Release of QRadar 7.2.7 Patch 3 (7.2.7.20160906164309)

Release Notes

Abstract

This release note describes the fixed issues and installation procedures for IBM Security QRadar 7.2.7 Patch 3 (7.2.7.20160906164309).

Content

About

QRadar 7.2.7 Patch 3 resolves 14 issues reported in previous released of QRadar 7.2.7. The update must be installed on the Console first, then all other appliances can be updated. Administrators can use the patch 'ALL' option to upgrade the entire deployment.

Prerequisites

If your deployment is installed with QRadar 7.2.4 (any patch level) or later, you can install fix pack 7.2.7-QRADAR-QRSIEM-20160906164309.

Note: The 7.2.7-QRADAR-QRSIEM-20160906164309 fix pack can upgrade QRadar 7.2.4 to 7.2.6 (any patch level) and above to the latest software version. However, this document does not cover all of the installation messages and requirements. For information on upgrading from QRadar 7.2.4 or later, see the QRadar Upgrade Guide.

Before you begin

Ensure that you take the following precautions:

Back up your data before you begin any software upgrade. For more information about backup and recovery, see the IBM Security QRadar Administration Guide.
To avoid access errors in your log file, close all open QRadar sessions.
The fix pack for QRadar cannot be installed on a managed host that is at a different software version from the Console. All appliances in the deployment must be at the same software revision to patch the entire deployment.
Verify that all changes are deployed on your appliances. The patch cannot install on appliances that have changes that are not deployed.

About this task

Fix packs are cumulative software updates to fix known software issues in your QRadar deployment. QRadar fix packs are installed by using an SFS file. The fix pack can update any appliance that is attached to the QRadar Console that is at the same software version as the Console.

Procedure

Download the fix pack 7.2.7-QRADAR-QRSIEM-20160906164309 from the IBM Fix Central website: http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.2.0&platform=Linux&function=fixId&fixids=7.2.7-QRADAR-QRSIEM-20160906164309&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc
Using SSH, log in to your system as the root user.
Copy the fix pack to the /tmp directory on the QRadar Console.

Note: If space in the /tmp directory is limited, copy the fix pack to another location that has sufficient space.
To create the /media/updates directory, type the following command: mkdir -p /media/updates
Change to the directory where you copied the patch file. For example, cd /tmp
To mount the patch file to the /media/updates directory, type the following command:
mount -o loop -t squashfs 727_QRadar_patchupdate-7.2.7.20160906164309.sfs /media/updates
To run the patch installer, type the following command: /media/updates/installer
Note: The first time that you run the fix pack, there might be a delay before the fix pack installation menu is displayed.
Using the patch installer, select all.

The all option updates the software on all appliances in the following order:

1. Console
2. Event Processors
3. Event Collectors
4. Flow Processors
5. Flow Collectors
If you do not select the all option, you must select your Console appliance.

As of QRadar 7.2.6 Patch 3 and later, administrators are only provided the option to update all or update the Console appliance as the managed hosts are not displayed in the installation menu. After the Console is patched, a list of managed hosts that can be updated is displayed in the installation menu. This change was made starting with QRadar 7.2.6 Patch 3 to ensure that the Console appliance is always updated before managed hosts to prevent upgrade issues.

If administrators want to patch systems in series, they can update the Console first, then copy the patch to all other appliances and run the patch installer individually on each managed host. The Console must be patched before you can run the installer on managed hosts.

If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the patch installation resumes.

After the patch completes and you have exited the installer, type the following command: umount /media/updates
Administrators and users should clear their browser cache before logging in to the Console.

Results
A summary of the fix pack installation advises you of any managed host that were not updated. If the fix pack fails to update a managed host, you can copy the fix pack to the host and run the installation locally.

After all hosts are updated, administrators can send an email to their team to inform them that they will need to clear their browser cache before logging in to the QRadar SIEM interface.

Resolved issues

As QRadar 7.2.7 Patch 3 is a cumulative release, the release notes listed below include additional tables for issues resolved in previous 7.2.7 patch updates. Note: Some APAR links in the table below might take 24 hours to display properly after a software release.

**Issues resolved in 7.2.7 Patch 3**
Product	Number	Description
QRADAR VULN. MANAGER	IV83769	NAVIGATING TO THE 'MY ASSIGNED VULNERABILITIES' SCREEN CAN HANG AND THE USER INTERFACE CAN BECOME INACCESSIBLE
QRADAR	IV84648	SINGLE SHARED DASHBOARD FROM A USER ROLE DISPLAYS FOR ALL MEMBERS OF THE USER ROLE WHEN THEY LOGIN
QRADAR	IV84681	DASHBOARD TIME SERIES CHARTS DO NOT SHOW THEIR FULL TITLE IF THE TEXT CONTAINS PARENTHESIS
QRADAR	IV84730	A NULLPOINTER EXCEPTION MIGHT OCCUR DURING SEARCHES/REPORTS AFTER DELETING A SECURITY PROFILE THAT HAS NO ASSIGNED USERS
QRADAR	IV85363	PERFORMING AN ASCENDING OR DESCENDING SORT OF LOG SOURCES BY 'STATUS' DOES NOT PROPERLY SORT THE ENTRIES
QRADAR	IV85595	'DEVICE STOPPED SENDING EVENTS' RULE DOES NOT DISPATCH A NEW EVENT
QRADAR	IV85758	QRADAR 'DEPLOY CHANGES' CAN SOMETIMES FAIL ON A REMOTE MANAGED HOST, WITH ENCRYPTION, AND SLOW LINK TO CONSOLE
QRADAR	IV86076	THE ROUTING RULES OPTION 'PREFIX A SYSLOG HEADER IF IT IS MISSING OR INVALID' DOES NOT WORK FOR OFFLINE FOWARDING
QRADAR	IV86685	REPLICATION OF QRM DATA FROM CONSOLE TO MANAGED HOSTS CAN CAUSE A REPLICATION PERFORMANCE ISSUE ON MANAGED HOSTS
QRADAR VULN. MANAGER	IV86845	'SCANS COMPLETED' VULNERABILITY MANAGEMENT DASHBOARD CAN BE SLOW OR FAIL TO LOAD
QRADAR	IV87515	"TYPEERROR: CANNOT READ PROPERTY '1' OF UNDEFINED" WHEN ACCESSING RULES PAGE USING CHROME BROWSER VERSION 53. THIS DEFECT IS CLONED FORWARD FROM 7.2.7 PATCH 2.
QRADAR	IV87565	XML EXPORT HAS INCORRECTLY FORMATED CDATA FIELD
QRADAR	IV87575	CUSTOM RULE ENGINE COMMON RULE TYPES DO NOT ALWAYS DISPLAY AS OPTIONS

**Issues resolved in 7.2.7 Patch 2**
Product	Number	Description
QRADAR	IV87973	AFTER PATCHING TO 7.2.7 PATCH 1, THE /VAR/LOG/ PARTITION CAN RUN OUT OF FREE SPACE, CAUSING QRADAR SERVICES TO SHUTDOWN
QRADAR	IV87515	"TYPEERROR: CANNOT READ PROPERTY '1' OF UNDEFINED" WHEN ACCESSING RULES PAGE USING CHROME BROWSER VERSION 53

**Issues resolved in 7.2.7 Patch 1**
Product	Number	Description
QRADAR	IV71970	NO ACCUMULATED DATA FOR 'SOURCE NETWORK GROUP' COLUMN
QRADAR	IV74147	REPORTS RUN ON ADVANCED SEARCHES CONTAINING THE 'HAVING' CLAUSE PRODUCE DUPLICATE COLUMNS
QRADAR	IV76224	ERROR 'PATCH ABORTED' WHEN PATCHING QRADAR MANAGED HOSTS FROM THE CONSOLE USING THE PATCH ALL OPTION
QRADAR	IV77615	QFLOW PROCESS ON QRADAR 1310 APPLIANCES CAN SOMETIMES STOP WORKING CAUSING NO FLOWS TO BE RECEIVED
QRADAR	IV80159	REPORTS USING AN ADVANCED SEARCH WITH MULTIPLE 'ORDER BY' COLUMNS CAN FAIL TO BE GENERATED SUCCESSFULLY
QRADAR	IV80662	REPORTS CONTAINING TABLES BASED ON SOME ADVANCED SEARCHES CAN CONTAIN EXTRA COLUMNS AND/OR BE MISSING COLUMNS
QRADAR	IV81818	CHANGES MADE TO THE GLOBAL SYSTEM NOTIFICATION, SYSTEM LOAD, VALUES ARE NOT RECOGNIZED BY QRADAR
QRADAR	IV82018	DEPLOY FUNCTION FAILS AFTER REMOVING ENCRYPTION USING SYSTEM AND LICENSE MANAGEMENT OPTIONS
QRADAR	IV82557	'ERROR OCCURED WHILE SEARCHING FOR DEPENDENTS' MESSAGE WHEN ATTEMPTING TO DELETE A RULE FROM THE USER INTERFACE
QRADAR	IV82813	SOME TIME SERIES DASHBOARD GRAPHS ONLY SHOW LAST SIX MINUTES OF EVENTS
QRADAR	IV82814	OFFENSE SEARCH BY 'DESTINATION IP' CAN CAUSE A TOMCAT TXSENTRY MAKING THE USER INTERFACE TEMPORARILY INACCESSIBLE
QRADAR VULN. MANAGER	IV83527	QRADAR VULNERABILITY MANAGER SCANS CAN FAIL WHEN THERE ARE TOO MANY IP EXCLUSIONS DEFINED
QRADAR VULN. MANAGER	IV83534	QRADAR VULNERABILITY MANAGER PROCESSOR FAILS TO START WHEN A SCANNER INSTANCE NAME IS TOO LONG
QRADAR	IV83692	UNABLE TO DELETE CUSTOM EVENT PROPERTIES WHEN THEY ARE USED WITH MULTIPLE LOG SOURCE TYPES AND SEARCHES
QRADAR	IV83769	NAVIGATING TO THE 'MY ASSIGNED VULNERABILITIES' SCREEN CAN HANG AND THE USER INTERFACE CAN BECOME INACCESSIBLE
QRADAR	IV83969	UNABLE TO CREATE NEW NETFLOW FLOW SOURCE FORWARDS OR EDIT ANY THAT ARE ALREADY CREATED
QRADAR	IV84004	USING A LOG SOURCE EXTENSION (LSX) SET TO 'PARSING OVERRIDE' ON A STANDARD DSM CAN CHANGE THE EVENT SEVERITY LEVEL
QRADAR VULN. MANAGER	IV84031	RUNNING QRADAR VULNERABILITY MANAGER SCANS DISTRIBUTED ACROSS MULTIPLE SCANNER INSTANCES WITH CENTRALISED CREDENTIALS MAY FAIL
QRADAR	IV84058	MANAGE VULNERABILITY DEPLOYMENT SCREEN 'SAVE' BUTTON IS NOT USABLE IN SOME CIRCUMSTANCES
QRADAR	IV84603	DEPLOYMENT_INFO.SH AND GET_LOGS.SH CAN FAIL TO COMPLETE IN A QRADAR ENVIRONMENT THAT CONTAINS NAT'D HOSTS
QRADAR	IV84678	QRADAR USER INTERFACE SCREEN MOVES ERRATICALLY WHEN USING SPECIFIC CHARACTERS IN THE OFFENSE CLOSING 'NOTE' SECTION
QRADAR	IV85031	EVENT COUNT CONTIBUTING TO AN OFFENSE DOES NOT MATCH THE NUMBER OF EVENTS WHEN DISPLAYED IN LOG ACTIVITY
QRADAR	IV85157	COMPLEX ADVANCED SEARCHES CAN CAUSE ACCUMULATOR_ROLLUP TO RUN OUT OF MEMORY
QRADAR	IV85207	'COULD NOT DESERIALIZE QUERY HANDLE...-ASYNCHRONOUS' NULLPOINTEREXCEPTIONS REPETITIVELY APPEARING IN QRADAR
QRADAR VULN. MANAGER	IV85252	THE MANAGE VULNERABILITY PAGE IN THE QRADAR USER INTERFACE CAN SOMETIMES TAKE A LONGER THAN EXPECTED TIME TO LOAD
QRADAR VULN. MANAGER	IV85261	AN 'APPLICATION ERROR' CAN BE SOMETIMES BE GENERATED WHEN CLICKING A HYPERLINK ON THE SCAN RESULTS PAGE
QRADAR	IV85370	QRADAR PATCHES CAN SOMETIMES TAKE AN UNEXPECTEDLY LONG TIME TO COMPLETE
QRADAR	IV85415	'APPLICATION ERROR' ON THE CONFIGURATION MONITOR SCREEN WHEN ATTEMPTING TO VIEW A DEVICE SUMMARY
QRADAR	IV85447	REPORTS AND DASHBOARDS BASED ON SOME ADVANCED (AQL) SEARCHES MIGHT NOT WORK AS EXPECTED
QRADAR VULN. MANAGER	IV85449	THE QRADAR VULNERABILITY MANAGER 'SCAN RESULTS' SCREEN CAN TAKE A LONGER THAN EXPECTED TIME TO LOAD/POPULATE
QRADAR	IV85599	APPLICATION ERROR CAN SOMETIMES OCCUR WHEN ATTEMPTING TO CLOSE AN OFFENSE CAUSING A BLANK USER INTERFACE BROWSER WINDOW
QRADAR VULN. MANAGER	IV85635	'AN ERROR OCCURRED - UNABLE TO RETRIEVE SCAN RESULTS' ERROR DIALOG CAN SOMETIMES APPEAR WHEN OPENING SCAN RESULTS
QRADAR VULN. MANAGER	IV85757	QRADAR VULNERABILITY MANAGER SCHEDULED SCANS CAN SOMETIMES FAIL TO START
QRADAR RISK MANAGER	IV85870	UNABLE TO SEE ROUTE TO INTERNET IN TOPOLOGY WHEN PERFORMING A PATH SEARCH WHEN ROUTE IS THROUGH AN UNCLASSIFIED ISP ROUTER
QRADAR	IV86402	THE VALUES ENTERED FOR REFERENCE SET DATA 'TIME TO LIVE' DAYS AND HOURS ARE SWAPPED AFTER CLICKING THE SUBMIT BUTTON
QRADAR	IV86686	REPORTS BASED ON AN ADVANCED SEARCH (AQL) CAN SOMETIMES CAUSE REPORTING_EXECUTOR TO OUT OF MEMORY
QRADAR	SECURITY BULLETIN	IBM JAVA AS USED IN IBM QRADAR SIEM IS VULNERABLE TO INFORMATION DISCLOSURE. (CVE-2016-3426)
QRADAR	SECURITY BULLETIN	OPENSSL AS USED IN IBM QRADAR SIEM IS VULNERABLE TO MULTIPLE CVES

**Issues resolved in 7.2.7**
Product	Number	Description
QRADAR	IV50320	WINCOLLECT AGENTS CONTAIN A DEFAULT EVENT THROTTLE THAT MIGHT NOT BE SUFFICIENT FOR HIGH EPS WINDOWS SYSTEMS
QRADAR	IV67458	RULES THAT COMPARE A NUMERICALLY FORMATTED CUSTOM PROPERTY TO A NUMERICAL REFERENCE SET FAIL TO MATCH
QRADAR	IV72794	THE QRADAR/STORE/TRANSIENT PARTITION CAN EXCEED 95% DISK SPACE USAGE CAUSING SERVICES TO STOP
QRADAR	IV73253	QRADAR UNABLE TO ADD REFERENCE TABLE ELEMENTS WHEN USING PORT, IP, OR NUMERIC REFERENCE TABLES
QRADAR	IV76726	GEOGRAPHIC COUNTRY/REGION DATA POPULATED INTO REFERENCE TABLES IS NOT USED CONSISTENTLY WHEN TESTING AGAINST OTHER RULES
QRADAR	IV78329	UNABLE TO PERFORM RULE OR ADVANCED QUERY COMPARISONS USING 'DATE' TYPE REFERENCE DATA
QRADAR	IV78720	OFFENSES CAN SOMETIMES STOP GENERATING OR UPDATING IN CERTAIN 'FLOW SOURCE STOPPED SENDING FLOWS' SCENARIOS
QRADAR	IV79198	SYSTEM NOTIFICATIONS RELATED TO 'BERKELEY DB LIBRARY' CAN SOMETIMES BE GENERATED WITHIN QRADAR
QRADAR	IV79686	NO SYSTEM HEALTH DATA IS DISPLAYED AFTER PERFORMING A QRADAR CONFIGURATION RESTORE
QRADAR	IV79698	NON-ADMIN USERS ASSIGNED TO A DOMAIN ARE UNABLE TO SWITCH REPORT GROUPS
QRADAR	IV79930	CREATING AN ASSET MANUALLY CAN TAKE A LONGER THAN EXPECTED AMOUNT OF TIME AND/OR APPEARS TO HANG INDEFINITELY
QRADAR VULN MANAGER	IV81997	AN ARIEL_PROXY_SERVER 'OUT OF MEMORY' CAN SOMETIMES OCCUR DURING EVENT AND/OR FLOW SEARCHES
QRADAR	IV82160	CRE FAILED TO READ RULES MESSAGES IN QRADAR LOGGING AFTER PERFORMING A CONTENT MANAGEMENT TOOL IMPORT
QRADAR	IV83455	DATA NODE REBALANCING PROCESS CAN SOMETIMES FAIL AND RESTART TAKING A LONGER THAN EXPECTED TIME TO REBALANCE
QRADAR	IV83535	REPORT ON TOP OFFENSES THAT ARE BASED ON SAVED SEARCHES CONTAINING DOMAIN FILTERS DO NOT WORK AS EXPECTED
QRADAR	IV83748	AN ERROR OCCURRED POSITIONING THE RESULT SET RETURNED FROM THE SERVER TO ROW 1...ERROR MESSAGE DISPLAYED IN SEARCH RESULTS
QRADAR	IV84025	UNABLE TO DELETE RULES THAT ARE ADDED TO THE GROUP 'ANOMALY'
QRADAR	IV84056	ADVANCED SEARCHES (AQL) THAT CONTAIN 'LOG SOURCE GROUP' FILTER OR COLUMN CAN APPEAR TO HANG
QRADAR	IV84062	QRADAR USER INTERFACE ACTION BAR IS MISSING FROM MULTIPLE UI SCREENS
QRADAR	IV84390	ERROR POP-UP OR BLANK WINDOW CAN OCCUR WHEN USING CHROME OR INTERNET EXPLORER BROWSER IN SPECIFIC FILTER SEARCH INSTANCES
QRADAR	IV81461	LARGE NUMBER OF SIEM-AUDIT-2 SYSTEM GENERATED EVENTS WITHIN QRADAR
QRADAR	IV84511	UNABLE TO REMOVE THE 'OPTIMIZE PARSING FOR RULES, REPORTS AND SEARCHES' FLAG ON CUSTOM EVENT/FLOW PROPERTIES
QRADAR	IV84682	QRADAR VIS COMPONENT DOES NOT GET RE-ADDED TO QFLOW APPLIANCE WHEN A QFLOW IS REMOVED AND RE-ADDED TO A DEPLOYMENT
QRADAR	IV84689	OFFLINE FORWARDING FROM DATA NODES DOES NOT WORK
QRADAR	IV84733	QRADAR CAN FAIL TO PARSE EVENTS THAT HAVE UNRESOLVED DNS NAMES
QRADAR	IV85210	INVALID BACKUP ARCHIVE MESSAGE WHEN ATTEMPTING TO UPLOAD A BACKUP FILE FROM WITHIN THE QRADAR USER INTERFACE

---------
Where do you find more information?

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Documentation","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.2","Edition":"All Editions","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Tips

Release of QRadar 7.2.7 Patch 3 (7.2.7.20160906164309)

Release Notes

Abstract

Content

Was this topic helpful?

Document Information

UID

Share your feedback

Need support?