Release Notes
Abstract
This technical note provides guidance for installing IBM Guardium Data Protection patch 12.0p140, including any new features or enhancements, resolved or known issues, or notices associated with the patch.
Content
Patch information
- Patch file name: SqlGuard-12.0p140_Bundle_Mar_24_2026.tgz.enc.sig
- MD5 checksum: 9b52852934933d61016a06b322286423
Finding the patch
- Select the following options to download this patch on the IBM Fix Central website and click Continue.
- Product selector: IBM Security Guardium
- Installed Version: 12.1
- Platform: All
- On the "Identify fixes" page, select Browse for fixes and click Continue.
- On the "Select fixes" page, select Appliance Bundle. Then, enter the patch information in the Filter fix details field to locate the patch.
For information about Guardium patch types and naming conventions, see the Understanding Guardium patch types and patch names support document.
Prerequisites
- Guardium Data Protection 12.1 (see release note)
- The latest Guardium Data Protection health check patch 12.0p9997
Installation
Notes:
- This patch includes fixes for version 12.1.
- This patch is cumulative and includes all the fixes from previously released patches.
- This patch restarts the Guardium system.
- Do not reboot the appliance while the patch install is in progress. Contact IBM Support if there is an issue with patch installation.
- When changing the password of CLI and guardcli users in the Guardium command line interface, a password strength warning appears even when strong passwords are not enabled. To remove the strong password checks, execute the CLI command store user strong_password disable.
Overview:
- Download the patch and extract the compressed package outside the Guardium system.
- Review the latest version of the patch release note just before you install the patch.
- Pick a "quiet" or low-traffic time to install the patch on the Guardium system.
- Apply the latest health check patch.
- Install patches in a top-down manner on all Guardium systems: start with the central manager, then aggregators, then the collectors.
- Apply the latest quarterly DPS patch and rapid response DPS patch.
For information about installing Guardium Data protection patches, see How to install patches in the Guardium documentation.
Attention
Guardium patch signing certificate expired on 29 March 2025
The previous patch signing certificate for Guardium appliance patches expired on 29 March 2025. Guardium appliance patches are signed by an internal certificate to validate that the patch is created by Guardium. Unsigned patch files cannot be installed. This patch is signed by the new patch signing certificate. Therefore, to install this patch, the patch signing certificate on your Guardium appliance must first be updated. For more information, see IBM Guardium - Patch signing certificate set to expire in March 2025 or contact IBM Support.
IBM Db2 for z/OS JDBC driver update
In 12.0p115 (see release note), the IBM Db2 for z/OS JDBC driver in Guardium Vulnerability Assessment is updated to support IBM Db2 13 for z/OS, which enables TLS 1.3 and other advantages. You might need to update your IBM Db2 JDBC license. If so, test your connection in a staging environment and contact the IBM Db2 Support team if licensing issues arise. For assistance, open a case at ibm.com/mysupport.
Enhancements
This patch includes the following enhancements.
| Issue key | Summary |
|---|---|
| GRD-92922 | Upgrade AWS KCL (Kinesis Client Library) to version 2.6.1 or later to avoid known issue with shard processing. |
| GRD-115452 | Updated Java Database Connectivity (JDBC) drivers for Oracle, Microsoft SQL Server, Apache Cassandra, and Datastax Cassandra. |
Resolved issues
This patch resolves the following issues.
| Patch | Issue key | Summary | Known issue (APAR) |
|---|---|---|---|
| 12.0p7135 | This patch includes resolved issues from 12.0p7135 (see release note) | ||
| 12.0p140 | GRD-88744 | Analytic User Feedback report unavailable in Query-Report Builder | DT451550 |
| GRD-97936 | Create grdapi of store cli_userauth command | ||
| GRD-103375 | Values Changed report shows special characters as separators between columns when downloaded to a .csv file | DT448687 | |
| GRD-105885 | Risk Spotter Not Functioning Properly and reports error "Array index out of range: 3 error" | DT448778 | |
| GRD-106072 | Emails sent from the Guardium appliance to external Microsoft email accounts are not received due to bare linefeed error | DT449550 | |
| GRD-106259 | "Test Connection" on Data Archive fails with "Invalid host name" for "AMAZON S3" and "IBM COS" protocols | DT448680 | |
| GRD-108319 | Guardium does not send email alert | DT454949 | |
| GRD-108948 | VA DM stats have mismatch between number of extracted and ingested records. | ||
| GRD-109498 | Policy rule did not work correctly | DT454346 | |
| GRD-109744 | Error "The cipherlist was corrupt and has been reset to DEFAULT" after removing ciphers with store ssl_conf command | dt461729 | |
| GRD-111612 | "License key is NULL" message appears when accepting license in GUI after collector is patched to 11.0p550 if appliance language is Japanese | DT455239 | |
| GRD-112324 | Authentication error from the Alerter if the SMTP server uses NTLM and Guardium SMTP mail is configured with AUTH set, and STARTTLS on/enabled | DT458928 | |
| GRD-112333 | Executing CLI command "show csr wildcard" returns message "Error in converting privatekey to decrypted form for tomcat" | DT457503 | |
| GRD-112360 | Guardium appliance reportis HealthAnalyzeJob fails randomly with the following exception: "Error caught executing job due to some Runtime Exception" | DT457166 | |
| GRD-113244 | Query performance improvement | DT455071 | |
| GRD-113299 | The bundle exist on the GIM clients but not available on the Guardium system | DT457512 | |
| GRD-113507 | Error message "Failed to load data!" appears when clicking the Save Order button In Policy Builder for Files | DT458667 | |
| GRD-114073 | Deployment Inventory GUI screen does not display active S-TAPs | DT457937 | |
| GRD-114739 | All managed units stay in inactive state on new primary central manager after disaster recovery drill | DT459564 | |
| GRD-114851 | Installing ad-hoc patch SqlGuard-12.0p129 may cause GUI slowness and login page may fail to load | DT461463 | |
| GRD-115058 | After upgrading Guardium to version 12.2 the Risk Spotter policy disappeared | DT457592 | |
| GRD-115152 | Datastreams Event Hub config disappeared from GUI but still in TURBINE DB on central manager. | DT458319 | |
| GRD-115545 | Unable to change SCP port from the default 22 | DT458241 | |
| GRD-115876 | Custom sniffer certificate from an appliance where a backup was taken is not restored to a second appliance where the backup was restored | DT458239 | |
| GRD-116344 | Central manager reset-managed-cli command fails to reset the CLI password on all managed units | DT458396 | |
| GRD-116567 | Non-admin users able to access details about users using API calls | DT460790 | |
| GRD-117245 | Freshly built Guardium 12.2 appliance running on an HPE server shows high space consumption for the efivar file-system partition | DT463455 | |
| GRD-117260 | Undefined subroutine &main::confirm_yes_no called at /opt/IBM/Guardium/cli/subs_ciphers.pl line 545 running “grdapi secure_settings component=ciphers type=<type> disable=<cipher name>" | DT463691 | |
| GRD-117472 | OpenSSH ssh function vulnerability (CVE-2025-61984) | DT463011 | |
| GRD-117851 | Primary network NIC gets changed for a Guardium appliance using Red Hat Virtualization which leads to appliance being unreachable after 12.0p100_GPU installation | DT463173 | |
| GRD-118200 | CLI password reset is not logged into audit trail | DT463581 | |
| GRD-118871 | Installing bundle patch fails with: ERROR 1062 (23000) at line 208433: Duplicate entry <parameter name> key 'LOAD_BALANCER_PARAMS.PARAM_NAME' | DT463570 | |
| GRD-119269 | Fixed an issue affecting Amazon Kinesis data streams connection. For more information, see Appliance patch p135 causes Amazon Kinesis Data Streams capture failure. | DT462924 | |
| GRD-119286 | Enterprise S-TAP report Encrypted column contains value 9801 for Windows S-TAP, which is not expected, Expected values are TLS or Unencrypted. | DT464684 | |
| GRD-119317 | Archive s3 port setting not saved when using GRDAPI command | DT463958 | |
| GRD-119784 | Fixed CVE-2025-15467 (OpenSSL) vulnerability | DT464263 |
Security fixes
This patch resolves the following issues.
| Patch | Issue key | Summary | CVE |
|---|---|---|---|
| 12.0p7135 | This patch includes security fixes from 12.0p7135 (see release note) | ||
| 12.0p140 | GRD-112135 | PSIRT: PVR0669678, PVR0669059, PVR0696387 - netty-codec-4.1.125.Final.jar -- datastream | CVE-2025-58057, CVE-2025-67735 |
| GRD-113088 | PSIRT: PVR0682763 - bcpkix-jdk18on-1.78.1.jar (Publicly disclosed vulnerability found by Scanner) | CVE-2025-8916 | |
| GRD-114000 | PSIRT: PVR0685736 - mssql-jdbc-13.2.0.jre11.jar (Publicly disclosed vulnerability found by Scanner) | CVE-2025-59250 | |
| GRD-114008 | PSIRT: PVR0685130 - IBM SDK, Java Technology Edition Quarterly CPU - Oct 2025 - Includes Oracle October 2025 CPU | CVE-2025-53066, CVE-2025-53057 | |
| GRD-116955 | PSIRT: PVR0702018, PVR0702017 - SE - Pen Testing GDP - 2025 - 3 issues found (2 high, 1 medium) | ||
| GRD-118868 | PSIRT; PVR0709814 : Openssl rpm | CVE-2025-15467, CVE-2025-69419 | |
| GRD-119114 | PSIRT : PVR0707166 protobuf-3.18.3-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Publicly disclosed vulnerability found by Scanner) | CVE-2026-0994 | |
| GRD-119194 | PSIRT : PVR0707575 IBM Java (Publicly disclosed vulnerability found by Scanner) | CVE-2026-21945, CVE-2026-21932, CVE-2026-21933, CVE-2026-21925 | |
| GRD-119470 | PSIRT: PVR0667170 - http2-common-10.0.22.jar (Publicly disclosed vulnerability found by Mend) | CVE-2025-5115 | |
| GRD-119521 | PSIRT: PVR0712254 - azure-eventhubs-2.3.2.jar (Publicly disclosed vulnerability found by Scanner) | CVE-2020-16971 | |
| GRD-122383 | PSIRT: PVR0736740 - Pen Testing - path traversal vulnerability | ||
| GRD-122387 | PSIRT: PVR0736741 - Pen Testing - Cross-Site Scripting vulnerability | ||
| GRD-122458 | PSIRT: PVR0736742 - Pen Testing - DOM-based XSS | ||
| GRD-91110 | PSIRT: PVR0559560, PVR0571236 - multiple spring-components (Publicly disclosed vulnerability found by Mend) - webapps | CVE-2024-38820, CVE-2024-38827 |
[{"Type":"MASTER","Line of Business":{"code":"LOB76","label":"Data Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"ARM Category":[{"code":"a8m3p000000PCTuAAO","label":"Platform\/Installation\/Deployment"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"12.1.0"}]
Was this topic helpful?
Document Information
Modified date:
22 April 2026
UID
ibm17268201