IBM Support

Release of QRadar 7.2.3 patch 3 (7.2.3.931999)

Release Notes


Abstract

A list of the installation instructions and fixes for IBM Security QRadar 7.2.3 patch 3 (7.2.3.931999).

Content

If your deployment is installed with QRadar 7.1 MR2 or later, you can install fix pack 7.2.3-QRADAR-QRSIEM-931999.

Note: The 7.2.3-QRADAR-QRSIEM-931999 fix pack can upgrade QRadar 7.1 MR2 and above to the latest software version. However, this document does not cover all of the installation messages and requirements. For information on upgrading from QRadar 7.1 MR2 to QRadar 7.2, see http://www.ibm.com/support/docview.wss?uid=swg27038439.


Before you begin

Ensure that you take the following precautions:

  • Back up your data before you begin any software upgrade. For more information about backup and recovery, see the IBM Security QRadar Administration Guide.
  • To avoid access errors in your log file, close all open QRadar sessions.
  • The fix pack for QRadar cannot be installed on a managed host that is at a different software version from the Console. All appliances in the deployment must be at the same software revision to patch the entire deployment.
  • Verify that all changes are deployed on your appliances. The patch cannot install on appliances that have changes that are not deployed.

About this task

Fix packs are cumulative software updates to fix known software issues in your QRadar deployment. QRadar fix packs are installed by using an SFS file. The fix pack can update any appliance that is attached to the QRadar Console that is at the same software version as the Console.


Procedure

    1. Download the fix pack 7.2.3-QRADAR-QRSIEM-931999 from the IBM Fix Central website: https://ibm.biz/BdFPyY (IBM shortened link to the download this Fix Pack)
    2. Using SSH, log in to your system as the root user.
    3. Copy the fix pack to the /tmp directory on the QRadar Console.
      Note: If space in the /tmp directory is limited, copy the fix pack to another location that has sufficient space.
    4. To create the /media/updates directory, type the following command: mkdir -p /media/updates
    5. Change to the directory where you copied the patch file. For example, cd /tmp
    6. To mount the patch file to the /media/updates directory, type the following command:
      mount -o loop -t squashfs 723_QRadar_patchupdate-7.2.3.931999.sfs /media/updates
    7. To run the patch installer, type the following command:
      /media/updates/installer

      The first time that you run the fix pack, there might be a delay before the fix pack installation menu is displayed.
    8. Using the patch installer, select all.

      The all option updates the software on all systems in your deployment. In HA deployments, primary HA appliances are patched and replicate the patch update to the secondary HA appliance.

      If you do not select the all option, you must copy the update to each appliance in your deployment and install the fix pack. If you manually install fix packs in your deployment, you must update your appliances in the following order:

      1. Console
      2. Event Processors
      3. Event Collectors
      4. Flow Processors
      5. Flow Collectors

      If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the patch installation resumes.
    9. After the install completes, administrators and users should clear their browser cache before logging in to the Console.

Results

A summary of the fix pack installation advises you of any managed host that were not updated. If the fix pack fails to update a managed host, you can copy the fix pack to the host and run the installation locally.

After all hosts are updated, administrators can send an email to their team to inform them that they will need to clear their browser cache before logging in to the QRadar SIEM interface.

Resolved issues



Since QRadar 7.2.3 patch 3 is a cumulative release, the release notes listed below include fixes assigned to 7.2.3 and the issues resolved in 7.2.3 patch 1 and 7.2.3 patch 3.

Issues resolved in 7.2.3 patch 3
Number Description
IV54177CPU LOAD MIGHT BE EXCEPTIONALLY HIGH WHEN HOSTCONTEXT STARTS DISK MAINTENANCE ON A CONSOLE OR A MANAGED HOST.
IV54633EVENTS AND FLOWS STOP COMING IN WHEN THE SNMP DAEMON IS ENABLED
IV59932ARIELSEARCH FORM MAY NOT LOAD ON CHROME - SYSTEM ERROR BOX "THERE WAS A PROBLEM HANDLING THE RESPONSE FROM THE SERVER..."
IV61368NULLPOINTEREXCEPTION LOADING CUSTOM EVENT PROPERTIES
IV61872WINCOLLECT "LAST HEART BEAT" NO LONGER UPDATING AFTER UPGRADING TO WINCOLLECT 7.2
IV62701REIMPLEMENT VIS DISCOVERY EVENTS
IV62924SHARED SAVED SEARCHES ADD THE USERNAME OF THE SEARCH CREATOR TO THE BEGINNING OF THE SAVED SEARCH NAME.
IV63343A LOG SOURCE EXTENSION (LSX) THAT CONTAINS A MATCHER WITH NO FIELD WILL CAUSE DSM PARSING FAILURES
IV63344QRADAR UI ALLOWS THE IMPORTING OF AN LSX WITH AN INVALID MATCHER FIELD NAME
IV63345ERROR MESSAGE "INVALID BACKUP ARCHIVE" WHEN TRYING TO RESTORE A CONFIG BACKUP
IV63366TXSENTRY MESSAGES CAUSED BY AN ASSET DATABASE TABLE THAT IS ALLOWED TO GROW TOO LARGE FOR QVM
IV63371SOME OF THE DROP DOWN OPTIONS IN THE RULE RESPONSE, RULE ACTION, MAGNITUDE ADJUSTMENTS DO NOT WORK
IV64142GENERATED REPORTS CONTAIN NO DATA WHEN THE REPORT CONTAINS A CUSTOM PROPERTY WHICH WAS DELETED
IV64300GREATLY REDUCED QRADAR USER INTERFACE RESPONSIVENESS DUE TO NULL POINTER EXCEPTION
IV64746PATCHING AN XX28 CONSOLE WILL COMPLETE BUT WITH ERRORS
IV64748QVM - RUNNING SCANS USING CENTRALIZED CREDENTIALS CAUSES MULTIPLE COPIES OF AUTHENTICAED SCAN TOOLS
Issues resolved in 7.2.3 patch 2
Number Description
IV63729EMPTY TIMESERIES AND REPORTS WHERE RESULTS OF ACCUMULATED DATA ARE EXPECTED
IV63857THE 'DOES NOT EQUAL' SEARCH FILTER FOR LOG SOURCE GROUPS RETURNS RESULTS WHEN IT SHOULD NOT
IV63936ROOT FILESYSTEM MAY FILL ON MANAGED HOSTS DUE TO QVM RPMS
IV64155UNABLE TO LOAD SAVED SEARCHES THAT WERE CREATED PRIOR TO PATCHING
Issues resolved in 7.2.3 Patch 1
Number Description
IV63725OUT OF MEMORY SYSTEM NOTIFICATION MESSAGES CAUSED BY ASSETPROFILER
Issues resolved in 7.2.3
Number Description
IV40246BACKUP UNABLE TO DETERMINE DISK SPACE ON PARTITIONS WITH FILESYSTEM IN THE NAME
IV42534WHEN RUNNING SETUP -T PRETEST BEFORE UPGRADING TO QRADAR SIEM 7.1, IT MAY SET A LOGGING DIRECTORY TO THE INCORRECT VERSION
IV46482THE ECS SERVICE MIGHT DISPLAY AN ERROR WHEN A DNS LOOKUP OCCURS ON A HOST NAME THAT MAPS TO MORE THAN 100 IP ADDRESSES.
IV48470ACTIVE DIRECTORY AUTHENTICATION DELAYS OCCUR WHEN UDP COMMUNICATION IS BLOCKED
IV49239HOSTCONTEXT AND AUTOUPDATEDEPLOY SERVICES MIGHT START ECS AT THE SAME TIME
IV49256OFFENSES REPORTS MIGHT DISPLAY MULTIPLE (N) INCORRECTLY
IV50351'SYSTEM ERROR' POPUP MESSAGE IN QRADAR SIEM 7.2.0 WHEN OPENING VULNERABILITY DETAILS PANEL
IV50570DASHBOARD TIME SERIES GRAPHS MIGHT DISPLAY INCORRECT DATA SETS
IV50571SNMP RESPONSE IN AN OFFENSE RULE MIGHT FAIL
IV50734PATCHING A 7.2 HA SYSTEM MIGHT FAIL DUE TO TIMING ISSUE
IV54266LOG SOURCE GROUPING REMOVED WHEN USER IS DELETED
IV54289"ACCUMULATED DATA IS NOT AVAILABLE" ERROR IN GENERATED REPORT ONLY WHEN USING TABLE VIEW
IV54484ROUTING RULES INTERFACE MIGHT NOT DISPLAY CORRECTLY WHEN THE RULE CONTAINS A BACKSLASH (\) CHARACTER.
IV54494REPORTS MAY FAIL TO BE EMAILED BY THE SYSTEM IF THE SIZE OF THE GENERATED REPORT EXCEEDS 10 MB.
IV54495HIGH-AVAILABILITY SECONDARY SYSTEMS IN STANDBY MODE MIGHT ACCUMULATE LOG FILES AND EXPERIENCE HIGH DISK USAGE
IV54517THE EVENT DETAILS PAGE IS NOT SHOWING THE CORRECT IDENTITY IP FOR THE RELATED ASSET
IV54650REPORTS THAT USE THE INCLUDE LINK TO REPORT CONSOLE CHECK BOX MIGHT GENERATE A CERTIFICATE ERROR.
IV54684ARIELCLIENT COMMANDS RETURNING A STRING|VALUE INSTEAD OF JUST THE VALUE
IV54689HA SECONDARY APPLIANCE WITH ISCSI MIGHT EXPERIENCE AN ISSUE WHERE THE SECONDARY SYSTEM GOES OFFLINE AFTER AN HOUR.
IV55697WINCOLLECT - APPLICATION ERROR WHEN ADDING NEW LOG SOURCES FROM GROUP
IV55746OFFENSE RULE SNMP TRAP MISSING DATASOURCE_ID AND DATASOURCE_NAME
IV56400VULNERABILITY COUNT FOR ASSET SOMETIMES SHOWS 0 EVEN THOUGH THE ACTUAL COUNT IS NOT 0
IV56797SPECIAL CHARACTERS SUCH AS AMPERSAND CANNOT BE ESCAPED IN RULE
IV57314UNABLE TO SORT ON ASSET DETAIL USER LIST SCREEN, COLUMNS CANNOT BE SORTED IN ASCENDING ORDER OR DESCENDING ORDER
IV57315UPDATE MEMORY AND DISK SPACE REQUIREMENTS DOCUMENTATION WITH CORRECT 1299 MEMORY REQUIREMENTS
IV57319OFFENSE SEARCH WITH SOURCE IP SPECIFIED IN SEARCH PARAMETER DOES NOT RETURN OFFENSES THAT HAVE MULTIPLE SOURCE IP
IV57322OFFENSE "REASON FOR CLOSING" WINDOW IS NOT DISPLAYED FROM PAGES INCLUDES OFFENSECATEGORYLIST, OFFENSERULELIST, ETC.
IV58665APPLICATION ERROR IN SYSTEM AND LICENSE MANAGEMENT DETAILS PANEL
IV59086EVENTTHROTTLEFILTERQUEUE ON DISK CHUNK SIZE IS TOO SMALL RESULTING IN ECS PIPELINE FAILURE AND SHUTDOWN
IV59162WHEN CUSTOMIZING THE RIGHT-CLICK MENU THE USER CAN STILL ACCESS OPTIONS WITHOUT THE CAPABILITIES DEFINED IN THE USER ROLE
IV59166XSS VULNERABILITY - GET METHOD
IV59182CONFIGURATION RESTORE CAN FAIL ON A SYSTEM MIGRATED FROM 7.0 - BROKEN TRIGGERS LEFT HANGING AROUND
IV59741COALESCING EVENTS OPTION MISSING FROM SYSTEM SETTINGS IN QRADAR LOG MANAGER
IV59954TWO CHARACTER USER NAMES NOT ALLOWED IN QVM SCAN SETUP
IV60000CRE 'LOCAL NETWORK' TEST SHOULD CHECK BOTH SIDES OF A SUPERFLOW
IV60231ORDERBY TABLE ALIAS INCORRECTLY DEFINED IN SNMPEVENT.CREATEEVENTFROMOFFENSE
IV60572HTTP-ONLY KEYWORDS NOT SET IN COOKIES
IV60579SEARCH CRITERIA FOR INACTIVE OFFENSES DOES NOT FUNCTION AS DOCUMENTED FROM THE OFFENSES SEARCH SCREEN
IV60746QRADAR IS USING AN OLDER VERSION OF WEBMIN
IV60998SYSTEM NOTIFICATIONS CAN STRESS TOMCAT IN EXTREME CASES
IV61258SQL EXCEPTION IN OFFENSE TAB
IV61369EVENT EXPORT FOR CSV OR XML MISSING FIRST COLUMN
IV61741RULES THAT ACCESS REFERENCE SET DATA MAY CAUSE SYSTEM PERFORMANCE DEGRADATION MESSAGES
IV61745EVENT PARSING ORDER NOT PROPERLY RESPECTED BY THE EVENT PIPELINE AFTER PARSING ORDER IS CHANGED
IV61915SEARCH FAILURES DUE TO /STORE/ARIEL/PERSISTENT_DATA PARTITION BECOMING FULL
IV61915SEARCH FAILURES DUE TO /STORE/ARIEL/PERSISTENT_DATA PARTITION BECOMING FULL
IV62007VULNERABILITY RHSA-2014-0164
IV62698FORENSICS/PCAP IPTABLES LINE NUMBER ERROR PREVENTS RULE UPDATES
IV63101PAIRED CONSOLE HA PRIMARY AND SECONDARY APPLIANCES MAY EXPERIENCE HIGH DISK LOAD
IV63102THE QRADAR UI SESSION MAY NOT REQUIRE LOGIN RE-AUTHENTICATION IN SOME SESSION TIMEOUT INSTANCES
IV63115IF A REFERENCE SET IS NOT FOUND WHEN CALLED BY A RULE, ANY SUBSEQUENT REFERENCE SETS WILL NOT BE CALLED
IV63116EMPTY REFERENCE SETS FROM EARLIER QRADAR REVISIONS THAT ARE MIGRATED DURING A PATCH CANNOT BE USED/REFERENCED
IV63119AN ERROR MESSAGE APPEARS WHEN TRYING TO OPEN THE "MANAGE SEARCH RESULTS" SCREEN
IV63121"LAST SEEN ACTIVE" FOR ASSETS WITH SERVICES REMAINS BLANK AFTER AN INITIAL VA SCAN, BUT POPULATES AFTER A SUBSEQUENT SCAN



Where do I find more information?
If you have additional questions or some of this content is not clear, you can see the QRadar forum or contact customer support:

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Documentation","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.2","Edition":"All Editions","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
10 May 2019

UID

swg27043495