Release Notes
Abstract
This technical note provides guidance for installing IBM Security Guardium Data Protection patch 12.0p15, including any new features or enhancements, resolved or known issues, or notices associated with the patch.
Content
Patch information
- Patch file name: SqlGuard-12.0p15_Bundle_Apr_23_2024.tgz.enc.sig
- MD5 checksum: fa7134a9759d00dd67ff75fe1d812b74
Finding the patch
Make the following selections to locate this patch for download on the IBM Fix Central website:
Make the following selections to locate this patch for download on the IBM Fix Central website:
- Product selector: IBM Security Guardium
- Installed version: 12.0
- Platform: All
- Click "Continue," select "Browse for fixes," and click "Continue" again.
- Select "Appliance patch (GPU and ad hoc)" and enter the patch information in the "Filter fix details" field to locate the patch.
For information about Guardium patch types and naming conventions, see the Understanding Guardium patch types and patch names support document.
Prerequisites
- The latest health check patch 12.0p9997
Installation
Notes:
- This patch is an appliance bundle that includes all fixes for 12.0 except sniffer fixes.
- This patch restarts the Guardium system.
- Do not reboot the appliance while the patch install is in progress. Contact Guardium support if there is an issue with patch installation.
- When changing the password of CLI and guardcli users in the Guardium command line interface, a password strength warning appears even when strong passwords are not enabled. To remove the strong password checks, execute the CLI command store user strong_password disable.
Overview:
- Download the patch and extract the compressed package outside the Guardium system.
- Pick a "quiet" or low-traffic time to install the patch on the Guardium system.
- Apply the latest health check patch.
- Install patches in a top-down manner on all Guardium systems: start with the central manager, then aggregators, then the collectors.
- Apply the latest quarterly DPS patch and rapid response DPS patch even if these patches were applied before the upgrade.
For information about installing Guardium Data protection patches, see How to install patches in the Guardium documentation.
Attention
Guardium GIM SHA128 certificates expire in May 2024
Guardium GIM SHA128 certificates are set to expire in May 2024. If the certificates are not renewed by the expiration date, GIM client-server communication will be affected.
Guardium GIM SHA128 certificates are set to expire in May 2024. If the certificates are not renewed by the expiration date, GIM client-server communication will be affected.
Please note that data monitoring activity through S-TAP or Universal Connector will not be disrupted.
Remediation:
- To renew GIM server (appliance) certificates, install Guardium patch 12.0p10 or later.
- After patch installation, allow a few hours for automatic distribution of the renewed GIM certificates to execute on the agents. Check status using the “GIM Certificate Deployment Status” report.
For more information about the certificate distribution mechanism, see: https://www.ibm.com/docs/en/guardium/12.0?topic=management-creating-managing-custom-gim-certificates
Refer to the following Flash alert for more information:
https://www.ibm.com/support/pages/node/7115129
https://www.ibm.com/support/pages/node/7115129
Microsoft certificates expire on May 20, 2024
Microsoft certificates (microsoftca1-4) expire on May 20, 2024. The following Guardium patches provide updated certificates:
Microsoft certificates (microsoftca1-4) expire on May 20, 2024. The following Guardium patches provide updated certificates:
- 11.3 systems use patch 11.0p392 or later
- 11.4 systems use patch 11.0p485 or later
- 11.5 systems use patch 11.0p535 or later
- 12.0 systems use patch 12.0p5 or later
Install the correct patch for your Guardium systems to use the updated certificates. For more information, see https://www.ibm.com/support/pages/node/7080145
Enhancements
This patch includes the following enhancements:
| Issue key | Summary |
|---|---|
| GRD-80768 | Add Label action parameter to action Ignore Request |
| GRD-80119 | Add verification algorithm to SERVER DATA and STATEMENT in SLP |
| GRD-79058 | Universal Connector support is required for OCI - Autonomous Databases |
| GRD-78976 | DPS 2024 Q1 |
| GRD-78598 | Upgrade or older sniffer patch should not convert tables from InnoDB back to MyISAM |
| GRD-78400 | Remove option for customers to create new MyISAM CUSTOM tables |
| GRD-78055 | Include all Custom Tables, Custom Domains, and Custom Queries when Exporting a Complete GDP Policy |
| GRD-76441 | Adv Stap Verify: Support MS SQL Cluster |
| GRD-76186 | Possibility to set flag STAP_GLOBAL_KEY by update GLOBAL_SESSION_KEY configuration parameter using GuardApi command and STAP Control. |
| GRD-75165 | Adv Stap Verify: Improve error messages - Could not reach S-TAP Host n.n.n.n |
| GRD-75105 | VA Performance Enhancement development phase 1 |
| GRD-73114 | GDP : Custom datamarts execution modes during streaming configuration |
| GRD-70440 | Custom email template for Audit process alerts |
| GRD-69928 | Performance enhancement between Central Manager and Managed Units for VA |
| GRD-67083 | Enhanced S-TAP Verification including IE Verification Status with other fixes and scenario handling |
| GRD-65057 | Investigation spike: Support for Namespaces with Hashicorp Vault integration |
| GRD-64146 | Provide alert/notification about status (different than success) of classification |
Resolved issues
This patch resolves the following issues:
| Patch | Issue key | Summary | APAR |
|---|---|---|---|
| 12.0p10 | This patch includes fixes from 12.0p10 (see release notes) | ||
| 12.0p15 | GRD-80720 | M7 appliances reboot constantly following p6003 | DT365699 |
| GRD-80246 | SMTP configuration Authentication error mails in WAIT status | DT378190 | |
| GRD-80064 | [GDP][Cosan] - Regex'es missing from Session Policies after patch aplication (p535) | DT364427 | |
| GRD-79754 | During Restore from Backup v10.6 to v11.5 Guardium tries to read the archive through an incorrect port (and does not allow modification) | DT276383 | |
| GRD-78855 | Backup restore didn't restore the SAML and CyberArk configuration from v11.5 to v12 | DT276401 | |
| GRD-78817 | In v12.0 TLS 1.0 and 1.1 are enabled and cannot be disabled | DT276324 | |
| GRD-78795 | Guardium 12.0 cause backup issue with AIX backup server | DT258902 | |
| GRD-78775 | v12 grdapi update_assessment_test bug | DT277154 | |
| GRD-78417 | Archive fails after deleting scplog.log using diag utility | DT259993 | |
| GRD-78416 | Increase mysql-error.log history and include all in must gather | -- | |
| GRD-78382 | Enable port 8444 to be disabled even if GIM clients are registered | -- | |
| GRD-78308 | v12 failed at post install action - Migrator check | DT276355 | |
| GRD-78031 | Unit Utilization is very high | DT276388 | |
| GRD-77659 | Include GIM_SYSTEM_MODULES in deploy_agent Must Gather | -- | |
| GRD-77615 | Deployment Health Table - disk space status does not get reset after a disk full condition has been resolved | DT259580 | |
| GRD-77581 | enabled auto_install_on_db_server_os_upgrade=1 S-TAP not running | DT276403 | |
| GRD-77579 | Resource deployment on Central Manager doesn't show all MongoDB servers (Monitored by UC) | DT276393 | |
| GRD-77523 | Aliasing is not working for Health Deployment table | GA18499 | |
| GRD-77441 | Importing WIN GIM/STAP Bundles Resulted in "Unexpected error ocurred. Please contact the system administrator during import" | DT276407 | |
| GRD-77411 | CVE- Scan Results for oracle 19.17. 0.0.0 Version | DT257073 | |
| GRD-77003 | Archive failing with Error:1815; Message:Internal error: Failed to generate partition syntax,MESSAGE_TEXT | DT277206 | |
| GRD-76970 | TSM Vulnerability Mitigation | DT258503 | |
| GRD-76913 | Error in disabling custom Java ciphers | DT270396 | |
| GRD-76624 | V11.5 Clicking "Search Users" button in "Audit Process To-Do List" Page Always Returned Error | GA18482 | |
| GRD-76021 | Ciphers re-enabled after installing V11 P530 | GA18483 | |
| GRD-76012 | Adv Stap Verify: java.net.UnknownHostException: <string>: Name or service not known | DT259362 | |
| GRD-75831 | Account lockout configuration is getting reset to default after every GPU patch installation | DT259386 | |
| GRD-75781 | Adv Stap Verify: "handshake failed": unable to find valid certification path to requested target | DT259356 | |
| GRD-74765 | java.lang.ArrayIndexOutOfBoundsException error when classification is run on some tables | DT270218 | |
| GRD-74216 | Sniffer Crashing - Session inference query | DT259811 | |
| GRD-74093 | Snowflake VA report run long time and eventually time out | DT270085 | |
| GRD-72998 | Qualys Reports Vulnerability on Guardium port 3129 | DT259327 | |
| GRD-72735 | V11.3 upgrade to V11.5: Issue to send reports under SNMP message type after applied patches P520/P4057. | DT270196 | |
| GRD-71384 | Adv Stap Verify: java.lang.Exception: Too Many records returned | DT259358 | |
| GRD-70966 | Aggregator Query Performance | DT276414 | |
| GRD-65026 | After cli password expires when changing to new password guardium cli forces to change the password twice instead of once | GA18118 |
Known limitations
This patch contains the following known limitations:
| Issue key | Summary |
|---|---|
| GRD-82833 | Do not install this patch if you're using GCP, OCI, Azure. The fixes for these users will be delivered through a separate patch. AWS is not affected. |
| GRD-80777 |
To use Azure Mysql Universal connector plugin you need to upload the plugin before you configure the connection.
|
| GRD-81400 |
If customer has cloudwatch_logs Universal connector plugin configured to work with "role_arn" then user needs to upload "offline-logstash-input-cloudwatch_log_1_0_5.zip", follow relevant README for more details.
|
Security fixes
This patch contains the following security fixes:
| Issue key | Summary | CVEs |
|---|---|---|
| 12.0p6005 | This patch includes fixes from 12.0p6005 and all previous ones (see release notes) | |
| GRD-79312 | PSIRT: PVR0468086, PVR0472300,PVR0480239, PVR0473509-- kernel upgrade required | CVE-2023-5345, CVE-2023-5633, CVE-2023-1192, CVE-2023-6679 |
| GRD-79308 | PSIRT: PVR0484990,PVR0476693,PVR0484985 -- Gnu GnuTLS upgrade required | CVE-2024-0553, CVE-2024-0567, CVE-2023-5981 |
| GRD-79284 | PSIRT: PVR0466432 - [All] kernel - CVE-2023-42753 (Publicly disclosed vulnerability) | CVE-2023-42753 |
| GRD-78874 | PSIRT: PVR0482970, PVR0470863, PVR0470250 - Multiple RPM updates needed for vulnerable components - 11.x and 12.0 | CVE-2023-6377, CVE-2023-5367, CVE-2023-6478, CVE-2022-3550, CVE-2022-4283, CVE-2022-46340, CVE-2022-46341, CVE-2022-46342, CVE-2022-46343, CVE-2022-46344, CVE-2023-0494, CVE-2023-1393, CVE-2023-46847, CVE-2020-22218, CVE-2023-34058, CVE-2023-34059, CVE-2023-3611, CVE-2023-3776, CVE-2023-4206, CVE-2023-4207, CVE-2023-4208 |
| GRD-78257 | PSIRT: PVR0475474 - [All] PostgreSQL - CVE-2023-5869 (Publicly disclosed vulnerability) | CVE-2023-5869 |
| GRD-78200 | PSIRT: PVR0475474, PVR0475502, PVR0475446 - [All] PostgreSQL - CVE-2023-5869 (Publicly disclosed vulnerability) | CVE-2023-5869, CVE-2023-5870, CVE-2023-5868 |
| GRD-77917 | PSIRT: PVR0477215, PVR0476180 - reactor-netty-1.0.24.jar (Publicly disclosed vulnerability found by Mend) - datastreams |
CVE-2023-34054,
CVE-2023-34062
|
| GRD-77429 | PSIRT: PVR0476700, PVR0476723 - IBM Security Guardium is vulnerable to multiple vulnerabilities in open-vm-tools component |
CVE-2023-34059,
CVE-2023-34058
|
| GRD-77311 | PSIRT: PVR0476001 - IBM Security Guardium is vulnerable to a Out of Bounds vulnerability | CVE-2023-5367 |
| GRD-77266 | PSIRT: PVR0475695- IBM SDK, Java Technology Edition Quarterly CPU - Oct 2023 |
CVE-2023-22081,
CVE-2023-22067,
CVE-2023-5676,
CVE-2023-22025
|
| GRD-76927 | PSIRT: PVR0474271 - SE - Pen Testing On-prem - October, 2023 - GIM module upload functionality can be used to upload any file | CVE-2023-47711 |
| GRD-76918 | PSIRT: PVR0474272 - SE - Pen Testing On-prem - October, 2023 - Privilege escalation from tomcat to root (server_receiver.pl) | CVE-2023-47712 |
| GRD-76398 | Upgrade of BigFix client needed for appliances |
CVE-2022-22576,
CVE-2022-27544,
CVE-2022-27545,
CVE-2022-27775,
CVE-2022-27776
|
| GRD-76367 | PSIRT: PVR0468745 - http2-common-9.4.44.v20210927.jar (Publicly disclosed vulnerability found by Mend) - datastreams | CVE-2023-44487 |
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"ARM Category":[{"code":"a8m3p000000PCTuAAO","label":"Platform\/Installation\/Deployment"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
22 May 2024
UID
ibm17149993