Release of Guardium Data Protection patch 11.0p550

Release Notes

Abstract

This technical note provides guidance for installing IBM Guardium Data Protection patch 11.0p550, including any new features or enhancements, resolved or known issues, or notices associated with the patch.

Content

Patch information

Patch file name: SqlGuard-11.0p550_Bundle_Sep_28_2024.tgz.enc.sig
MD5 checksum: b0c6e3327f5476e7b09aa0e112f12b79

Finding the patch

Select the following options to download this patch on the IBM Fix Central website and click Continue.
- Product selector: IBM Security Guardium
- Installed Version: 11.0
- Platform: All
On the "Identify fixes" page, select Browse for fixes and click Continue.
On the "Select fixes" page, select Appliance patch (GPU and Ad-Hoc). Then, enter the patch information in the Filter fix details field to locate the patch.

For information about Guardium patch types and naming conventions, see the Understanding Guardium patch types and patch names support document.

Prerequisites

Guardium 11.0p500 (see the 11.0p500 release notes for more information)
The latest health check patch 11.0p9997

Installation

Notes:

This patch is an appliance bundle that includes all fixes for 11.5 except sniffer fixes.
This patch is cumulative and includes all the fixes from previously released patches.
This patch restarts the Guardium system.
Do not reboot the appliance while the patch install is in progress. Contact IBM Support if there is an issue with patch installation.
When changing the password of CLI and guardcli users in the Guardium command line interface, a password strength warning appears even when strong passwords are not enabled. To remove the strong password checks, execute the CLI command store user strong_password disable.
If you have single sign-on enabled and are upgrading from below 11.0p530, you must re-download metadata from the upgraded central manager and apply it on the identity provider.

Overview:

Download the patch and extract the compressed package outside the Guardium system.
Be sure to check the latest version of this patch release notes online just before you install this patch.
Pick a "quiet" or low-traffic time to install the patch on the Guardium system.
Apply the latest health check patch.
Install patches in a top-down manner on all Guardium systems: start with the central manager, then aggregators, then the collectors.
Apply the latest quarterly DPS patch and rapid response DPS patch even if these patches were applied before the upgrade.

For information about installing Guardium Data protection patches, see How to install patches in the Guardium documentation.

Attention

Guardium appliance bundle upgrade time extended due to MySQL tables conversion

Following MySQL support requirements, most tables are converted from MyISAM to InnoDB starting with Guardium appliance bundle versions 11.0p550 and later, and versions 12.0p25 and later. Due to the large size of some tables, which are mostly static tables, the conversion might consume more time than usual during an appliance bundle upgrade. Note: Do not cancel the patch installation process. If you have any concerns, contact IBM Support.

For more information, see Guardium appliance bundle upgrade time extended due to MySQL tables conversion.

Renewed Guardium patch signing certificate
Guardium appliance patches are signed by an internal certificate to validate that the patch is created by Guardium. Unsigned patch files cannot be installed. This patch is signed by a new patch signing certificate. Therefore, to install this patch, the patch signing certificate on your Guardium appliance must first be updated by installing ad hoc patch 11.0p1057 (see release note) or an appropriate appliance bundle listed in the IBM Guardium - Patch signing certificate set to expire in March 2025 support document.

Guardium sniffer certification expires on 3 March 2025
The current sniffer default certificate will expire on 3 March 2025 and you must install a Guardium appliance patch to renew the certificate. For Guardium 11.5 systems, appliance bundle patch 11.0p545 or later provides an updated certificate. For more information, see IBM Guardium sniffer certification expires March 2025.

SHA256 GIM client certificates
After applying patch 11.0p530 or later, Guardium supports SHA256 Guardium Installation Manager (GIM) certificates. This has the following implications:

The default certificates could be either SHA256 or SHA128, depending on the GIM server certificate setup. Custom certificates that use SHA256 are more secure and are recommended for GIM connections. Note that GIM connectivity is not interrupted after applying this patch.
GIM only verifies bundles signed with SHA256 and requires installation of a transitional GIM bundle to support the GIM client change from SHA128 to SHA256.

For more information, see Updating Guardium Data Protection GIM clients with SHA256 certificates.

Microsoft certificates expired on 20 May 2024
Microsoft certificates (microsoftca1-4) expired on 20 May 2024. The following Guardium patches provide updated certificates:

11.3 systems that use patch 11.0p392 or later
11.4 systems that use patch 11.0p485 or later
11.5 systems that use patch 11.0p535 or later
12.0 systems that use patch 12.0p5 or later

Install the correct patch for your Guardium systems to use the updated certificates. For more information, see https://www.ibm.com/support/pages/node/7080145

Enhancements

This patch includes the following enhancements.

Issue key	Summary
GRD-81705	During system config backup, all certificates from the Guardium appliance are added to the backup file. Those certificates are restored on a Guardium 12.1 or later appliance by running the restore backup command from the CLI.
GRD-84656	Add CERTIFICATE_EXPIRATION parameter to the generate_ssl_key_universal_connector API

Resolved issues

This patch resolves the following issues.

Patch	Issue key	Summary	APAR
11.0p545		See the 11.0p545 release notes for more information
11.0p550	GRD-79722	Support server feature missing on 11.5 appliance
	GRD-80681	CVE test fails for Sybase 15.7SP#141 recommending to install SP#141 that is already installed	DT380819
	GRD-81148	EMEA-Import job failing on aggregator	DT386513
	GRD-81863	100% CPU usage on multiple collectors after 11.0p535 upgrade	DT394196
	GRD-81913	EMEA-Guardium taking old CEF-ArcSight template	DT390815
	GRD-82017	Venafi commands failing on Guardium appliances 11.4 and 11.5	DT394191
	GRD-82299	Custom GIM certificates managed by Venafi. Unable to complete the setup.	DT393955
	GRD-82527	Issue in central manager CLI. Failed to query server: Connection timed out	DT392818
	GRD-82556	grdapi export_config type=remotelog not working when pushing to group	DT391870
	GRD-82731	p1234 needing to be installed more than once on central manager	DT391476
	GRD-82825	SNMP alerts are Failed to Send to SNMP (Tivoli Netcool Omnibus) - All Guardium appliances	DT392864
	GRD-82881	Health analyzer job runtime exception	DT390044
	GRD-82989	EMEA-CLI store system SNMP versions 2 and 3 both show as enabled	DT392878
	GRD-83014	Managed unit's audit process run stopped after central manager "Distribute Uploaded Jar Files"	DT386932
	GRD-83064	Unable to delete config from UI, since config was not present in /var/IBM/Guardium/uc/config
	GRD-83537	cli_userauth appliance attempting to renew UNIX password	DT392817
	GRD-83664	NIC not recognized after p535 on M7 physical appliance	DT396979
	GRD-83759	Version 11.5 aggregator MySQL occasionally crashed during data archive	DT392751
	GRD-83801	GIM bundles show status not available on Guardium system and missing version data	DT393161
	GRD-84021	Make instance name optional for dynamic Microsoft SQL Server data source definition
	GRD-84446	gdmmonitor script for Postgres on Amazon Relational Database Service (RDS) runs into an error

Security fixes

This patch contains the following security fixes.

Patch	Issue key	Summary	CVE
11.0p6509		See the 11.0p6509 release notes for more information
11.0p550	GRD-76934	SE - Pen Testing On Prem - October 2023 - Components have known vulnerabilities with proof of concept exploits - platform
	GRD-82306	PSIRT: PVR0507058 zlib-v1.2.12 (publicly disclosed vulnerability found by Mend)	CVE-2022-37434
	GRD-82996	PSIRT: PVR0510300 - bcprov-jdk15on-1.56.jar (publicly disclosed vulnerability found by Mend) - webapps, gimserver
	GRD-82997	PSIRT: PVR0510300 - bcprov-jdk15on-1.56.jar (publicly disclosed vulnerability found by Mend) - datastreams
	GRD-82998	PSIRT: PVR0510300 - bcprov-jdk15on-1.56.jar (Publicly disclosed vulnerability found by Mend) - solr
	GRD-83492	PSIRT: PVR0506186, PVR0510604, PVR0510640, PVR0510586, PVR0510622 - [All] GNU glibc - CVE-2024-2961, CVE-2024-33599 (publicly disclosed vulnerability)	CVE-2024-2961 CVE-2024-33599 CVE-2024-33600 CVE-2024-33601 CVE-2024-33602
	GRD-84116	PSIRT: PVR0498203 and PVR0498442 - ZooKeeper - Kafka	CVE-2017-5637 CVE-2018-8012 CVE-2019-0201 CVE-2023-44981 CVE-2024-23944
	GRD-85072	botan-1.10.5-01.el7.x86_64 rpm has vulnerabilities	CVE-2015-5726 CVE-2015-5727 CVE-2015-7824 CVE-2015-7825 CVE-2015-7826 CVE-2015-7827 CVE-2016-2194 CVE-2016-2195 CVE-2016-6878 CVE-2016-9132

[{"Type":"MASTER","Line of Business":{"code":"LOB76","label":"Data Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"ARM Category":[{"code":"a8m3p000000PCTuAAO","label":"Platform\/Installation\/Deployment"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"11.5.0"}]

Tips

Release of Guardium Data Protection patch 11.0p550

Release Notes

Abstract

Content

Was this topic helpful?

Document Information

UID

Share your feedback

Need support?