire in March 2025 and follow the steps in the "What to do after March 29th 2025" section if the patch signing certificate was not renewed.
SHA256 GIM client certificates
After applying patch 11.0p530 or later, Guardium supports SHA256 Guardium Installation Manager (GIM) certificates. This has the following implications:
After applying patch 11.0p530 or later, Guardium supports SHA256 Guardium Installation Manager (GIM) certificates. This has the following implications:
- The default certificates could be either SHA256 or SHA128, depending on the GIM server certificate setup. Custom certificates that use SHA256 are more secure and are recommended for GIM connections. Note that GIM connectivity is not interrupted after applying this patch.
- GIM only verifies bundles signed with SHA256 and requires installation of a transitional GIM bundle to support the GIM client change from SHA128 to SHA256.
For more information, see Updating Guardium Data Protection GIM clients with SHA256 certificates.
Microsoft certificates expired on 20 May 2024
Microsoft certificates (microsoftca1-4) expired on 20 May 2024. The following Guardium patches provide updated certificates:
Microsoft certificates (microsoftca1-4) expired on 20 May 2024. The following Guardium patches provide updated certificates:
- 11.3 systems that use patch 11.0p392 or later
- 11.4 systems that use patch 11.0p485 or later
- 11.5 systems that use patch 11.0p535 or later
- 12.0 systems that use patch 12.0p5 or later
Install the correct patch for your Guardium systems to use the updated certificates. For more information, see https://www.ibm.com/support/pages/node/7080145
Enhancements
This patch includes the following enhancements.
| Issue key | Summary |
|---|---|
| GRD-84384 | Improve customer visibility for patch upgrade process |
| GRD-110014 | Changes to the outliers‚ input DM from GDP - GDP side |
Resolved issues
This patch resolves the following issues.
Patch | Issue key | Summary | Known issue (APAR) |
|---|---|---|---|
| 11.0p570 | See release note for patch 11.0p570 | ||
| 11.0p575 | GRD-93414 | Missing S3 me-central-1 zone during configuration of backup | DT444696 |
| GRD-100092 | Universal connector becomes Inactive with error <Seahorse::Client::NetworkingError: 503 "Service Unavailable"> logged | DT438540 | |
| GRD-100498 | guard-DHCP error while executing "show network verify" command | DT438968 | |
| GRD-100739 | In Deployment Health Table, AWS collector shows as unavailable despite no connectivity issues between it and the central manager | DT446788 | |
| GRD-102381 | Cannot add multiple remotelog priorities - regex error in remotelog.pl | DT446553 | |
| GRD-102717 | Command 'show remotelog test' sends message with MARK priority to SIEM that was not logged to Guardium messages log file | DT446520 | |
| GRD-102722 | grdapi list_expiration_dates_for_restored_days returns ERR=3000 | DT444670 | |
| GRD-103092 | DPS file upload has wrong file name, wrong version, or wrong date | DT448785 | |
| GRD-103375 | Values Changed report shows special characters as separators between columns when downloaded to a .csv file | DT448687 | |
| GRD-103728 | Change tracker alive task might fail in LD due to lack of alive check concurrency with timeout limit | N/A | |
| GRD-104440 | fileserver not working - The url returned by the fileserver command fails to open | DT447272 | |
| GRD-105885 | Risk Spotter Not Functioning Properly and reports error "Array index out of range: 3 error" | DT448778 | |
| GRD-106406 | IBM Storage Protect client installed on Guardium appliance contains libxmlutil library that is vulnerable to several CVEs | DT448724 | |
| GRD-106949 | Unable to log in to the GUI on appliance configured to authenticate through SSO SAML | DT448715 | |
| GRD-109113 | Patch username not updated if patch is installed with 'cli' user after the patch was installed from the central manager using the Patch Distribution GUI option | DT450744 |
Security fixes
This patch contains the following security fixes.
Patch | Issue key | Summary | CVE |
|---|---|---|---|
| 11.0p570 | See release note for patch 11.0p570 | ||
11.0p575 | GRD-105568 | Tenable Scan - Zlib rpm update | CVE-2016-9840 |
| GRD-105565 | Tenable Scan - systemd rpm update | CVE-2023-26604 | |
| GRD-105655 | PSIRT: PVR0659972 - MySQL Server July 2025 CPU | CVE-2024-37891, CVE-2025-50076, CVE-2025-50077, CVE-2025-50078, CVE-2025-50079, CVE-2025-50080, CVE-2025-50082, CVE-2025-50083, CVE-2025-50084, CVE-2025-50085, CVE-2025-50086, CVE-2025-50087, CVE-2025-50088, CVE-2025-50089, CVE-2025-50091, CVE-2025-50092, CVE-2025-50093, CVE-2025-50094, CVE-2025-50095, CVE-2025-50096, CVE-2025-50097, CVE-2025-50098, CVE-2025-50099, CVE-2025-50100, CVE-2025-50101, CVE-2025-50102, CVE-2025-50103, CVE-2025-50104, CVE-2025-53023, CVE-2025-53032, CVE-2025-5399 | |
| GRD-112369 | PSIRT: PVR0682104 - cxf-core-3.5.10.jar | CVE-2025-48913 | |
| GRD-111470 | PSIRT: PVR0679977: Azure Image Permits Root Access | --- | |
| GRD-105567 | Tenable Scan - libxslt rpm update | CVE-2024-55549, CVE-2025-24855 | |
| GRD-105570 | Tenable Scan - microcode_ctl rpm update | CVE-2025-20623, CVE-2025-24495, CVE-2024-28956, CVE-2025-20012, CVE-2024-43420, CVE-2024-45332 | |
| GRD-105571 | Tenable Scan - kernel rpm update | CVE-2025-22004, CVE-2022-50066 | |
| GRD-105566 | Tenable Scan - xorg-x11-server update | CVE-2025-26594, CVE-2025-26597, CVE-2025-26598, CVE-2025-26595, CVE-2025-26596, CVE-2025-26601, CVE-2025-26599, CVE-2025-26600 | |
| GRD-101787 | Qualys Scan: xorg-x11-server rpm update | CVE-2025-26597, CVE-2025-26598, CVE-2025-26595, CVE-2025-26596, CVE-2025-26601, CVE-2025-26599, CVE-2025-26600, CVE-2025-49175, CVE-2025-49176, CVE-2025-49178, CVE-2025-49179, CVE-2025-49180, CVE-2025-26594 | |
| GRD-106820 | Tenable Scan - libxml2 rpm update | CVE-2025-32414, CVE-2025-49794, CVE-2025-49796, CVE-2025-6021 | |
| GRD-105549 | Tenable Scan - sudo rpm update | CVE-2025-32462 | |
| GRD-105442 | Tenable Scan - glibc rpm update | CVE-2025-4802 |
Known issues
This patch contains the following known issues.
| Issue key | Summary |
|---|---|
| GRD-108496 | While viewing managed unit appliance status updates within central manager, you might experience a brief delay in status updates when incomplete data syncing issues between the appliance and central manager are being identified and resolved. |
[{"Type":"MASTER","Line of Business":{"code":"LOB76","label":"Data Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"ARM Category":[{"code":"a8m3p000000PCTuAAO","label":"Platform\/Installation\/Deployment"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"11.5.0"}]
Was this topic helpful?
Document Information
Modified date:
19 November 2025
UID
ibm17251640