
QRADAR APARS 101

QRadar information related to known issues, important alerts and problem resolutions.

What are APARs?

QRadar uses Authorized Program Analysis Reports (APARs) to track issues reported by users. Each problem report carries a status for the end user, either ONGOING or CLOSED. This page helps users who have not yet subscribed to IBM My Notifications locate known issues, and it highlights APARs that QRadar Support considers important.

Searching the APAR table

The QRadar Support team created this QRadar APARs 101 page to make APARs easier to search. The Search field in the table below matches any keyword, including version numbers. Administrators who want to narrow the table to a specific release can combine keywords in the Search bar, or use the version buttons and then filter the remaining rows with the Search bar.


Last update: 3 December 2021: Resolves an issue in the table where a security bulletin did not display properly for QRadar 7.3.3 Fix Pack 10. This change allows users to see all 12 security bulletins related to the 7.4.3 Fix Pack 4 and 7.3.3 Fix Pack 10 software releases.
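The "Resolved in" cells in the table below name each fix level by its build identifier (for example, 7.4.3 Fix Pack 4 is build 7.4.3.20211109160104), and the affected ranges run from 7.3.0 to 7.3.3 Fix Pack 9 and from 7.4.0 to 7.4.3 Fix Pack 2. The following Python script is an added example, not IBM tooling: it parses a build identifier, orders it against the fix levels taken from the table, and separately flags 7.4.3 Fix Pack 3, which carries the fixes but was released only for QRadar on Cloud. The inventory line format and the /opt/qradar/bin/myver location mentioned in the code are assumptions, not something the table states.

```python
"""Added example (not IBM tooling): decide whether a QRadar build identifier
is at or above the fix levels named in the 30 November 2021 security
bulletins.  Build identifiers have the form x.y.z.YYYYMMDDhhmmss, as shown
in the 'Resolved in' cells of the table."""
import re
from typing import Dict, NamedTuple, Tuple


class Build(NamedTuple):
    major: int
    minor: int
    patch: int
    stamp: int  # 14-digit build timestamp, e.g. 20211109160104


_BUILD_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d{14})$")


def parse_build(text: str) -> Build:
    """Parse 'x.y.z.YYYYMMDDhhmmss'; anything else is rejected."""
    m = _BUILD_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a QRadar build identifier: {text!r}")
    return Build(*(int(g) for g in m.groups()))


# Lowest build on each affected release train that contains the fixes, taken
# from the table.  Tuples compare field by field, so '<' orders builds correctly.
FIX_LEVEL = {
    (7, 3): parse_build("7.3.3.20211125190208"),  # 7.3.3 Fix Pack 10
    (7, 4): parse_build("7.4.3.20211021121337"),  # 7.4.3 Fix Pack 3, QRadar on Cloud only
}
ON_PREM_74_FIX = parse_build("7.4.3.20211109160104")  # 7.4.3 Fix Pack 4


def assess(text: str) -> Tuple[bool, str]:
    """Return (affected, explanation) for one build identifier."""
    b = parse_build(text)
    train = (b.major, b.minor)
    if train not in FIX_LEVEL:
        return False, ("%d.%d is outside the ranges the bulletins list "
                       "(7.3.0 to 7.3.3 FP9, 7.4.0 to 7.4.3 FP2); check it separately" % train)
    if b < FIX_LEVEL[train]:
        return True, "below fix level %s; apply the fix pack" % ".".join(map(str, FIX_LEVEL[train]))
    if train == (7, 4) and b < ON_PREM_74_FIX:
        return False, ("7.4.3 Fix Pack 3 carries the fixes but was released only for QRadar on "
                       "Cloud; on-premise systems should be on 7.4.3 Fix Pack 4")
    return False, "at or above the fix level"


def report(inventory: str) -> Dict[str, Tuple[bool, str]]:
    """Assess an inventory of '<host> <build>' lines (assumed format, not a QRadar export)."""
    results = {}
    for line in inventory.splitlines():
        if line.strip():
            host, build = line.split()
            results[host] = assess(build)
    return results


# Constructed sample inventory; only the first build identifier appears in the table.
SAMPLE_INVENTORY = """\
console01  7.4.3.20211109160104
ep-collector02  7.4.2.20210101000000
console-legacy  7.3.3.20200101000000
"""

if __name__ == "__main__":
    # On a QRadar host the running build can be read from /opt/qradar/bin/myver
    # (assumed location); pass its output to assess().
    for host, (affected, why) in report(SAMPLE_INVENTORY).items():
        label = "AFFECTED" if affected else "ok"
        print(f"{host:16} {label:9} {why}")
```

The comparison relies on the build identifier ordering: the release train (major.minor) selects the fix level, and the patch number and timestamp decide whether the host is at or above it. A build that parses but sits outside the 7.3 and 7.4 trains is reported as not listed rather than as safe, because the bulletins say nothing about it.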
Table columns: Component | Number | Description | Status | More information | Date
Component: SECURITY BULLETIN
Number: CVE-2021-20400
Description: IBM QRadar SIEM uses weaker than expected cryptographic algorithms
Status: CLOSED
More information:
Resolved in:
QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208)
QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

Affected versions
  • IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9
  • IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2
Issue
CVE-2021-20400: IBM QRadar uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. CVSS Base score: 5.9
Date: 30 November 2021
Component: SECURITY BULLETIN
Number: CVE-2021-2161
Description: A vulnerability in IBM Java SDK and IBM Java Runtime affects IBM QRadar SIEM
Status: CLOSED
More information:
Resolved in:
QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208)
QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

Affected versions
  • IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9
  • IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2
Issue
CVE-2021-2161: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a high integrity impact, with no confidentiality or availability impact. CVSS Base score: 5.9
Date: 30 November 2021
Component: SECURITY BULLETIN
Number: CVE-2021-29779
Description: IBM QRadar SIEM Performs Key Exchange Without Entity Authentication on Inter-Host Communications
Status: CLOSED
More information:
Resolved in:
QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208)
QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

Affected versions
  • IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9
  • IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2
Issue
CVE-2021-29779: IBM QRadar could allow an attacker to obtain sensitive information because the server performs key exchange without entity authentication on inter-host communications; an attacker on the network path could exploit this by using man-in-the-middle techniques. CVSS Base score: 5.9
Date: 30 November 2021
Component: SECURITY BULLETIN
Number: CVE-2020-12362, CVE-2020-12363, CVE-2020-12364, CVE-2020-27170, CVE-2020-8648, CVE-2021-3347, CVE-2020-24489, CVE-2020-24511, CVE-2020-24512, CVE-2020-24513
Description: Linux Kernel as used by IBM QRadar SIEM contains multiple vulnerabilities
Status: CLOSED
More information:
Resolved in:
QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208)
QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

Affected versions
  • IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9
  • IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2
Issue
  • CVE-2020-12362: Intel Graphics Drivers could allow a local authenticated attacker to gain elevated privileges on the system, caused by an integer overflow in the firmware. An attacker could exploit this vulnerability to gain elevated privileges on the system. CVSS Base score: 7.5
  • CVE-2020-12363: Intel Graphics Drivers are vulnerable to a denial of service, caused by improper input validation. A local authenticated attacker could exploit this vulnerability to cause a denial of service. CVSS Base score: 1.9
  • CVE-2020-12364: Intel Graphics Drivers are vulnerable to a denial of service, caused by a NULL pointer reference error. A local authenticated attacker could exploit this vulnerability to cause a denial of service. CVSS Base score: 1.9
  • CVE-2020-27170: Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by an out-of-bounds loads flaw. By executing specially-crafted BPF programs, an attacker could exploit this vulnerability to obtain contents of kernel memory, and use this information to launch further attacks against the affected system. CVSS Base score: 5.5
  • CVE-2020-8648: Linux kernel could allow a remote attacker to obtain sensitive information, caused by a use-after-free in the n_tty_receive_buf_common function of drivers/tty/n_tty.c. An attacker could exploit this vulnerability to read memory that should not be available for access. CVSS Base score: 5.3
  • CVE-2021-3347: Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a kernel stack use-after-free during fault handling in PI futexes. An attacker could exploit this vulnerability to gain elevated privileges and execute arbitrary code in the kernel. CVSS Base score: 7.8
  • CVE-2020-24489: Multiple Intel Virtualization Technology for Directed I/O (VT-d) products could allow a local authenticated attacker to gain elevated privileges on the system, caused by an incomplete cleanup. An attacker could exploit this vulnerability to gain elevated privileges on the system. CVSS Base score: 8.8
  • CVE-2020-24511: Intel Processors could allow a local authenticated attacker to obtain sensitive information, caused by improper isolation of shared resources. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 5.6
  • CVE-2020-24512: Intel Processors could allow a local authenticated attacker to obtain sensitive information, caused by the observable timing discrepancy issue. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 2.8
  • CVE-2020-24513: Intel Atom could allow a local authenticated attacker to obtain sensitive information, caused by domain-bypass transient execution vulnerability. A local attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 5.6
Date: 30 November 2021
Component: SECURITY BULLETIN
Number: CVE-2021-32028, CVE-2021-32027
Description: PostgreSQL as used by IBM QRadar SIEM is vulnerable to information disclosure
Status: CLOSED
More information:
Resolved in:
QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208)
QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

Affected versions
  • IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9
  • IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2
Issue
  • CVE-2021-32028: PostgreSQL could allow a remote authenticated attacker to obtain sensitive information, caused by a memory disclosure vulnerability when using an INSERT … ON CONFLICT … DO UPDATE command on a purpose-crafted table. By creating prerequisite objects, an attacker could exploit this vulnerability to read arbitrary bytes of server memory. CVSS Base score: 6.5
  • CVE-2021-32027: PostgreSQL could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an integer overflow while modifying certain SQL array values. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 7.5
Date: 30 November 2021
Component: SECURITY BULLETIN
Number: CVE-2021-31811, CVE-2021-31812
Description: Apache PDFBox as used by IBM QRadar SIEM is vulnerable to denial of service
Status: CLOSED
More information:
Resolved in:
QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208)
QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

Affected versions
  • IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9
  • IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2
Issue
  • CVE-2021-31811: Apache PDFBox is vulnerable to a denial of service, caused by an out-of-memory exception while loading a file. By persuading a victim to open a specially-crafted PDF file, a remote attacker could exploit this vulnerability to cause a denial of service. CVSS Base score: 5.5
  • CVE-2021-31812: Apache PDFBox is vulnerable to a denial of service, caused by an error while loading a file. By persuading a victim to open a specially-crafted PDF file, a remote attacker could exploit this vulnerability to cause the system to enter into an infinite loop. CVSS Base score: 5.5
Date: 30 November 2021
Component: SECURITY BULLETIN
Number: CVE-2021-30468
Description: Apache CXF as used by IBM QRadar SIEM is vulnerable to denial of service (DoS)
Status: CLOSED
More information:
Resolved in:
QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208)
QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

Affected versions
  • IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9
  • IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2
Issue
CVE-2021-30468: Apache CXF is vulnerable to a denial of service, caused by an infinite loop flaw in the JsonMapObjectReaderWriter function. By sending a specially-crafted JSON to a web service, a remote attacker could exploit this vulnerability to consume available CPU resources. CVSS Base score: 7.5
Date: 30 November 2021
Component: SECURITY BULLETIN
Number: CVE-2021-29849
Description: IBM QRadar SIEM is vulnerable to cross-site scripting (XSS)
Status: CLOSED
More information:
Resolved in:
QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208)
QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

Affected versions
  • IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9
  • IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2
Issue
CVE-2021-29849: IBM QRadar SIEM is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. CVSS Base score: 5.4
Date: 30 November 2021
Component: SECURITY BULLETIN
Number: CVE-2021-29863
Description: IBM QRadar SIEM is vulnerable to server side request forgery (SSRF)
Status: CLOSED
More information:
Resolved in:
QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208)
QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

Affected versions
  • IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9
  • IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2
Issue
CVE-2021-29863: IBM QRadar SIEM is vulnerable to server side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. This vulnerability is due to an incomplete fix for CVE-2020-4786. CVSS Base score: 5.4
Date: 30 November 2021
Component: SECURITY BULLETIN
Number: MULTIPLE (69 CVEs)
Description: IBM QRadar SIEM Application Framework Base Image is vulnerable to using components with known vulnerabilities
Status: CLOSED
More information:
Resolved in:
QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208)
QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

Affected versions
  • IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9
  • IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2
Issue
  • CVE-2021-3541: GNOME libxml2 is vulnerable to a denial of service, caused by an exponential entity expansion attack which bypasses all existing protection mechanisms. A remote authenticated attacker could exploit this vulnerability to consume all available resources. CVSS Base score: 6.5
  • CVE-2021-3516: libxml2 could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in xmlEncodeEntitiesInternal() in entities.c. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 7.8
  • CVE-2021-3520: lz4 could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow. By sending a specially crafted file, an attacker could invoke memmove() on a negative size argument leading to memory corruption and trigger an out-of-bounds write or cause the library to crash. CVSS Base score: 8.6
  • CVE-2017-14502: libarchive is vulnerable to a buffer overflow, caused by improper bounds checking by the read_header function in archive_read_support_format_rar.c. By persuading a victim to open a specially-crafted RAR file, a remote attacker could overflow a buffer and execute arbitrary code on the system. CVSS Base score: 7.8
  • CVE-2021-20271: RPM could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the signature check function. By persuading a victim to open a specially-crafted package file, an attacker could exploit this vulnerability to cause RPM database corruption and execute arbitrary code on the system. CVSS Base score: 6.7
  • CVE-2021-33503: urllib3 is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw due to catastrophic backtracking. By sending a specially-crafted URL request, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 5.3
  • CVE-2019-20387: libsolv is vulnerable to a denial of service, caused by a heap-based buffer over-read in the repodata_schema2id function in repodata.c. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 7.5
  • CVE-2020-29361: p11-glue p11-kit is vulnerable to a denial of service, caused by multiple integer overflows when allocating memory (via realloc or calloc) for arrays of attributes and object identifiers. By sending a specially-crafted request, an attacker could exploit this vulnerability to cause a denial of service or possibly execute arbitrary code on the system. CVSS Base score: 7.5
  • CVE-2020-29363: p11-glue p11-kit is vulnerable to a denial of service, caused by a heap-based buffer overflow in the RPC protocol. By sending a serialized byte array in a CK_ATTRIBUTE, a remote attacker could overflow a buffer and cause a denial of service. CVSS Base score: 7.5
  • CVE-2020-15358: SQLite is vulnerable to a denial of service, caused by a heap-based buffer overflow in the mishandling of query-flattener optimization in select.c. By sending a specially-crafted query, a local authenticated attacker could overflow a buffer and cause the application to crash. CVSS Base score: 5.5
  • CVE-2020-13776: systemd could allow a local authenticated attacker to gain elevated privileges on the system, caused by the mishandling of numerical usernames. By sending a specially-crafted request, an attacker could exploit this vulnerability to gain elevated privileges as root. CVSS Base score: 6.7
  • CVE-2018-18751: GNU gettext is vulnerable to a denial of service, caused by a double free flaw in the default_add_message function in read-catalog.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 3.3
  • CVE-2019-18276: GNU Bash could allow a remote authenticated attacker to gain elevated privileges on the system, caused by a flaw in the disable_priv_mode in shell.c. By sending a specially-crafted command, an attacker could exploit this vulnerability to escalate privileges. CVSS Base score: 8.8
  • CVE-2020-9951: Apple Safari could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in the WebKit component. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 8.8
  • CVE-2020-13543: Webkit WebKitGTK could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in the WebSocket functionality. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to execute arbitrary code or cause the application to crash. CVSS Base score: 8.8
  • CVE-2020-13584: Webkit WebKitGTK could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in the ImageDecoderGStreamer functionality. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to execute arbitrary code or cause the application to crash. CVSS Base score: 8.8
  • CVE-2019-14889: libssh could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by a flaw in the ssh_scp_new(). By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system. CVSS Base score: 8.8
  • CVE-2019-20916: pypa pip package for python could allow a remote attacker to traverse directories on the system, caused by a flaw when installing package via a specified URL. An attacker could use a specially-crafted Content-Disposition header with filename containing “dot dot” sequences (/../) to overwrite arbitrary files on the system. CVSS Base score: 8.2
  • CVE-2021-20305: Nettle could allow a remote attacker to bypass security restrictions, caused by a flaw in several signature verification functions that results in the Elliptic Curve Cryptography (ECC) point multiply function being invoked with out-of-range scalars. An attacker could exploit this vulnerability to submit an invalid signature, causing an assertion failure or possibly having the invalid signature accepted. CVSS Base score: 8.1
  • CVE-2020-14352: Librepo could allow a remote authenticated attacker to traverse directories on the system, caused by the failure to sanitize paths in remote repository metadata. An attacker could send a specially-crafted URL request containing directory traversal sequences to copy files outside of the destination directory and compromise the system. CVSS Base score: 8.0
  • CVE-2020-24977: GNOME libxml2 is vulnerable to a buffer overflow, caused by improper bounds checking by the xmlEncodeEntitiesInternal function in libxml2/entities.c. By persuading a victim to open a specially-crafted file, a remote attacker could overflow a buffer and execute arbitrary code on the system. CVSS Base score: 7.8
  • CVE-2020-8285: cURL libcurl is vulnerable to a denial of service, caused by a stack-based buffer overflow in the wildcard matching function. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 7.5
  • CVE-2020-8286: cURL libcurl could allow a remote attacker to bypass security restrictions, caused by improper verification of OCSP responses when OCSP stapling is requested. A malicious or compromised server could exploit this vulnerability to have a revoked certificate accepted by the client. CVSS Base score: 7.5
  • CVE-2019-25013: GNU glibc is vulnerable to a denial of service, caused by a buffer over-read in iconv feature. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a SIGSEGV. CVSS Base score: 7.5
  • CVE-2021-3326: GNU C Library (aka glibc or libc6) is vulnerable to a denial of service, caused by an assertion failure when processing invalid input sequences in the ISO-2022-JP-3 encoding in the iconv function. By sending specially-crafted input, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 7.5
  • CVE-2020-28196: MIT Kerberos 5 (aka krb5) is vulnerable to a denial of service, caused by an unbounded recursion flaw in lib/krb5/asn.1/asn1_encode.c. By sending a specially-crafted ASN.1-encoded Kerberos message, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 7.5
  • CVE-2020-7595: GNOME libxml2 is vulnerable to a denial of service, caused by an error in xmlStringLenDecodeEntities in parser.c. An attacker could exploit this vulnerability to cause the application to enter into an infinite loop. CVSS Base score: 7.5
  • CVE-2021-3449: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference in signature_algorithms processing. By sending a specially crafted renegotiation ClientHello message from a client, a remote attacker could exploit this vulnerability to cause the TLS server to crash. CVSS Base score: 7.5
  • CVE-2020-14422: Python is vulnerable to a denial of service, caused by improper computing hash values in the IPv4Interface and IPv6Interface classes in Lib/ipaddress.py. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 7.5
  • CVE-2020-13434: SQLite is vulnerable to a denial of service, caused by an integer overflow in the sqlite3_str_vappendf function. By sending a specially-crafted request, a remote attacker could overflow a buffer and cause a denial of service. CVSS Base score: 7.5
  • CVE-2020-13777: GnuTLS could allow a remote attacker to obtain sensitive information, caused by the use of incorrect cryptography for encrypting a session ticket. By using man-in-the-middle attack techniques, an attacker could exploit this vulnerability to obtain previous conversations in TLS and bypass the authentication process. CVSS Base score: 7.4
  • CVE-2021-3450: OpenSSL could allow a remote attacker to bypass security restrictions, caused by a missing check in the validation logic of X.509 certificate chains when the X509_V_FLAG_X509_STRICT flag is set. By using any valid certificate or certificate chain to sign a specially crafted certificate, an attacker could bypass the check that non-CA certificates must not be able to issue other certificates and override the default purpose. CVSS Base score: 7.4
  • CVE-2019-9169: GNU glibc is vulnerable to a heap-based buffer overflow, caused by a buffer over-read flaw in the proceed_next_node function in posix/regexec.c. By sending a specially-crafted argument using a case-insensitive regular-expression match, a remote attacker could overflow a buffer and execute arbitrary code on the system. CVSS Base score: 7.3
  • CVE-2019-14866: GNU cpio could allow a local authenticated attacker to gain elevated privileges on the system, caused by the failure to properly validate input files when generating TAR archives. An attacker could exploit this vulnerability to inject any tar content and compromise the system. CVSS Base score: 6.7
  • CVE-2020-8284: cURL libcurl could allow a remote attacker to obtain sensitive information, caused by improper validation of FTP PASV responses. By persuading a victim to connect to a specially-crafted server, an attacker could exploit this vulnerability to obtain sensitive information about services, and use this information to launch further attacks against the affected system. CVSS Base score: 6.5
  • CVE-2020-26116: Python is vulnerable to CRLF injection, caused by improper validation of user-supplied input in http.client. By inserting CR and LF control characters in the first argument of HTTPConnection.request, a remote attacker could exploit this vulnerability to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. CVSS Base score: 6.5
  • CVE-2020-9948: Apple Safari could allow a remote attacker to execute arbitrary code on the system, caused by a type confusion in the WebKit component. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 6.3
  • CVE-2020-9983: Apple Safari could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write in the WebKit component. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 6.3
  • CVE-2019-16935: Python is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the python/Lib/DocXMLRPCServer.py. A remote attacker could exploit this vulnerability using the server_title field to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials. CVSS Base score: 6.1
  • CVE-2020-24659: GnuTLS is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending specially-crafted messages, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.9
  • CVE-2019-13627: libgcrypt20 cryptographic library could allow a remote attacker to obtain sensitive information, caused by an ECDSA timing attack. An attacker could exploit this vulnerability to obtain private key information, and use this information to launch further attacks against the affected system. CVSS Base score: 5.9
  • CVE-2021-23336: Python CPython could allow a remote attacker to bypass security restrictions, caused by a web cache poisoning flaw in urllib.parse.parse_qsl and urllib.parse.parse_qs. By sending a specially-crafted request (parameter cloaking), an attacker could exploit this vulnerability to make the proxy and the server interpret the request differently. CVSS Base score: 5.9
  • CVE-2020-27618: GNU C Library (aka glibc or libc6) is vulnerable to a denial of service, caused by an error when processing some invalid inputs from several IBM character sets in the iconv function. By sending invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, IBM1399 encodings, a local authenticated attacker could exploit this vulnerability to cause the application to enter into an infinite loop. CVSS Base score: 5.5
  • CVE-2019-20907: Python is vulnerable to a denial of service, caused by a flaw in the tarfile module in Lib/tarfile.py. By persuading a victim to open a specially-crafted TAR archive, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. CVSS Base score: 5.5
  • CVE-2020-8927: Brotli is vulnerable to buffer overflow. By controlling the input length of a “one-shot” decompression request to a script, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. CVSS Base score: 5.3
  • CVE-2020-8177: cURL could allow a remote attacker to overwrite arbitrary files on the system, caused by the improper handling of certain parameters when using -J (--remote-header-name) and -I (--include) in the same command line. An attacker could exploit this vulnerability to overwrite a local file. CVSS Base score: 5.3
  • CVE-2020-8231: cURL libcurl could allow a remote attacker to obtain sensitive information, caused by the improper handling of the CURLOPT_CONNECT_ONLY option. The raw data is sent over that connection to the wrong destination. An attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 5.3
  • CVE-2019-19906: cyrus-sasl is vulnerable to a denial of service, caused by an off-by-one error in _sasl_add_string in common.c. By sending a malformed LDAP packet, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.3
  • CVE-2019-15903: libexpat is vulnerable to a denial of service, caused by a heap-based buffer over-read in XML_GetCurrentLineNumber. By using a specially-crafted XML input, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.3
  • CVE-2016-10228: GNU C Library (glibc) is vulnerable to a denial of service, caused by an error in the iconv program. By processing invalid multi-byte input sequences, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. CVSS Base score: 5.3
  • CVE-2019-13050: GNU Privacy Guard (GnuPG) is vulnerable to a denial of service, caused by a certificate spamming attack when referring to a host on the SKS keyserver network in the keyserver configuration. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 5.3
  • CVE-2020-1730: libssh is vulnerable to a denial of service, caused by the use of uninitialized AES-CTR ciphers. A remote attacker could exploit this vulnerability to crash the peer. CVSS Base score: 5.3
  • CVE-2020-29362: p11-glue p11-kit could allow a remote attacker to obtain sensitive information, caused by a heap-based buffer over-read flaw in the RPC protocol. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain up to 4 bytes of memory past the heap allocation, and use this information to launch further attacks against the affected system. CVSS Base score: 5.3
  • CVE-2019-20454: PCRE is vulnerable to a denial of service, caused by an out-of-bounds read in the do_extuni_no_utf function in pcre2_jit_compile.c. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.3
  • CVE-2020-8492: Python is vulnerable to a denial of service, caused by a flaw in the urllib.request.AbstractBasicAuthHandler. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a Regular Expression Denial of Service (ReDoS). CVSS Base score: 5.3
  • CVE-2020-27619: The CJK codec tests in Python (multibytecodec_support.py) call eval() on content retrieved through HTTP; the impact and attack vector are unspecified. CVSS Base score: 5.3
  • CVE-2021-23240: sudo could allow a local authenticated attacker to launch a symlink attack. The selinux_edit_copy_tfiles() and selinux_edit_create_tfiles() functions create temporary files insecurely. An attacker could exploit this vulnerability by creating a symbolic link from a temporary file to various files on the system, which could allow the attacker to overwrite arbitrary files on the system with elevated privileges. CVSS Base score: 5.3
  • CVE-2019-3842: systemd could allow a local authenticated attacker to gain elevated privileges on the system, caused by the failure to properly sanitize the environment before using the XDG_SEAT variable by pam_systemd. By spoofing an active session to PolicyKit, an authenticated attacker could exploit this vulnerability to gain additional PolicyKit privileges. CVSS Base score: 4.5
  • CVE-2018-1000858: GnuPG is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input by dirmngr. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities. CVSS Base score: 4.3
  • CVE-2020-11080: Node.js is vulnerable to a denial of service, caused by an error in the HTTP/2 session frame which is limited to 32 settings by default. By sending overly large HTTP/2 SETTINGS frames, an attacker could exploit this vulnerability to consume all available CPU resources. CVSS Base score: 3.7
  • CVE-2018-20843: libexpat is vulnerable to a denial of service, caused by an error in the XML parser. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to consume all available CPU resources. CVSS Base score: 3.3
  • CVE-2019-13012: GNOME GLib could allow a local attacker to bypass security restrictions, caused by improper permission control in the keyfile settings backend. An attacker could exploit this vulnerability to bypass access restrictions. CVSS Base score: 3.3
  • CVE-2019-19221: libarchive is vulnerable to a denial of service, caused by an out-of-bounds read in the archive_wstring_append_from_mbs in archive_string.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 3.3
  • CVE-2019-19956: libxml2 is vulnerable to a denial of service, caused by a memory leak in xmlParseBalancedChunkMemoryRecover in parser.c. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 3.3
  • CVE-2019-2708: An unspecified vulnerability in Oracle Berkeley DB related to the Data Store component could allow an authenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.3
  • CVE-2019-20388: GNOME libxml2 could allow a remote attacker to obtain sensitive information, caused by a xmlSchemaValidateStream memory leak in xmlSchemaPreRun in xmlschemas.c. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 3.3
  • CVE-2021-23239: sudo could allow a local authenticated attacker to obtain sensitive information, caused by a race condition in sudoedit. By using symlink attack techniques, an attacker could exploit this vulnerability to obtain directory information, and use this information to launch further attacks against the affected system. CVSS Base score: 3.3
30 November 2021
SECURITY BULLETIN CVE-2020-7226
CVE-2021-29425
CVE-2021-28165
CVE-2021-28169
CVE-2021-28163
CVE-2021-22696
CVE-2020-13954
CVE-2018-8029
CVE-2020-9492
CVE-2018-11768
CVE-2017-15713
CVE-2018-18751
CVE-2019-9924
CVE-2021-3715
CVE-2020-27777
CVE-2021-22555
CVE-2021-29154
CVE-2021-29650
CVE-2021-32399
IBM QRadar SIEM is vulnerable to using components with known vulnerabilities CLOSED Resolved in
QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208)
QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

Affected versions
  • IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9
  • IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2
Issue
  • CVE-2020-7226: Cryptacular is vulnerable to a denial of service, caused by an excessive memory allocation during a decode operation in CiphertextHeader.java. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.3
  • CVE-2021-29425: Apache Commons IO could allow a remote attacker to traverse directories on the system, caused by improper input validation by the FileNameUtils.normalize method. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/../) to view arbitrary files on the system. CVSS Base score: 7.5
  • CVE-2021-28165: Eclipse Jetty is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted TLS frame, a remote attacker could exploit this vulnerability to cause CPU resources to reach 100% usage. CVSS Base score: 7.5
  • CVE-2021-28169: Eclipse Jetty could allow a remote attacker to obtain sensitive information, caused by a flaw in the ConcatServlet. By sending a specially-crafted request using a doubly encoded path, an attacker could exploit this vulnerability to obtain sensitive information from protected resources within the WEB-INF directory, and use this information to launch further attacks against the affected system. CVSS Base score: 5.3
  • CVE-2021-28163: Eclipse Jetty could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw when the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain webapp directory contents information, and use this information to launch further attacks against the affected system. CVSS Base score: 2.7
  • CVE-2021-22696: Apache CXF is vulnerable to a denial of service, caused by improper validation of request_uri parameter by the OAuth 2 authorization service. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition on the authorization server. CVSS Base score: 7.5
  • CVE-2020-13954: Apache CXF is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the services listing page. A remote attacker could exploit this vulnerability using the styleSheetPath in a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials. CVSS Base score: 6.1
  • CVE-2018-8029: Apache Hadoop could allow a remote authenticated attacker to gain elevated privileges on the system. An attacker could exploit this vulnerability to run arbitrary commands as root user. CVSS Base score: 8.8
  • CVE-2020-9492: Apache Hadoop could allow a remote authenticated attacker to gain elevated privileges on the system, caused by improper validation of SPNEGO authorization header. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges to trigger services to send server credentials to a webhdfs path for capturing the service principal. CVSS Base score: 8.8
  • CVE-2018-11768: Apache Hadoop is vulnerable to a denial of service, caused by a mismatch in the size of the fields used to store user/group information between memory and disk representation. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the user/group information to be corrupted across storing in fsimage and reading back from fsimage. CVSS Base score: 7.5
  • CVE-2017-15713: Apache Hadoop could allow a remote authenticated attacker to obtain sensitive information. By using a specially-crafted file, a remote attacker could exploit this vulnerability to expose private files. CVSS Base score: 4.3
  • CVE-2018-18751: GNU gettext is vulnerable to a denial of service, caused by a double free flaw in the default_add_message function in read-catalog.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 3.3
  • CVE-2019-9924: Bash could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by the failure to prevent the shell user from modifying BASH_CMDS in the rbash. By modifying BASH_CMDS, an attacker could exploit this vulnerability to execute arbitrary commands on the system with the permissions of the shell. CVSS Base score: 8.8
  • CVE-2021-3715: Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a use-after-free in route4_change() in net/sched/cls_route.c. By sending a specially-crafted request, an attacker could exploit this vulnerability to escalate privileges. CVSS Base score: 7.8
  • CVE-2020-27777: Linux Kernel for PowerPC could allow a local authenticated attacker to bypass security restrictions, caused by a flaw with the Run-Time Abstraction Services (RTAS) interface. By sending a specially-crafted request, an attacker could exploit this vulnerability to overwrite some parts of memory, including kernel memory. CVSS Base score: 6.8
  • CVE-2021-22555: Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a heap out-of-bounds write flaw in net/netfilter/x_tables.c. By sending a specially-crafted request through a user namespace, an authenticated attacker could exploit this vulnerability to gain elevated privileges or cause a denial of service condition. CVSS Base score: 7.8
  • CVE-2021-29154: Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by an issue with incorrect computation of branch displacements in the BPF JIT compiler. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges and execute arbitrary code in kernel mode. CVSS Base score: 7.8
  • CVE-2021-29650: Linux Kernel is vulnerable to a denial of service, caused by the lack of a full memory barrier upon the assignment of a new table value in the netfilter subsystem. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause the system to crash. CVSS Base score: 6.2
  • CVE-2021-32399: Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a race condition in the BlueTooth subsystem. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to execute arbitrary code with elevated privileges. CVSS Base score: 7.8
30 November 2021
UPGRADE IJ35114 QRADAR PATCH PROCESS CAN HANG FOR AN EXTENDED DURATION DURING A CONTENT MANAGEMENT EXPORT IN THE PATCHING PROCESS CLOSED Resolved in
QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)

Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve.

Issue
The QRadar patching process can hang for a longer than expected time because a content management export is run from 257644.install.

This has been identified in QRadar environments that have a large number of searches (thousands) prior to patching. NOTE: The process needs to complete successfully; do not interrupt the QRadar patch. Support can determine whether this issue is causing the QRadar patch process to hang.
14 November 2021
RULES IJ34276 RULES WITH EMAIL RESPONSES WILL CAUSE THE CRE THREADS TO GET STUCK IN A DEADLOCK CLOSED Resolved in
QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

Workaround
Disable email responses on rules and restart ECS-EP by using the following command:
systemctl restart ecs-ep

Important: Restarting ECS-EP might result in services not being available; schedule a maintenance period before performing this step.

Issue
Rules with email responses will cause the CRE threads to slowly get stuck in a deadlock, resulting in the CRE no longer processing events and sending them to storage if the deployment has any AQL CEP’s with “Enable for use in Rules, Forwarding Profiles and Search Indexing” enabled.

When this happens, look for a similar stack trace in threads.txt, which is generated by running the command:
/opt/qradar/support/threadTop.sh -p 7799 --full > threads.txt

at sun.misc.Unsafe.park(Native Method)
at java.util.concurrent.locks.LockSupport.park(LockSupport.java:186)
at java.util.concurrent.locks.AbstractQueuedSynchronizer.parkAndCheckInterrupt(AbstractQueuedSynchronizer.java:847)
at java.util.concurrent.locks.AbstractQueuedSynchronizer.doAcquireShared(AbstractQueuedSynchronizer.java:978)
at java.util.concurrent.locks.AbstractQueuedSynchronizer.acquireShared(AbstractQueuedSynchronizer.java:1294)
at java.util.concurrent.locks.ReentrantReadWriteLock$ReadLock.lock(ReentrantReadWriteLock.java:738)
at com.q1labs.core.shared.ariel.CustomPropertyServices.parseAllProperties(CustomPropertyServices.java:166)
at com.q1labs.semsources.cre.responses.templates.CustomAlertFieldsManager.replaceCustomPropertiesNullValues(CustomAlertFieldsManager.java:536)
at com.q1labs.semsources.cre.responses.templates.CustomAlertFieldsManager.buildResponseFromXML(CustomAlertFieldsManager.java:351)
at com.q1labs.semsources.cre.responses.templates.CustomAlertFieldsManager.loadTemplate(CustomAlertFieldsManager.java:145)
at com.q1labs.semsources.cre.responses.Email_Response.performResponse(Email_Response.java:51)
at com.q1labs.semsources.cre.CustomRule.performResponses(CustomRule.java:1049)
at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:578)
at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:496)
at com.q1labs.semsources.cre.CustomRuleSetExecutor.testRule(CustomRuleSetExecutor.java:342)
at com.q1labs.semsources.cre.CustomRuleSetExecutor.test(CustomRuleSetExecutor.java:210)
at com.q1labs.semsources.cre.CRERuleExecutor.processEventInAllMode(CRERuleExecutor.java:177)
at com.q1labs.semsources.cre.GlobalRuleExecutor.processEvent(GlobalRuleExecutor.java:207)
at com.q1labs.semsources.cre.CREEventProcessor.processEvent(CustomRuleEngine.java:544)
at com.q1labs.semsources.cre.CREEventProcessor.run(CustomRuleEngine.java:484)
14 November 2021
BACKUP AND RESTORE IJ35436 ‘TEST HOST ACCESS’ CAN FAIL TO WORK AS EXPECTED WHEN RESTORING A BACKUP ARCHIVE CLOSED Resolved in
QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208)
QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

Workaround
If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

Issue
When restoring a backup archive created on a different Console (with Managed Host), Test Host Access does not work as expected on the “Restore a Backup (Managed Hosts Accessibility)” window, even if iptables is stopped on the Managed Host. It displays “No Access” in the “Access Status” column. Continuing with the restore completes with the message “Console cannot access the host”.
14 November 2021
QRADAR NETWORK INSIGHTS IJ33201 ICMPV6 FLOWS CAN BE MISSING IPV6 FIELD DATA CLOSED Resolved in
QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

Workaround
If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

Issue
When viewing ICMPv6 traffic in the QRadar User Interface, some fields are missing for flows and ICMPv6 traffic from QRadar Network Insights or IPFIX exporters.

These fields include IPv6 addresses (they display as 0:0:0:0:0:0:0:0), all tagged fields, QoS, ASN, IF Index, and flowid.

When this issue occurs, searches performed for these fields in ICMPv6 traffic do not work as expected.
14 November 2021
EVENT AND FLOW RETENTION IJ20880 ‘COMPRESSION’ COLUMN IS DISPLAYED ON THE EVENT/FLOW RETENTION SCREEN AND UNABLE TO EDIT EXISTING RETENTION BUCKETS CLOSED Resolved in
QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

Workaround
When editing a retention bucket, set the Compression value to Never.

Issue
A “Compression” column can be observed on the Event/Flow Retention window.

When this issue is occurring, editing an existing retention policy fails with an error in the QRadar User Interface. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention] com.q1labs.qradar.ui.action.Retention: [ERROR] [NOT:0000003000][IP/- -] [-/- -]Retention Bucket save failed
[tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention] java.lang.NumberFormatException: For input string: ""
[tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention]   at java.lang.NumberFormatException.forInputString(NumberFormatException.java:76)
[tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention]   at java.lang.Integer.parseInt(Integer.java:604)
[tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention]   at java.lang.Integer.parseInt(Integer.java:627)
[tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention]   at com.google.gson.JsonPrimitive.getAsInt(JsonPrimitive.java:260)
[tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention]   at com.q1labs.qradar.ui.bean.RetentionForm$1.deserialize(RetentionForm.java:97)
[tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention]   at com.q1labs.qradar.ui.bean.RetentionForm$1.deserialize(RetentionForm.java:79)
[tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention]   at com.google.gson.internal.bind.TreeTypeAdapter.read(TreeTypeAdapter.java:69)
[tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention]   at com.google.gson.internal.bind.TypeAdapterRuntimeTypeWrapper.read(TypeAdapterRuntimeTypeWrapper.java:41)
14 November 2021
Advanced Search (AQL) IJ32889 AQL SEARCHES CAN BECOME CORRUPTED AFTER A CONTENT MANAGEMENT TOOL IMPORT CLOSED Resolved in
QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

Workaround
Manually edit the affected AQL searches to remove the extra quotes from all affected searches where the extra quotes appear.

For example, ""Bytes Sent"(GB)"

In this example, the user can remove the interior (second and third) quotation marks, leaving "Bytes Sent(GB)".

Issue
AQL saved searches can become corrupted during the Content Management Tool (CMT) import after the DataExfiltration-ContentExtension-1.0.4.zip is added to QRadar, causing an invalid AQL query. Affected searches cannot be used. For example, searches containing the following AQL string pattern are affected:
SELECT DOUBLE(sum("BytesSent")) / 1073741824 As "Bytes Sent(GB)"
FROM events

When a string of this form is used as a custom column name, the AQL search becomes corrupted. This also includes name variations where the key part is Bytes Sent followed by the brackets, such as “Bytes Sent(Megabytes)”.

Components that use the affected search, like reports and accumulation, are also likely to be affected as the search(es) do not complete.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] com.q1labs.ariel.ql.parser.Parser: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Parse error: missing FROM at 'Bytes'
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] com.q1labs.ariel.ql.parser.AQLParserException: Parse error: missing FROM at 'Bytes') / 1073741824 As ""Bytes Sent"(GB)" From^
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at com.q1labs.ariel.ql.parser.AQLErrorListener.syntaxError(ParserUtils.java:84)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at org.antlr.v4.runtime.ProxyErrorListener.syntaxError(ProxyErrorListener.java:65)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at org.antlr.v4.runtime.Parser.notifyErrorListeners(Parser.java:564)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at org.antlr.v4.runtime.DefaultErrorStrategy.reportMissingToken(DefaultErrorStrategy.java:407)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at org.antlr.v4.runtime.DefaultErrorStrategy.singleTokenInsertion(DefaultErrorStrategy.java:510)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at org.antlr.v4.runtime.DefaultErrorStrategy.recoverInline(DefaultErrorStrategy.java:474)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at org.antlr.v4.runtime.Parser.match(Parser.java:227)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at com.q1labs.ariel.ql.parser.antlr.AQLParser.query(AQLParser.java:725)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at com.q1labs.ariel.ql.parser.antlr.AQLParser.batch(AQLParser.java:404)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at com.q1labs.ariel.ql.parser.ParserUtils.parse(ParserUtils.java:413)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at com.q1labs.ariel.ql.parser.ParserBase.parseBatch(ParserBase.java:1623)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at com.q1labs.ariel.ql.parser.Parser.parseStatement(Parser.java:172)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at com.q1labs.ariel.ql.parser.Parser.executeStatement(Parser.java:67)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at com.q1labs.ariel.ConnectedClient.processStatement(ConnectedClient.java:367)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java:308)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java:136)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at java.lang.Thread.run(Thread.java:822)
14 November 2021
SEARCH IJ32741 REAL TIME EVENT STREAMING CAN STOP WHEN A “JAVA.IO.EXCEPTION: BROKEN PIPE” ERROR OCCURS AFTER A TOMCAT PROCESS RESTART CLOSED Resolved in
QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208)
QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)
Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

Workaround
Select one of the following workaround options:

A. Perform a restart of the ecs-ep process on the QRadar deployment from an SSH session to the QRadar Console:
/opt/qradar/support/all_servers.sh -C "systemctl restart ecs-ep"

OR

B. Perform a Deploy Full Configuration from the Console:
Admin > Advanced > Deploy Full Configuration.

Issue
In some instances where tomcat is restarted on the QRadar Console, a “java.io.IOException: Broken pipe” error can occur, after which real time event streaming in the QRadar User Interface can stop functioning.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [ReceiverServer(0.0.0.0:7801)] com.q1labs.core.shared.ariel.streaming.StreamConsumer$Receiver 0.0.0.0:7801: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]Error: /127.0.0.1:49432 : IOException : Broken pipe
[tomcat.tomcat] [ReceiverServer(0.0.0.0:7801)] java.io.IOException: Broken pipe
[tomcat.tomcat] [ReceiverServer(0.0.0.0:7800)] com.q1labs.core.shared.ariel.streaming.StreamConsumer$Receiver 0.0.0.0:7800: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]Error: /127.0.0.1:52834 : IOException : Broken pipe
[tomcat.tomcat] [ReceiverServer(0.0.0.0:7800)] java.io.IOException: Broken pipe
14 November 2021
FLOWS IJ33511 THE NETWORK ACTIVITY FLOW SOURCE TYPE FIELD DISPLAYS N/A CLOSED Resolved in
QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

Workaround
No workaround available.

APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

Issue
In the Network Activity tab, N/A can be displayed in the Flow Source field in some instances. The Flow Source field should not display N/A.
14 November 2021
QRADAR NETWORK INSIGHTS IJ29680 NON-ADMIN USERS CANNOT OPEN THE EXTRACT PROPERTIES TAB WHEN A LARGE NUMBER OF LOG SOURCES EXIST CLOSED Resolved in
QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208)
QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

Workaround
If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

Issue
Non-admin QRadar users can experience a timeout after a longer than expected wait while trying to open the extract properties tab when using Log Source Management.

This issue occurs when there are a large number of Log Sources, because a permission check is run for every device one at a time. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
"user@127.0.0.1 (4918) /console/do/qradar/arielProperties"
Id=1835698 in RUNNABLE
at org.postgresql.core.PGStream.receive(PGStream.java:467)
at org.postgresql.core.PGStream.receiveTupleV3(PGStream.java:422)
at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:2146)
at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:308)
- locked org.postgresql.core.v3.QueryExecutorImpl@cdad6869
at org.postgresql.jdbc.PgStatement.executeInternal(PgStatement.java:441)
at org.postgresql.jdbc.PgStatement.execute(PgStatement.java:365)
at org.postgresql.jdbc.PgPreparedStatement.executeWithFlags(PgPreparedStatement.java:143)
at org.postgresql.jdbc.PgPreparedStatement.executeQuery(PgPreparedStatement.java:106)
at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.executeQuery(NewProxyPreparedStatement.java:76)
at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:270)
at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator$LoggingConnection$LoggingPreparedStatement.executeQuery(LoggingConnectionDecorator.java:1115)
at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:268)
at org.apache.openjpa.jdbc.sql.PostgresDictionary$PostgresPreparedStatement.executeQuery(PostgresDictionary.java:1011)
at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:268)
at org.apache.openjpa.jdbc.kernel.JDBCStoreManager$CancelPreparedStatement.executeQuery(JDBCStoreManager.java:1800)
at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:268)
at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:258)
at com.q1labs.frameworks.session.PreparedStatementWrapper.executeQuery(PreparedStatementWrapper.java:270)
at com.q1labs.core.shared.util.SqlUtil.runQuery(SqlUtil.java:177)
at com.q1labs.core.shared.util.SqlUtil.runQuery(SqlUtil.java:162)
at com.q1labs.core.util.sensors.SensorDeviceUtil.getAllLogSources(SensorDeviceUtil.java:27)
at com.q1labs.core.shared.util.UserUtils.getUserDeviceIds(UserUtils.java:803)
at com.q1labs.core.shared.util.UserUtils.userHasDevices(UserUtils.java:741)
at com.q1labs.core.shared.util.UserUtils.userHasDevices(UserUtils.java:1080)
at com.q1labs.sem.ui.semservices.UISemServices.getSensorDevicesByDeviceType(UISemServices.java:3302)
at com.q1labs.ariel.ui.action.ArielProperty.prepareDefaultRequestOpions(ArielProperty.java:120)
at com.q1labs.ariel.ui.action.ArielProperty.executeEdit(ArielProperty.java:793)
at com.q1labs.uiframeworks.actions.DispatchAction.edit(DispatchAction.java:253)
at sun.reflect.GeneratedMethodAccessor2973.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
at java.lang.reflect.Method.invoke(Method.java:508)
14 November 2021
QRADAR NETWORK INSIGHTS IJ28760 QNI DATA CAN FAIL TO BE RECEIVED BY THE QRADAR CONSOLE USING DTLS DUE TO A MISSING CERTIFICATE ON THE QRADAR NETWORK INSIGHTS APPLIANCE CLOSED Resolved in
QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

Workaround
On the QRadar Network Insights appliance, copy the certificate from:
/store/configservices/staging/globalconfig/dtlspki
to:
/opt/qradar/conf/dtls/client/

Issue
The DTLS connection between an encrypted, NATed QRadar Network Insights (QNI) appliance and the Console can fail if the required certificate does not get copied to the correct directory during the connection setup on the QNI appliance.

The needed certificate resides on the QNI appliance in: /store/configservices/staging/globalconfig/dtlspki, but can fail to be copied during connection setup to: /opt/qradar/conf/dtls/client/
14 November 2021
REPORTS IJ26321 REPORTS CAN FAIL TO COMPLETE DUE TO A LOCK ON THE QRADAR DATABASE PREVENTING REPORT TEMPLATES FROM LOADING CLOSED Resolved in
QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

Workaround
Administrators can restart the reporting executor service, which allows the report templates to reload and creates a new transaction session.
  1. Log in to the QRadar Console as the root user.
  2. To restart the reporting executor, type:
    systemctl restart reporting_executor
  3. To verify the issue, manually start the report in the QRadar interface.

Issue
In some instances, QRadar report templates can fail to load due to a lock that is applied to the QRadar database preventing the database transaction from retrieving report templates. The database fails to connect as the session connection is already considered dead or previously used and closed. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[reporting_executor.reporting_executor] [Report Queue]
com.q1labs.reporting.ReportServices: [INFO]
[NOT:0000006000][xx.xx.xx.xx/- -] [-/- -]Reporting Scheduler is enabled
[reporting_executor.reporting_executor] [Report Queue]
com.q1labs.reporting.ReportServices: [ERROR]
[NOT:0000003000][xx.xx.xx.xx/- -] [-/- -]Lock to templates
folder is acquired by another process, skipping templates reload.
[reporting_executor.reporting_executor] [Report Queue]
com.q1labs.core.shared.ariel.CustomKeyCreator: [ERROR]
[NOT:0000003000][xx.xx.xx.xx/- -] [-/- -]Exception loading
custom property ID ed1cbe38-1f8a-4621-a838-8a6400c61384
[reporting_executor.reporting_executor] [Report Queue]
{openjpa-2.4.3-r422266:1833086 fatal general error}
org.apache.openjpa.persistence.PersistenceException: This
connection has been closed. {SELECT t0.id, t0.autodiscovered,
t0.creationdate, t0.database, t0.datepattern, t0.description,
t0.description_id, t0.editdate, t0.forceparse, t0.languagetag,
t0.propertyname, t0.sequenceid, t0.tenant_id, t0.propertytype,
t0.username FROM ariel_regex_property t0 WHERE (t0.id = ?)}
{code=0, state=08003}
FailedObject: SELECT a FROM ArielRegexProperty a WHERE a.id =
?1 [java.lang.String]
[reporting_executor.reporting_executor] [Report Queue]    at org.apache.openjpa.jdbc.sql.DBDictionary.narrow(DBDictionary.java:5003)
..
[reporting_executor.reporting_executor] [Report Queue] Caused by:
[reporting_executor.reporting_executor] [Report Queue]
org.apache.openjpa.lib.jdbc.ReportingSQLException: This
connection has been closed. {SELECT t0.id, t0.autodiscovered,
t0.creationdate, t0.database, t0.datepattern, t0.description,
t0.description_id, t0.editdate, t0.forceparse, t0.languagetag,
t0.propertyname, t0.sequenceid, t0.tenant_id, t0.propertytype,
t0.username FROM ariel_regex_property t0 WHERE (t0.id = ?)}
14 November 2021
DATA SYNCHRONIZATION APP IJ33228 DESTINATION SITE AUTH TOKENS FAIL TO WORK PROPERLY AFTER A RESTORE IS PERFORMED USING THE QRADAR DATA SYNCHRONIZATION APP CLOSED Resolved in
QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

Workaround
  1. After the restore process completes, perform a Deploy Full Configuration: Admin > Advanced > Deploy Full Configuration.
  2. Wait for the Deploy Full Configuration to complete.
  3. Use SSH to log in to QRadar as the root user.
  4. To verify tomcat is running, type:
    systemctl status tomcat
  5. To verify that tomcat is running, look for “Active: active (running)” in the status output.
  6. After confirming tomcat is running, type:
    systemctl restart tomcat

Issue
After restoring a backup using the Data Synchronization app, the Destination site auth tokens are unusable and error messages similar to the following can be observed in the app logs identifying that the QRadar APIs are no longer retrieving results:
[ERROR] [Fri May 07 2021 13:12:44 GMT-0300 (Atlantic Daylight
Time)] 'An error occured retrieving backups from QRadar API: No
SEC header present in request. Please provide it via "SEC:
token". You may also use BASIC authentication parameters if this
host supports it. e.g. "Authorization: Basic base64Encoding"',
[ERROR] [Fri May 07 2021 13:12:44 GMT-0300 (Atlantic Daylight
Time)] toString: ^Function: toString] } 
14 November 2021
MANAGED HOSTS IJ33650 ‘ERRORSTREAM FLUSH-KEY-FOR-IPADDRESS’ ERROR MESSAGES BEING WRITTEN TO QRADAR LOGGING OPEN Workaround
No workaround available. APARs identified with no workaround require a software delivery to resolve.

Issue
Repeating “ErrorStream” messages can sometimes be observed in /var/log/qradar.log, along with Managed Hosts attempting to connect to other Managed Hosts over port 22.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[hostcontext.hostcontext] [Thread-1913] ComponentOutput: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
flush-key-for-ipaddress: # ipaddress:22 SSH-2.0-OpenSSH_7.4 May
13 10:14:28 ::ffff:127.0.0.1 [hostcontext.hostcontext]
[Thread-1917] ComponentOutput: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
flush-key-for-ipaddress: # ipaddress:22 SSH-2.0-OpenSSH_7.4 May
13 10:14:28 ::ffff:127.0.0.1 [hostcontext.hostcontext]
[Thread-1919] ComponentOutput: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
flush-key-for-ipaddress: # ipaddress:22 SSH-2.0-OpenSSH_7.4 May
13 10:14:28 ::ffff:127.0.0.1 [hostcontext.hostcontext]
[Thread-1921] ComponentOutput: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
flush-key-for-ipaddress: # ipaddress:22 SSH-2.0-OpenSSH_7.4 May
13 10:14:29 ::ffff:127.0.0.1 [hostcontext.hostcontext]
[Thread-1923] ComponentOutput: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
flush-key-for-ipaddress: # ipaddress:22 SSH-2.0-OpenSSH_7.4 May
13 10:14:30 ::ffff:127.0.0.1 [hostcontext.hostcontext]
[Thread-1925] ComponentOutput: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
flush-key-for-ipaddress: # ipaddress:22 SSH-2.0-OpenSSH_7.4
08 JULY 2021
UPGRADE IJ32896 QRADAR PATCH PRE-TEST CAN FAIL DUE TO CHECK_YUM.SH ISSUES WHEN WINCOLLECT 7.3.1-16 INSTALLED OPEN Workaround
To work around this issue, clean the yum cache to allow the patch to run successfully.
  1. Mount the 7.4.2 Fix Pack 3 file on the appliance.
  2. Run the following command:
    /media/updates/supplementary_scripts/run_yum.py --baseurl /media/updates/repo --clean all
  3. Run the pre-test on the appliance and confirm the error no longer displays.
Note: The command in this workaround is a single command, even if it appears split across two lines.

Issue
The QRadar patch pre-test can fail when the check_yum.sh pretest does not clean out the old yum cache.

This can occur when WinCollect 7.3.1-16 has been installed prior to the QRadar patch attempt. Messages similar to the following might be visible when this issue occurs:
[INFO](testmode) Not using downloaded
qradar-upgrade-local/repomd.xml because it is older than what we have:
Current : Wed Apr 28 16:45:33 2021
Downloaded: Tue Mar 23 18:56:37 2021
01 November 2021
HIGH AVAILABILITY (HA) IJ34628 INCORRECT STATUS FOR NETWORK INTERFACES CAN BE DISPLAYED FOR HIGH AVAILABILITY HOST OPEN Workaround
Contact support for a possible workaround that might address this issue in some instances.

Issue
An incorrect status for network interfaces can be observed (example: network interface shows as down) for a High Availability (HA) host in the “Network Interfaces” tab of the “System and License Management” window when the secondary is active.
04 November 2021
UPGRADE IJ36052 HOSTCONTEXT CAN FAIL TO START ON MANAGED HOSTS AFTER PATCHING QRADAR OPEN Workaround
Contact support for a possible workaround that might address this issue in some instances.

Issue
In some instances, Managed Hosts can fail to start the hostcontext service after patching. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[main] java.lang.NullPointerException
[main] at com.q1labs.hostcontext.HostContext.destroy(HostContext.java:1168)
[main] at com.q1labs.hostcontext.HostContext.main(HostContext.java:1319)
hostcontext[131454]: at com.mchange.v2.sql.SqlUtils.toSQLException(SqlUtils.java:106)
hostcontext[131454]: at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool.checkoutPooledConnection(C3P0PooledConnectionPool.java:529)
hostcontext[131454]: at com.mchange.v2.c3p0.impl.AbstractPoolBackedDataSource.getConnection(AbstractPoolBackedDataSource.java:128)
09 November 2021
UDP MULTILINE SYSLOG PROTOCOL IJ35316 EVENTS THAT HAVE BEEN COMBINED IN A GATEWAY CAN BECOME UNCOMBINED OPEN Workaround
No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release of the UDP Multiline Syslog Protocol.

Issue
Events that have been combined in a gateway can become uncombined when parsed by a syslog log source with a matching Log Source Identifier (LSI).

When Open LDAP UDP Multiline events are collected with the ‘Use As A Gateway Log Source’ on its own port, they are combined correctly as configured and display as Sim Generic events. If there is a syslog log source also created that matches the LSI of these generic combined events, the events are parsed with that log source and some of them uncombine.

This only occurs with specific payloads and is caused by a parsing issue in the UDPMultiline protocol.
8 October 2021
OFFENSES IJ29371 OFFENSE DETAILS REPORT IN PDF FORMAT CAN CAUSE REPORT_RUNNER TO GO OUT OF MEMORY OPEN Workaround
  1. Run the required Offense Details report on a smaller set of data.
    OR
  2. Change the report to excel/csv output instead of pdf.

Issue
The QRadar report_runner process can go out of memory when running an Offense Details report that is configured for PDF output.

This out of memory condition occurs when there is too much data for the PDF rendering to handle (example: over a month of data). When this occurs, the report fails to generate.
18 November 2021
tbd IJ34320 QRADAR USER INTERFACE DISPLAYS 'NULL' AND OR 'KEY NOT FOUND' IN MULTIPLE UI FIELDS OPEN Workaround
Correct the permissions on the files/directories when this issue occurs. This issue has been identified with /opt/qradar/conf/localization. From an SSH session to the QRadar Console, use the chmod command to set the permissions for /opt/qradar/conf/localization to 775:
# chmod 775 /opt/qradar/conf/localization

Issue
In some instances, lineChange.sh can cause incorrect file permissions to be set on required file/folders.

When this issue occurs, the QRadar User Interface can display "null" and/or "key not found" across multiple UI fields.
13 August 2021
AQL IJ21739 'PAYLOAD CONTAINS' AQL FILTER FROM A BASIC SEARCH CAN GENERATE AN ILLEGAL ARGUMENT EXCEPTION AND INCORRECT RESULTS OPEN Workaround
Enable store payload in the Log Sources.

Issue
Using the 'Payload Contains' AQL filter generated from a basic search generates an illegal argument exception and has incorrect search results when compared with the results of the basic search. For example:
  1. Create a basic search.
  2. Add the filter "Payload Contains" Admin.
  3. Add the payload column.
  4. Save the search and run it.
  5. Notice the expected output of the payload column.
  6. Convert the search to AQL by clicking > Log Activity > Edit Search > Show AQL.
  7. The resulting AQL is:
    select "payload" as 'Payload',QIDNAME(qid) as 'Event Name',logsourcename(logSourceId) as 'Log Source',"eventCount" as 'Event Count',"startTime" as 'Start Time',categoryname(category) as 'Low Level Category',"sourceIP" as 'Source IP',"sourcePort" as 'Source Port',"destinationIP" as 'Destination IP',"destinationPort" as 'Destination Port',"userName" as 'Username',"magnitude" as 'Magnitude' from events where icu4jsearch('Admin', payload) != -1 order by "startTime" desc LIMIT 1000 last 5 minutes
  8. Run the AQL search.

    Results
    An illegal argument exception is generated and the payload is incorrect.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
com.q1labs.frameworks.nio.exceptions.ExtendedRuntimeException:
Error calling function
com.q1labs.ariel.ql.parser.ICU4jSearch([B@e6bc0507):
java.lang.IllegalArgumentException
at com.q1labs.frameworks.util.Utils.icu4jSearch(Utils.java:672)
at com.q1labs.frameworks.util.Utils.icu4jSearch(Utils.java:647)
at com.q1labs.ariel.ql.parser.ICU4jSearch.calculate(Functions.java:799)
at com.q1labs.ariel.ql.parser.ICU4jSearch.calculate(Functions.java:774)
31 December 2021
WINCOLLECT IJ33117 MAXIMUM OF THREE (3) WINCOLLECT AGENTS ARE DISPLAYED WHEN USING THE LOG SOURCE MANAGEMENT APP OPEN Workaround
Manually type the WinCollect Agent name to find it in the list.

Issue
When using the Log Source Management (LSM) app, the drop-down menu of WinCollect Agents displays a maximum of three (3) agents.

For example:
  1. Have more than three (3) WinCollect agents and ensure that the agents are connected.
  2. Launch the LSM app and click the New Log Source button.
  3. Select Single Log Source, select Microsoft Windows Security Event Log as the Log Source Type (LST), and select the WinCollect protocol type.
  4. Fill in all required fields; on the Configure Protocol Parameters page, scroll down to the bottom and select WinCollect Agent.

    Results
    Only three (3) agents are displayed.
17 June 2021
QRADAR NETWORK INSIGHTS IJ32209 INCIDENT RESULTS WINDOW CAN TAKE LONGER THAN EXPECTED TO LOAD OPEN Workaround
Contact Support for a possible workaround that might address this issue in some instances.

Issue
The Incident Results window populates from a forensics database table that is not purged even when cases are deleted through Case Management.

All entries on all pages must have a Solr request sent to determine the document count for the page which can sometimes cause the Incident Results window to take longer than expected to load.
28 April 2021
AQL IJ33665 AQL REFERENCETABLE TABLE FUNCTION USING 'LOWER' AND 'GROUP' CAN FAIL TO WORK AS EXPECTED OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

Issue
Using the AQL REFERENCETABLE function with both LOWER and a GROUP BY clause can result in inconsistent query results. Example query containing both LOWER and GROUP BY:
select REFERENCETABLE('test','number',LOWER(username)) as 'number',REFERENCETABLE('test','test',LOWER(username)) as 'test', username from events GROUP BY username,'numOfParts','SHA256' ORDER BY username,'number','test' DESC last 1 HOURS

Removing either the LOWER() function or the GROUP BY clause returns correct query results.
18 July 2021
APPLICATION FRAMEWORK IJ24325 INSTALLING A NEW VERSION OF AN APP CAN LEAVE THE OLD VERSION STILL INSTALLED AND RUNNING OPEN Workaround
Remove the older QRadar App version manually from Extension Management in the Admin tab of the QRadar User Interface.

Issue
Installing a newer version of a QRadar App can sometimes result in both the old and new versions running simultaneously. That is, the old version is not removed properly and is left running.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [configservices@127.0.0.1(4359) /console/restapi/api/gui_app_framework/applications/1101] com.q1labs.restapi_annotations.content.exceptions.APIMappedException: Unable to process request because Container Manager service is unavailable
[tomcat.tomcat] [configservices@127.0.0.1(4359) /console/restapi/api/gui_app_framework/applications/1101]    at com.q1labs.restapi.exceptionmapper.ExceptionMapper.mapException(ExceptionMapper.java:141)
[tomcat.tomcat] [configservices@127.0.0.1(4359) /console/restapi/api/gui_app_framework/applications/1101]    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
...
[tomcat.tomcat] [configservices@127.0.0.1(4359) /console/restapi/api/gui_app_framework/applications/1101]    at java.lang.Thread.run(Thread.java:812)
[tomcat.tomcat] [configservices@127.0.0.1(4359) /console/restapi/api/gui_app_framework/applications/1101] Caused by:
[tomcat.tomcat] [configservices@127.0.0.1(4359) /console/restapi/api/gui_app_framework/applications/1101] com.q1labs.restapi_annotations.content.exceptions.endpointExceptions.ServerProcessingException: Unable to process request because Container Manager service is unavailable
[tomcat.tomcat] [configservices@127.0.0.1(4359) /console/restapi/api/gui_app_framework/applications/1101]    at com.q1labs.uiframeworks.application.api.service.DefaultApplicationAPIService.abortIfConManIsUnavailable(DefaultApplicationAPIService.java:556)
[tomcat.tomcat] [configservices@127.0.0.1(4359) /console/restapi/api/gui_app_framework/applications/1101]    at com.q1labs.uiframeworks.application.api.service.DefaultApplicationAPIService.deleteApp(DefaultApplicationAPIService.java:577)
[tomcat.tomcat] [configservices@127.0.0.1(4359) /console/restapi/api/gui_app_framework/applications/1101]    at com.q1labs.uiframeworks.application.api.v10_0.ApplicationsAPI.deleteApplication(ApplicationsAPI.java:423)
[tomcat.tomcat] [configservices@127.0.0.1(4359) /console/restapi/api/gui_app_framework/applications/1101]    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[tomcat.tomcat] [configservices@127.0.0.1(4359) /console/restapi/api/gui_app_framework/applications/1101]    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
[tomcat.tomcat] [configservices@127.0.0.1(4359) /console/restapi/api/gui_app_framework/applications/1101]    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
[tomcat.tomcat] [configservices@127.0.0.1(4359) /console/restapi/api/gui_app_framework/applications/1101]    at java.lang.reflect.Method.invoke(Method.java:508)
[tomcat.tomcat] [configservices@127.0.0.1(4359) /console/restapi/api/gui_app_framework/applications/1101]    at com.q1labs.restapi.servlet.utilities.APIRequestHandler.invokeMethod(APIRequestHandler.java:1031)
[tomcat.tomcat] [configservices@127.0.0.1(4359) /console/restapi/api/gui_app_framework/applications/1101]    at com.q1labs.restapi.servlet.utilities.APIRequestHandler.redirectRequest(APIRequestHandler.java:399)
[tomcat.tomcat] [configservices@127.0.0.1(4359) /console/restapi/api/gui_app_framework/applications/1101] ... 61 more
[tomcat.tomcat] [com@127.0.0.1] com.ibm.si.content_management.utils.AppFrameworkAPIClient: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Delete failed for app 1101
15 May 2021
DATA SYNCHRONIZATION APP IJ34687 UNABLE TO COMPLETE FAIL BACK PROCESS DUE TO 'FAIL BACK TO MAIN SITE' OPTION NOT SELECTABLE IN DATA SYNC APP OPEN Workaround
  1. Perform a factory reset on the main and destination sites: https://www.ibm.com/docs/en/qradar-common?topic=app-implementing-factory-reset.
  2. Run through the failover process again, making sure not to select 'Reactivate Main Site' until a few moments after the notification that the ariel copy is caught up.

Issue
In instances where the 'Reactivate Main Site' option is selected before a fail back has completed, the IBM QRadar Data Synchronization app option 'Fail back to main site' becomes permanently un-selectable (the option is greyed out) on the destination site.
29 August 2021
OFFENSES IJ34730 EVENTS MATCHING A RULE CAN SOMETIMES FAIL TO BE ASSOCIATED WITH AN OFFENSE OR GENERATE A NEW OFFENSE OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

Issue
In some instances after an offense is closed, new events that match a rule are neither associated with the offense nor generate a new offense as expected due to a race condition that can occur.
26 August 2021
SEARCH IJ19107 SEARCHES USING A CUSTOM PROPERTY CAN BE SLOWER TO COMPLETE THAN EXPECTED OPEN Workaround
Contact Support if you are experiencing slower than expected search results when using Custom Properties.

Issue
It has been identified that searches using a Custom Property can be slower than expected to return results when some ariel threads are slow to complete.

Performing an evaluation of a thread dump using the threadTop.sh command can determine whether this issue is affecting your QRadar searches. A "BLOCKED" worker thread in an ariel thread dump indicates that this issue is affecting your QRadar searches. Only one thread should be in the RUNNABLE state and the others (executing the same code) should be blocked on it. In the example below, thread qw_2 is in the synchronized block and qw_3 is blocked on it:
"qw_2:2500ba82-b58c-4906-b20b-04f05fbed185" Id=188 in RUNNABLE
at com.q1labs.core.shared.ariel.CustomKeyCreator.createKey(CustomKeyCreator.java:95)
at com.q1labs.core.shared.ariel.CustomKeyCreator.createKey(CustomKeyCreator.java:30)
at com.q1labs.ariel.IndexPredicate$ExpressionPredicate.evaluate(IndexPredicate.java:50)
at com.q1labs.ariel.IndexPredicate.evaluate(IndexPredicate.java:247)
at com.q1labs.frameworks.util.predicate.AndPredicate.evaluate(AndPredicate.java:15)
at com.q1labs.ariel.searches.service.ids.FilteredSource.next(FilteredSource.java:40)
at com.q1labs.ariel.searches.tasks.QueryWorker.execute(QueryWorker.java:53)
at com.q1labs.ariel.searches.tasks.ServiceTaskBase.runTask(ServiceTaskBase.java:89)
at com.q1labs.ariel.searches.tasks.ServiceTask.runTask(ServiceTask.java:69)
at com.q1labs.ariel.searches.tasks.ServiceTaskBase$Runner.run(ServiceTaskBase.java:32)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.lang.Thread.run(Thread.java:812)
"qw_3:2500ba82-b58c-4906-b20b-04f05fbed185" Id=241 in BLOCKED
on lock=com.q1labs.core.shared.ariel.CustomKeyCreator@e58ce78d
owned by qw_2:2500ba82-b58c-4906-b20b-04f05fbed185 Id=188
at com.q1labs.core.shared.ariel.CustomKeyCreator.createKey(CustomKeyCreator.java:95)
at com.q1labs.core.shared.ariel.CustomKeyCreator.createKey(CustomKeyCreator.java:30)
at com.q1labs.ariel.IndexPredicate$ExpressionPredicate.evaluate(IndexPredicate.java:50)
at com.q1labs.ariel.IndexPredicate.evaluate(IndexPredicate.java:247)
at com.q1labs.frameworks.util.predicate.AndPredicate.evaluate(AndPredicate.java:15)
at com.q1labs.ariel.searches.service.ids.FilteredSource.next(FilteredSource.java:40)
at com.q1labs.ariel.searches.tasks.QueryWorker.execute(QueryWorker.java:53)
at com.q1labs.ariel.searches.tasks.ServiceTaskBase.runTask(ServiceTaskBase.java:89)
at com.q1labs.ariel.searches.tasks.ServiceTask.runTask(ServiceTask.java:69)
at com.q1labs.ariel.searches.tasks.ServiceTaskBase$Runner.run(ServiceTaskBase.java:32)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.lang.Thread.run(Thread.java:812)
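The check described for IJ19107 (one RUNNABLE worker inside the CustomKeyCreator synchronized block, the other workers BLOCKED on its lock) can be automated over the output of a thread dump. The following is an added example, not IBM's code or a QRadar tool: it parses thread headers, "on lock" / "owned by" lines and stack frames in the format shown above, groups the BLOCKED threads by the lock they wait on, and reports whether the APAR's signature is present. The qw_2 and qw_3 threads are abbreviated from the dump above; the extra waiter qw_4, the unrelated worker qw_9 and the CLEAN_DUMP control case are constructed sample input.

```python
import re
from collections import defaultdict

# Sample thread-dump excerpt. qw_2 and qw_3 are abbreviated from the dump quoted
# in the APAR text; qw_4 (a second waiter) and qw_9 (an unrelated RUNNABLE worker)
# are constructed additions so the parser has more than one waiter to classify.
SAMPLE_DUMP = '''\
"qw_2:2500ba82-b58c-4906-b20b-04f05fbed185" Id=188 in RUNNABLE
at com.q1labs.core.shared.ariel.CustomKeyCreator.createKey(CustomKeyCreator.java:95)
at com.q1labs.core.shared.ariel.CustomKeyCreator.createKey(CustomKeyCreator.java:30)
at com.q1labs.ariel.IndexPredicate$ExpressionPredicate.evaluate(IndexPredicate.java:50)
"qw_3:2500ba82-b58c-4906-b20b-04f05fbed185" Id=241 in BLOCKED
on lock=com.q1labs.core.shared.ariel.CustomKeyCreator@e58ce78d
owned by qw_2:2500ba82-b58c-4906-b20b-04f05fbed185 Id=188
at com.q1labs.core.shared.ariel.CustomKeyCreator.createKey(CustomKeyCreator.java:95)
at com.q1labs.core.shared.ariel.CustomKeyCreator.createKey(CustomKeyCreator.java:30)
"qw_4:2500ba82-b58c-4906-b20b-04f05fbed185" Id=242 in BLOCKED
on lock=com.q1labs.core.shared.ariel.CustomKeyCreator@e58ce78d
owned by qw_2:2500ba82-b58c-4906-b20b-04f05fbed185 Id=188
at com.q1labs.core.shared.ariel.CustomKeyCreator.createKey(CustomKeyCreator.java:95)
"qw_9:00000000-0000-0000-0000-000000000000" Id=300 in RUNNABLE
at com.q1labs.ariel.searches.tasks.QueryWorker.execute(QueryWorker.java:53)
'''

# Constructed control case: a dump with no BLOCKED workers at all.
CLEAN_DUMP = '''\
"qw_1:00000000-0000-0000-0000-000000000000" Id=100 in RUNNABLE
at com.q1labs.ariel.searches.tasks.QueryWorker.execute(QueryWorker.java:53)
'''

HEADER_RE = re.compile(r'^"(?P<name>[^"]+)" Id=(?P<tid>\d+) in (?P<state>[A-Z_]+)')
LOCK_RE = re.compile(r'^on lock=(?P<lock>\S+)')
OWNER_RE = re.compile(r'^owned by (?P<owner>\S+) Id=\d+')
FRAME_RE = re.compile(r'^at (?P<frame>\S+)')

# The frame the APAR names as the contended synchronized block.
CONTENDED_FRAME = "com.q1labs.core.shared.ariel.CustomKeyCreator.createKey"


def parse_thread_dump(text):
    """Split a thread dump into per-thread records: name, id, state, the lock the
    thread is blocked on (if any), the lock's owner (if any) and its stack frames."""
    threads, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HEADER_RE.match(line)):
            current = {"name": m["name"], "id": int(m["tid"]), "state": m["state"],
                       "lock": None, "owner": None, "frames": []}
            threads.append(current)
        elif current is None:
            continue  # text before the first thread header
        elif (m := LOCK_RE.match(line)):
            current["lock"] = m["lock"]
        elif (m := OWNER_RE.match(line)):
            current["owner"] = m["owner"]
        elif (m := FRAME_RE.match(line)):
            current["frames"].append(m["frame"])
    return threads


def find_lock_contention(threads):
    """Map each lock that some thread is BLOCKED on to its owner, the owner's
    state and the list of waiting threads."""
    by_name = {t["name"]: t for t in threads}
    contention = defaultdict(lambda: {"owner": None, "owner_state": None, "blocked": []})
    for t in threads:
        if t["state"] != "BLOCKED" or not t["lock"]:
            continue
        entry = contention[t["lock"]]
        entry["blocked"].append(t["name"])
        if t["owner"]:
            entry["owner"] = t["owner"]
            owner = by_name.get(t["owner"])
            entry["owner_state"] = owner["state"] if owner else None
    return dict(contention)


def shows_ij19107_signature(threads):
    """True when the APAR's pattern is present: a RUNNABLE worker holds a lock while
    other workers are BLOCKED on it with CustomKeyCreator.createKey as their top frame."""
    for info in find_lock_contention(threads).values():
        blocked = [t for t in threads if t["name"] in info["blocked"]]
        if info["owner_state"] == "RUNNABLE" and any(
                t["frames"] and t["frames"][0].startswith(CONTENDED_FRAME) for t in blocked):
            return True
    return False


if __name__ == "__main__":
    parsed = parse_thread_dump(SAMPLE_DUMP)
    for lock, info in find_lock_contention(parsed).items():
        print(f"{lock}: owner={info['owner']} ({info['owner_state']}), "
              f"{len(info['blocked'])} blocked")
    print("IJ19107 signature:", shows_ij19107_signature(parsed))
```

Run it against a real threadTop.sh capture by reading the file into parse_thread_dump; a lock with a RUNNABLE owner and several waiters in createKey is the condition the workaround above asks you to confirm before contacting Support.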
25 September 2019
CUSTOM PROPERTIES IJ30032 UNABLE TO SAVE CHANGES TO DEFAULT CUSTOM EVENT PROPERTY (CEP): "OBJECT TYPE(S)" OPEN Workaround
Create a new CEP without the characters outlined in the error message. For more information on creating a custom property, see https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/t_qradar_create_cust_property.html.

Issue
A message similar to: "Property name cannot contain following characters: \ , . & ', " ( )" is generated when attempting to save changes to the Custom Event Property (CEP) "Object Type(s)".

To replicate this issue:
  1. Click the Admin tab > Custom Event Property.
  2. In the search field, search for "(s)".
  3. Multiple results are returned, such as "Object name(s)" and "Object type(s)"; click one of them.
  4. Click the Save button.

    Results
    An error message is generated – "Property name cannot contain following characters: \ , . & ', " ( ) [ ]"
5 January 2021
JDBC PROTOCOL IJ30026 HOSTNAME STARTING WITH NUMBER OR SPECIAL CHARACTER FAILS VALIDATION WHEN CREATING A LOG SOURCE USING THE JDBC PROTOCOL OPEN Workaround
  1. Use a hostname starting with a letter instead of digits or special characters.
    or
  2. Contact Support for another workaround that might work in these instances.

Issue
The "IP or Hostname must be a valid IPv4 address or hostname" message can be observed when attempting to create a Log Source using the JDBC protocol when the configured hostname begins with a number or special character.
5 January 2021
CUSTOM PROPERTIES IJ32194 LEADING WHITESPACE NOT BEING DISPLAYED CAN CAUSE RULES BASED ON CUSTOM EVENT PROPERTIES TO NOT WORK AS EXPECTED OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

Issue
The QRadar Log Activity page does not display the leading whitespace for a custom event property whose value begins with whitespace. Views within the DSM editor can also fail to properly display a leading whitespace where one exists. This can cause false visibility during rule creation because the blank space parsed within custom event properties cannot be seen.
30 April 2021
RULES IJ30033 DEVICE STOP SENDING EMAIL RULE RESPONSES CAN CONTINUE FROM THE BACKUP HOST AFTER QRADAR DATA SYNCHRONIZATION APP IS CONFIGURED OPEN Workaround
Manually stop the postfix service on the backup host using the command:
# systemctl stop postfix


Issue
After completing the configuration of the QRadar Data Synchronization app, any rules configured with the "device stop sending events" test can continue to send emails from the backup host if email is configured as the rule response.
5 January 2021
APP HOST APPLIANCE IJ28640 DUPLICATE ENTRIES WITHIN IPTABLES ON AN APP HOST CAN BE GENERATED AFTER QRADAR APPS ARE STOPPED AND STARTED OPEN Workaround
From a command line (SSH session), restart docker on the App Host to reset the iptables entries:
# systemctl restart docker


Issue
When QRadar Apps are stopped and started with the API, the firewall (iptables) on an App Host is appended with duplicate entries.

The issue occurs because the NAT rule entries are appended to the firewall (iptables) when the app starts, without first checking whether the rule is already present in the firewall.
11 October 2020
ASSETS IJ01985 SOME ASSET IDENTITY DATABASE INFORMATION IS NOT CLEANED UP AFTER ASSETS ARE UPDATED OPEN Workaround
No workaround available.

Issue
It has been identified that in some instances, residual identity data associated to an Asset can be left in the QRadar database after the Asset is updated.

When this occurs, incorrect identity/username information associated with an Asset can sometimes be observed in generated Offenses.

An example of when this issue occurs:
View the Offense Summary screen (Offenses -> All Offenses). When the Offense Source Summary includes a username, that username does not correlate to the detected offense; it is based on what is known about the asset.

This does not represent the actual user(s) that contributed to the offense. To get the details for the username associated with the offense, on the right choose Event/Flow count -> X events; the next pop-up displays the captured details.
23 March 2018
NETWORK IJ29953 IPTABLES FIREWALL RULES CAN FAIL TO UPDATE PROPERLY AFTER ADDING AN ADDITIONAL IPV4 OR IPV6 INTERFACE OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

Issue
After adding an additional interface as IPv4 on an IPv6 environment or adding an additional IPv6 interface with IPv4 as a management interface, the iptables firewall rule is not updated, even after a Deploy Full Configuration is performed.
20 December 2020
FLOWS IJ34731 FLOW SOURCE FILTERS WITH RANDOM INVALID CHARACTERS CAN BE DISPLAYED IN THE QRADAR USER INTERFACE OPEN Workaround
Contact Support for a possible workaround that might address this issue in some instances.

Issue
In some instances, Flow Source filters with random invalid characters for a name can be displayed in the QRadar User Interface.

This can occur because some entries are not properly validated and can be populated with invalid overflow records (and sometimes host info and domain info) as they are read from an overflow buffer.
29 August 2021
tbd IJ34719 UNABLE TO LOGIN AFTER ADDING A SECOND LDAP GROUP MAPPING CONTAINING A SPACE IN THE NAME OPEN Workaround
Contact Support for a possible workaround that might address this issue in some instances.

Issue
Adding a second LDAP group to a mapping with a group that has a space in the name causes logins to stop working. This is caused by the space being escaped incorrectly resulting in the space being replaced with '%2520' instead of '%20' and no longer mapping correctly. For example:
  1. Have LDAP group-based authentication configured.
  2. Select the '+' to add a group mapping and use a group with spaces in the name (for example, "group with space").
  3. The group is added with the space replaced with '%20' (this is expected).
  4. Confirm that you can log on with a user in the mapping using the group with the space.
  5. Select the '+' again to add another group to the same mapping (with or without spaces).
  6. The existing group with the space changes from '%20' to '%2520'.
  7. Save the changes.
  8. Attempt to log in.

    Results
    Unable to login as the mapping no longer matches.
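The '%20' to '%2520' change in IJ34719 is a double percent-encoding: a value that was already encoded once is encoded again, so the '%' of '%20' becomes '%25'. The following is an added example, not IBM's code or the QRadar app's own logic; it models that defect with Python's urllib.parse, shows why a single decode of the stored value no longer matches the directory's group name, and gives a check and a canonicalization routine an administrator can run over a list of stored mapping entries. The assumption that the mapping is compared after exactly one decode is this example's simplification, not something the APAR states.

```python
from urllib.parse import quote, unquote


def encode_group_once(name: str) -> str:
    """Percent-encode a group name exactly once, the form the mapping should store
    ("group with space" -> "group%20with%20space")."""
    return quote(name, safe="")


def reencode_stored_value(stored: str) -> str:
    """Model of the defect in the APAR: the already-encoded stored value is encoded
    a second time when another group is added, turning "%20" into "%2520"."""
    return quote(stored, safe="")


def is_double_encoded(value: str) -> bool:
    """True when one decode still leaves percent-escapes that decode further.
    A literal '%' in a group name ("100%" -> "100%25") decodes to "100%" and stops,
    so it is not flagged; a name that legitimately contains "%20" as text would be
    a false positive and must be reviewed by hand."""
    once = unquote(value)
    return once != value and unquote(once) != once


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Decode until the value is stable (bounded so a malformed value cannot loop),
    then encode exactly once."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return quote(value, safe="")


def mapping_matches(stored: str, ldap_group_name: str) -> bool:
    """Assumed comparison: the stored entry is decoded once and compared with the
    group name returned by the directory. A double-encoded entry decodes to
    "group%20with%20space", which never equals "group with space"."""
    return unquote(stored) == ldap_group_name


def audit_mapping(entries):
    """Return the stored entries that are double-encoded and would stop logins
    for members of that group."""
    return [e for e in entries if is_double_encoded(e)]


if __name__ == "__main__":
    # Constructed walk-through of the steps in the APAR.
    first = encode_group_once("group with space")          # step 3: group%20with%20space
    after_second_add = reencode_stored_value(first)        # step 6: group%2520with%2520space
    print(first, "->", after_second_add)
    print("matches directory:", mapping_matches(after_second_add, "group with space"))
    print("repaired:", canonicalize(after_second_add))
    print("broken entries:", audit_mapping([first, after_second_add, "nospace"]))
```

The defensive pattern is the same one that applies to any percent-encoded identifier stored in configuration: encode at the boundary where the value is written, decode once where it is compared, and never re-encode a value you read back from storage. When the '%2520' form is already present, canonicalize() gives the single-encoded value the mapping should hold, which Support can then apply through the supported workaround.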
29 August 2021
DATA NODE IJ28324 DATA NODE STAYS AT 'WAITING FOR REBALANCING' STATUS WHEN DIRECTLY ADDED TO A QRADAR DEPLOYMENT IN 'ARCHIVE' MODE OPEN Workaround
From an SSH session to the QRadar Console:
  1. Confirm that /opt/qradar/conf/datanode.history appears as follows:
    {"history":[...<skipped>...],"id":8,"master_id":8,"status":{"status":"requiresRebalancing","databases":{"flows":{"status":"requiresRebalancing"},"events":{"status":"requiresRebalancing"}},"mode":"Active"},"nodes":[8]}
  2. Make a backup of the file.
  3. Using the vi command, change the 3 occurrences of "requiresRebalancing" to "ready" and save the file.
  4. Perform the command:
    systemctl restart ariel_proxy_server


Issue
Upon deploying a data node into the QRadar deployment directly into archive mode, it continuously displays "Waiting for Rebalancing" for its rebalancing status. For example:
  1. Have a QRadar Console and a Data Node.
  2. Add a Data Node.
  3. Without performing a deploy after the Data Node is added, change its mode to "archive".
  4. Perform the Deploy function.
  5. The Data Node's rebalancing status stays as "Waiting for Rebalancing".
25 September 2020
QRADAR RISK MANAGER IJ34686 RESULTS FROM A TOPOLOGY PATH SEARCH CAN DISPLAY INCORRECT PATH RESULTS OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

Issue
A topology path search that should traverse a directly-connected network on a network device which supports virtual routers, and has no routing protocol entry for the network in any of its routing tables, fails to find the correct path. Affected device types are Cisco IOS, Juniper Junos, and F5 BIG-IP.

Messages similar to the following might be visible in the device backup log when this issue occurs:
WARN: No Interfaces are assigned to routing-instance default
25 August 2021
LOG SOURCES IJ33664 EVENTS CAN SOMETIMES FAIL TO BE DISPLAYED FOR A NEWLY AUTO DISCOVERED LOG SOURCE OPEN Workaround
Disable auto detect for the affected log source using the DSM Editor, and create the log source manually.

Issue
In some instances, a new log source can be successfully created by the auto discovery feature but no events are displayed for the log source. This has only been observed on a select few log source types.
13 August 2021
QRADAR VULNERABILITY MANAGER IJ33116 QRADAR VULNERABILITY MANAGER SCAN RESULT EXPORT CAN INCLUDE ALL SCANNED ASSETS OPEN Workaround
Add the vulnerability or service to an asset or vulnerability search and then export the results.

Issue
When assets which have a specific vulnerability or open service are exported from the Scan Results screen in QRadar Vulnerability Manager, the export contains all assets that were scanned.
11 June 2021
OFFENSES IJ26094 QRADAR USER INTERFACE AND API FUNCTIONS CAN BE SLOW TO RESPOND WHEN OFFENSES HAVE A LARGE AMOUNT OF ATTACKER/TARGET DATA OPEN Workaround
Contact Support to help identify if QRadar UI or API function slowness is being caused by this issue.

If so, perform a Hard Clean of the SIM Model.
Note: Performing a Hard Clean purges all current and historical SIM data from the database, including protected offenses, source IP addresses, and destination IP addresses.

Issue
The QRadar User Interface (UI) and/or the QRadar API can become slow to respond when an Offense accrues a very large amount (millions) of attacker/target records in its data set. The slowness is caused by the time the QRadar MPC PersisterThread (used for Offenses) spends continually purging data when these large attacker/target data sets exist in a QRadar environment.
13 July 2020
UPGRADE IJ30812 7.4.2 UPGRADE PRETEST OPTION CANNOT COMPLETE UNTIL EVENT COLLECTOR HIGH AVAILABILITY PAIRS HAVE MIGRATED TO DRBD OPEN Workaround
Migrate the Event Collector pairs in the QRadar deployment from glusterfs to DRBD, then run the upgrade pretest option. See the following link for more information on the required migration: https://www.ibm.com/support/knowledgecenter/SS42VS_7.4/com.ibm.qradar.doc/t_qradar_up_ugrad_glusterfs_migration.html

Issue
The QRadar 7.4.2 upgrade pretest (/media/updates/installer -t) cannot be successfully completed until all Event Collector pairs in High Availability (HA) have completed the required glusterfs to DRBD migration.
16 February 2021
QRADAR NETWORK INSIGHTS IJ26733 TWO QNI TIKA INSTANCES CAN START ON THE SAME PORT DUE TO A RACE CONDITION CAUSING REPEATED MESSAGES WRITTEN TO QRADAR LOGS OPEN Workaround
Find the TikaServer port number in the parentheses of the watcher messages in the qradar.log file (e.g. 6690 in the example messages shown under Issue).
  1. Check for two Tika instances on 6690:
    pgrep -af "tika.py.*6690"
    27350 /usr/bin/python /opt/ibm/forensics/decapper/python/tika.py watch /opt/ibm/forensics/decapper/decap/tika/tika.sh /opt/ibm/forensics/decapper/decap/tika/TikaServer.jar /opt/ibm/forensics/decapper/decap/tika/tika_log4j.xml 6144 6690
    45730 /usr/bin/python /opt/ibm/forensics/decapper/python/tika.py watch /opt/ibm/forensics/decapper/decap/tika/tika.sh /opt/ibm/forensics/decapper/decap/tika/TikaServer.jar /opt/ibm/forensics/decapper/decap/tika/tika_log4j.xml 6144 6690
  2. Kill any Tika instances on 6690 and let the watcher script restart Tika:
    pkill -f "tika.py.*6690"
  3. Double check that there is only a single instance of Tika on that port after the restart:
    pgrep -af "tika.py.*6690"
    27350 /usr/bin/python /opt/ibm/forensics/decapper/python/tika.py watch /opt/ibm/forensics/decapper/decap/tika/tika.sh /opt/ibm/forensics/decapper/decap/tika/TikaServer.jar /opt/ibm/forensics/decapper/decap/tika/tika_log4j.xml 6144 6690

Issue
A race condition can occur where the TikaServer and Tika watcher script result in two Tika instances being started and the second TikaServer fails because the port is already in use. The Tika watcher script identifies that the 2nd instance dies and attempts to restart it in an infinite loop. Due to an instance already running on the port, the decapper continues to process without issue. Repeated log messages are written every second which can flood the /var/log/qradar.log file and appear similar to the following:
TikaServer (6690) Watcher - INFO - TikaServer (6690) is not running
TikaServer (6690) - INFO - Starting
TikaServer (6690) - INFO - Started
10 August 2020
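The two checks in the IJ26733 workaround (duplicate Tika processes on one port, and the watcher's one-per-second "is not running" message flooding qradar.log) can be automated. The following is an added example written for this page, not IBM's or QRadar's own code: it parses `pgrep -af` output to count TikaServer instances per port and scans syslog-style qradar.log lines for a watcher restart loop. The process lines and log lines embedded below are constructed samples modelled on the messages quoted in the APAR; the threshold of five "is not running" messages within 60 seconds is an assumption chosen for this example.

```python
"""Audit helpers for APAR IJ26733 (added example, not QRadar code)."""
import re
import subprocess
from collections import defaultdict
from datetime import datetime, timedelta

# pgrep -af line: "<pid> /usr/bin/python .../tika.py watch ... <heap> <port>";
# the TikaServer port is the last numeric field.
PROC_RE = re.compile(r"^\s*(\d+)\s+\S+\s+.*tika\.py\s+watch\b.*\s(\d+)\s*$")
# Watcher message quoted in the APAR; the same port appears twice.
WATCHER_RE = re.compile(
    r"TikaServer \((\d+)\) Watcher - INFO - TikaServer \(\1\) is not running")
# Syslog-style prefix used by /var/log/qradar.log lines ("Feb 26 12:03:55 ...").
SYSLOG_TS_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})")

# Constructed sample: two instances on 6690 (the race), one healthy on 6691.
SAMPLE_PGREP = """\
27350 /usr/bin/python /opt/ibm/forensics/decapper/python/tika.py watch /opt/ibm/forensics/decapper/decap/tika/tika.sh /opt/ibm/forensics/decapper/decap/tika/TikaServer.jar /opt/ibm/forensics/decapper/decap/tika/tika_log4j.xml 6144 6690
45730 /usr/bin/python /opt/ibm/forensics/decapper/python/tika.py watch /opt/ibm/forensics/decapper/decap/tika/tika.sh /opt/ibm/forensics/decapper/decap/tika/TikaServer.jar /opt/ibm/forensics/decapper/decap/tika/tika_log4j.xml 6144 6690
45801 /usr/bin/python /opt/ibm/forensics/decapper/python/tika.py watch /opt/ibm/forensics/decapper/decap/tika/tika.sh /opt/ibm/forensics/decapper/decap/tika/TikaServer.jar /opt/ibm/forensics/decapper/decap/tika/tika_log4j.xml 6144 6691
"""

# Constructed sample log: six watcher messages in six seconds for 6690
# (a restart loop) and a single one for 6691 (a normal restart).
SAMPLE_LOG = [
    f"Aug 10 09:15:{s:02d} ::ffff:10.0.0.5 TikaServer (6690) Watcher - INFO - TikaServer (6690) is not running"
    for s in range(6)
] + [
    "Aug 10 09:15:03 ::ffff:10.0.0.5 TikaServer (6690) - INFO - Starting",
    "Aug 10 09:15:03 ::ffff:10.0.0.5 TikaServer (6690) - INFO - Started",
    "Aug 10 09:20:00 ::ffff:10.0.0.5 TikaServer (6691) Watcher - INFO - TikaServer (6691) is not running",
]


def tika_instances_by_port(pgrep_output):
    """Map TikaServer port -> list of PIDs found in `pgrep -af` output."""
    by_port = defaultdict(list)
    for line in pgrep_output.splitlines():
        m = PROC_RE.match(line)
        if m:
            by_port[int(m.group(2))].append(int(m.group(1)))
    return dict(by_port)


def duplicated_ports(pgrep_output):
    """Ports with more than one TikaServer process: the IJ26733 condition."""
    return {port: pids for port, pids in tika_instances_by_port(pgrep_output).items()
            if len(pids) > 1}


def watcher_loop_ports(log_lines, min_hits=5, window=timedelta(seconds=60)):
    """Ports whose watcher logged 'is not running' at least min_hits times
    inside any `window` (assumed threshold for a restart loop)."""
    hits = defaultdict(list)
    for line in log_lines:
        m = WATCHER_RE.search(line)
        ts = SYSLOG_TS_RE.match(line)
        if m and ts:
            when = datetime.strptime(" ".join(ts.group(1).split()), "%b %d %H:%M:%S")
            hits[int(m.group(1))].append(when)
    looping = set()
    for port, stamps in hits.items():
        stamps.sort()
        for i in range(len(stamps) - min_hits + 1):
            if stamps[i + min_hits - 1] - stamps[i] <= window:
                looping.add(port)
                break
    return looping


if __name__ == "__main__":
    # On an appliance, use the live process list and the tail of qradar.log;
    # fall back to the constructed samples elsewhere.
    try:
        out = subprocess.run(["pgrep", "-af", "tika.py"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        out = SAMPLE_PGREP
    print("duplicate TikaServer ports:", duplicated_ports(out) or "none")
    try:
        with open("/var/log/qradar.log", errors="replace") as fh:
            lines = fh.readlines()[-20000:]
    except OSError:
        lines = SAMPLE_LOG
    print("ports in a watcher restart loop:", watcher_loop_ports(lines) or "none")
```

The duplicate-process check is the authoritative one: the log-rate check only tells you a watcher is looping, and a port can loop briefly after a legitimate restart, so confirm with the process list before applying the `pkill` workaround.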
ASSETS IJ29372 NEW ASSETS BEING CREATED CAN HANG AT 'PENDING' IF AN ASSET IMPORT WITH INVALID IP ADDRESS HAS PREVIOUSLY OCCURRED OPEN Workaround
Clean out the spillover queue files using an SSH session to the QRadar Console:
  1. Stop the asset profiler:
    systemctl stop assetprofiler
  2. Remove the spillover files (backup the files from this location prior to deleting them):
    rm /store/transient/spillover/queue/assetprofiler.assetprofiler/*
  3. Restart the assetprofiler:
    systemctl restart assetprofiler

Issue
After importing a large number of assets with invalid IP addresses and then attempting to create assets, these asset creations can stall at "pending". When this occurs, the spillover queue files sometimes need to be cleaned out to correct this behavior.
18 November 2020
SEARCH IJ30810 DEPLOY CHANGES FUNCTION CAUSES IN PROGRESS SEARCHES TO ERROR WHEN AN ENCRYPTED MANAGED HOST IS IN THE QRADAR DEPLOYMENT OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

Issue
When performing a Deploy Changes function (not a Deploy Full Configuration), any search that is in progress is interrupted and goes into error as the ariel proxy service restarts when the deployment has an encrypted Managed Host. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
::ffff:x.x.x.x [tomcat.tomcat] [rhc_x.x.x.x] com.q1labs.configservices.config.globalset.platform.GlobalArielServerListTransformer: [INFO] [NOT:0000006000][x.x.x.x/- -] [-/- -]Ariel list transformer has changed the deployment file.
16 February 2021
NETWORK PACKET CAPTURE IJ32975 "SYNTAX ERROR: INVALID SYNTAX" WHEN PERFORMING A NETWORK PACKET CAPTURE INSTALLATION ON CUSTOM HARDWARE OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

Issue
QRadar Network Packet Capture installations can only be performed on computer systems with hardware that matches IBM supplied appliances. Messages similar to the following might be visible when performing the installation on hardware that does not match:
./setup
File "./setup", line 86
    global NTADAPTER = napatech_adapters [0]
SyntaxError: invalid syntax
17 June 2021
SEARCH IV87948 SEARCH FILTERING FOR A CUSTOM EVENT PROPERTY THAT INCLUDES NON-ENGLISH CHARACTERS DOES NOT WORK AS EXPECTED OPEN Workaround
No workaround available. This issue was reopened because a user reported that they experienced the error described in this APAR.

Issue
Adding search filters for a Custom Event Property (CEP) that includes non-English characters does not work. In these instances, events with valid, matching values that should be returned by the search are not returned.
7 August 2020
CUSTOM PROPERTIES IJ34647 UPGRADING TO QRADAR 7.4.3 RESULTS IN A LIST OF DEPRECATED CUSTOM EVENT PROPERTIES BEING DISPLAYED OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

Issue
Environments upgraded to 7.4.3 might see a list of deprecated custom event properties (CEPs) displayed in event details. In some cases this list can be long and confusing because the CEPs cannot be found in the CEP UI: the administrator may not be able to identify them, or they look like duplicates.
27 August 2021
DSM EDITOR IJ30347 'THERE WAS A PROBLEM SAVING THE LOG SOURCE TYPE CONFIGURATION' AFTER CLICKING SAVE ON THE DSM EDITOR PAGE OPEN Workaround
Set Global autodetection to True:
  1. Admin > System & License Management > Edit Managed Host > Component Management > Event Collector > Autodetection Enabled: True, Autodetection – Use Global settings: True
  2. Perform a Deploy Changes function. For more information on global autodetection, see https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/t_qradar_adm_dsm_ed_auto_log_source_config.html.

Issue
A message similar to "There was a problem saving the Log Source Type configuration" can be displayed when clicking Save on the DSM Editor page when global autodetection has been disabled in QRadar settings:
Admin > System and License Management > Edit Managed Host > Component Management > Event Collector > Autodetection Enabled: False, Autodetection – Use Global settings: False
23 January 2021
DEPLOY CHANGES IJ30019 DELEGATED ADMIN CAN PERFORM 'DEPLOY CHANGES' FUNCTION OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

Issue
Delegated admin users can perform a Deploy Changes function when they should not be able to perform this task.
5 January 2021
IBM SECURITY IDENTITY MANAGER JDBC PROTOCOL IJ30959 THE QRADAR IBM SECURITY IDENTITY MANAGER JDBC PROTOCOL CAN GENERATE OUT OF MEMORY ERRORS OPEN Workaround
A protocol update to the IBM Security Identity Manager JDBC protocol is required to resolve this issue. Administrators can monitor for stopped collection from IBM Security Identity Manager log sources in the Log Activity tab or review the logs for "OutOfMemoryError: Direct buffer memory" errors.

If you experience issues with collection from your IBM Security Identity Manager JDBC protocol log sources, you can restart the ecs-ec-ingress service to restart event collection when you have a large event spike on your log source.

To restart ecs-ec-ingress:
  1. Use SSH to log in to the QRadar Console.
  2. Open an SSH session to the appliance that has stopped sending IBM Security Identity Manager JDBC events.
  3. Type the following command:
    systemctl restart ecs-ec-ingress
  4. Confirm events are received from your IBM Security Identity Manager JDBC log source. To force the JDBC protocol to collect events you can disable, then enable the IBM Security Identity Manager log source from the Log Source Management application.

    Note: In most cases, administrators only need to restart ecs-ec-ingress on the one appliance that polls their IBM Security Identity Manager JDBC database. If you have a number of IBM Security Identity Manager log sources, administrators can restart ecs-ec-ingress globally on all appliances from the Admin tab in QRadar: the navigation bar includes an Advanced menu, and selecting "Restart Event Collection Service" halts event collection globally while the ecs-ec-ingress service restarts.

Issue
An issue has been identified where the IBM Security Identity Manager JDBC protocol can run out of memory when it attempts to process events from the spillover cache. When an event burst (incoming EPS spike) for the IBM Security Identity Manager JDBC protocol is large enough, the IBMSIMJDBCEventConnector can exhaust its available direct memory. When the memory error occurs, the ecs-ec-ingress service cannot move events from the direct memory buffer for IBMSIMJDBCEventConnector to the event pipeline. Events expected to be viewable from the Log Activity tab might not return search results because they did not enter the event pipeline from the ecs-ec-ingress service as expected.

Note: This issue only affects IBM Security Identity Manager JDBC protocol integrations; other QRadar integrations that use JDBC are not affected by this memory issue.

When this issue occurs, the following message is displayed in /var/log/qradar.log:
[ecs-ec-ingress.ecs-ec-ingress] [com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector1954] java.lang.OutOfMemoryError: Direct buffer memory::Please use appropriate 'size' via -XX:MaxDirectMemorySize=<size>
[ecs-ec-ingress.ecs-ec-ingress] [com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector1954] at java.nio.Bits.reserveMemory(Bits.java:747)
[ecs-ec-ingress.ecs-ec-ingress] [com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector1954] at java.nio.DirectByteBuffer.<init>(DirectByteBuffer.java:123)
[ecs-ec-ingress.ecs-ec-ingress] [com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector1954] at java.nio.ByteBuffer.allocateDirect(ByteBuffer.java:311)
[ecs-ec-ingress.ecs-ec-ingress] [com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector1954] at com.q1labs.frameworks.cache.ResizableBufferPool.<init>(ResizableBufferPool.java:50)
[ecs-ec-ingress.ecs-ec-ingress] [com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector1954] at com.q1labs.frameworks.cache.ResizableBufferPool.<init>(ResizableBufferPool.java:26)
27 February 2021
LOG SOURCE MANAGEMENT APP IJ28131 LSM APP TEST FOR ORACLE LOG SOURCE IGNORES THE TIMEOUT AND KEEPS RUNNING OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

Issue
It has been identified that in some cases the Oracle log source protocol test ignores the test protocol timeout value and keeps running until the Log Source test query completes.
22 September 2020
QRADAR INCIDENT FORENSICS IJ30018 CASE CANNOT BE UPLOADED IN QRADAR INCIDENT FORENSICS WHEN THE FTPMONITOR CANNOT CONNECT TO THE DATABASE OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

Issue
Cases cannot be uploaded into QRadar Incident Forensics when the ftp user has not been properly updated, because the Forensics ftpmonitor then fails its database connection. Messages similar to the following might be visible in QRadar logging when this issue occurs:
127.0.0.1 [Timer-0] com.ibm.qradar.forensics.watcher.watchers.UserChecker: [ERROR] Failed to get users
127.0.0.1 com.ibm.qradar.forensics.watcher.utils.Database$DatabaseException: Failed to retrieve console host.
127.0.0.1 at com.ibm.qradar.forensics.watcher.utils.Database.getFTPUsernameList(Database.java:198)
127.0.0.1 at com.ibm.qradar.forensics.watcher.watchers.UserChecker.getFTPUsernameList(UserChecker.java:92)
127.0.0.1 at com.ibm.qradar.forensics.watcher.watchers.UserChecker.processFTPUsers(UserChecker.java:107)
127.0.0.1 at com.ibm.qradar.forensics.watcher.watchers.UserChecker.run(UserChecker.java:58)
127.0.0.1 at java.util.TimerThread.mainLoop(Timer.java:566)
127.0.0.1 at java.util.TimerThread.run(Timer.java:516)
127.0.0.1 Caused by: org.postgresql.util.PSQLException: FATAL: password authentication failed for user "username"
127.0.0.1 at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:514)
127.0.0.1 at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:141)
127.0.0.1 at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
127.0.0.1 at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
127.0.0.1 at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
127.0.0.1 at org.postgresql.Driver.makeConnection(Driver.java:454)
127.0.0.1 at org.postgresql.Driver.connect(Driver.java:256)
127.0.0.1 at java.sql.DriverManager.getConnection(DriverManager.java:675)
127.0.0.1 at java.sql.DriverManager.getConnection(DriverManager.java:281)
127.0.0.1 at com.ibm.qradar.forensics.watcher.utils.Database.connect(Database.java:59)
127.0.0.1 at com.ibm.qradar.forensics.watcher.utils.Database.getFTPUsernameList(Database.java:183)
127.0.0.1 ... 5 more
5 January 2021
ASSETS IV97179 ATTEMPTING TO PERFORM A CLEAN VULNERABILITIES CAN FAIL DUE TO A TIMEOUT IN THE BACKEND OPEN Workaround
Contact Support for a possible workaround that might address this issue in some instances.

Issue
Assets tab -> Actions drop down -> Clean Vulnerabilities

Attempting a "Clean Vulnerabilities" from the User Interface, Assets tab, can fail due to a backend timeout occurring.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[assetprofiler.assetprofiler] [AssetProfilePersister-BottomTier] com.q1labs.assetprofile.persistence.AssetProfilePersistenceWorkerThread: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Root cause: An I/O error occured while sending to the backend.
[assetprofiler.assetprofiler] [AssetProfilePersister-BottomTier] com.q1labs.assetprofile.persistence.AssetProfilePersistenceWorkerThread: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Asset Profile Persister is rolling back its current transaction due to the above exceptions.
23 June 2017
REFERENCE DATA IJ31110 ADDING "EVENT PROCESSOR" AS A RESPONSE TO A REFERENCE DATA RESPONSE DOES NOT WORK AS EXPECTED OPEN Workaround
Create an AQL property of HOSTNAME(processorid) and use that to obtain the required data: https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.3/com.ibm.qradar.doc/b_qradar_aql.pdf

Issue
When Event Processor is added to the response for a Reference Data response, a ClassNotFoundException occurs and the rule response does not work.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ep.ecs-ep] [CRE Processor [3]] com.q1labs.semsources.cre.responses.ReferenceDataResponse: [ERROR] [NOT:0000003000][QRADARIP/- -] [-/- -]Failed to get values from event: property="eventProcessorId", key1Val="127.0.0.1", key2Val=null, doSend=true, unRollFlow=false
[ecs-ep.ecs-ep] [CRE Processor [3]] java.lang.RuntimeException: java.lang.ClassNotFoundException: com.q1labs.ariel.ui.formatters.EventProcessorIdFormatter
[ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.core.shared.ariel.ArielUtils.getFormatter(ArielUtils.java:933)
[ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.responses.AbstractReferenceDataResponse.getValuesFromEvent(AbstractReferenceDataResponse.java:253)
[ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.responses.AbstractReferenceDataResponse.extractValuesFromEventAndSend(AbstractReferenceDataResponse.java:223)
[ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.responses.AbstractReferenceDataResponse.performResponse(AbstractReferenceDataResponse.java:360)
[ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CustomRule.performResponses(CustomRule.java:1049)
[ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:578)
[ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:496)
[ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.testRule(CustomRuleSetExecutor.java:342)
[ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.test(CustomRuleSetExecutor.java:210)
[ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEventInPropertyMode(LocalRuleExecutor.java:229)
[ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEvent(LocalRuleExecutor.java:158)
[ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CREEventProcessor.processEvent(CustomRuleEngine.java:544)
[ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CREEventProcessor.run(CustomRuleEngine.java:484)
[ecs-ep.ecs-ep] [CRE Processor [3]] Caused by: java.lang.ClassNotFoundException: com.q1labs.ariel.ui.formatters.EventProcessorIdFormatter
[ecs-ep.ecs-ep] [CRE Processor [3]] at java.lang.Class.forNameImpl(Native Method)
[ecs-ep.ecs-ep] [CRE Processor [3]] at java.lang.Class.forName(Class.java:337)
[ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.core.shared.ariel.ArielUtils.getFormatter(ArielUtils.java:927)
[ecs-ep.ecs-ep] [CRE Processor [3]] ... 12 more
Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.responses.AbstractReferenceDataResponse.performResponse(AbstractReferenceDataResponse.java:360)
Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CustomRule.performResponses(CustomRule.java:1049)
Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:578)
Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:496)
Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.testRule(CustomRuleSetExecutor.java:342)
Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.test(CustomRuleSetExecutor.java:210)
Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEventInPropertyMode(LocalRuleExecutor.java:229)
Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEvent(LocalRuleExecutor.java:158)
Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CREEventProcessor.processEvent(CustomRuleEngine.java:544)
Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CREEventProcessor.run(CustomRuleEngine.java:484)
Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] Caused by: java.lang.ClassNotFoundException: com.q1labs.ariel.ui.formatters.EventProcessorIdFormatter
Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at java.lang.Class.forNameImpl(Native Method)
Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at java.lang.Class.forName(Class.java:337)
Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.core.shared.ariel.ArielUtils.getFormatter(ArielUtils.java:927)
Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] 
5 March 2021
LOG SOURCE IJ34691 AUTO DISCOVERY LOG SOURCE NAMES ARE CASE SENSITIVE BUT THE LSM AND API LOG SOURCE NAME ARE NOT OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

Issue
Administrators might notice that Auto discovery can add two Log Sources with the same name where one is upper case and the other is lower case, for example server1 and SERVER1. When trying to do the same manually through Log Source Management, a Log Source named server1 can be added, but adding a second Log Source named SERVER1 fails with the message "The log source name must be unique".

When adding the Log Sources by using the API, creating the second Log Source as "SERVER1" fails with the error message "The 'name' parameter must be unique."
29 August 2021
LICENSE IV93531 'LICENSE POOL ALLOCATION' WINDOW CAN TAKE A LONGER THAN EXPECTED TIME TO LOAD IN LARGE QRADAR DEPLOYMENTS OPEN Workaround
No workaround available.

Issue
It has been observed in large QRadar deployments that opening the 'License Pool Allocation' window can take a longer than expected time (multiple minutes). QRadar User Interface -> Admin tab -> System and License Management - > Licenses -> License Pool Allocation window.
9 January 2019
WINCOLLECT IJ33115 WINCOLLECT AGENTS CAN FAIL TO UPDATE OR GET CONFIGURATION UPDATES WHEN USING CUSTOM HTTPD CERTIFICATE OPEN Workaround
In a distributed QRadar deployment, and where possible, encrypt the Managed Host used for the WinCollect agent. For more information, see https://www.ibm.com/docs/en/qsip/7.4?topic=hosts-configuring-managed-host.

Issue
WinCollect agents can fail to receive configuration updates, or cannot be updated, when a custom httpd certificate is in use and the connection from the Managed Host to the Console is not encrypted (when the agent is managed through a Managed Host).

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] com.q1labs.frameworks.crypto.trustmanager.Q1X509TrustManager: [ERROR] [NOT:0000003000][(ConsoleIP)/- -] [-/- -]No subject alternative names matching IP address (ConsoleVIP) found
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] java.security.cert.CertificateException: No subject alternative names matching IP address (ConsoleVIP) found
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.jsse2.util.b.b(b.java:29)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.jsse2.util.b.a(b.java:12)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.jsse2.aD.a(aD.java:209)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.jsse2.aD.a(aD.java:63)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.jsse2.aD.a(aD.java:134)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.jsse2.aD.checkServerTrusted(aD.java:144)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.q1labs.frameworks.crypto.trustmanager.Q1X509TrustManager.checkServerTrusted(Q1X509TrustManager.java:317)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.jsse2.E.a(E.java:145)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.jsse2.E.a(E.java:479)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.jsse2.D.s(D.java:286)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.jsse2.D.a(D.java:251)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.jsse2.av.a(av.java:788)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.jsse2.av.i(av.java:45)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.jsse2.av.a(av.java:637)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.jsse2.av.startHandshake(av.java:1020)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:1)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:72)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1582)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1510)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:491)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.net.ssl.www2.protocol.https.b.getResponseCode(b.java:81)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.q1labs.sem.semsources.wincollectconfigserver.util.WinCollectConsole.Call(WinCollectConsole.java:281)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.q1labs.sem.semsources.wincollectconfigserver.requestprocessors.ConnectionEstablishmentVersion2Processor.onReceiveConnectionEstablishmentRequest(ConnectionEstablishmentVersion2Processor.java:204)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.q1labs.sem.semsources.wincollectconfigserver.WinCollectConfigHandler.run(WinCollectConfigHandler.java:122)
16 June 2021
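The IJ33115 error "No subject alternative names matching IP address (ConsoleVIP) found" is the trust manager rejecting a certificate because the Managed Host reached the Console by an IP literal and the custom httpd certificate carries no iPAddress SAN for it; a DNS SAN, wildcard or not, never satisfies an IP-literal connection. The following is an added example written for this page, not IBM's or QRadar's code: it parses the Subject Alternative Name block from `openssl x509 -noout -text` output and applies the same matching rules, so an administrator can check a custom certificate against the Console IP or VIP before installing it. The certificate text, hostnames and addresses embedded below are constructed samples; the certificate path on the command line is a placeholder supplied by the user.

```python
"""SAN coverage check for a custom httpd certificate (added example, not QRadar code)."""
import ipaddress
import subprocess
import sys

SAN_HEADER = "Subject Alternative Name"

# Constructed sample of the relevant lines from `openssl x509 -noout -text`.
SAMPLE_OPENSSL_TEXT = """\
        X509v3 Subject Alternative Name:
            DNS:qradar-console.example.com, DNS:*.example.com, IP Address:10.0.0.5
"""


def parse_openssl_san(text):
    """Return [(kind, value), ...] from the SAN line that follows the SAN header,
    e.g. [("DNS", "host.example.com"), ("IP Address", "10.0.0.5")]."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if SAN_HEADER in line and i + 1 < len(lines):
            entries = []
            for item in lines[i + 1].split(","):
                kind, _, value = item.strip().partition(":")
                if value:
                    entries.append((kind.strip(), value.strip()))
            return entries
    return []


def san_covers(san_entries, target):
    """Decide whether `target` (IP literal or hostname) is covered by the SANs.
    Returns (True, matching_entry) or (False, reason)."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal only matches an iPAddress SAN (RFC 6125 rules, which is
        # what the Java trust manager in the APAR's stack trace enforces);
        # DNS entries are ignored even if their text equals the address.
        for kind, value in san_entries:
            if kind.upper() in ("IP ADDRESS", "IP"):
                try:
                    if ipaddress.ip_address(value) == ip:
                        return True, (kind, value)
                except ValueError:
                    continue
        return False, f"No subject alternative names matching IP address {target} found"
    host = target.lower().rstrip(".")
    for kind, value in san_entries:
        if kind.upper() != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True, (kind, value)
        # A wildcard covers exactly one label: *.example.com matches
        # a.example.com but not a.b.example.com.
        if (pattern.startswith("*.") and host.count(".") == pattern.count(".")
                and host.endswith(pattern[1:])):
            return True, (kind, value)
    return False, f"No subject alternative DNS name matching {target} found"


if __name__ == "__main__":
    # usage: san_check.py <cert.pem> <address the Managed Host uses for the Console>
    if len(sys.argv) == 3:
        text = subprocess.run(["openssl", "x509", "-in", sys.argv[1], "-noout", "-text"],
                              capture_output=True, text=True, check=True).stdout
        target = sys.argv[2]
    else:
        text, target = SAMPLE_OPENSSL_TEXT, "10.0.0.6"
    ok, detail = san_covers(parse_openssl_san(text), target)
    print("OK:" if ok else "MISMATCH:", detail)
```

Run it with the address exactly as the Managed Host is configured to reach the Console (the VIP, if one is in use); a certificate that passes for the Console's DNS name can still fail for the VIP, which is the situation the APAR's log excerpt shows.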
API IJ33667 DOMAIN MANAGEMENT API FUNCTIONS DO NOT ALLOW FOR DISCONNECTED LOG COLLECTOR ASSOCIATION TO A DOMAIN OPEN Workaround
Add the required domain association for the Disconnected Log Collector from Admin > System Configuration > Domain Management.

Issue
The domain management API functions do not allow for associating a Disconnected Log Collector to a domain.
18 July 2021
ASSETS IJ29159 SOME INSTALLED WINDOWS PATCHES (KB) ARE NOT DISPLAYED FOR ASSETS IN QRADAR OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

Issue
In some instances, patches that have been applied to Windows systems are not updated with the latest KBs installed on scanned systems in Assets -> Asset -> Display -> Windows Patches.

This has been identified as occurring when an installed KB for an affected Windows computer system asset does not get added to a QRadar database table (extrefvalue).
17 November 2021
UPGRADE IJ32784 QRADAR DOES NOT AUTOMATICALLY CLEAN UP FAILED REPLICATION FILES IN /STORE/REPLICATION/FAILED OPEN Workaround
Delete the files in /store/replication/failed on the affected QRadar appliance and attempt the patch again. From an SSH session, run the following command:
rm -f /store/replication/failed/failed*

Issue
The QRadar patching process can fail when /store has insufficient space due to files located in /store/replication/failed that are not cleaned up automatically by QRadar.
6 January 2021
JDBC PROTOCOL IJ29367 SOPHOS LOG SOURCES USING JDBC CAN CAUSE AN ECS-EC-INGRESS SERVICE OUT OF MEMORY CAUSING AN EVENT COLLECTION OUTAGE OPEN Workaround
Contact Support for a possible workaround that might address this issue in some instances.

Issue
Sophos Log Sources using the JDBC protocol can sometimes cause the ecs-ec-ingress service to go out of memory. The ecs-ec-ingress service is the QRadar event collection service (QRadar 7.3.1 and newer), therefore an out of memory in this service causes an interruption to event collection until the service recovers successfully.

This out of memory issue can occur when there are a large number of rows to retrieve and the "EventTypeName" column has any of these values: "Device control", "Viruses/spyware", "Adware or PUA" or "Firewall".
18 November 2020
FLOWS IV98672 MULTIPLE FLOW TYPES SENT FROM THE SAME IP CAN BE INCORRECTLY IDENTIFIED/LABELLED BY QRADAR OPEN Workaround
No workaround available.

Issue
It has been observed that when two different flow types are sent from the same IP on two different ports, QRadar creates an alias for the first flow type from that IP and the second flow type is reported as being the same as the first one.

Example:
Packeteer sent to Console and Jflow sent to QFlow managed host appliance from the same IP but on different ports.

Flow Alias is created for Packeteer and the Jflows also get reported under that one.
13 September 2017
UDP MULTILINE SYSLOG PROTOCOL IJ26093 LOG SOURCES USING UDP MULTILINE SYSLOG CAN STOP RECEIVING EVENTS AFTER AN ECS-EC-INGRESS SERVICE RESTART OCCURS OPEN Workaround
An additional restart of the ecs-ec-ingress service can correct this issue. See this URL for details: https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/t_qradar_adm_restart_ec_ingress.html.
Note: Event collection is briefly interrupted while the service restarts.

Issue
In some instances, when a restart of the ecs-ec-ingress service (needed for event collection) occurs (e.g. after an autoupdate is applied), the UDP multiline syslog provider does not shut down fast enough. When the provider attempts to start up, the old instance of the provider still holds port 517, so the new instance cannot open the port. When this situation occurs, the provider cannot start and therefore cannot receive events as expected.
13 July 2020
MSRPC PROTOCOL IJ34656 LOG SOURCES USING WINDOWS EVENT RPC PROTOCOL CAN INTERMITTENTLY STOP WORKING AS EXPECTED OPEN Workaround
Disabling the affected Log Source and then enabling it again can temporarily correct this issue.

Issue
Log Sources that use the Windows Event RPC Protocol can intermittently stop collecting events when an exception occurs on the receipt of Windows Server 2019 events.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] java.lang.ArrayIndexOutOfBoundsException
[ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at jcifs.util.Encdec.dec_uint32le(Encdec.java:90)
[ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at ndr.NdrBuffer.dec_ndr_long(NdrBuffer.java:135)
[ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at ndr.NetworkDataRepresentation.readUnsignedLong(NetworkDataRepresentation.java:64)
[ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at com.q1labs.semsources.sources.windowseventrpc.ndr.util.NetworkDataRepresentationAdapter.readUnsignedLong(NetworkDataRepresentationAdapter.java:34)
[ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at com.q1labs.semsources.sources.windowseventrpc.ndr.method.eventlog.mseven6.EvtRpcGetNextEventMetadata.readResult(EvtRpcGetNextEventMetadata.java:80)
[ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at com.q1labs.semsources.sources.windowseventrpc.ndr.BaseNdrObject.read(BaseNdrObject.java:28)
[ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at ndr.NdrObject.decode(NdrObject.java:36)
[ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at rpc.ConnectionOrientedEndpoint.call(ConnectionOrientedEndpoint.java:137)
[ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at rpc.Stub.call(Stub.java:113)
[ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at com.q1labs.semsources.sources.windowseventrpc.eventsource.mseven6.PublisherMetadataCache.getEventMetadata(PublisherMetadataCache.java:125)
[ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at com.q1labs.semsources.sources.windowseventrpc.eventsource.mseven6.PublisherMetadataCache.cachePublisherInfo(PublisherMetadataCache.java:97)
[ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at com.q1labs.semsources.sources.windowseventrpc.eventsource.mseven6.PublisherMetadataCache.getPublisherMetadata(PublisherMetadataCache.java:62)
[ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at com.q1labs.semsources.sources.windowseventrpc.eventsource.mseven6.EventMessageAPIRenderer.renderMessage(EventMessageAPIRenderer.java:46)
[ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at com.q1labs.semsources.sources.windowseventrpc.eventsource.mseven6.EventMessageRenderer.renderMessage(EventMessageRenderer.java:40)
[ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at com.q1labs.semsources.sources.windowseventrpc.eventsource.mseven6.EventLogIterator.processBuffer(EventLogIterator.java:78)
[ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at com.q1labs.semsources.sources.windowseventrpc.eventsource.mseven6.EventLogIterator.getAll(EventLogIterator.java:42)
[ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at com.q1labs.semsources.sources.windowseventrpc.eventsource.mseven6.WindowsEventLogImpl.read(WindowsEventLogImpl.java:323)
[ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at com.q1labs.semsources.sources.windowseventrpc.eventsource.RPCEventSource.getEvents(RPCEventSource.java:219)
[ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at com.q1labs.semsources.sources.windowseventrpc.eventsource.RPCEventSourceMonitor.getEvents(RPCEventSourceMonitor.java:124)
[ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at com.q1labs.semsources.sources.windowseventrpc.WindowsEventRPCProvider.execute(WindowsEventRPCProvider.java:194)
[ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at com.q1labs.semsources.sources.base.SourceProvider.run(SourceProvider.java:195)
29 August 2021
UPGRADE IJ33887 PATCHING FROM QRADAR 7.3 TO 7.4 WITH CISCO FIREPOWER THREAT DEFENSE DSM CAN BREAK EVENT PARSING OPEN Workaround
Install the 7.4 CiscoFirepowerThreatDefense DSM or run an autoupdate.

Issue
Administrators who patch from 7.3 to 7.4 and have a configured Cisco Firepower Threat Defense DSM that was receiving events can find that events received after the patch break event parsing, causing all events to be sent to Stored.

Look for similar messages in /var/log/qradar.log:
Jun 14 16:09:41 ::ffff:IP [ecs-ec.ecs-ec] [Event Parser[3]] com.q1labs.frameworks.session.SessionContext: [INFO] [NOT:0000006000][IP/- -] [-/- -]Starting NON_BLOCKING dispatcher: 40c0afcb-4250-44c3-8613-94ca6d522889
Jun 14 16:09:42 ::ffff:X.X.X.X [ecs-ec.ecs-ec] [Event Parser[3]] com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [NOT:0000003000][IP/- -] [-/- -]Exception was uncaught in thread: Event Parser[3]
Jun 14 16:09:42 ::ffff:X.X.X.X [ecs-ec.ecs-ec] [Event Parser[3]] java.lang.NoSuchFieldError: com/q1labs/sem/dsm/cisco/firewall/CiscoFirepowerThreatDefense.properties
04 August 2021
LOG SOURCE MANAGEMENT APP IJ26534 'AN UNEXPECTED API ERROR HAS OCCURED. PLEASE REFER TO THE QRADAR ERROR LOGS' WHEN USING LOG SOURCE MANAGEMENT APP OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

Issue
In instances where an unexpected non-numeric value is present in a database entry, the Log Source Management app can fail to load with an error similar to: 'An unexpected API error has occured. Please refer to the QRadar error logs for additional information'. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics] com.q1labs.restapi.servlet.apidelegate.APIDelegate: [INFO] [NOT:0000006000][x.x.x.x/- -] [-/- -]Following message suppressed 1 times in 300000 milliseconds
[tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics] com.q1labs.restapi.servlet.apidelegate.APIDelegate: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]Request Exception
[tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics] com.q1labs.restapi_annotations.content.exceptions.APIMappedException: Unable to retrieve log source statistics.
[tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics]    at com.q1labs.restapi.exceptionmapper.ExceptionMapper.mapException(ExceptionMapper.java:141)
[tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics]    at com.q1labs.restapi_annotations.content.exceptions.APIMappedException.<init>(APIMappedException.java:131)
[tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics]    at com.q1labs.restapi.servlet.utilities.APIRequestHandler.processEndpointException(APIRequestHandler.java:1417)
[tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics]    at com.q1labs.restapi.servlet.utilities.APIRequestHandler.redirectRequest(APIRequestHandler.java:415)
[tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics]    at com.q1labs.restapi.servlet.utilities.APIRequestHandler.handleRequest(APIRequestHandler.java:244)
[tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics]    at com.q1labs.restapi.servlet.apidelegate.APIDelegate.handleRequest(APIDelegate.java:341)
[tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics]    at com.q1labs.restapi.servlet.apidelegate.APIDelegate.service(APIDelegate.java:259)
[tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics]    at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
[tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics]    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
[tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics]    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics]    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
[tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics]    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics]    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics]    at com.q1labs.uiframeworks.servlet.AddUserHeaderFilter.doFilter(AddUserHeaderFilter.java:86)
[tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics]    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics]    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics]    at com.q1labs.uiframeworks.servlet.ThreadNameFilter.doFilter(ThreadNameFilter.java:53)
...
[tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics] Caused by:
[tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics] org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR: invalid input syntax for integer: "SYSTEM-DLP-2" {prepstmnt -1244260909 SELECT fgroup.id as value, count(*) as count FROM fgroup INNER JOIN fgroup_link ON (fgroup.id = fgroup_link.fgroup_id) INNER JOIN logsourcereader_temp temp ON (temp.id = CAST(fgroup_link.item_id AS INTEGER)) AND fgroup.type_id = 1 GROUP BY fgroup.id}
[tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics]    at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(LoggingConnectionDecorator.java:218)
25 August 2020
REPORTS IJ27158 'THE ATTACHMENT SIZE IS TOO LARGE' MESSAGE IS WRITTEN TO QRADAR LOGGING REGARDLESS OF A MAIL FAILURE REASON OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

Issue
The message "Unable to send email to: [email_address], the attachment size is too large. You can update the Max Email Attachment Size (KB) in the System Settings" is written to the QRadar error logs regardless of the mail failure reason. Messages similar to the following might be visible in /var/log/qradar.log when this issue has occurred:
[report_runner] [main] com.q1labs.reporting.ReportRunner: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Initializing Template: "test-email@test-email.com#$#2871c317-796f-4b43-834a-3ced048baae6"
[report_runner] [main] com.q1labs.reporting.ReportRunner: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Report start: "2871c317-796f-4b43-834a-3ced048baae6" Title: "Qradar Daily Device Report"
....
[report_runner] [main] com.q1labs.reporting.ReportServices: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Unable to send report "2871c317-796f-4b43-834a-3ced048baae6" to test-email@test-email.com
[report_runner] [main] com.q1labs.frameworks.exceptions.FrameworksException: Unable to send email to: [test-email@test-email.com], the attachment size is too large. You can update the Max Email Attachment Size (KB) in the System Settings
[report_runner] [main] Caused by: com.sun.mail.smtp.SMTPSendFailedException: 552 5.3.4 Error: message file too big
23 August 2020
MANAGED HOST IJ29029 THE REMAP (COMPONENT ID) OPTION WHEN ADDING A HOST CAN FAIL TO COMPLETE ALL REQUIRED TASKS OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

Issue
When adding a host to a QRadar Deployment, if the remap option is selected and a component that the Managed Host needs to have remapped is missing from removed_deployment_components, the remap generates a Null Pointer Exception and all subsequent actions of the remap process fail to complete. When this situation happens, it leaves a partially remapped Managed Host, or potentially a Managed Host that is not remapped at all, depending on the order in which the components were being remapped.

No messages are displayed in the QRadar User Interface indicating that a problem has occurred in these instances.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
/console/JSON-RPC/QRadar.valdiationRemap QRadar.valdiationRemap] com.q1labs.core.ui.servlet.RemoteJavaScript: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]An exception occurred while executing the remote method 'valdiationRemap'
/console/JSON-RPC/QRadar.valdiationRemap QRadar.valdiationRemap] java.lang.NullPointerException
/console/JSON-RPC/QRadar.valdiationRemap QRadar.valdiationRemap]    at com.ibm.si.configservices.api.impl.DeploymentAPIHostHelper.testRemapAppliance(DeploymentAPIHostHelper.java:598)
/console/JSON-RPC/QRadar.valdiationRemap QRadar.valdiationRemap]    at com.q1labs.qradar.ui.qradarservices.UIDeploymentManagement.valdiationRemap(UIDeploymentManagement.java:227)
/console/JSON-RPC/QRadar.valdiationRemap QRadar.valdiationRemap]    at sun.reflect.GeneratedMethodAccessor1055.invoke(Unknown Source)
/console/JSON-RPC/QRadar.valdiationRemap QRadar.valdiationRemap]    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
/console/JSON-RPC/QRadar.valdiationRemap QRadar.valdiationRemap]    at java.lang.reflect.Method.invoke(Method.java:508)
/console/JSON-RPC/QRadar.valdiationRemap QRadar.valdiationRemap]    at com.q1labs.uiframeworks.application.ReflectiveExportedMethod.callWithContext(ReflectiveExportedMethod.java:170)
/console/JSON-RPC/QRadar.valdiationRemap QRadar.valdiationRemap]    at com.q1labs.uiframeworks.application.ReflectiveExportedMethod.call(ReflectiveExportedMethod.java:128)
/console/JSON-RPC/QRadar.valdiationRemap QRadar.valdiationRemap]    at com.q1labs.uiframeworks.application.ExportedMethod.call(ExportedMethod.java:146)
/console/JSON-RPC/QRadar.valdiationRemap QRadar.valdiationRemap]    at com.q1labs.core.ui.servlet.RemoteJavaScript.doGet(RemoteJavaScript.java:378)
/console/JSON-RPC/QRadar.valdiationRemap QRadar.valdiationRemap]    at com.q1labs.core.ui.servlet.RemoteJavaScript.doPost(RemoteJavaScript.java:619)
/console/JSON-RPC/QRadar.valdiationRemap QRadar.valdiationRemap]    at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
/console/JSON-RPC/QRadar.valdiationRemap QRadar.valdiationRemap]    at com.q1labs.uiframeworks.servlet.HttpServlet.service(HttpServlet.java:22)
/console/JSON-RPC/QRadar.valdiationRemap QRadar.valdiationRemap]    at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
/console/JSON-RPC/QRadar.remapHost QRadar.remapHost] com.q1labs.core.ui.servlet.RemoteJavaScript: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]An exception occurred while executing the remote method 'remapHost'
/console/JSON-RPC/QRadar.remapHost QRadar.remapHost] java.lang.NullPointerException
/console/JSON-RPC/QRadar.remapHost QRadar.remapHost]    at com.ibm.si.configservices.api.impl.DeploymentAPIHostHelper.remapAppliance(DeploymentAPIHostHelper.java:753)
/console/JSON-RPC/QRadar.remapHost QRadar.remapHost]    at com.q1labs.qradar.ui.qradarservices.UIDeploymentManagement.remapHost(UIDeploymentManagement.java:236)
/console/JSON-RPC/QRadar.remapHost QRadar.remapHost]    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
/console/JSON-RPC/QRadar.remapHost QRadar.remapHost]    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
/console/JSON-RPC/QRadar.remapHost QRadar.remapHost]    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
/console/JSON-RPC/QRadar.remapHost QRadar.remapHost]    at java.lang.reflect.Method.invoke(Method.java:508)
/console/JSON-RPC/QRadar.remapHost QRadar.remapHost]    at com.q1labs.uiframeworks.application.ReflectiveExportedMethod.callWithContext(ReflectiveExportedMethod.java:170)
/console/JSON-RPC/QRadar.remapHost QRadar.remapHost]    at com.q1labs.uiframeworks.application.ReflectiveExportedMethod.call(ReflectiveExportedMethod.java:128)
/console/JSON-RPC/QRadar.remapHost QRadar.remapHost]    at com.q1labs.uiframeworks.application.ExportedMethod.call(ExportedMethod.java:146)
/console/JSON-RPC/QRadar.remapHost QRadar.remapHost]    at com.q1labs.core.ui.servlet.RemoteJavaScript.doGet(RemoteJavaScript.java:378)
/console/JSON-RPC/QRadar.remapHost QRadar.remapHost]    at com.q1labs.core.ui.servlet.RemoteJavaScript.doPost(RemoteJavaScript.java:619)
/console/JSON-RPC/QRadar.remapHost QRadar.remapHost]    at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
/console/JSON-RPC/QRadar.remapHost QRadar.remapHost]    at com.q1labs.uiframeworks.servlet.HttpServlet.service(HttpServlet.java:22)
/console/JSON-RPC/QRadar.remapHost QRadar.remapHost]    at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
02 November 2020
SYSTEM NOTIFICATIONS IJ29983 CLICKING THE HELP ICON FOR EVENT 'CRE: PROCESSOR THREAD(S) TERMINATED ABRUPTLY' (QID 38750144) RESULTS IN 'PAGE NOT FOUND' OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

Issue
When there is a System Notification generated for "CRE: Processor Thread(s) Terminated Abruptly", clicking the Help icon results in a "page not found". This is for event QID: 38750144.
18 December 2020
API IJ28323 DATA CAN BE RETURNED SLOWER THAN EXPECTED WHEN QUERYING FROM THE QRADAR API API/CONFIG/EXTENSION_MANAGEMENT/EXTENSIONS OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

Issue
Querying data using the QRadar API api/config/extension_management/extensions can take longer than expected.

This can also affect QRadar Apps that use the API to return this data (example: QRadar Assistant).
25 September 2020
QRADAR INCIDENT FORENSICS IJ30020 QRADAR INCIDENT FORENSICS UPLOAD CAN FAIL WHEN THERE ARE SPECIAL CHARACTERS CONTAINED IN THE DATABASE PASSWORD OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

Issue
An error similar to "There was an error running the forensics recovery." is observed when attempting to run a Forensics recovery on the Console while the database password contains special characters. Messages similar to the following might be visible in /var/log/qradar.log:
[tomcat.tomcat] [HttpServletRequest-87-Idle] com.ibm.qradar.wfObjects.wfDBConnect: [ERROR] Database error: SQLException: FATAL: password authentication failed for user "qradar"
SQLState: 28P01
VendorError: 0
--
Checking the postgresql-qrd service on the Console, it still shows these connection failures:
x.x.x.x.ent postgres[173526]: [3-3] Connection matched pg_hba.conf line 54: "host all all 127.0.0.1 255.255.255.255 md5"
x.x.x.x.ent postgres[173909]: [3-1] FATAL: password authentication failed for user "qradar"
x.x.x.x.ent postgres[173909]: [3-2] DETAIL: Password does not match for user "qradar".
x.x.x.x.ent postgres[173909]: [3-3] Connection matched pg_hba.conf line 54: "host all all 127.0.0.1 255.255.255.255 md5"
x.x.x.x.ent postgres[173914]: [3-1] FATAL: password authentication failed for user "qradar"
x.x.x.x.ent postgres[173914]: [3-2] DETAIL: Password does not match for user "qradar".
x.x.x.x.ent postgres[173914]: [3-3] Connection matched pg_hba.conf line 54: "host all all 127.0.0.1 255.255.255.255 md5"
x.x.x.x.ent postgres[173929]: [3-1] FATAL: password authentication failed for user "qradar"
x.x.x.x.ent postgres[173929]: [3-2] DETAIL: Password does not match for user "qradar".
x.x.x.x.ent postgres[173929]: [3-3] Connection matched pg_hba.conf line 54: "host all all 127.0.0.1 255.255.255.255 md5"
05 January 2021
AKAMAI KONA IJ26656 LOG SOURCES USING THE AKAMAI KONA PROTOCOL CAN STOP PULLING EVENTS OPEN Workaround
Toggling the affected Log Source can correct this issue when it occurs: disable and then enable the Log Source.

Issue
Log Sources configured to use the Akamai Kona REST API Protocol can stop pulling events when an "UnknownHostException" is received by the protocol (for example, a DNS issue during the protocol query).

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ec-ingress.ecs-ec-ingress] [Akamai Kona REST API Protocol Provider Thread: class com.q1labs.semsources.sources.akamaikonarestapi.AkamaiKonaRESTAPIProvider3427] java.net.UnknownHostException: akab-uyyfbgxgw7ainbm3-wssxie3ldbia4l42.cloudsecurity.akamaiapis.net: akab-uyyfbgxgw7ainbm3-wssxie3ldbia4l42.cloudsecurity.akamaiapis.net: unknown error
30 July 2020
tbd IJ32192 ERROR WRITTEN TO QRADAR LOGGING: "THERE WAS AN ERROR READING AUTHENTICATION.PROPERTIES. SETTINGS WILL NOT BE RELOADED" OPEN Workaround
Copy "/opt/qradar/conf/securityModel/authentication.properties" from the Console to the Managed Hosts in the QRadar deployment. See the following link for information on how to use the QRadar all_servers.sh command: https://www.ibm.com/support/pages/qradar-using-allserverssh-command.

Issue
An error message containing "There was an error reading authentication.properties. Settings will not be reloaded" can be observed in QRadar logging when a login message has been previously configured and then QRadar is patched.

Messages similar to the following can also be visible in /var/log/qradar.log when this issue occurs:
com.ibm.si.securitymodel.authentication.settings.InvalidAuthenticationSettingsFileConfigurationException: Invalid value for Logon message found. securitymodel.authentication.logon.require_accept was set to true but securitymodel.authentication.logon.message empty.
30 April 2021
ASSETS IJ28539 UPDATING AN ASSET USING THE QRADAR API WHEN THE ASSET HAS NO IP ADDRESS DEFINED FAILS WITH AN 'ILLEGAL ARGUMENT EXCEPTION' OPEN Workaround
Perform required asset update using the QRadar User Interface.

Issue
Deleting an asset's IP address results in the inability to update the asset through the API and generates an IllegalArgumentException.

This is due to the verification process that determines whether the IP is in the security profile.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460] com.q1labs.assetprofile.api.v3_1.AssetsAPI: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Could not verify if the current user has permission to access domainid: [0], ipaddress: []
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460] java.lang.IllegalArgumentException: Could not get domainId or ipAddress for asset [1460] !
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460]    at com.q1labs.assetprofile.api.v3_1.impl.AssetsAPIImpl.canUserUpdateAsset(AssetsAPIImpl.java:278)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460]    at com.q1labs.assetprofile.api.v3_1.impl.AssetsAPIImpl.updateAsset(AssetsAPIImpl.java:69)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460]    at com.q1labs.assetprofile.api.v3_1.AssetsAPI.updateAsset(AssetsAPI.java:140)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460]    at sun.reflect.GeneratedMethodAccessor5608.invoke(Unknown Source)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460]    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460]    at java.lang.reflect.Method.invoke(Method.java:508)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460]    at com.q1labs.restapi.servlet.utilities.APIRequestHandler.invokeMethod(APIRequestHandler.java:1038)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460]    at com.q1labs.restapi.servlet.utilities.APIRequestHandler.redirectRequest(APIRequestHandler.java:406)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460]    at com.q1labs.restapi.servlet.utilities.APIRequestHandler.handleRequest(APIRequestHandler.java:244)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460]    at com.q1labs.restapi.servlet.apidelegate.APIDelegate.handleRequest(APIDelegate.java:341)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460]    at com.q1labs.restapi.servlet.apidelegate.APIDelegate.service(APIDelegate.java:259)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460]    at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460]    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460]    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460]    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460]    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460]    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460]    at com.q1labs.uiframeworks.servlet.AddUserHeaderFilter:
12 October 2020
LOG SOURCE MANAGEMENT APP IJ32804 A USER WITH A NON-ADMIN USER ROLE CANNOT REASSIGN OR MOVE A LOG SOURCE TO A DIFFERENT GROUP USING LOG SOURCE MANAGEMENT APP OPEN Workaround
Perform the required change using: LSM app > Menu > Previous Log Source Interface > Edit

Issue
When a non-admin user attempts to change the Log Source Group using the Log Source Management app (version 6.1 and 7.0), the changes are not saved. For example:

  1. Log in as a non-admin user.
  2. Open the LSM app.
  3. Select any Log Source > Edit > Groups > select a group > Save.

    Results
    After clicking Save, the Log Source Group still displays the original group name; the change does not take effect.
28 May 2021
REPORTS IJ29558 THE VALUE OF 'MOST RECENT RESULTS' IN AN OFFENSE REPORT DISPLAYS AS A NEGATIVE VALUE WHEN USING A DIFFERENT USER ACCOUNT OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

Issue
The value of 'Most Recent Results' in an offense report is negative when viewed from a different user account.
For example:
  1. Have a user account that is not admin but has permissions for Log Activity, Offenses and Reports.
  2. Log on as the admin user account and create a search, ensuring that it returns offense data.
  3. Create a report based on the saved search, and view the Scheduled Search results.
  4. Log on as the user account from step 1 and view the Scheduled Search results: "Most Recent Results" is a negative value in the Offense Source Summary section.
04 December 2020
DSM EDITOR IJ29955 MISSING DATE FORMAT IN THE LINUX OS DSM EDITOR CAUSES THE SIMULATION PARSING TO FAIL OPEN Workaround
Uncheck (deselect) the box for "Override system behavior" for "Log Source Time". DSM Editor information: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/c_qradar_adm_dsm_ed_overview.html.

Issue
Missing date format in the Linux OS DSM Editor causes the simulation parsing to fail.

The DSM Editor does not parse or show the events in the Log Activity Preview if there is no date format for a time-type event property; instead, a NullPointerException is thrown.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] com.q1labs.restapi_annotations.content.exceptions.endpointExceptions.ServerProcessingException: Unable to complete parsing simulation
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at com.ibm.si.data_ingestion.api.impl.application.ApplicationAPIImpl.simulateParse(ApplicationAPIImpl.java:1070)
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at com.ibm.si.data_ingestion.api.v7_0.application.ApplicationAPI.simulateParse(ApplicationAPI.java:410)
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at java.lang.reflect.Method.invoke(Method.java:508)
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at com.q1labs.restapi.servlet.utilities.APIRequestHandler.invokeMethod(APIRequestHandler.java:1038)
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at com.q1labs.restapi.servlet.utilities.APIRequestHandler.redirectRequest(APIRequestHandler.java:406)
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] ... 61 more
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] Caused by: java.lang.NullPointerException
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at java.text.SimpleDateFormat.<init>(SimpleDateFormat.java:609)
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at java.text.SimpleDateFormat.<init>(SimpleDateFormat.java:591)
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at com.ibm.si.data_ingestion.dsm_simulator.parsers.DatePropertyParser.initializeExpression(DatePropertyParser.java:46)
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at com.ibm.si.data_ingestion.dsm_simulator.parsers.PropertyParser.<init>(PropertyParser.java:34)
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at com.ibm.si.data_ingestion.dsm_simulator.parsers.PropertyParser.<init>(PropertyParser.java:75)
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at com.ibm.si.data_ingestion.dsm_simulator.parsers.DatePropertyParser.<init>(DatePropertyParser.java:28)
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at com.ibm.si.data_ingestion.dsm_simulator.parsers.PropertyParserFactory.getPropertyParser(PropertyParserFactory.java:39)
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at com.ibm.si.data_ingestion.dsm_simulator.ParserSimulator.setPropertyParsers(ParserSimulator.java:120)
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at com.ibm.si.data_ingestion.api.impl.application.ApplicationAPIImpl.simulateParse(ApplicationAPIImpl.java:1060)
[tomcat.tomcat] [xxx@xxxxx/console/restapi/api/application/data_ingestion/simulate] ... 68 more
18 December 2020
QRADAR NETWORK INSIGHTS IJ33716 QNI PERFORMANCE DEGRADATION CAN OCCUR WHEN RUNNING IN ADVANCED MODE WITH A LARGE AMOUNT OF TLS TRAFFIC OPEN Workaround
On the console and each QNI host:
  1. Edit the /opt/qradar/conf/templates/configservices/forensics_config.vm file.
  2. In the tikaFilter section for excludeExt, add a line for
    <ext name=".crt"/>
  3. Perform a Deploy Full Configuration (Admin > Advanced drop down) so that the new configuration template is picked up and used for all QNI hosts.

    Note: When this workaround is performed, the content type field is no longer populated for X.509 certificates, and the workaround can fail to persist through QRadar patching. Contact Support for assistance if required.

Issue
QRadar Network Insights (QNI) performance degradation can occur when running in advanced mode with a large amount of TLS traffic in the network environment.

This occurs because the decapper treats every X.509 certificate as a file, so each certificate is passed through Tika unnecessarily.
18 July 2021
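Because the note above warns that the excludeExt change can be lost during patching, it is worth having an idempotent way to apply it and to re-check every QNI host afterwards. The Python below is an added example for this page, not QRadar code: it works on the text of a copy of forensics_config.vm, and the element layout it expects (an <excludeExt> block inside <tikaFilter>, holding <ext name="..."/> entries) is an assumption to verify against the real template before use. The sample template is constructed for the example.

```python
"""Apply and verify the IJ33716 workaround on the text of forensics_config.vm:
ensure the tikaFilter excludeExt list contains <ext name=".crt"/>.
Added example, not QRadar code. The <excludeExt> ... </excludeExt> layout is
assumed; check it against the real template first."""
import re

CRT_EXCLUDE = '<ext name=".crt"/>'
# Assumed layout: an <excludeExt> ... </excludeExt> block inside <tikaFilter>.
_EXCLUDE_BLOCK = re.compile(r"(<excludeExt>)(.*?)(</excludeExt>)", re.DOTALL)
_CRT_PRESENT = re.compile(r'<ext\s+name\s*=\s*"\.crt"\s*/>')


def has_crt_exclusion(template: str) -> bool:
    """True when the .crt exclusion is already inside the excludeExt block.
    Run this after every patch to confirm the workaround survived."""
    m = _EXCLUDE_BLOCK.search(template)
    return bool(m and _CRT_PRESENT.search(m.group(2)))


def add_crt_exclusion(template: str) -> str:
    """Return the template with the .crt exclusion as the first excludeExt
    entry. Idempotent; raises if the block cannot be found so a layout change
    is noticed rather than silently producing an unchanged file."""
    if has_crt_exclusion(template):
        return template
    m = _EXCLUDE_BLOCK.search(template)
    if not m:
        raise ValueError("no <excludeExt> block found; template layout differs")
    body = m.group(2)
    # Reuse the indentation of the first existing <ext .../> entry, if any.
    indent_match = re.search(r"\n([ \t]*)<ext ", body)
    indent = indent_match.group(1) if indent_match else "    "
    new_body = "\n" + indent + CRT_EXCLUDE + body
    return template[:m.start(2)] + new_body + template[m.end(2):]


# Constructed sample in the assumed layout (not the real template content).
SAMPLE_TEMPLATE = """<forensicsConfig>
  <tikaFilter>
    <excludeExt>
      <ext name=".zip"/>
      <ext name=".gz"/>
    </excludeExt>
  </tikaFilter>
</forensicsConfig>
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_TEMPLATE
    print("workaround present:", has_crt_exclusion(text))
    if path is None:
        print(add_crt_exclusion(text))
```

Run it with the path of the template on each host to print whether the exclusion is present; a Deploy Full Configuration is still needed after editing, as the workaround steps say.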
X-FORCE IJ08964 RIGHT CLICK FOR "X-FORCE EXCHANGE LOOKUP" IS NOT DISPLAYED ON URL ITEM FROM AN AQL QUERY SEARCH IN LOG ACTIVITY OPEN Workaround
No workaround available.

Issue
It has been identified that the plugin option for "X-Force Exchange Lookup" is not available when right-clicking the URL item of an event in an AQL query result in Log Activity.

The "X-Force Exchange Lookup" right click option is available in the case of a normal search result.
16 October 2018
DISCONNECTED LOG COLLECTOR (DLC) IJ29148 DISCONNECTED LOG COLLECTOR (DLC) CAN FAIL TO RECEIVE EVENTS AFTER AN INTERRUPTION IN NETWORK CONNECTIVITY OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

Issue
When there is an interruption in the network connectivity between a Disconnected Log Collector (DLC) and QRadar, some events can be missing due to the way in which the disconnect and reconnect are handled with regard to the handshake and socket monitoring.
16 November 2020
NETWORK IJ26509 QCHANGE_NETSETUP FAILS WHEN AN APPLIANCE TIMEZONE IS SET WHERE NO CITY/REGION IS SELECTED OPEN Workaround
QRadar System and License Management: set the timezone to include region and city (e.g. "Europe/Dublin") for the affected appliance and run qchange_netsetup again.

Issue
Using the qchange_netsetup command from the QRadar command line (e.g. to change an appliance hostname) can fail during the completion process when a timezone with no City/Region is selected for that appliance within System and License Management.

Messages similar to the following might be displayed when this issue occurs during qchange_netsetup:
May 27 17:27:35 qradar_netsetup.py[31813]: qradar_netsetup
finalBlock [ERROR] KeyError: 'Eire'
May 27 17:27:35 qradar_netsetup.py[31813]: ibm_logging error
[ERROR] Failed. Exit code: 1. Case 1.
24 July 2020
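The KeyError above comes from a bare legacy zone name ('Eire') being looked up where a Region/City name is expected. Before running qchange_netsetup across a deployment it is cheap to check every appliance's timezone value for that form. The Python below is an added example for this page, not QRadar code; the alias table is a partial list of tzdata's backward-compatibility links and is assumed sufficient for the check, and the appliance list is constructed.

```python
"""Flag appliance timezone settings that are not in Region/City form, which
qchange_netsetup needs (added example for APAR IJ26509; not QRadar code)."""
import re
from typing import Dict, Optional

# Partial table of legacy tzdata names (tzdata 'backward' links) mapped to the
# canonical Region/City zone. Assumed sufficient here; extend for other legacy
# names seen in your deployment.
LEGACY_ALIASES: Dict[str, str] = {
    "Eire": "Europe/Dublin",
    "GB": "Europe/London",
    "Japan": "Asia/Tokyo",
    "NZ": "Pacific/Auckland",
    "PRC": "Asia/Shanghai",
    "Turkey": "Europe/Istanbul",
    "Iceland": "Atlantic/Reykjavik",
    "Egypt": "Africa/Cairo",
    "Cuba": "America/Havana",
    "UTC": "Etc/UTC",
    "Zulu": "Etc/UTC",
}

# Region/City, with an optional third component such as
# America/Argentina/Buenos_Aires; Etc/GMT+5 style names also pass.
_REGION_CITY = re.compile(r"^[A-Z][A-Za-z]+(?:/[A-Za-z0-9_+\-]+){1,2}$")


def is_region_city(tz: str) -> bool:
    """True when the value has the Region/City shape the netsetup lookup wants."""
    return bool(_REGION_CITY.match(tz))


def suggest_timezone(tz: str) -> Optional[str]:
    """Return a Region/City value to use instead of tz. Returns tz itself when
    it is already acceptable and None when no known alias exists, in which
    case the administrator has to pick the zone by hand in System and License
    Management."""
    if is_region_city(tz):
        return tz
    return LEGACY_ALIASES.get(tz)


def check_appliances(timezones: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Given {hostname: configured timezone}, return only the hosts whose
    value would trip the KeyError, each with the suggested replacement."""
    return {
        host: suggest_timezone(tz)
        for host, tz in timezones.items()
        if not is_region_city(tz)
    }


# Constructed sample: four appliances, one set to the bare 'Eire' value that
# produces the "KeyError: 'Eire'" shown in the APAR, one with an unknown name.
SAMPLE_TIMEZONES = {
    "console": "Europe/Dublin",
    "ep01": "Eire",
    "ep02": "Etc/UTC",
    "fc01": "Mars",
}

if __name__ == "__main__":
    for host, fix in check_appliances(SAMPLE_TIMEZONES).items():
        print(f"{host}: timezone needs Region/City form; use {fix or '<choose manually>'}")
```

The check only looks at the shape of the string; it does not prove the zone exists on the appliance, so the replacement still needs to be one the System and License Management dropdown offers.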
LOG ACTIVITY IJ34165 QRADAR APP LOGGING CAN CAUSE UNKNOWN SIM GENERIC EVENTS TO BE DISPLAYED IN THE USER INTERFACE OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

Issue
QRadar App logging can incorrectly direct events into the QRadar event pipeline. When this occurs, SIM Generic events can be generated and displayed in the User Interface.

Example of messages that can be seen generated from the User Behavior Analytics app when this occurs:
<14>1 2021-05-09T23:47:22+0000 7af7bf83d639e752 UserAnalytics 1803 - - [NOT:0000006000] Detected QRadar version: 742
<14>1 2021-05-09T23:47:00+0000 7af7bf83d639e752 UserAnalytics 1803 - - [NOT:0000006000] Post app configs to ML response: Token successfully updated
<14>1 2021-05-09T23:46:59+0000 7af7bf83d639e752 UserAnalytics 1803 - - [NOT:0000006000] Calling qradar api on /console/plugins/1851/app_proxy/get_usecase_count returned status code 200
<14>1 2021-05-09T23:46:58+0000 7af7bf83d639e752 UserAnalytics 1803 - - [NOT:0000006000] ML Pipeline app id=1851, status=RUNNING
<14>1 2021-05-09T23:46:58+0000 7af7bf83d639e752 UserAnalytics 1803 - - [NOT:0000006000] Checking appliance hardware (RAM) is > 2097152
<14>1 2021-05-09T23:46:56+0000 7af7bf83d639e752 UserAnalytics 1803 - - [NOT:0000006000] Checking if ML pipeline app present and getting appID.
<14>1 2021-05-09T23:46:56+0000 7af7bf83d639e752 UserAnalytics 1803 - - [NOT:0000006000] SEC token main UBA app present.
<14>1 2021-05-09T23:46:56+0000 7af7bf83d639e752 UserAnalytics 1803 - - [NOT:0000006000] An SEC Token has been configured
05 August 2021
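The lines quoted for IJ34165 are well-formed RFC 5424 syslog (PRI 14 is facility 1 "user", severity 6 "info"), which is why the pipeline accepts them and then files them as SIM Generic. Telling app log chatter apart from real events is a matter of parsing the header and looking at the APP-NAME together with the [NOT:...] notification code that QRadar apps put at the start of the message. The Python below is an added example for this page, not QRadar code: the APP_LOG_APPNAMES set is an assumption to extend with the app names seen in a deployment, and the sample input is the eight UserAnalytics lines quoted above plus one constructed sshd line.

```python
"""Parse RFC 5424 syslog lines and flag QRadar app log output that has leaked
into the event pipeline (added example for APAR IJ34165; not QRadar code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
# SD is "-" or one or more [...] elements. QRadar app logs prefix MSG with a
# [NOT:nnnnnnnnnn] notification code, which is not structured data.
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$"
)
_NOT_CODE = re.compile(r"^\[NOT:(?P<code>\d{10})\]\s*(?P<rest>.*)$")


@dataclass
class SyslogRecord:
    facility: int
    severity: int
    timestamp: str
    host: str
    app: str
    procid: str
    notification_code: Optional[str]
    message: str


def parse_rfc5424(line: str) -> SyslogRecord:
    """Split one RFC 5424 line; PRI decodes as facility * 8 + severity."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError(f"not an RFC 5424 line: {line!r}")
    pri = int(m["pri"])
    if pri > 191:
        raise ValueError(f"PRI out of range: {pri}")
    msg = m["msg"] or ""
    code = None
    n = _NOT_CODE.match(msg)
    if n:
        code, msg = n["code"], n["rest"]
    return SyslogRecord(
        facility=pri >> 3, severity=pri & 7, timestamp=m["ts"], host=m["host"],
        app=m["app"], procid=m["procid"], notification_code=code, message=msg,
    )


# Assumed: APP-NAME values of QRadar apps whose own logging should never
# arrive as events. Extend with the app names seen in your deployment.
APP_LOG_APPNAMES = {"UserAnalytics"}


def is_app_log_leak(rec: SyslogRecord) -> bool:
    """App log line in the pipeline: APP-NAME of a QRadar app plus a
    [NOT:...] notification code in the message body."""
    return rec.app in APP_LOG_APPNAMES and rec.notification_code is not None


def triage(lines: List[str]) -> Tuple[int, Dict[str, int]]:
    """Return (number of leaked app log lines, line count per APP-NAME).
    Lines that do not parse are counted under 'unparsed'."""
    leaked = 0
    per_app: Dict[str, int] = {}
    for line in lines:
        try:
            rec = parse_rfc5424(line)
        except ValueError:
            per_app["unparsed"] = per_app.get("unparsed", 0) + 1
            continue
        per_app[rec.app] = per_app.get(rec.app, 0) + 1
        if is_app_log_leak(rec):
            leaked += 1
    return leaked, per_app


# The eight UserAnalytics lines quoted in the APAR, plus one constructed sshd
# line to show that a legitimate event is left alone.
SAMPLE_LINES = [
    "<14>1 2021-05-09T23:47:22+0000 7af7bf83d639e752 UserAnalytics 1803 - - [NOT:0000006000] Detected QRadar version: 742",
    "<14>1 2021-05-09T23:47:00+0000 7af7bf83d639e752 UserAnalytics 1803 - - [NOT:0000006000] Post app configs to ML response: Token successfully updated",
    "<14>1 2021-05-09T23:46:59+0000 7af7bf83d639e752 UserAnalytics 1803 - - [NOT:0000006000] Calling qradar api on /console/plugins/1851/app_proxy/get_usecase_count returned status code 200",
    "<14>1 2021-05-09T23:46:58+0000 7af7bf83d639e752 UserAnalytics 1803 - - [NOT:0000006000] ML Pipeline app id=1851, status=RUNNING",
    "<14>1 2021-05-09T23:46:58+0000 7af7bf83d639e752 UserAnalytics 1803 - - [NOT:0000006000] Checking appliance hardware (RAM) is > 2097152",
    "<14>1 2021-05-09T23:46:56+0000 7af7bf83d639e752 UserAnalytics 1803 - - [NOT:0000006000] Checking if ML pipeline app present and getting appID.",
    "<14>1 2021-05-09T23:46:56+0000 7af7bf83d639e752 UserAnalytics 1803 - - [NOT:0000006000] SEC token main UBA app present.",
    "<14>1 2021-05-09T23:46:56+0000 7af7bf83d639e752 UserAnalytics 1803 - - [NOT:0000006000] An SEC Token has been configured",
    "<38>1 2021-05-09T23:47:30+0000 host01 sshd 2210 - - Accepted publickey for admin from 10.0.0.5 port 51012",
]

if __name__ == "__main__":
    leaked, per_app = triage(SAMPLE_LINES)
    print(f"leaked app log lines: {leaked}; per app: {per_app}")
```

Pointing triage at an export of the SIM Generic events from Log Activity gives a quick count of how much of that noise is app logging, and the per-app breakdown names the app to look at.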
SERVICE IJ34835 QRADAR ECS-EC-INGRESS SERVICE CAN STOP PROCESSING EVENTS DUE TO A NULL EVENT OPEN Workaround
Restart the QRadar event collection service:
Admin tab > Advanced > Restart Event Collection Services.

Issue
The QRadar ecs-ec-ingress service can stop processing events when a null event is received.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ec-ingress.ecs-ec-ingress] [Thread-45] com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [NOT:0000003000][10.153.24.147/- -] [-/- -]Exception was uncaught in thread: Thread-45
[ecs-ec-ingress.ecs-ec-ingress] [Thread-45] java.lang.NullPointerException
[ecs-ec-ingress.ecs-ec-ingress] [Thread-45] at com.ibm.si.ecingress.filters.QueuedEventThrottleFilter$ThrottleProcessor.run(QueuedEventThrottleFilter.java:349)
10 September 2021
SECURITY BULLETIN CVE-2021-29880 IBM QRADAR SIEM IS VULNERABLE TO POSSIBLE INFORMATION DISCLOSURE IN A MULTI-DOMAIN DEPLOYMENT CLOSED Resolved in
QRadar 7.4.3 Fix Pack 2 (7.4.3.20210810221124)

Affected versions
IBM QRadar 7.4.3 GA to 7.4.3 Fix Pack 1 (SFS files only)

IMPORTANT FLASH NOTICE
The QRadar Support team issued a flash notice for this issue for users on QRadar 7.4.3 and QRadar 7.4.3 Fix Pack 1 with domains enabled. For more information, see: https://www.ibm.com/support/pages/node/6480739.

Issue
IBM QRadar SIEM when using domains or multi-tenancy could be vulnerable to information disclosure between tenants by routing SIEM data to the incorrect domain. CVSS Base score: 5.3.
12 August 2021
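The bulletins on this page quote the resolving release as a full build string (7.4.3.20210810221124 above), so deciding whether an appliance is patched comes down to comparing its installed build string with the resolving build for the same 7.3 or 7.4 stream. The Python helper below is an added example written for this page, not IBM tooling: the BULLETINS table is filled from entries on this page, and the build strings it is tested against are the ones quoted here.

```python
"""Compare an installed QRadar build string with the 'Resolved in' builds
quoted in the security bulletins (added example; not IBM tooling)."""
import re
from typing import Dict, List, NamedTuple, Optional


class QRadarBuild(NamedTuple):
    major: int
    minor: int
    release: int
    build: int  # YYYYMMDDhhmmss build stamp; 0 when only x.y.z (GA) is known


_BUILD_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d{14}))?$")


def parse_build(text: str) -> QRadarBuild:
    """Accept '7.4.3' (GA) or '7.4.3.20210708143944' (fix pack build)."""
    m = _BUILD_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised QRadar build string: {text!r}")
    return QRadarBuild(int(m[1]), int(m[2]), int(m[3]), int(m[4] or 0))


def is_resolved(installed: str, resolved_in: List[str]) -> Optional[bool]:
    """True if the installed build is at or after the resolving build for its
    major.minor stream, False if it is earlier, None if the bulletin lists no
    build for that stream (then read the bulletin's affected-versions list)."""
    have = parse_build(installed)
    for fixed_text in resolved_in:
        fixed = parse_build(fixed_text)
        if (fixed.major, fixed.minor) == (have.major, have.minor):
            return have >= fixed  # NamedTuple compares field by field
    return None


# Resolving builds copied from bulletins on this page. Assumed to be the only
# bulletins being checked; add the rest of the table for a full audit.
BULLETINS: Dict[str, List[str]] = {
    "CVE-2021-29880": ["7.4.3.20210810221124"],
    "CVE-2021-20337": ["7.4.3.20210708143944", "7.3.3.20210716155826"],
    "CVE-2020-4980": ["7.4.3.20210708143944", "7.3.3.20210427222138"],
}


def unresolved_bulletins(installed: str,
                         bulletins: Dict[str, List[str]] = BULLETINS) -> List[str]:
    """CVE ids whose resolving build for this stream is later than installed.
    Bulletins with no build for the stream (None) are not listed."""
    return [cve for cve, fixes in bulletins.items()
            if is_resolved(installed, fixes) is False]


if __name__ == "__main__":
    import sys
    installed = sys.argv[1] if len(sys.argv) > 1 else "7.4.3.20210708143944"
    print(installed, "still needs:", unresolved_bulletins(installed) or "nothing listed")
```

A None result means the bulletin names no build for that stream. For CVE-2021-29880 that is because only 7.4.3 GA and Fix Pack 1 are affected; for other bulletins it can also mean an older, unlisted stream, so treat None as "check the affected versions", not as "safe".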
SECURITY BULLETIN CVE-2021-20337 IBM QRADAR SIEM USES WEAKER THAN EXPECTED CRYPTOGRAPHIC ALGORITHMS CLOSED Resolved in
QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

Affected versions
  • IBM QRadar SIEM 7.4.0 to 7.4.3 GA
  • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 8
Issue
CVE-2021-20337: IBM QRadar uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. CVSS Base score: 5.9
23 July 2021
SECURITY BULLETIN CVE-2019-13990
CVE-2020-8908
CVE-2020-9488
CVE-2020-13956
CVE-2020-25649
IBM DISCONNECTED LOG COLLECTOR IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES CLOSED Resolved in
Disconnected Log Collector (DLC) V1.6

Affected versions
IBM Disconnected Log Collector V1.0 to V1.5

Issue
  • CVE-2019-13990: Terracotta could allow a remote attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the initDocumentParser function in xml/XMLSchedulingDataProcessor.java. By persuading a victim to open specially-crafted XML content, a remote attacker could exploit this vulnerability to read arbitrary files. CVSS Base score: 5.5
  • CVE-2020-8908: Guava could allow a local attacker to obtain sensitive information or bypass security restrictions, caused by a temp directory creation vulnerability in com.google.common.io.Files.createTempDir(): on Unix-like systems the directory is created with permissions that let other local users access it. CVSS Base score: 5.4
  • CVE-2020-9488: Apache Log4j is vulnerable to a man-in-the-middle attack, caused by improper certificate validation with host mismatch in the SMTP appender. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system. CVSS Base score: 3.7
  • CVE-2020-13956: Apache HttpClient could allow a remote attacker to bypass security restrictions, caused by the improper handling of malformed authority component in request URIs. By passing request URIs to the library as java.net.URI object, an attacker could exploit this vulnerability to pick the wrong target host for request execution. CVSS Base score: 5.3
  • CVE-2020-25649: FasterXML Jackson Databind could provide weaker than expected security, caused by not having entity expansion secured properly. A remote attacker could exploit this vulnerability to launch XML external entity (XXE) attacks to have impact over data integrity. CVSS Base score: 7.5
10 August 2021
SECURITY BULLETIN CVE-2021-29757 USER BEHAVIOR ANALYTICS APPLICATION ADD ON TO IBM QRADAR SIEM PERFORMS IMPROPER CSRF CHECKING FOR SOME COMPONENTS CLOSED Resolved in
User Behavior Analytics V4.1.2

Affected versions
All User Behavior Analytics versions

Issue
CVE-2021-29757: IBM QRadar User Behavior Analytics is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. CVSS Base score: 4.3
30 July 2021
SECURITY BULLETIN CVE-2021-25215
CVE-2020-25648
CVE-2020-25692
CVE-2020-8625
CVE-2021-27363
CVE-2021-27364
CVE-2021-27365
IBM QRADAR NETWORK PACKET CAPTURE IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES CLOSED Resolved in
IBM QRadar Network Packet Capture 7.3.3 Patch 7 (Build 17)
IBM QRadar Network Packet Capture 7.4.3 Fix Pack 1 (Build 1302)

Affected versions
  • IBM QRadar Network Packet Capture 7.3.0 - 7.3.3 Patch 6
  • IBM QRadar Network Packet Capture 7.4.0 - 7.4.3 GA
Issue
  • CVE-2021-25215: ISC BIND is vulnerable to a denial of service, caused by an assertion failure while answering queries for DNAME records. By sending a query for DNAME records, an attacker could exploit this vulnerability to trigger a failed assertion check and terminate the named process. CVSS Base score: 7.5
  • CVE-2020-25648: Mozilla Network Security Services (NSS), as used in Mozilla Firefox is vulnerable to a denial of service, caused by improper handling of CCS (ChangeCipherSpec) messages in TLS. By sending specially-crafted CCS messages, a remote attacker could exploit this vulnerability to cause the system to crash. CVSS Base score: 7.5
  • CVE-2020-25692: OpenLDAP is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially crafted TCP packet, a remote attacker could exploit this vulnerability to cause slapd to crash. CVSS Base score: 7.5
  • CVE-2020-8625: ISC BIND is vulnerable to a buffer overflow, caused by improper bounds checking by the SPNEGO implementation. When the tkey-gssapi-keytab or tkey-gssapi-credential configuration options are set to valid values, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the named process to crash. CVSS Base score: 8.1
  • CVE-2021-27363: Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by a kernel pointer leak when show_transport_handle function in drivers/scsi/scsi_transport_iscsi.c is called. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain the address of the iscsi_transport structure information, and use this information to launch further attacks against the affected system. CVSS Base score: 5.5
  • CVE-2021-27364: Linux Kernel could allow a local authenticated attacker to execute arbitrary commands on the system, caused by a flaw in the iscsi_if_recv_msg function in drivers/scsi/scsi_transport_iscsi.c. By sending specially-crafted Netlink messages, an attacker could exploit this vulnerability to connect to the iscsi NETLINK socket and send arbitrary commands to the kernel. CVSS Base score: 7.8
  • CVE-2021-27365: Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by an issue when certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. By sending a specially-crafted Netlink message, an attacker could exploit this vulnerability to obtain memory information, and use this information to launch further attacks against the affected system. CVSS Base score: 5.5
30 July 2021
SECURITY BULLETIN CVE-2020-13949
CVE-2020-25649
CVE-2021-25329
CVE-2021-25122
CVE-2020-17527
IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES CLOSED Resolved in
QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

Affected versions
  • IBM QRadar SIEM 7.4.0 to 7.4.3 GA
  • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 8
Issue
  • CVE-2020-13949: Apache Thrift is vulnerable to a denial of service, caused by improper input validation. By sending specially-crafted messages, a remote attacker could exploit this vulnerability to cause a large memory allocation. CVSS Base score: 7.5
  • CVE-2020-25649: FasterXML Jackson Databind could provide weaker than expected security, caused by not having entity expansion secured properly. A remote attacker could exploit this vulnerability to launch XML external entity (XXE) attacks to have impact over data integrity. CVSS Base score: 7.5
  • CVE-2021-25329: Apache Tomcat could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a flaw with a configuration edge case. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 8.8
  • CVE-2021-25122: Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by a flaw when responding to new h2c connection requests. By sending a specially-crafted request, an attacker could exploit this vulnerability to see the request body information from one request to another, and use this information to launch further attacks against the affected system. CVSS Base score: 5.3
  • CVE-2020-17527: Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by an issue when the HTTP request header value can be reused from the previous stream received on an HTTP/2 connection. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. CVSS Base score: 5.3
27 July 2021
SECURITY BULLETIN CVE-2021-20399 IBM QRADAR SIEM IS VULNERABLE TO AN XML EXTERNAL ENTITY INJECTION (XXE) ATTACK CLOSED Resolved in
QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

Affected versions
  • IBM QRadar SIEM 7.4.0 to 7.4.3 GA
  • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 8
Issue
CVE-2021-20399: IBM QRadar is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. CVSS Base score: 7.1
26 July 2021
SECURITY BULLETIN CVE-2021-20225
CVE-2020-25632
CVE-2021-20233
CVE-2020-25647
CVE-2021-3418
CVE-2020-27749
CVE-2020-14372
CVE-2020-27779
GRUB2 AS USED BY IBM QRADAR SIEM IS VULNERABLE TO ARBITRARY CODE EXECUTION CLOSED Resolved in
QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

Affected versions
  • IBM QRadar SIEM 7.4.0 to 7.4.3 GA
  • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 8
Issue
  • CVE-2021-20225: GNU GRUB2 could allow a local authenticated attacker to execute arbitrary code on the system, caused by a heap out-of-bounds write flaw in the short form option parser. By sending specially-crafted commands, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 7.5
  • CVE-2020-25632: GNU GRUB2 could allow a local authenticated attacker to execute arbitrary code on the system, caused by a use-after-free flaw in the rmmod implementation. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code and bypass Secure Boot protections. CVSS Base score: 7.5
  • CVE-2021-20233: GNU GRUB2 could allow a local authenticated attacker to execute arbitrary code on the system, caused by a heap out-of-bounds write flaw due to miscalculation of space required for quoting. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 7.5
  • CVE-2020-25647: GNU GRUB2 could allow a physical authenticated attacker to execute arbitrary code on the system, caused by an out-of-bound write flaw in the grub_usb_device_initialize function. By using a specially-crafted USB device, an attacker could exploit this vulnerability to execute arbitrary code and bypass Secure Boot protections. CVSS Base score: 6.9
  • CVE-2021-3418: GNU GRUB2 could allow a local authenticated attacker to bypass security restrictions, caused by improper validation of kernel signature when booted directly without shim. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass secure boot to boot any kernel. CVSS Base score: 7.5
  • CVE-2020-27749: GNU GRUB2 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the grub_parser_split_cmdline function. By sending a specially-crafted request, a local authenticated attacker could overflow a buffer and execute arbitrary code and bypass Secure Boot protections. CVSS Base score: 7.5
  • CVE-2020-14372: GNU GRUB2 could allow a local authenticated attacker to execute arbitrary code on the system, caused by improper input validation by the acpi command. By using specially-crafted ACPI tables, an attacker could exploit this vulnerability to load unsigned kernel modules and perform an unsigned kexec on the system. CVSS Base score: 7.5
  • CVE-2020-27779: GNU GRUB2 could allow a local authenticated attacker to bypass security restrictions, caused by the failure to honor Secure Boot locking in the cutmem command. By sending a specially-crafted request, an attacker could exploit this vulnerability to remove address ranges from memory and bypass Secure Boot protections. CVSS Base score: 7.5
26 July 2021
SECURITY BULLETIN CVE-2020-8908
CVE-2020-11987
CVE-2020-13956
CVE-2020-13954
CVE-2015-9251
CVE-2019-11358
CVE-2020-11022
CVE-2020-11023
CVE-2021-28657
IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES CLOSED Resolved in
QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

Affected versions
  • IBM QRadar SIEM 7.4.0 to 7.4.3 GA
  • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 8
Issue
  • CVE-2020-8908: Guava could allow a local attacker to obtain sensitive information or bypass security restrictions, caused by a temp directory creation vulnerability in com.google.common.io.Files.createTempDir(): on Unix-like systems the directory is created with permissions that let other local users access it. CVSS Base score: 5.4
  • CVE-2020-11987: Apache XML Graphics Batik is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to conduct an SSRF attack and cause the underlying server to make arbitrary GET requests. CVSS Base score: 5.3
  • CVE-2020-13956: Apache HttpClient could allow a remote attacker to bypass security restrictions, caused by the improper handling of malformed authority component in request URIs. By passing request URIs to the library as java.net.URI object, an attacker could exploit this vulnerability to pick the wrong target host for request execution. CVSS Base score: 5.3
  • CVE-2020-13954: Apache CXF is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the services listing page. A remote attacker could exploit this vulnerability using the styleSheetPath in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1
  • CVE-2015-9251: jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1
  • CVE-2019-11358: jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1
  • CVE-2020-11022: jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery.htmlPrefilter method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1
  • CVE-2020-11023: jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the option elements. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1
  • CVE-2021-28657: jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1
23 July 2021
SECURITY BULLETIN CVE-2021-27807
CVE-2021-27906
APACHE PDFBOX AS USED BY IBM QRADAR INCIDENT FORENSICS IS VULNERABLE TO DENIAL OF SERVICE CLOSED Resolved in
QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

Affected versions
  • IBM QRadar SIEM 7.4.0 to 7.4.3 GA
  • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 8
Issue
  • CVE-2021-27807: Apache PDFBox is vulnerable to a denial of service, caused by an infinite loop flaw. By persuading a victim to open a specially-crafted .PDF file, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.5
  • CVE-2021-27906: Apache PDFBox is vulnerable to a denial of service, caused by an OutOfMemory-Exception flaw. By persuading a victim to open a specially-crafted .PDF file, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.5
23 July 2021
SECURITY BULLETIN CVE-2020-4980 IBM QRADAR SIEM USES LESS SECURE METHODS FOR SECURING DATA AT REST AND IN TRANSIT BETWEEN HOSTS CLOSED Resolved in
QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

Affected versions
  • IBM QRadar SIEM 7.4.0 to 7.4.3 GA
  • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 7
Issue
CVE-2020-4980: IBM QRadar SIEM uses less secure methods for protecting data at rest, and for protecting data in transit between hosts when Encrypt Host Connections is not enabled. CVSS Base score: 5.3
15 July 2021
SECURITY BULLETIN CVE-2020-36282 JMS CLIENT FOR RABBITMQ AS USED BY THE IBM QRADAR RABBITMQ PROTOCOL IS VULNERABLE TO ARBITRARY CODE EXECUTION CLOSED Resolved in
Resolved in the 11 July 2021 QRadar weekly auto update. Administrators who manually update RPM files might be required to install the following files from IBM Fix Central:
PROTOCOL-RabbitMQ-7.3-20210505121416.noarch.rpm
PROTOCOL-RabbitMQ-7.4-20210505121348.noarch.rpm

Affected versions
  • All RabbitMQ Protocol versions before 7.3.0-QRADAR-PROTOCOL-RabbitMQ-7.3-20210505121416.noarch.rpm
  • All RabbitMQ Protocol versions before 7.4.0-QRADAR-PROTOCOL-RabbitMQ-7.4-20210505121348.noarch.rpm
Issue
CVE-2020-36282: JMS Client for RabbitMQ could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By sending a specially-crafted StreamMessage data, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8
18 July 2021
SECURITY BULLETIN CVE-2021-20396 IBM SECURITY QRADAR ANALYST WORKFLOW APP FOR IBM QRADAR SIEM IS VULNERABLE TO CACHEABLE SSL PAGES CLOSED Resolved in
IBM Security QRadar Analyst Workflow V1.18.1

Affected versions
IBM Security QRadar Analyst Workflow App V1.0 to V1.18.0

Issue
CVE-2021-20396: IBM QRadar allows web pages to be stored locally which can be read by another user on the system. CVSS Base score: 4
10 June 2021
SECURITY BULLETIN CVE-2021-20380 IBM QRADAR ADVISOR WITH WATSON APP FOR IBM QRADAR SIEM IS VULNERABLE TO INFORMATION EXPOSURE CLOSED Resolved in
IBM QRadar Advisor with Watson App V2.6.1

Affected versions
IBM QRadar Advisor with Watson App V1.1 to V2.5

Issue
CVE-2021-20380: IBM QRadar could allow a remote user to obtain sensitive information from HTTP requests that could aid in further attacks against the system. CVSS Base score: 5.3
02 June 2021
SECURITY BULLETIN CVE-2021-20429 USER BEHAVIOR ANALYTICS APPLICATION ADD ON TO IBM QRADAR SIEM IS VULNERABLE TO OVERLY PERMISSIVE CORS POLICY CLOSED Resolved in
QRadar User Behavior Analytics V4.1.1 or later

Affected versions
QRadar User Behavior Analytics V1.0.0 to V4.1.0

Issue
CVE-2021-20429: IBM QRadar User Behavior Analytics could disclose sensitive information due to an overly permissive cross-domain policy. CVSS Base score: 3.7
13 May 2021
SECURITY BULLETIN CVE-2021-20392 USER BEHAVIOR ANALYTICS APPLICATION ADD ON TO IBM QRADAR SIEM IS VULNERABLE TO CROSS-SITE SCRIPTING CLOSED Resolved in
QRadar User Behavior Analytics V4.1.0 or later

Affected versions
QRadar User Behavior Analytics V1.0.0 to V4.0.1

Issue
CVE-2021-20392: IBM QRadar User Behavior Analytics is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. CVSS Base score: 6.1
13 May 2021
SECURITY BULLETIN CVE-2021-20393 USER BEHAVIOR ANALYTICS APPLICATION ADD ON TO IBM QRADAR SIEM IS VULNERABLE TO INFORMATION EXPOSURE CLOSED Resolved in
QRadar User Behavior Analytics V4.1.1 or later

Affected versions
QRadar User Behavior Analytics V1.0.0 to V4.1.0

Issue
CVE-2021-20393: IBM QRadar User Behavior Analytics could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. CVSS Base score: 5.3
13 May 2021
SECURITY BULLETIN CVE-2021-20391 USER BEHAVIOR ANALYTICS APPLICATION ADD ON TO IBM QRADAR SIEM IS VULNERABLE TO CACHEABLE SSL PAGES CLOSED Resolved in
QRadar User Behavior Analytics V4.1.1 or later

Affected versions
QRadar User Behavior Analytics V1.0.0 to V4.1.0

Issue
CVE-2021-20391: IBM QRadar User Behavior Analytics allows web pages to be stored locally which can be read by another user on the system. CVSS Base score: 4
13 May 2021
HIGH AVAILABILITY (HA) IJ32545 HIGH AVAILABILITY (HA) JOIN PROCESS FAILS WHEN SECONDARY APPLIANCE IS MISSING THE /ROOT/.SSH DIRECTORY CLOSED Workaround
  1. Create the missing .ssh folder on the HA Secondary:
    mkdir /root/.ssh
  2. Perform the HA join process steps again.
This issue is closed as a permanent restriction. At this time, there is no plan for this item, but it will be revisited if further customer issues are raised.

Issue
In instances where a High Availability (HA) Secondary host does not have a /root/.ssh directory, the HA pair creation process fails with a message stating that there is a problem with the SSH keys and asking to check the provided password.

Messages similar to the following might be visible in /var/log/setup-XXX/qradar_hasetup.log when this issue occurs:
/opt/qradar/ha/bin/ha_setup.sh: line 3257:
/root/.ssh/authorized_keys: No such file or directory
12 August 2021
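The workaround is a single mkdir, but the join then appends to /root/.ssh/authorized_keys and sshd on the secondary has to accept that file, so a pre-flight check before the join should cover the directory's existence and its permissions (sshd with StrictModes refuses keys under a group- or world-writable .ssh directory or authorized_keys file). The Python below is an added example for this page, not part of ha_setup.sh; the home directory is a parameter so the same check can be exercised on a throwaway directory, which is what demo_on_temp_home does.

```python
"""Pre-flight check for an HA secondary before the HA join: /root/.ssh must
exist and be usable by sshd (added example for APAR IJ32545; not part of
QRadar's ha_setup.sh)."""
import os
import stat
from pathlib import Path
from typing import Dict, List

_WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def check_ssh_dir(home: Path) -> List[str]:
    """Return a list of findings; an empty list means the key copy done by the
    HA join can proceed and sshd will accept the resulting authorized_keys."""
    findings: List[str] = []
    ssh_dir = home / ".ssh"
    if not ssh_dir.is_dir():
        return [f"{ssh_dir} is missing (ha_setup.sh cannot write authorized_keys)"]
    mode = stat.S_IMODE(ssh_dir.stat().st_mode)
    if mode & _WRITABLE_BY_OTHERS:
        findings.append(f"{ssh_dir} is group/world writable ({oct(mode)}); "
                        "sshd StrictModes rejects keys under it")
    auth = ssh_dir / "authorized_keys"
    if auth.exists():
        amode = stat.S_IMODE(auth.stat().st_mode)
        if amode & _WRITABLE_BY_OTHERS:
            findings.append(f"{auth} is group/world writable ({oct(amode)})")
    return findings


def prepare_ssh_dir(home: Path) -> List[str]:
    """Create the directory the APAR workaround asks for (0700) and an empty
    0600 authorized_keys, then return the re-run check's findings."""
    ssh_dir = home / ".ssh"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # mkdir honours umask, so force the mode
    auth = ssh_dir / "authorized_keys"
    if not auth.exists():
        auth.touch(mode=0o600)
    os.chmod(auth, 0o600)
    return check_ssh_dir(home)


def demo_on_temp_home() -> Dict[str, List[str]]:
    """Exercise the check on a throwaway home directory: missing .ssh, then
    prepared, then deliberately loosened to group-writable."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        home = Path(d)
        before = check_ssh_dir(home)
        after = prepare_ssh_dir(home)
        os.chmod(home / ".ssh", 0o775)
        loosened = check_ssh_dir(home)
    return {"before": before, "after": after, "loosened": loosened}


if __name__ == "__main__":
    # On the HA secondary itself, run as root before starting the join.
    for finding in check_ssh_dir(Path("/root")) or ["/root/.ssh looks usable"]:
        print(finding)
```

Run the module as root on the secondary before the join; prepare_ssh_dir(Path("/root")) applies the workaround with sane modes, after which the HA join steps are repeated as the workaround says.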
UPGRADE IJ33138 QRADAR UPGRADE PRETEST CAN FAIL ON THE RAMCHECK DUE TO KB VALUE BEING RETURNED CLOSED Workaround
Contact Support for a possible workaround that might address this issue in some instances. This issue is closed as a permanent restriction. At this time, there is no plan for this item, but it will be revisited if further customer issues are raised.

Issue
The QRadar upgrade pretest can fail on the ramcheck when the memory size reported by dmidecode -t 17 is returned in KB, because the patch pretest expects an MB or GB value.

This behavior has been seen when run on Hyper-V environments. Messages similar to the following might be visible when this issue occurs:
Traceback (most recent call last):
  File "/media/updates/pretests/ramcheck.py", line 181, in <module>
    system_ram = getSystemMemory()
  File "/media/updates/pretests/ramcheck.py", line 24, in getSystemMemory
    raise Exception('Unrecognizable size unit: {0}'.format(units))
Exception: Unrecognizable size unit: KB
[ERROR](-i-testmode) Patch pretest 'Minimum RAM Check' failed. (ramcheck.py)
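The failure above is a unit-handling gap: a size parser that only knows MB and GB raises on the KB form that some hypervisors report. The following is an added example, not QRadar's ramcheck.py, showing how such a check can normalise every unit dmidecode emits before comparing against a minimum. The sample dmidecode output is constructed for the example (dmidecode prints "kB" in lower case; the unit is upper-cased before lookup, which is why the APAR's message shows "KB"), and the function names are the example's own.

```python
"""Parse the "Size:" lines of `dmidecode -t 17` output and total installed RAM.

Added example for the ramcheck failure described above; it is not QRadar's
own pretest code. The legacy unit table reproduces the MB/GB-only behaviour
that raises on a KB value, the default table accepts KB as well.
"""
import re

# Constructed sample output, not captured from a real appliance: two populated
# slots (one reported in kB, as seen on Hyper-V) and one empty slot.
SAMPLE_DMIDECODE = """\
Memory Device
\tSize: 16777216 kB
\tLocator: DIMM 0
Memory Device
\tSize: 16 GB
\tLocator: DIMM 1
Memory Device
\tSize: No Module Installed
\tLocator: DIMM 2
"""

# Conversion factors to MB. Every unit dmidecode can print for a memory device.
UNIT_TO_MB = {"KB": 1 / 1024, "MB": 1.0, "GB": 1024.0, "TB": 1024.0 * 1024}

# What a pretest that only understands MB and GB would accept.
LEGACY_UNITS = {"MB": 1.0, "GB": 1024.0}

# "Size: <digits> <unit>"; "Size: No Module Installed" has no digits and is skipped.
SIZE_RE = re.compile(r"^\s*Size:\s*(\d+)\s*([A-Za-z]+)\s*$", re.MULTILINE)


def memory_device_sizes_mb(dmidecode_output, known_units=UNIT_TO_MB):
    """Return the size in MB of each populated memory device.

    Raises ValueError for a unit missing from known_units, which is the
    failure mode the APAR reports when only MB and GB are recognised.
    """
    sizes = []
    for value, unit in SIZE_RE.findall(dmidecode_output):
        unit = unit.upper()  # dmidecode prints "kB"; normalise before lookup
        if unit not in known_units:
            raise ValueError("Unrecognizable size unit: {0}".format(unit))
        sizes.append(int(value) * known_units[unit])
    return sizes


def total_ram_mb(dmidecode_output, known_units=UNIT_TO_MB):
    """Sum the populated memory devices, in MB."""
    return sum(memory_device_sizes_mb(dmidecode_output, known_units))


def minimum_ram_check(dmidecode_output, minimum_mb, known_units=UNIT_TO_MB):
    """True when the reported RAM meets the minimum, regardless of unit."""
    return total_ram_mb(dmidecode_output, known_units) >= minimum_mb


if __name__ == "__main__":
    print("total MB:", total_ram_mb(SAMPLE_DMIDECODE))
    print("meets 24 GB minimum:", minimum_ram_check(SAMPLE_DMIDECODE, 24 * 1024))
    try:
        total_ram_mb(SAMPLE_DMIDECODE, LEGACY_UNITS)
    except ValueError as err:
        print("legacy parser:", err)
```

On a real appliance the output would come from running dmidecode -t 17 and feeding its stdout to total_ram_mb; the sample here stands in for that so the block runs offline.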
12 August 2021
LOG SOURCE MANAGEMENT APP IJ29050 QRADAR NON-ADMIN USER CANNOT VIEW SOME LOG SOURCE GROUPS USING THE LOG SOURCE MANAGEMENT APP CLOSED Resolved in
Log Source Management app v7.0.2 when installed on QRadar 7.3.3 Fix Pack 9, 7.4.2 Fix Pack 3, or 7.4.3 Fix Pack 1.

Workaround
Create a top level Log Source group for use with Security Profile assignment.

Issue
A QRadar non-admin user cannot view Log Source groups in the Log Source Management App when the Security Profile is set to a nested Log Source group. For example,
  1. Have some Log Source Groups with Log Sources as the following:
     Group A --> top level
       Group AB
         Group ABC
  2. Have Security Profiles and users who have permission to see one of those log source groups:
      userALL with a Security Profile set to all log source groups.
      userA with a Security Profile assigned to group "A"
      userAB with a Security Profile assigned to group "A.AB"
      userABC with a Security Profile assigned to group "A.AB.ABC"
  3. Deploy, log in as new users, navigate to Log Source Management App.
      userA and userALL can view groups correctly.
      userAB and userABC cannot see any groups when clicking "+Add Group".
12 August 2021
RULES IJ18492 /VAR/LOG PARTITION CAN FILL WITH EXCEPTION THROWN WHEN USING 'CHAINED EXPLOIT FOLLOWED BY SUSPICIOUS EVENTS' RULE TEST CLOSED Resolved in
QRadar 7.4.3 (7.4.3.20210517144015)
QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

Workaround
No workaround available.

Issue
It has been identified that an exception is thrown during the test of the Custom Rule Engine rule "Chained Exploit Followed by Suspicious Events". As events are tested against rules, the following exception is thrown for every test and can quickly fill up the /var/log partition.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ep.ecs-ep] [CRE Processor [4]] com.q1labs.semsources.cre.CustomRule: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception in rule 100106 - Chained Exploit Followed by Suspicious Events: Entry.next=null, data[removeIndex]={ipaddress}=package com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@a57ddb4a previous={ipaddress}=package com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@a57ddb4a key={ipaddress}value=package com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@af135446 size=25000 maxSize=25000 Please check that your keys are immutable, and that you have used synchronization properly. If so, then please report this to commons-dev@jakarta.apache.org as a bug.
[ecs-ep.ecs-ep] [CRE Processor [4]] java.lang.IllegalStateException: Entry.next=null, data[removeIndex]={ipaddress}=package com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@a57ddb4a previous={ipaddress}=package com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@a57ddb4a key={ipaddress} value=package com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@af135446 size=25000 maxSize=25000 Please check that your keys are immutable, and that you have used synchronization properly. If so, then please report this to commons-dev@jakarta.apache.org as a bug.
[ecs-ep.ecs-ep] [CRE Processor [4]] at org.apache.commons.collections.map.LRUMap.reuseMapping(LRUMap.java:301)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.frameworks.cache.LFUMap.reuseMapping(LFUMap.java:263)
[ecs-ep.ecs-ep] [CRE Processor [4]] at org.apache.commons.collections.map.LRUMap.addMapping(LRUMap.java:267)
[ecs-ep.ecs-ep] [CRE Processor [4]] at org.apache.commons.collections.map.AbstractHashedMap.put(AbstractHashedMap.java:284)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.frameworks.cache.LFUMap.put(LFUMap.java:226)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.tests.DoubleSequenceFunction_Test.test(DoubleSequenceFunction_Test.java:237)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.tests.CREStatefulEventTest.test(CREStatefulEventTest.java:81)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.gen.TestExecutor_1_0.test(TestExecutor_1_0.java)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:519)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:476)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.testRule(CustomRuleSetExecutor.java:342)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.test(CustomRuleSetExecutor.java:210)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEventInPropertyMode(LocalRuleExecutor.java:229)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEvent(LocalRuleExecutor.java:158)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.CREEventProcessor.processEvent(CustomRuleEngine.java:521)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.CREEventProcessor.run(CustomRuleEngine.java:464)
12 August 2021
RULES IJ33794 MATCH COUNT RULES DO NOT GENERATE AN OFFENSE RENAMING EVENT AFTER IT IS CLOSED IF IT IS RE-TRIGGERED CLOSED Resolved in
QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

Workaround
No workaround available. Administrators who experience offense renaming event generation issues can upgrade to a version where this issue is resolved.

Issue
Match count rules that have a response configured to send an Offense renaming event should trigger that response again if the Offense associated with the rule is closed while the rule is still triggering, but they do not.
06 August 2021
AUTO UPDATE IJ33892 AUTO UPDATE FOR 20 JULY 2021 CAN ROUTE EVENTS TO STORAGE AFTER A DSM COMMON RPM UPDATE CLOSED Resolved in
This fix is available in the weekly auto update for 22 July 2021 (Build 1626984260) and in the following RPM on IBM Fix Central: DSM-DSMCommon-7.4-20210721162935.noarch.rpm. Administrators can run a QRadar auto update to resolve the issue described in the flash notice: Flash Notice for IJ33892.

Workaround
Administrators who experienced the issue described in IJ33892 received the updated DSM Common (codegen JAR) automatically from QRadar Auto Updates on 22 July 2021 as described in the Overview article for IJ33892.

Issue
The QRadar auto update released on 20 July 2021 introduced a problem where the Traffic Analysis service that auto discovers and creates log sources no longer works as expected because of a class loading issue. For customers with affected log sources configured on their QRadar appliances, the event pipeline can experience an uncaught exception, which causes events to be routed directly to storage.

QRadar SIEM 7.4.x on-premise and QRadar on Cloud versions with DSMCommon-7.4-20210624145517.noarch.rpm installed from the 20 July 2021 auto update can experience this issue.

The following DSMs can cause exceptions to be generated in the logs as described in the flash notice:
  • Array Networks SSL VPN Access Gateways
  • Cisco Aironet
  • CRYPTOCard CRYPTOShield
  • Extreme HiGuard
  • Extreme XSR Security Routers
  • Fair Warning
  • HP Network Automation
  • IBM DB2
  • IBM Informix Audit
  • Juniper vGW
  • Juniper Networks AVT
  • Juniper SRC
  • McAfee Application/Change Control
  • Microsoft ISA
  • Motorola SymbolAP
  • Redback ASE
  • Sentrigo Hedgehog
  • Silver Springs Networks Smart Meter
  • Sophos Enterprise Console
  • Sophos PureMessage
  • Tropos Control
24 July 2021
RULES IJ23172 RULENAME (CREEVENTLIST): AQL FUNCTION IN A RULE CAN GENERATE AN UNCAUGHT EXCEPTION CAUSING RULE AND OFFENSE FAILURES CLOSED Resolved in
QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

Workaround
Disable the rule or remove the RULENAME(creeventlist) AQL function from the rule.

Issue
Having the RULENAME(creeventlist) AQL function in a rule condition causes a custom rule read failure that generates an uncaught exception. When this issue occurs, rules fail to fire and offenses fail to be created.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ep.ecs-ep] [Thread-75] com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception was uncaught in thread: Thread-75
[ecs-ep.ecs-ep] [Thread-75] java.lang.ExceptionInInitializerError
[ecs-ep.ecs-ep] [Thread-75] at java.lang.J9VMInternals.ensureError(J9VMInternals.java:146)
[ecs-ep.ecs-ep] [Thread-75] at java.lang.J9VMInternals.recordInitializationFailure(J9VMInternals.java:135)
[ecs-ep.ecs-ep] [Thread-75] at com.q1labs.ariel.searches.subquery.CursorPredicate.initialize(DistinctScalarTransformer.java:57)
[ecs-ep.ecs-ep] [Thread-75] at com.q1labs.frameworks.util.Utils.initialize(Utils.java:458)
[ecs-ep.ecs-ep] [Thread-75] at com.q1labs.ariel.IndexPredicate.initialize(IndexPredicate.java:234)
[ecs-ep.ecs-ep] [Thread-75] at com.q1labs.frameworks.util.Utils.initialize(Utils.java:458)
[ecs-ep.ecs-ep] [Thread-75] at com.q1labs.semsources.cre.tests.AQL_Test.setParms(AQL_Test.java:73)
[ecs-ep.ecs-ep] [Thread-75] at com.q1labs.semsources.cre.tests.CREEventTest.init(CREEventTest.java:121)
[ecs-ep.ecs-ep] [Thread-75] at com.q1labs.semsources.cre.CustomRule.<init>(CustomRule.java:178)
[ecs-ep.ecs-ep] [Thread-75] at com.q1labs.semsources.cre.CustomRuleReader.preProcessNewRules(CustomRuleReader.java:742)
[ecs-ep.ecs-ep] [Thread-75] at com.q1labs.semsources.cre.CustomRuleReader.readRules(CustomRuleReader.java:332)
[ecs-ep.ecs-ep] [Thread-75] at com.q1labs.semsources.cre.CustomRuleReader.run(CustomRuleReader.java:217)
[ecs-ep.ecs-ep] [Thread-75] Caused by: 
[ecs-ep.ecs-ep] [Thread-75] java.lang.IllegalStateException: AccessManager instance is allowed only in the application ariel
12 July 2021
UPGRADE IJ25316 QRADAR PATCHING CAN FAIL DUE TO A LARGE NUMBER OF SESSION SCOPE FILES CLOSED Resolved in
QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

Workaround
Before commencing a QRadar patch, run the following command on each QRadar appliance to determine whether a very large number (> 1000) of session scope files exist:
find /run/systemd/system/ -name "session-*.scope" | wc -l

Issue
QRadar patches can fail when a very large number of session scope files exist. On appliances with greater than 1000 session scope files, an appliance reboot is recommended to clear the session files prior to commencing the QRadar patching process.
12 July 2021
OFFENSES IJ27803 'APPLICATION ERROR' CAN OCCUR WHEN SEARCHING MULTIPLE IP ADDRESSES IN "BY SOURCE/DESTINATION IP" IN OFFENSES CLOSED Resolved in
QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

Workaround
Return to the search and ensure that comma-separated lists contain no spaces when you enter them into the UI: 1.1.1.1,2.2.2.2,127.0.0.1

Issue
Under Offenses > New Search > By Source/Destination IP, an "Application Error" can occur when searching multiple IP addresses if the listed addresses have leading or trailing spaces. To replicate this issue:
  1. Go to Offenses > New Search > By Source/Destination IP and enter a comma-separated list that contains spaces, such as 1.1.1.1, 2.2.2.2, 127.0.0.1
  2. Perform the search.

    Result
    'Application Error' is displayed in the User Interface.
12 July 2021
NETWORK IJ28218 DNS VALUES MISSING FROM RESOLVE.CONF AND MYVER ON LENOVO M5 AND M6 QRADAR APPLIANCE INSTALLATIONS REOPENED Workaround
This issue was reopened on 18 July 2021 as it was mistakenly closed. No workaround available. APARs identified with no workaround might require a software delivery to resolve. This reported issue will be considered for a future release.

Issue
During QRadar installations on Lenovo M5 and M6 appliances, DNS values are not set in the /opt/qradar/bin/myver and /etc/resolve.conf.

This causes name resolution issues that are required for proper QRadar functionality.
18 July 2021
NETWORK IJ28643 LARGE AMOUNT OF REVERSE DNS LOOKUPS CAN BE GENERATED FROM QRADAR DUE TO MISSING CONFIGURATION WHEN NO IPV6 NETWORK CONFIG CLOSED Resolved in
QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

Workaround
  1. Add the following line to /etc/hosts and /etc/hosts.default:
    ::1 localhost ip6-localhost ip6-loopback
  2. Save the changes.

Issue
A large amount of reverse DNS lookups can sometimes be observed and traced to QRadar as the originator. This behavior can occur when the QRadar appliance install is performed (or when a qchange_netsetup is performed) and the appliance is not configured with IPv6 settings. In these instances, the configuration entry "::1" for localhost is removed from /etc/hosts.default.
24 July 2021
QRADAR VULNERABILITY MANAGER IJ29156 "QVM PROCESSOR ALREADY EXISTS ON DEPLOYMENT..." WHEN ADDING A QVM PROCESSOR APPLIANCE. CLOSED Resolved in
QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

Workaround
Disable the QVM processor (de-select Enable Processor) and deploy the changes. This removes the processor and all QVM scanners from the deployment. Add the QVM processor appliance and all scanners that were removed, and deploy the changes. For more information on moving a QVM processor while performing steps to remove it first, see Moving your vulnerability processor to a managed host or console.

Note
This workaround assumes that a valid QVM license is applied. The workaround does not apply if no QVM license is applied.

Issue
When attempting to add a QVM processor appliance, a message similar to "QVM Processor already exists on deployment. If you wish to continue, remove the existing processor first." is displayed.

[hostcontext.hostcontext][9d70a275-690d-4c5d-9b22-1044832065ab/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]QVM Processor already exists on deployment. If you wish to continue, remove the existing processor first. The IP of the host is: x.x.x.x.
[tomcat.tomcat] [Thread-164313] com.q1labs.configservices.capabilities.CapabilitiesHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Removing host x.x.x.x from the deployment model, if present, due to add_host failure.
[tomcat.tomcat] [Thread-164313] com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]unable to add managed host: QVM Processor already exists on deployment. If you wish to continue, remove the existing processor first.
[tomcat.tomcat] [Thread-164313] com.q1labs.restapi_annotations.content.exceptions.endpointExceptions.ServerProcessingException: QVM Processor already exists on deployment. If you wish to continue, remove the existing processor first.
[tomcat.tomcat] [Thread-164313] at com.ibm.si.configservices.api.impl.DeploymentAPIImpl.addManagedHost(DeploymentAPIImpl.java:924)
[tomcat.tomcat] [Thread-164313] at com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI$AddHostThread.run(DeploymentAPI.java:1003)
[tomcat.tomcat] [Thread-164313] com.q1labs.configservices.common.ConfigServicesException: QVM Processor already exists on deployment. If you wish to continue, remove the existing processor first.
[tomcat.tomcat] [Thread-164313] at com.ibm.si.configservices.api.impl.DeploymentAPIImpl.addManagedHost(DeploymentAPIImpl.java:893)
12 July 2021
NETWORK IJ29164 RENAMING A NETWORK CAN BREAK RELATED RULES, SEARCHES, AND REPORTS CLOSED Resolved in
QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

Workaround
Manually change the network name where it is not updated automatically by QRadar (Rules, Searches, Reports).

Issue
After renaming a network, the network name change is not reflected in all the areas of QRadar where that network name is used.

The network renaming change is reflected in the Offenses tab but not within rules, searches, and reports.

For example:
  1. Have a rule/search/report that uses a network.
  2. Rename the network name.
  3. Deploy changes.

    Results
    Rules, searches, or reports continue to refer to the old name. If an Offense is generated from that rule, it reflects the network name change.

    Note
    The name change is also reflected in the search filters.
12 July 2021
ADVANCED SEARCH (AQL) IJ29293 USING "INOFFENSE()" WITHIN AN ADVANCED SEARCH (AQL) CAN BE SLOWER TO COMPLETE THAN EXPECTED CLOSED Resolved in
QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)

Workaround
No workaround available; you must upgrade to a QRadar version where this issue is resolved.

Issue
Using the option "inOffense(n)" in an Advanced Search (AQL) query where offense "n" contains a large number of events causes the query to complete more slowly than expected.

This can also affect any QRadar Apps that use the same backend functionality to produce data/search results.
12 July 2021
DISK SPACE IJ30017 DISKSPACE SENTINEL MONITORS DOCKER PARTITIONS AND CAN GENERATE DISK SENTRY NOTIFICATION MESSAGES CLOSED Resolved in
QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

Workaround
If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue in some instances.

Issue
The QRadar Disk Space sentinel monitors docker partitions and can therefore generate an error similar to the following: "Disk Sentry has detected that one or more storage partitions are not accessible."

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[hostcontext.hostcontext] [Thread-4076] com.q1labs.hostcontext.ds.DiskSpaceSentinel: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error testing availability of partition /store/docker-data/engine/VMware-42-26-/containers/{containerid}/mounts/shm, assuming NOT available
[hostcontext.hostcontext] [Thread-4076] java.io.IOException: No such file or directory
[hostcontext.hostcontext] [Thread-4076] at java.io.UnixFileSystem.createFileExclusively(Native Method)
[hostcontext.hostcontext] [Thread-4076] at java.io.File.createTempFile(File.java:2035)
[hostcontext.hostcontext] [Thread-4076] at com.q1labs.hostcontext.ds.PartitionTester$PartitionTesterThread.run(PartitionTester.java:180)
12 July 2021
UPGRADE IJ30039 QRADAR PATCHING TO 7.4.1 FP2 CAN FAIL AT HOSTNAME VALIDATION CLOSED Resolved in
QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

Workaround
No workaround available; you must upgrade to a QRadar version where this issue is resolved.

Issue
The QRadar patching process to 7.4.1 FP 2 can fail because of hostname naming validation. If the primary is named hostname-primary.domainname when a High Availability (HA) setup is built, the hostnames after HA is added are:
  • hostname-primary-primary.domain
  • hostname-primary-secondary.domain
When attempting to patch to 7.4.1 FP2, it fails as the hostname validation is incorrect.
12 July 2021
PERFORMANCE IJ30512 EVENT COLLECTOR SECONDARIES AND EVENT COLLECTOR SOFTWARE APPLIANCES CAN EXPERIENCE DEGRADED PERFORMANCE CLOSED Resolved in
QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

Workaround
If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround if degraded performance is experienced on Event Collector Secondary (High Availability) appliances or Event Collector software appliances.

Issue
Event Collector Secondary appliances and Event Collector software appliances can experience degraded performance compared to Primary or standalone Event Collector appliances of the same hardware specification, because a setting from the apply_appliance_tuning.pl script is not properly applied on them.
12 July 2021
QRADAR NETWORK INSIGHTS IJ30678 MP4PARSER WITHIN QRADAR NETWORK INSIGHTS CAN CAUSE THE /STORE/FORENSICS/TMP DIRECTORY TO FILL AND STOP SERVICES CLOSED Resolved in
QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

Workaround
No workaround available; you must upgrade to a QRadar version where this issue is resolved.

Issue
When using QRadar Network Insights, the MP4parser can cause /store/forensics/tmp to fill up, and services stop as a result.
12 July 2021
RULES IJ30912 RULES CAN SOMETIMES FAIL TO RENAME OFFENSES AS EXPECTED, USING INSTEAD THE LOW LEVEL CATEGORY OF THE CONTRIBUTING EVENT CLOSED Resolved in
QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

Workaround
No workaround available; you must upgrade to a QRadar version where this issue is resolved.

Issue
In some instances where an Offense is closed, the rules that generate a subsequent Offense can fail to rename the Offense as expected, and the Offense is created again with a different name that usually corresponds to the Low Level Category (LLC) of the contributing event.

For example:
  1. Have a custom rule:
    - and when an event matches any of the following BB:DeviceDefinition: IDS / IPS
    - and when the event category for the event is one of the following Exploit.Misc Exploit
    - and NOT when the event QID is one of the following (5771846) Shell_Command_Injection
    - and NOT when the destination port is one of the following 445
    - and when at least 3 events are seen with the same Source IP
    - and different Event Name in 30 minutes

    Rule Action:
    Ensure the detected event is part of an offense

    Rule Response:
    Ensure the dispatched event is part of an offense

    Offense Naming:
    This information should contribute to the name of the associated offense(s)
  2. Have events that match the rule, checking that the Offense and a Custom Rule Engine (CRE) event were generated and that the Offense was renamed correctly as configured above.
  3. Close the Offense within 30 minutes.
  4. Have events that match the rule again.

    Expected Result: Another Offense is generated with CRE event and named correctly.
    Actual Result: No CRE event was dispatched, and as a result the new Offense is named by LLC
12 July 2021
FLOWS IJ33287 ICMPV6 FLOW TRAFFIC DATA FROM QNI FAILS TO BE DISPLAYED AFTER PATCHING TO QRADAR 7.4.3 GA CLOSED Resolved in
QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)

Workaround
No workaround available; you must upgrade to a QRadar version where this issue is resolved.

Issue
ICMPv6 flow data from QRadar Network Insights fails to be displayed in QRadar searches after patching to QRadar 7.4.3 GA. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ariel_proxy.ariel_proxy_server] [aqw_local_7:5ab5ee0a-e9e2-44bb-a0e6-856584e630f2] com.q1labs.ariel.searches.tasks.ArielQueryTaskBase: [ERROR][NOT:0000003000][127.0.0.1/- -] [-/- -]Exception processing file:/store/ariel/flows/records/2021/3/5/13/flows~18_0~d3e271fa8ea44f9~bfeaa0b4316aba3c~0,skipped... executing query:Id:5ab5ee0a-e9e2-44bb-a0e6-856584e630f2, DB:
12 July 2021
MANAGED HOSTS IJ33703 ENCRYPTED TUNNEL BETWEEN MANAGED HOSTS CAN FAIL TO START AFTER PATCHING TO QRADAR 7.4.3 FP1 OR NEWER OPEN Note
This APAR has been identified as a known issue in QRadar 7.4.3 Fix Pack 1.

Workaround
Run the following command from an SSH session to the QRadar Console after the host(s) is added to the deployment:
/opt/qradar/bin/deploy_known_hosts.sh


Issue
An encrypted tunnel between two Managed Hosts that were installed at an earlier build and then patched independently to QRadar 7.4.3 Fix Pack 1 or newer can fail to start. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
hostname-primary.fqdn ssh[31216]: debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
hostname-primary.fqdn ssh[31216]: debug1: Server host key: ecdsa-sha2-nistp256 SHA256:9bmfZQ2qbj5zYrT3Fo5K04gKOevEic4S36baS1x4i6o
hostname-primary.fqdn ssh[31216]: No ECDSA host key is known for (ipaddress) and you have requested strict checking.
hostname-primary.fqdn ssh[31216]: Host key verification failed.
hostname-primary.fqdn systemd[1]: managed-tunnel@1734707364450525150.service: main process exited, code=exited, status=255/n/a
hostname-primary.fqdn systemd[1]: Unit managed-tunnel@1734707364450525150.service entered failed state.
hostname-primary.fqdn systemd[1]: managed-tunnel@1734707364450525150.service failed.
10 July 2021
CONTENT MANAGEMENT TOOL (CMT) IJ32874 CONTENT MANAGEMENT TOOL IMPORT CAN CHANGE SOME PROPERTIES CAUSING SAVED SEARCHES TO FAIL OPEN Workaround
Manually update the search and pass the property through a type conversion function. In this example, replace sum("BytesSent") with sum(DOUBLE("BytesSent")):

Before
SELECT sum("BytesSent") / 1073741824 As "Bytes Sent(GB)" FROM events

After
SELECT sum(DOUBLE("BytesSent")) / 1073741824 As "Bytes Sent(GB)" FROM events


Issue
When the Content Management Tool (CMT) imports a property with a "bad" name it adds a "facade" property with that name instead and points the AQL expression to a property with a "good" name.

Example AQL:
SELECT DOUBLE(sum("BytesSent")) / 1073741824 As "Bytes Sent(GB)" FROM events


Property "BytesSent" used to have a numeric property type. When CMT imports it, it is merged into a property with a good name "Bytes Sent" (property type is also numeric), but a replacement facade property "BytesSent" is added with the type string.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778] com.q1labs.ariel.ql.parser.Parser: [ERROR] [NOT:0000003000][127.0.0.1.73/- -] [-/- -]Expression "BytesSent" is not a Number
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778] com.q1labs.ariel.ql.parser.AQLParserException: Expression "BytesSent" is not a Number
tinationip,  DOUBLE(sum("BytesSent")) / 1^
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ql.parser.ParserBase.createAggregateFunctionInfo(ParserBase.java:896)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ql.parser.ParserBase.processScalarFunction(ParserBase.java:198)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ql.parser.ParserBase.processExpression(ParserBase.java:357)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ql.parser.ParserBase.processScalarFunction(ParserBase.java:206)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ql.parser.ParserBase.processExpression(ParserBase.java:357)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ql.parser.ParserBase.processExpression(ParserBase.java:323)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ql.parser.ParserBase.processArithmeticExpression(ParserBase.java:226)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ql.parser.ParserBase.processExpression(ParserBase.java:372)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ql.parser.ParserBase.processExpression(ParserBase.java:323)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ql.parser.ParserBase.processColumnContext(ParserBase.java:432)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ql.parser.ParserBase.processQueryContext(ParserBase.java:494)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ql.parser.ParserBase.createQueryParams(ParserBase.java:1435)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ql.parser.ParserBase.parseBatch(ParserBase.java:1662)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ql.parser.Parser.parseStatement(Parser.java:173)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ql.parser.Parser.executeStatement(Parser.java:68)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ConnectedClient.processStatement(ConnectedClient.java:367)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java:308)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java:136)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at java.lang.Thread.run(Thread.java:822)
27 May 2021
UPGRADE IJ33207 "SESSION MUST BE IN THE BOUNDS OF A TRANSACTION TO ACCESS JPA/JDBC RESOURCES" MESSAGES IN QRADAR LOGGING OPEN Workaround
No workaround available.

APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums.

Issue
A benign message similar to the following might be visible in /var/log/qradar.log after patching to QRadar 7.4.3:
[ecs-ec.ecs-ec] [ECS Runtime Thread] com.q1labs.frameworks.session.SessionContext: [ERROR] [NOT:0000003000][X.X.X.X/- -] [-/- -]Session must be in the bounds of a transaction to access jpa/jdbc resources. Session Id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx
[ecs-ec.ecs-ec] [ECS Runtime Thread] java.lang.IllegalStateException
[ecs-ec.ecs-ec] [ECS Runtime Thread] at com.q1labs.frameworks.session.JPASessionDelegate.checkTX(JPASessionDelegate.java:307)
[ecs-ec.ecs-ec] [ECS Runtime Thread] at com.q1labs.frameworks.session.JPASessionDelegate.checkTX(JPASessionDelegate.java:294)
[ecs-ec.ecs-ec] [ECS Runtime Thread] at com.q1labs.frameworks.session.JPASessionDelegate.find(JPASessionDelegate.java:436)
[ecs-ec.ecs-ec] [ECS Runtime Thread] at com.q1labs.frameworks.naming.NamingCacheDecorator.createPersistentObject(NamingCacheDecorator.java:95)
[ecs-ec.ecs-ec] [ECS Runtime Thread] at com.q1labs.frameworks.session.SessionContext.createPersistentObject(SessionContext.java:1504)
[ecs-ec.ecs-ec] [ECS Runtime Thread] at com.q1labs.core.dao.qidmap.DeviceExtension.get(DeviceExtension.java:42)
[ecs-ec.ecs-ec] [ECS Runtime Thread] at com.ibm.si.ec.filters.property.creation.LogSourceExtensionPropertyExclusion.addToFilter(LogSourceExtensionPropertyExclusion.java:181)
[ecs-ec.ecs-ec] [ECS Runtime Thread] at com.ibm.si.ec.filters.property.creation.LogSourceExtensionPropertyExclusion.loadLogSourceExtensionProperties(LogSourceExtensionPropertyExclusion.java:105)
[ecs-ec.ecs-ec] [ECS Runtime Thread] at com.ibm.si.ec.filters.property.creation.LogSourceExtensionPropertyExclusion.init(LogSourceExtensionPropertyExclusion.java:75)
[ecs-ec.ecs-ec] [ECS Runtime Thread] at com.ibm.si.ec.filters.property.creation.LogSourceExtensionPropertyExclusion.<init>(LogSourceExtensionPropertyExclusion.java:50)
[ecs-ec.ecs-ec] [ECS Runtime Thread] at com.ibm.si.ec.filters.property.PropertyDiscoveryEngine.<init>(PropertyDiscoveryEngine.java:72)
[ecs-ec.ecs-ec] [ECS Runtime Thread] at com.ibm.si.ec.filters.property.PropertyDiscoveryFilter.setVars(PropertyDiscoveryFilter.java:48)
[ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.installChildByName(SystemObject.java:296)
[ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.installChildByName(SystemObject.java:232)
[ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStack.createContainedFilters(FilterStack.java:71)
[ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStackManager.create(FilterStackManager.java:219)
[ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStackManager.getFilterStack(FilterStackManager.java:149)
[ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.filters.FilterBase.createDestination(FilterBase.java:179)
[ecs-ec.ecs-ec] [ECS Runtime Thread] at com.ibm.si.ec.filters.normalize.DSMFilter.setVars(DSMFilter.java:271)
[ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.installChildByName(SystemObject.java:296)
[ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.installChildByName(SystemObject.java:232)
[ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStack.createContainedFilters(FilterStack.java:71)
[ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStackManager.create(FilterStackManager.java:219)
[ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStackManager.doWork(FilterStackManager.java:90)
[ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject$DoWork.doIt(SystemObject.java:886)
[ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.doForAllMembers(SystemObject.java:864)
[ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.doWork(SystemObject.java:905)
[ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.system.RuntimeController.doWork(RuntimeController.java:227)
[ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.system.RuntimeController.run(RuntimeController.java:527)
[ecs-ec.ecs-ec] [ECS Runtime Thread] at java.lang.Thread.run(Thread.java:822)
18 June 2021
QRADAR RISK MANAGER IV98938 CLICKING THE RISKS TAB CAN GENERATE AN 'APPLICATION ERROR' IN SOME INSTANCES OF CONSOLE/QRM MANAGED HOST ENCRYPTION CLOSED Resolved in
QRadar 7.4.3 (7.4.3.20210517144015)

Workaround
Configure the firewall to allow communication between the Console and the Risk Manager appliance on ports 443 and 8082 when encryption is enabled between these appliances.

Issue
An 'Application Error' message is generated when the Risks tab is clicked in instances where encryption is used between the Console and the Risk Manager appliance and a firewall between them blocks ports 443 and 8082.

For example:
Application Error An error has occurred. Refresh your browser (press F5) 
and attempt the action again. If the problem persists, please contact 
customer support for assistance.


Messages in /var/log/qradar.log when port 443 is blocked:
[tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
com.q1labs.srmconsole.util.WSUtil$WebClientProxy: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]Error invoking method
isTopologyReloading on the appliance; full error details in
appliance log
[tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]An exception occurred
while processing the request:
[tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
com.sun.xml.ws.client.ClientTransportException: HTTP transport
error: java.net.SocketTimeoutException: connect timed out
[tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
  at com.sun.xml.ws.transport.http.client.HttpClientTransport.
  getOutput(HttpClientTransport.java:132)
[tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
  at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process
  (HttpTransportPipe.java:153)
[tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
  at com.sun.xml.ws.transport.http.client.HttpTransportPipe.
  processRequest(HttpTransportPipe.java:94)
[tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
  at com.sun.xml.ws.transport.DeferredTransportPipe.processRequest
  (DeferredTransportPipe.java:89)
[tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
  at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:598)
[tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
  at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:557)
[tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
  at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:542)
[tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
  at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:439)
[tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
  at com.sun.xml.ws.client.Stub.process(Stub.java:222)
[tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
  at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:135)
[tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
  at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler
  .java:109)
[tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
  at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
[tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
  at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118)
[tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
  at com.sun.proxy.$Proxy114.isTopologyReloading(Unknown Source)
[tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:95)
[tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
  AccessorImpl.java:56)
[tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
  at java.lang.reflect.Method.invoke(Method.java:620)
[tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
  at com.q1labs.srmconsole.util.WSUtil$WebClientProxy.invoke(WSUtil.java:68)
[tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
  at com.sun.proxy.$Proxy114.isTopologyReloading(Unknown Source)
[tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
  at com.q1labs.srmconsole.services.UINetworkTopologyServices.
  isTopologyReloading(UINetworkTopologyServices.java:165)


Messages in /var/log/qradar.log when port 8082 is blocked:
[tomcat] [admin@127.0.0.1 (4480)
/console/do/120/networkTopology] com.q1labs.simulator.device.DeviceServices: 
[ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]
Failed to query ziptie server for device list status check:
[tomcat] [admin@127.0.0.1 (4480)
/console/do/120/networkTopology] com.sun.xml.ws.client.ClientTransportException: 
HTTP transport error: java.net.ConnectException: Connection timed out
(Connection timed out)
[tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology]
  at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput
  (HttpClientTransport.java:132)
[tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology]
  at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process
  (HttpTransportPipe.java:153)
[tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology]
  at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest
  (HttpTransportPipe.java:94)
[tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology]
  at com.sun.xml.ws.transport.DeferredTransportPipe.processRequest
  (DeferredTransportPipe.java:89)
[tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology]
  at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:598)
[tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology]
  at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:557)
[tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology]
  at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:542)
[tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology]
  at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:439)
[tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology]
  at com.sun.xml.ws.client.Stub.process(Stub.java:222)
[tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology]
  at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:135)
[tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology]
  at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke
  (SyncMethodHandler.java:109)
[tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology]
  at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke
  (SyncMethodHandler.java:89)
[tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology]
  at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118)
[tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology]
  at com.sun.proxy.$Proxy110.getDevicesWithErrors(Unknown Source)
24 May 2021
DEPLOY CHANGES IJ00933 DEPLOY CHANGES RESULTS IN ERROR "THERE IS ANOTHER DEPLOYMENT CURRENTLY IN PROGRESS PLEASE TRY AGAIN LATER" CLOSED Resolved in
QRadar 7.4.3 (7.4.3.20210517144015)

Workaround
If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue.

Issue
When deploying changes, some customers have seen the error "There is another deployment currently in progress, please try again later" or the search error "There was a problem connecting to the query server. Please try again later."

Administrators who experience deploy issues can review /var/log/qradar.error for a message similar to the following:
[tomcat] [main] com.q1labs.core.shared.embeddedstaging.EmbeddedStagingManager:
[ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Unable to initialise Embedded Staging Manager:
com.q1labs.frameworks.exceptions.FrameworksNamingException:
Failed to initialize component: EmbeddedStagingManager
[tomcat] [main] com.q1labs.core.shared.permissions.PermissionsManager: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to get an instance of the Embedded Staging Manager
[tomcat] [configservices@127.0.0.1 (9181) /console/services/configservices]
com.q1labs.configservices.core.ConfigurationServices: 
[ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error synchronizing deployed components
[tomcat] [configservices@127.0.0.1 (9181) /console/services/configservices]
com.q1labs.configservices.common.ConfigServicesException:  Error synchronizing deployed components
[tomcat] [configservices@127.0.0.1 (9181) /console/services/configservices] at
com.q1labs.configservices.config.globalset.platform.DeployedComp
onentSynchronizer.buildConfiguration(DeployedComponentSynchronizer.java:82)
24 May 2021
NETWORK CONFIGURATION IJ05709 FIREWALL CONFIGURATION CHANGES MADE IN THE QRADAR UI FOR CONSOLE RESTRICTING ACCESS TO PORT 443 CAN CAUSE ISSUES CLOSED Resolved in
QRadar 7.4.3 (7.4.3.20210517144015)

Workaround
  1. Log in to the Console as an administrator.
  2. Click the Admin tab > System and License Management > Systems.
  3. Select the QRadar Console.
  4. From the Actions drop-down, select View and Manage System.
  5. Select the Firewall tab.
  6. Add CIDR 169.254.0.0/16 to the firewall for any port.

Issue
Adding IP/CIDR restrictions for port 443 in the Console firewall settings can cause multiple issues:
  • QRadar Apps can sometimes fail to install.
  • QRadar Apps can sometimes fail to update or apply configuration settings.
  • In some instances, the QRadar upgrade process can fail because required internal QRadar communications are blocked by the port 443 firewall setting.
24 May 2021
NETWORK CONFIGURATION IJ22716 QCHANGE_NETSETUP FAILS WITH 'ERROR: DUPLICATE KEY VALUE VIOLATES UNIQUE CONSTRAINT 'MANAGEDHOST_IP_KEY' CLOSED Resolved in
QRadar 7.4.3 (7.4.3.20210517144015)

Workaround
If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue.

Issue
The qchange_netsetup script fails when attempting to change a QRadar Console's IP address to an IP address that still exists in the database as a deleted Managed Host.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:

[hostcontext.hostcontext] [main] Caused by:
[hostcontext.hostcontext] [main] <openjpa-2.4.3-r422266:1833086
fatal store error>
org.apache.openjpa.persistence.EntityExistsException: ERROR:
duplicate key value violates unique constraint "managedhost_ip_key" 
Detail: Key (ip)=(127.0.0.1) already exists. 
{prepstmnt -1085858985 UPDATE ManagedHost SET ip = ? WHERE id = ?}

FailedObject:
com.q1labs.core.dao.platform.registry.ManagedHost-53
[hostcontext.hostcontext] [main]    at
org.apache.openjpa.jdbc.sql.DBDictionary.narrow(DBDictionary.java:4988)
[hostcontext.hostcontext] [main]    at
org.apache.openjpa.jdbc.sql.DBDictionary.newStoreException(DBDictionary.java:4963)
[hostcontext.hostcontext] [main]    at
org.apache.openjpa.jdbc.sql.SQLExceptions.getStore(SQLExceptions.java:133)
[hostcontext.hostcontext] [main]    at
org.apache.openjpa.jdbc.sql.SQLExceptions.getStore(SQLExceptions.java:75)
[hostcontext.hostcontext] [main]    at
org.apache.openjpa.jdbc.kernel.PreparedStatementManagerImpl.flushAndUpdate
(PreparedStatementManagerImpl.java:144)
[hostcontext.hostcontext] [main]    at
org.apache.openjpa.jdbc.kernel.BatchingPreparedStatementManagerI
mpl.flushAndUpdate(BatchingPreparedStatementManagerImpl.java:79)
[hostcontext.hostcontext] [main]    at
org.apache.openjpa.jdbc.kernel.PreparedStatementManagerImpl.flushInternal
(PreparedStatementManagerImpl.java:100)
[hostcontext.hostcontext] [main]    at
org.apache.openjpa.jdbc.kernel.PreparedStatementManagerImpl.flush
(PreparedStatementManagerImpl.java:88)
[hostcontext.hostcontext] [main]    at
org.apache.openjpa.jdbc.kernel.ConstraintUpdateManager.flush
(ConstraintUpdateManager.java:550)
[hostcontext.hostcontext] [main]    at
org.apache.openjpa.jdbc.kernel.ConstraintUpdateManager.flush
(ConstraintUpdateManager.java:107)
[hostcontext.hostcontext] [main]    at
org.apache.openjpa.jdbc.kernel.BatchingConstraintUpdateManager.flush
(BatchingConstraintUpdateManager.java:59)
[hostcontext.hostcontext] [main]    at
org.apache.openjpa.jdbc.kernel.AbstractUpdateManager.flush
(AbstractUpdateManager.java:104)
[hostcontext.hostcontext] [main]    at
org.apache.openjpa.jdbc.kernel.AbstractUpdateManager.flush
(AbstractUpdateManager.java:77)
[hostcontext.hostcontext] [main]    at
org.apache.openjpa.jdbc.kernel.JDBCStoreManager.flush(JDBCStoreManager.java:731)
[hostcontext.hostcontext] [main]    at
org.apache.openjpa.kernel.DelegatingStoreManager.flush(
DelegatingStoreManager.java:131)
[hostcontext.hostcontext] [main]    ... 13 more
[hostcontext.hostcontext] [main] Caused by:
[hostcontext.hostcontext] [main]
org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR:
duplicate key value violates unique constraint
"managedhost_ip_key"
  Detail: Key (ip)=(127.0.0.1) already exists. {prepstmnt
-1085858985 UPDATE ManagedHost SET ip = ? WHERE id = ?}

[hostcontext.hostcontext] [main]    at
org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(LoggingConnection
Decorator.java:218)
[hostcontext.hostcontext] [main]    at
org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(LoggingConnection
Decorator.java:194)
[hostcontext.hostcontext] [main]    at
org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.access$1000
(LoggingConnectionDecorator.java:58)
[hostcontext.hostcontext] [main]    at
org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator$LoggingConnection
$LoggingPreparedStatement.executeUpdate(LoggingConnectionDecorator.java:1133)
[hostcontext.hostcontext] [main]    at
org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeUpdate
(DelegatingPreparedStatement.java:275)
[hostcontext.hostcontext] [main]    at
org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeUpdate
(DelegatingPreparedStatement.java:275)
[hostcontext.hostcontext] [main]    at
org.apache.openjpa.jdbc.kernel.JDBCStoreManager$CancelPreparedStatement.
executeUpdate(JDBCStoreManager.java:1791)
[hostcontext.hostcontext] [main]    at
org.apache.openjpa.jdbc.kernel.PreparedStatementManagerImpl.executeUpdate
(PreparedStatementManagerImpl.java:268)
[hostcontext.hostcontext] [main]    at
org.apache.openjpa.jdbc.kernel.PreparedStatementManagerImpl.flushAndUpdate
(PreparedStatementManagerImpl.java:119)
[hostcontext.hostcontext] [main]    ... 23 more
[hostcontext.hostcontext] [pool-1-thread-4]
com.ibm.si.application.platform.exception.ApplicationPlatformServiceException: 
Unable to start application with id [qapp-1051] on host 
[8e634203e32e3588ed7c.localdeployment] with port [9000], responseCode [0],
 responseBody [null]
[hostcontext.hostcontext] [pool-1-thread-4]    at
com.ibm.si.application.conman.v1.ConManPlatformService.processEx
ception(ConManPlatformService.java:389)
[hostcontext.hostcontext] [pool-1-thread-4]    at
com.ibm.si.application.conman.v1.ConManPlatformService.startApp(
ConManPlatformService.java:554)
[hostcontext.hostcontext] [pool-1-thread-4]    at
com.ibm.si.hostcontext.app.tasks.conman.PlatformStartAppTask.run
Task(PlatformStartAppTask.java:54)
[hostcontext.hostcontext] [pool-1-thread-4]    at
com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108)
[hostcontext.hostcontext] [pool-1-thread-4]    at
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522)
[hostcontext.hostcontext] [pool-1-thread-4]    at
java.util.concurrent.FutureTask.run(FutureTask.java:277)
[hostcontext.hostcontext] [pool-1-thread-4]    at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
[hostcontext.hostcontext] [pool-1-thread-4]    at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
[hostcontext.hostcontext] [pool-1-thread-4]    at
java.lang.Thread.run(Thread.java:812)
[hostcontext.hostcontext] [pool-1-thread-4] Caused by:
[hostcontext.hostcontext] [pool-1-thread-4]
com.ibm.si.api.workload.v1.ApiException:
java.net.UnknownHostException:
8e634203e32e3588ed7c.localdeployment
[hostcontext.hostcontext] [pool-1-thread-4]    at
com.ibm.si.api.workload.v1.ApiClient.execute(ApiClient.java:844)
[hostcontext.hostcontext] [pool-1-thread-4]    at
com.ibm.si.api.workload.v1.api.WorkloadsApi.showWorkloadByIdWith
HttpInfo(WorkloadsApi.java:500)
[hostcontext.hostcontext] [pool-1-thread-4]    at
com.ibm.si.api.workload.v1.api.WorkloadsApi.showWorkloadById(Wor
kloadsApi.java:486)
[hostcontext.hostcontext] [pool-1-thread-4]    at
com.ibm.si.application.conman.v1.ConManPlatformService.getAppsWo
rkload(ConManPlatformService.java:348)
[hostcontext.hostcontext] [pool-1-thread-4]    at
com.ibm.si.application.conman.v1.ConManPlatformService.buildWork
load(ConManPlatformService.java:404)
[hostcontext.hostcontext] [pool-1-thread-4]    at
com.ibm.si.application.conman.v1.ConManPlatformService.buildWork
load(ConManPlatformService.java:399)
[hostcontext.hostcontext] [pool-1-thread-4]    at
com.ibm.si.application.conman.v1.ConManPlatformService.startApp(
ConManPlatformService.java:527)
[hostcontext.hostcontext] [pool-1-thread-4]    ... 7 more
[tomcat.tomcat] [gui_app_startup_thread]
com.q1labs.uiframeworks.util.ApplicationStartupThread: [ERROR]
[NOT:0000003000][127.0.0.1253.7.60/- -] [-/- -]Error occurred
processing [QRadar Assistant] 1051
[tomcat.tomcat] [gui_app_startup_thread]
com.q1labs.restapi_annotations.content.exceptions.endpointExcept
ions.ServerProcessingException: An error occurred setting app
status to [RUNNING]. Task state found to be [EXCEPTION].
[tomcat.tomcat] [gui_app_startup_thread]    at
com.q1labs.uiframeworks.application.api.service.status.handlers.
RunningStatusHandler.handleStatus(RunningStatusHandler.java:99)
[tomcat.tomcat] [gui_app_startup_thread]    at
com.q1labs.uiframeworks.application.api.service.DefaultApplicati
onAPIService.updateAppStatus(DefaultApplicationAPIService.java:505)
[tomcat.tomcat] [gui_app_startup_thread]    at
com.q1labs.uiframeworks.application.api.service.DefaultApplicati
onAPIService.updateAppStatus(DefaultApplicationAPIService.java:462)
[tomcat.tomcat] [gui_app_startup_thread]    at
com.q1labs.uiframeworks.util.ApplicationStartupThread.processRun
ningApplication(ApplicationStartupThread.java:148)
[tomcat.tomcat] [gui_app_startup_thread]    at
com.q1labs.uiframeworks.util.ApplicationStartupThread.processApp
lications(ApplicationStartupThread.java:127)
[tomcat.tomcat] [gui_app_startup_thread]    at
com.q1labs.uiframeworks.util.ApplicationStartupThread.run(Applic
ationStartupThread.java:89)
24 May 2021
SYSTEM TIME IJ24182 THE TZDATA DST RULES FOR AMERICA/SANTIAGO ARE OUT OF DATE AND HAVE THE INCORRECT DATE FOR SWITCHOVER TO DST CLOSED Resolved in
QRadar 7.4.3 (7.4.3.20210517144015)

Workaround
No workaround available. Administrators who experience issues with appliance timezone changes must upgrade to resolve this issue and get the latest tzdata RPM.

Issue
The tzdata DST (Daylight Saving Time) rules for America/Santiago are out of date. They do not accurately reflect the correct changeover date for DST in these time zones.
24 May 2021
QRADAR NETWORK INSIGHTS IJ24628 REMOVING A FLOW PROCESSOR FROM A QRADAR DEPLOYMENT AFTER A QRADAR NETWORK INSIGHTS (QNI) OR FORENSICS HOST HAS BEEN REMOVED CAN FAIL CLOSED Resolved in
QRadar 7.4.3 (7.4.3.20210517144015)

Workaround
If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue.

Issue
Removing a Flow Processor can fail if the deployment.xml file has remnants of a previously installed QNI or Forensics managed host.

The QRadar Deploy function can continuously fail after the failed Flow Processor removal.
24 May 2021
BACKUP AND RESTORE IJ25318 PERFORMING A 'DEPLOYMENT CONFIGURATION' RESTORE REQUIRES RESTORING THE 'RULES' OPTION CLOSED Resolved in
QRadar 7.4.3 (7.4.3.20210517144015)

Workaround
Select the user interface option to restore Rules when you complete a "Deployment Configuration" config restore.

Issue
Performing a config restore for "Deployment Configuration" does not include the dependencies between custom rules and reference data; therefore, restoring "Rules" is also required.

Messages similar to the following might be visible in /var/log/qradar.log when the Rules option is not selected during a "Deployment Configuration" restore:
User@127.0.0.1[hostcontext.hostcontext]
[BackupServices_restore] java.lang.Exception: unable to execute
sql statement: ALTER TABLE public.reference_data_rules ADD
CONSTRAINT reference_data_rules_rule_id_fkey FOREIGN KEY
(rule_id) REFERENCES public.custom_rule(id) ON DELETE CASCADE;
User@127.0.0.1[hostcontext.hostcontext]
[BackupServices_restore] at
com.q1labs.hostcontext.capabilities.PostgresAction.executeSql(Po
stgresAction.java:668)
User@127.0.0.1[hostcontext.hostcontext]
[BackupServices_restore] at
com.q1labs.hostcontext.capabilities.PostgresAction.applyConstrai
nts(PostgresAction.java:287)
User@127.0.0.1[hostcontext.hostcontext]
[BackupServices_restore] at
com.q1labs.hostcontext.backup.BackupRecoveryEngine.doDbRestore(B
ackupRecoveryEngine.java:2974)
User@127.0.0.1[hostcontext.hostcontext]
[BackupServices_restore] ... 5 more
24 May 2021
BACKUP AND RESTORE IJ25505 QRADAR BACKUP CAN HANG AND TIMEOUT WHEN A CONFIGURED NFS IS UNREACHABLE CLOSED Resolved in
QRadar 7.4.3 (7.4.3.20210517144015)

Workaround
Verify network connectivity from QRadar to the configured NFS share.

Issue
A QRadar backup can hang and then fail with a timeout when the configured NFS share is unreachable from QRadar.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[hostcontext.hostcontext] [Backup]
com.q1labs.hostcontext.backup.BackupRecoveryEngine: [INFO]
[NOT:0000006000][127.0.0.1/- -] [-/- -]Current backup was interrupted
[hostcontext.hostcontext] [Backup] com.q1labs.hostcontext.backup.BackupRecoveryEngine: [INFO]
[NOT:0000006000][127.0.0.1/- -] [-/- -]Current task: cleaning up
[hostcontext.hostcontext] [Backup] com.q1labs.hostcontext.backup.core.BackupUtils: [INFO]
[NOT:0000006000][127.0.0.1/- -] [-/- -]Following message suppressed 1 times in 300000 milliseconds
[hostcontext.hostcontext] [Backup] com.q1labs.hostcontext.backup.core.BackupUtils: 
[ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Cannot execute 'ps -e -o pid -o ppid -o cmd'
[hostcontext.hostcontext] [Backup] java.lang.InterruptedException
[hostcontext.hostcontext] [Backup] at java.lang.Object.wait(Object.java:218)
[hostcontext.hostcontext] [Backup] at java.lang.UNIXProcess.waitFor(UNIXProcess.java:458)
[hostcontext.hostcontext] [Backup] at java.lang.Object.wait(Native Method)
[hostcontext.hostcontext] [Backup] at com.q1labs.hostcontext.backup.core.BackupUtils.
getPsProcesses(BackupUtils.java:2566)
[hostcontext.hostcontext] [Backup] at com.q1labs.hostcontext.backup.BackupRecoveryEngine
.cleanup(BackupRecoveryEngine.java:2544)
[hostcontext.hostcontext] [Backup] at com.q1labs.hostcontext.backup.BackupRecoveryEngine
$BackupThread.run(BackupRecoveryEngine.java:4949)
[hostcontext.hostcontext] [Backup] com.q1labs.hostcontext.backup.BackupRecoveryEngine: [INFO]
[NOT:0000006000][127.0.0.1/- -] [-/- -]Cancel process '/bin/bash /opt/qradar/bin/run_command.sh
/opt/qradar/bin/determine_partition.sh <backup folder under NFS
mount> /storetmp/backup/determine_partition' if exists
24 May 2021
DISK SPACE IJ25759 LOG ROTATE CAN FAIL AFTER A PATCH BEING APPLIED CAUSING PARTITIONS TO FILL TO 100% CLOSED Resolved in
QRadar 7.4.3 (7.4.3.20210517144015)

Workaround
No workaround available. Administrators who experience this issue must upgrade to a software version where this issue is resolved.

Issue
While a QRadar patch is being applied, cron is restarted, and in some instances logrotate starts processing log files while the patch has requested and is proceeding with a system shutdown.

When this issue occurs, an uncompressed file remains in the olddir directory, causing logrotate to fail. When logrotate fails to run, QRadar partitions can fill to 100% unexpectedly.

Note: When QRadar partitions fill past 95% usage, required QRadar services are shut down. For more information on monitored partitions, see QRadar: Troubleshooting disk space usage problems.
24 May 2021
MANAGED HOST IJ25799 "RE-ADDING A MANAGED HOST" OPTION CAN FAIL TO BE DISPLAYED WHEN ADDING A NEW HOST TO A DEPLOYMENT USING THE SAME IP/HOSTNAME CLOSED Resolved in
QRadar 7.4.3 (7.4.3.20210517144015)

Workaround
If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue.

Issue
When adding a new Managed Host with the same IP address and hostname to a QRadar deployment, the "Re-adding a managed host" option can sometimes fail to appear. When this occurs, the old IP address is not available for selection in the drop-down during the add process.

As a result, adding the host creates new component IDs instead of reusing the original ones, which causes historical searches to fail.
24 May 2021
NETWORK HIERARCHY IJ25874 NETWORK HIERARCHY GROUPS NAMED WITH NON-ENGLISH NAMES ARE NOT VISIBLE AS A QUICK FILTER OPTION OR FROM A NEW SEARCH PAGE CLOSED Resolved in
QRadar 7.4.3 (7.4.3.20210517144015)

Workaround
Where possible, use English names for network groups.

Issue
Network groups and networks with non-English names (for example, Chinese or Korean characters) are not visible as available options in the network filter drop-down in Quick Filter or on the New Search page. For example:
  • Create a network group named with Chinese characters.
  • Add a network to that group.
  • Create another network group named with Chinese characters.
  • Add a network to the second group.
  • Deploy Changes.
  • Go to the Log Activity tab, open Quick Filter, then select Destination Network.

    Results
    The group names with Chinese characters are not available options to select in the user interface.
24 May 2021
LOG SOURCE IJ25884 LOG SOURCE TYPE DROPDOWN CAN FAIL TO POPULATE AND GENERATE A TOMCAT OUT OF MEMORY WHEN OVER 1 MILLION LOG SOURCES EXIST CLOSED Resolved in
QRadar 7.4.3 (7.4.3.20210517144015)

Workaround
If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue.

Issue
In QRadar environments with more than 1 million log sources, opening the Log Source Type drop-down (filter) can fail to populate properly and can cause a Tomcat service Out of Memory error.

Note: The QRadar user interface is unavailable during a Tomcat Out of Memory occurrence until the affected services recover.
24 May 2021
LOG SOURCE IJ25885 EVENT FOR SIM AUDIT QID 28250069 DOES NOT PROVIDE INFORMATION ON CHANGES THAT WERE MADE CLOSED Resolved in
QRadar 7.4.3 (7.4.3.20210517144015)

Workaround
No workaround available. Administrators who experience this issue must upgrade to a software version where this issue is resolved.

Issue
The SIM audit log event (QID 28250069) contains no information about what modifications were made.

The event payload contains only the user name and the API call, not the modifications that were made. Previous versions of QRadar (for example, 7.3.0 and 7.3.1) provided additional event payload information.
24 May 2021
QRADAR RISK MANAGER IJ26074 AUTOMATED RISK MANAGER QUERY CAN RUN LONGER THAN EXPECTED CAUSING AN APPLICATION ERROR ON THE RISKS TAB CLOSED Resolved in
QRadar 7.4.3 (7.4.3.20210517144015)

Workaround
No workaround available. Administrators who experience this issue must upgrade to a software version where this issue is resolved.

Issue
A query which runs periodically on the Risk Manager server to gather vulnerability statistics for the subnets on the Topology screen can sometimes take longer than ten minutes to complete.

When this occurs, the tomcat-rm service is automatically restarted, and an Application Error is generated on the Risks tab while the tomcat-rm service restarts.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat-rm.tomcat-rm] [Statistics Collector Job] org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR: canceling statement due to user request {prepstmnt 1607360343 SELECT c.longname AS impact FROM qrm_asset qa INNER JOIN classificationitem ci ON qa.vulnid = ci.vulnid INNER JOIN classification c ON ci.classificationid=c.classificationid WHERE qa.vulnid IS NOT NULL AND (qa.domainid IN (0)) AND ( (qa.ipaddress << 'x.x.x./x') )} [code=0, state=57014]
[tomcat-rm.tomcat-rm] [Statistics Collector Job]    at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(LoggingConnectionDecorator.java:218)
[tomcat-rm.tomcat-rm] [Statistics Collector Job]    at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(LoggingConnectionDecorator.java:202)
[tomcat-rm.tomcat-rm] [Statistics Collector Job]    at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.access$700(LoggingConnectionDecorator.java:58)
[tomcat-rm.tomcat-rm] [Statistics Collector Job]    at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator$LoggingConnection$LoggingPreparedStatement.executeQuery(LoggingConnectionDecorator.java:1117)
[tomcat-rm.tomcat-rm] [Statistics Collector Job]    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:268)
[tomcat-rm.tomcat-rm] [Statistics Collector Job]    at org.apache.openjpa.jdbc.sql.PostgresDictionary$PostgresPreparedStatement.executeQuery(PostgresDictionary.java:1011)
[tomcat-rm.tomcat-rm] [Statistics Collector Job]    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:268)
[tomcat-rm.tomcat-rm] [Statistics Collector Job]    at org.apache.openjpa.jdbc.kernel.JDBCStoreManager$CancelPreparedStatement.executeQuery(JDBCStoreManager.java:1800)
[tomcat-rm.tomcat-rm] [Statistics Collector Job]    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:268)
[tomcat-rm.tomcat-rm] [Statistics Collector Job]    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:258)
[tomcat-rm.tomcat-rm] [Statistics Collector Job]    at com.q1labs.simulator.util.LocalQRadarAPI.collectFromResult(LocalQRadarAPI.java:3256)
[tomcat-rm.tomcat-rm] [Statistics Collector Job]    at com.q1labs.simulator.util.LocalQRadarAPI.getImpactsinSubnet(LocalQRadarAPI.java:4987)
[tomcat-rm.tomcat-rm] [Statistics Collector Job]    at com.q1labs.simulator.ask.APIQRadarInterface.getImpactsinSubnet(APIQRadarInterface.java:113)
[tomcat-rm.tomcat-rm] [Statistics Collector Job]    at com.q1labs.simulator.util.subnetcolor.StatisticsCollectorTask.collectStatisticsForSubnet(StatisticsCollectorTask.java:166)
[tomcat-rm.tomcat-rm] [Statistics Collector Job]    at com.q1labs.simulator.util.subnetcolor.StatisticsCollectorTask.collectStatisticsForAll(StatisticsCollectorTask.java:148)
[tomcat-rm.tomcat-rm] [Statistics Collector Job]    at com.q1labs.simulator.util.subnetcolor.StatisticsCollectorTask.collectStatistics(StatisticsCollectorTask.java:58)
[tomcat-rm.tomcat-rm] [Statistics Collector Job]    at com.q1labs.simulator.jobs.StatisticsCollectorJob.process(StatisticsCollectorJob.java:42)
[tomcat-rm.tomcat-rm] [Statistics Collector Job]    at com.q1labs.simulator.jobframework.jobexecutioncontroller.scheduler.PeriodicJobScheduler$1.run(PeriodicJobScheduler.java:122)
[tomcat-rm.tomcat-rm] [Statistics Collector Job]    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522)
[tomcat-rm.tomcat-rm] [Statistics Collector Job]    at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:319)
[tomcat-rm.tomcat-rm] [Statistics Collector Job]    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:191)
[tomcat-rm.tomcat-rm] [Statistics Collector Job]    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
[tomcat-rm.tomcat-rm] [Statistics Collector Job]    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
[tomcat-rm.tomcat-rm] [Statistics Collector Job]    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
[tomcat-rm.tomcat-rm] [Statistics Collector Job]    at java.lang.Thread.run(Thread.java:818)
24 May 2021
LOG ACTIVITY IJ26098 'AN IO ERROR OCCURRED ON SERVER(S)...' CAN OCCUR DURING SEARCHES AFTER A HOST HAS HAD ITS IP ADDRESS CHANGED CLOSED Resolved in
QRadar 7.4.3 (7.4.3.20210517144015)

Workaround
Using a command line tool such as vi, find and comment out or remove the entries for the old IP address in /etc/hosts on the QRadar Console. Attempt the search again.

Issue
Removing a non-encrypted host from a QRadar deployment that has ariel running, changing its IP address (using qchange_netsetup), and then re-adding the host to the QRadar deployment can result in ariel searches (for example, in the Log Activity tab) against that managed host reporting errors similar to: "An IO error occurred on server(s) XXXXXX:ZZZZ. Please try again." (where XXXXXX is the hostname of the managed host that had its IP address changed and ZZZZ is the ariel port).

Example steps that reproduce this behavior:
  1. Use a QRadar environment where the Console and managed host (for example, an Event Processor (EP)) are not encrypted.
  2. Verify that searches are working (for example, in the Log Activity tab).
  3. Perform the documented steps to remove the EP from the deployment.
  4. Perform the documented steps to use qchange_netsetup to change the IP address of the managed host (without changing the hostname).
  5. Perform the documented steps to re-add the host to the deployment.
  6. After the deploy is complete, attempt a basic search on that Event Processor (EP) in the Log Activity tab (for example, the last 5 minutes).

    Results
    A message similar to the following might be generated in the Log Activity search screen: "An IO error occurred on server(s) XXXXXX:ZZZZ. Please try again." where XXXXXX is the hostname of the managed host that had its IP address changed and ZZZZ is the ariel port.
24 May 2021
ASSETS IJ26163 ASSET SEARCH CAN FAIL WHEN FILTERING BASED ON CONTENTS OF A REFERENCE SET WHERE MORE THAN ONE DOMAIN EXISTS CLOSED Resolved in
QRadar 7.4.3 (7.4.3.20210517144015)

Workaround
No workaround available. Administrators who experience this issue must upgrade to a software version where this issue is resolved.

Issue
An Asset Search can fail when filtering based on the contents of a reference set when more than one domain is added to the reference set.

For example:
  1. Navigate to Admin > Reference Set Management, select a Reference Set, and click Edit.
  2. On the Content tab, click Add, enter your data, select domain1, and then click Add.
  3. Repeat step 2, but select a different domain.
  4. Go to the Assets tab and click Search > New Search.
  5. Under Search Parameter(s) at the bottom of the page, select "IP Address" and "In reference set", then select the reference set used in step 1 and click Search.

    Results
    The search fails and generates an error.

Administrators who experience this issue can confirm a ReportingSQLException similar to the following in /var/log/qradar.error:
[tomcat.tomcat] [admin@127.0.0.1 (8838)
/console/do/assetprofile/SearchForm] com.q1labs.assets.ui.assetservices.UIAssetList: 
[ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error running filter based asset 
list query for performance.org.apache.openjpa.lib.jdbc.ReportingSQLException:
ERROR: more than one row returned by a subquery used as an
expression {stmnt 669393640 select DISTINCT(asset.asset.id)
from asset.asset  where (1=1) AND asset.asset.id NOT IN (SELECT
assetid FROM asset.pendingassetupdate WHERE action=3) AND
asset.asset.id in (SELECT DISTINCT(asset.interface.assetid)
FROM asset.interface LEFT OUTER JOIN asset.ipaddress ON
asset.interface.id=asset.ipaddress.interfaceid WHERE (1=1)  AND
 ( asset.ipaddress.ipaddress NOT IN (
                                SELECT
convert_from(data,'UTF8')::inet AS ipv4address FROM
public.reference_data_element
                                WHERE
public.reference_data_element.rdk_id = (SELECT id FROM
public.reference_data_key
                                WHERE
public.reference_data_key.rd_id = (SELECT id FROM
public.reference_data WHERE name LIKE $ItrXqTU$Steve2$ItrXqTU$))
                ) ) )} 
[tomcat.tomcat] [admin@127.0.0.1 (8838)
/console/do/assetprofile/SearchForm]
com.q1labs.assets.ui.assetservices.UIAssetList: [WARN]
[NOT:0000004000][127.0.0.1/- -] [-/- -]Asset UI Performance optimization
failing.:org.apache.openjpa.lib.jdbc.ReportingSQLException:
ERROR: more than one row returned by a subquery used as an
expression {stmnt 669393640 select DISTINCT(asset.asset.id)
from asset.asset  where (1=1) AND asset.asset.id NOT IN (SELECT
assetid FROM asset.pendingassetupdate WHERE action=3) AND
asset.asset.id in (SELECT DISTINCT(asset.interface.assetid)
FROM asset.interface LEFT OUTER JOIN asset.ipaddress ON
asset.interface.id=asset.ipaddress.interfaceid WHERE (1=1)  AND
 ( asset.ipaddress.ipaddress NOT IN (
                                SELECT
convert_from(data,'UTF8')::inet AS ipv4address FROM
public.reference_data_element
                                WHERE
public.reference_data_element.rdk_id = (SELECT id FROM
public.reference_data_key
                                WHERE
public.reference_data_key.rd_id = (SELECT id FROM
public.reference_data WHERE name LIKE $ItrXqTU$Steve2$ItrXqTU$))
                ) ) )} 
[tomcat.tomcat] [admin@127.0.0.1 (8838)
/console/do/assetprofile/SearchForm]
com.q1labs.core.sql.queryframework.QueryFramework: [WARN]
[NOT:0000004000][127.0.0.1/- -] [-/- -]SELECT * FROM (
        SELECT
            0               AS "assetid"
        FROM asset.pendingassetupdate
        WHERE (1=1)
        AND asset.pendingassetupdate.assetid IS NULL AND
asset.pendingassetupdate.action != 3
         AND asset.pendingassetupdate.updatedby =
$pGISzQS$Steve$pGISzQS$
    ) ASSET_PENDING_LIST_VIEW
    UNION ALL
    SELECT * FROM
    (
        SELECT
            DISTINCT(asset.asset.id)                  AS
"assetid"
        FROM asset.asset
        INNER JOIN asset.interface ON asset.interface.assetid =
asset.asset.id INNER JOIN asset.ipaddress ON
asset.ipaddress.interfaceid = asset.interface.id
        WHERE (1=1)
        AND asset.asset.id NOT IN (SELECT assetid FROM
asset.pendingassetupdate WHERE action=3)
         AND  ( asset.ipaddress.ipaddress NOT IN (
                                SELECT
convert_from(data,'UTF8')::inet AS ipv4address FROM
public.reference_data_element
                                WHERE
public.reference_data_element.rdk_id = (SELECT id FROM
public.reference_data_key
                                WHERE
public.reference_data_key.rd_id = (SELECT id FROM
public.reference_data WHERE name LIKE $eIQrWGn$Steve2$eIQrWGn$))
                ) )
        --Additional ordering/limits for any base SQL query type
    ) ASSET_LIST_VIEW
         OFFSET 0;
[tomcat.tomcat] [admin@127.0.0.1 (8838)
/console/do/assetprofile/SearchForm]
com.q1labs.core.sql.queryframework.QueryFramework: [ERROR]
Chained SQL Exception [1/2]: ERROR: current transaction is
aborted, commands ignored until end of transaction block {stmnt
-1679308538 SELECT * FROM (
        SELECT
            0               AS "assetid"
        FROM asset.pendingassetupdate
        WHERE (1=1)
        AND asset.pendingassetupdate.assetid IS NULL AND
asset.pendingassetupdate.action != 3
         AND asset.pendingassetupdate.updatedby =
$pGISzQS$Steve$pGISzQS$
    ) ASSET_PENDING_LIST_VIEW
    UNION ALL
    SELECT * FROM
    (
        SELECT
            DISTINCT(asset.asset.id)                  AS
"assetid"
        FROM asset.asset
        INNER JOIN asset.interface ON asset.interface.assetid =
asset.asset.id INNER JOIN asset.ipaddress ON
asset.ipaddress.interfaceid = asset.interface.id
        WHERE (1=1)
        AND asset.asset.id NOT IN (SELECT assetid FROM
asset.pendingassetupdate WHERE action=3)
         AND  ( asset.ipaddress.ipaddress NOT IN (
                                SELECT
convert_from(data,'UTF8')::inet AS ipv4address FROM
public.reference_data_element
                                WHERE
public.reference_data_element.rdk_id = (SELECT id FROM
public.reference_data_key
                                WHERE
public.reference_data_key.rd_id = (SELECT id FROM
public.reference_data WHERE name LIKE $eIQrWGn$Steve2$eIQrWGn$))
                ) )
        --Additional ordering/limits for any base SQL query type
    ) ASSET_LIST_VIEW
         OFFSET 0;} 
[tomcat.tomcat] [admin@127.0.0.1 (8838)
/console/do/assetprofile/SearchForm]
com.q1labs.core.sql.queryframework.QueryFramework: [ERROR]
Chained SQL Exception [2/2]: ERROR: current transaction is
aborted, commands ignored until end of transaction block
[tomcat.tomcat] [admin@127.0.0.1 (8838)
/console/do/assetprofile/SearchForm]
com.q1labs.core.sql.queryframework.QueryFramework: 
[WARN] [NOT:0000004000][127.0.0.1/- -] [-/--] 
QueryFramework.executeQuery(): Could not execute the above SQL statement.
[tomcat.tomcat] [admin@127.0.0.1 (8838) /console/do/assetprofile/SearchForm]
org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR:
current transaction is aborted, commands ignored until end of
transaction block {stmnt -1679308538 SELECT * FROM (
        SELECT
            0               AS "assetid"
        FROM asset.pendingassetupdate
        WHERE (1=1)
        AND asset.pendingassetupdate.assetid IS NULL AND
asset.pendingassetupdate.action != 3
         AND asset.pendingassetupdate.updatedby =
$pGISzQS$Steve$pGISzQS$
    ) ASSET_PENDING_LIST_VIEW
    UNION ALL
    SELECT * FROM
    (
        SELECT
            DISTINCT(asset.asset.id)                  AS
"assetid"
        FROM asset.asset
        INNER JOIN asset.interface ON asset.interface.assetid =
asset.asset.id INNER JOIN asset.ipaddress ON
asset.ipaddress.interfaceid = asset.interface.id
        WHERE (1=1)
        AND asset.asset.id NOT IN (SELECT assetid FROM
asset.pendingassetupdate WHERE action=3)
         AND  ( asset.ipaddress.ipaddress NOT IN (
                                SELECT
convert_from(data,'UTF8')::inet AS ipv4address FROM
public.reference_data_element
                                WHERE
public.reference_data_element.rdk_id = (SELECT id FROM
public.reference_data_key
                                WHERE
public.reference_data_key.rd_id = (SELECT id FROM
public.reference_data WHERE name LIKE $eIQrWGn$Steve2$eIQrWGn$))
                ) )
        --Additional ordering/limits for any base SQL query type
    ) ASSET_LIST_VIEW
         OFFSET 0;} 
[tomcat.tomcat] [admin@127.0.0.1 (8838)
/console/do/assetprofile/SearchForm]    at
org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(LoggingConnectionDecorator.java:218)
24 May 2021
QRADAR NETWORK INSIGHTS IJ26167 THE QRADAR NETWORK INSIGHTS (QNI) SMTP INSPECTOR CAN FAIL TO SHOW ALL RECIPIENT EMAIL ADDRESSES FOR SMTP CONTENT FLOWS CLOSED Resolved in
QRadar 7.4.3 (7.4.3.20210517144015)

Workaround
If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue.

Issue
In unencrypted SMTP flows, the Recipient User field is shown as some variation of "undisclosed", which is derived from the mail header instead of the recipient email address. This type of field in the mail header is used for both valid masking and malicious activities.

The actual recipient (RCPT TO) in these instances can be viewed in the Standard Flow's Payload field, provided its position in the flow does not exceed the number of payload bytes that are extracted.
24 May 2021
QRADAR VULNERABILITY MANAGER IJ26525 VULNERABILITY SCAN DISPLAYS 100% COMPLETION BUT NEVER FINISHES WHEN TOOLS ARE EXCLUDED FROM THE SCAN POLICY CLOSED Resolved in
QRadar 7.4.3 (7.4.3.20210517144015)

Workaround
No workaround available. Administrators who experience this issue must upgrade to a software version where this issue is resolved.

Issue
If either of the following tools is excluded in a QRadar Vulnerability Manager scan policy, the scan does not complete as expected:
  • netbios - patch scanning - check credentials (the checkaccess tool)
  • netbios - patch scanning & policy checks (the enum.pl tool)

    Results
    The Scan Results screen displays a value of 100% for the scan progress, but the scan does not finish:
  • Status: Running
  • Progress: 100%
  • Duration: <continues to increase>
24 May 2021
QRADAR NETWORK INSIGHTS IJ26651 SMTP CONTENT FLOWS ORIGINATING FROM QNI HAVE FIELDS THAT ARE LIMITED TO 64 CHARACTERS IN THE NETWORK ACTIVITY TAB CLOSED Resolved in
QRadar 7.4.3 (7.4.3.20210517144015)

Workaround
No workaround available. Administrators who experience this issue must upgrade to a software version where this issue is resolved.

Issue
SMTP Content Flows (originating from QNI) in the Network Activity tab can have certain fields that are limited to 64 characters. For example, in Network Activity - SMTP Content Flows:
  • Email fields and subject fields (the observed fields) are truncated to 64 characters.
  • Email addresses in the format "First Last (Title of individual)" were often truncated somewhere inside the actual email address.
  • Recipient Users can be broken on a space. For example, one entry would read "Smith," and another entry would read "John (Title of person)" <John.Smith@exampledomain.com>.
24 May 2021
DSM EDITOR IJ26665 CEF EVENTID DOES NOT MAP TO A QID WHEN IT IS THE LAST KEY/VALUE IN THE PAYLOAD WHEN CONFIGURED USING DSM EDITOR/LSX CLOSED Resolved in
QRadar 7.4.3 (7.4.3.20210517144015)

Workaround
Use a Regular Expression (regex), instead of using a CEF key in the DSM Editor to parse a CEF name=value pair that is the last entry of the event payload.

Issue
If a CEF key is used in the DSM Editor/LSX to override the Event ID for a log source, and that key/value pair is the last one in the payload, the override does not work as expected: a newline character "\n" is appended to the parsed value, so it is not matched to a mapped QID in QRadar.

To recreate this issue:
Add a CEF key as an override for a payload when the key/value pair is the last item in a payload.

Results
The Event ID is not able to match a QID as it will have a '\n' at the end.

Note: If another key/value is added to the end of the payload it works as expected as the desired value no longer has the newline '\n' in it.
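The trailing-newline failure described above, as an added example that is not part of the original page or of QRadar's own parser: a minimal CEF extension parser in Python that reproduces the defect on the last key/value pair, beside a hardened lookup that strips line terminators before the QID match. The payloads, the `act` override key and the QID values are constructed placeholders, and the CRLF case goes one step beyond the page's "\n" case.

```python
import re
from typing import Dict, Optional

# Constructed CEF events (not real QRadar data). A syslog receiver commonly
# hands the payload over with its trailing line terminator still attached.
PAYLOAD_ACT_LAST = (
    "CEF:0|ExampleVendor|ExampleProduct|1.0|100|Login succeeded|3|"
    "src=10.0.0.5 suser=alice act=login\n"
)
PAYLOAD_ACT_MIDDLE = (
    "CEF:0|ExampleVendor|ExampleProduct|1.0|100|Login succeeded|3|"
    "act=login src=10.0.0.5 suser=alice\n"
)
PAYLOAD_CRLF = (
    "CEF:0|ExampleVendor|ExampleProduct|1.0|100|Login succeeded|3|"
    "src=10.0.0.5 act=login\r\n"
)

# Constructed QID map for the custom Event ID override (placeholder QIDs).
QID_MAP: Dict[str, int] = {"login": 20000001, "logout": 20000002}

# CEF header: CEF:Version|Device Vendor|Device Product|Device Version|
# Signature ID|Name|Severity|  -> seven '|'-separated fields precede the extension.
CEF_HEADER_FIELDS = 7

# A key is a run of word characters followed by '='; a value runs until the
# next ' key=' or the very end of the string (\Z, so a trailing newline is kept).
_KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|\Z)", re.DOTALL)


def parse_cef_extension(payload: str) -> Dict[str, str]:
    """Split the CEF extension into key/value pairs without normalising them.

    This mirrors the defect in IJ26665: the last value keeps whatever line
    terminator arrived with the payload, so the final "act=login" followed by
    a newline yields "login" plus that newline.
    """
    parts = payload.split("|", CEF_HEADER_FIELDS)
    if len(parts) != CEF_HEADER_FIELDS + 1 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF payload")
    extension = parts[CEF_HEADER_FIELDS]
    return {m.group(1): m.group(2) for m in _KV_RE.finditer(extension)}


def event_id_naive(payload: str, key: str) -> Optional[str]:
    """Return the raw override value for `key`, as the defective path would."""
    return parse_cef_extension(payload).get(key)


def event_id_hardened(payload: str, key: str) -> Optional[str]:
    """Return the override value with line terminators and padding removed.

    Normalising before the lookup is the fix; the position of the key in
    the payload then no longer matters.
    """
    value = parse_cef_extension(payload).get(key)
    return None if value is None else value.strip(" \t\r\n")


def qid_for(payload: str, key: str, hardened: bool) -> Optional[int]:
    """Map the parsed Event ID to a QID; None means no QID mapping was found."""
    event_id = (event_id_hardened if hardened else event_id_naive)(payload, key)
    return QID_MAP.get(event_id) if event_id is not None else None


if __name__ == "__main__":
    for name, payload in [("act last", PAYLOAD_ACT_LAST),
                          ("act middle", PAYLOAD_ACT_MIDDLE),
                          ("act last, CRLF", PAYLOAD_CRLF)]:
        print(f"{name:15} raw={event_id_naive(payload, 'act')!r:12} "
              f"naive QID={qid_for(payload, 'act', False)} "
              f"hardened QID={qid_for(payload, 'act', True)}")
```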
24 May 2021
MANAGED HOST IJ26729 USING QCHANGE_NETSETUP IN NAT'D QRADAR ENVIRONMENTS CAN CAUSE EVENT COLLECTION TO FAIL AFTER A MANAGED HOST IS RE-ADDED CLOSED Resolved in
QRadar 7.4.3 (7.4.3.20210517144015)

Workaround
If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue.

Issue
When re-adding a Managed Host to a deployment after performing a qchange_netsetup to add a public (NAT'd) IP address, some QRadar components can fail to be remapped or created correctly on the Managed Host. In these instances, the affected QRadar component services have been identified as hostcontext, ecs-ec and ecs-ep. When this issue occurs, event collection can stop working for the affected Managed Hosts, and hosts cannot be connected together successfully in a QRadar deployment (for example, connecting an Event Collector to an Event Processor, or a DataNode to an Event Processor) because of the missing component services.

Messages similar to the following might be visible in /var/log/qradar.log on an affected Managed Host when this issue occurs:
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
com.q1labs.hostcontext.configuration.ConfigChangeObserver:
[ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]
Failed to download and apply new configuration
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
com.q1labs.hostcontext.exception.HostContextConfigException:
Unable to properly download and apply new configuration
...
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
Caused by:
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
com.q1labs.hostcontext.exception.HostContextConfigException:
Failed to download and process global set
..
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
Caused by:
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
com.q1labs.hostcontext.exception.HostContextConfigException:
Failed to build local configuration set
...
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
Caused by:
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
com.q1labs.hostcontext.exception.HostContextConfigException:
Failed to build local configuration set
...
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
Caused by:
...
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
Caused by:
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
com.q1labs.configservices.common.ConfigServicesException:
unable to transform components
...
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
Caused by:
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
com.q1labs.configservices.common.ConfigServicesException:
Failed to create EC_Ingress.xml for component
eventcollectoringress103.
...
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
Caused by:
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
java.lang.RuntimeException: Error merging velocity template and
context
...
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
org.apache.velocity.exception.MethodInvocationException:
Invocation of method 'getEventThreshold' in class
com.q1labs.configservices.config.localset.sem.ECIngressConfigBuilder threw exception
java.lang.NumberFormatException: null at EC_Ingress.vm[line 498, column 79]
...
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
Caused by:
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
java.lang.NumberFormatException: null
...
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
com.q1labs.hostcontext.configuration.ConfigChangeObserver:
[INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]
Setting deployment status to Error
24 May 2021
QRADAR VULNERABILITY MANAGER IJ27020 DUPLICATE ASSETS CAN BE CREATED BY AN 'EARLY WARNING' VULNERABILITY WHEN DOMAINS ARE CONFIGURED IN QRADAR CLOSED Resolved in
QRadar 7.4.3 (7.4.3.20210517144015)

Workaround
On the Assets tab, manually delete the duplicate asset in the "Default Domain" if this issue occurs.

Issue
In QRadar environments where Domains are configured, an "Early Warning" vulnerability detected by a QRadar Vulnerability Manager scan can result in the creation of a duplicate Asset in the "Default Domain".
24 May 2021
GEOGRAPHIC DATA IJ27129 GEO::DISTANCE IN AQL QUERIES DOES NOT CALCULATE DISTANCE CORRECTLY WHEN AN INTERNAL IP IS USED FOR THE SECOND ARGUMENT CLOSED Resolved in
QRadar 7.4.3 (7.4.3.20210517144015)

Workaround
No workaround available. Administrators who experience this issue must upgrade to a software version where this issue is resolved.

Issue
Using GEO::DISTANCE in AQL queries does not calculate distance correctly if an internal IP address is used for the second argument in the query.

For example, when using SELECT GEO::DISTANCE(sourceip, destinationip) in AQL queries:
  • Distance is calculated properly when both IPs are external: GEO::DISTANCE(External Source IP Address, External Destination IP Address)
  • Distance is calculated properly from internal to external: GEO::DISTANCE(Internal Source IP Address, External Destination IP Address)
  • Distance is calculated incorrectly from external to internal: GEO::DISTANCE(External Source IP Address, Internal Destination IP Address)
  • Distance is calculated incorrectly from internal to internal when the distance is greater than 0: GEO::DISTANCE(Internal Source IP Address, Internal Destination IP Address)

    For example:
  • The following AQL query displays N/A as the distance output.
    SELECT GEO::DISTANCE('external-IP', 'internal-IP') AS KM FROM events LIMIT 1
  • The following AQL query displays an incorrect distance output.
    SELECT GEO::DISTANCE('internal-IP', 'internal-IP') AS KM FROM events LIMIT 1
24 May 2021
ASSETS IJ31040 UPDATES TO ASSET IP ADDRESSES CAN SOMETIMES CAUSE THE ASSET PROFILER SERVICE TO STOP PROCESSING ASSETS CLOSED Resolved in
QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
QRadar 7.4.3 (7.4.3.20210517144015)

Workaround
If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue.

Issue
Updates to Asset IP addresses that occur while the asset profiler is using the QRadar spillover cache can cause the asset profiler service to stop processing assets correctly.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
java.lang.ClassCastException: java.lang.String incompatible with java.lang.Integer
 at com.q1labs.assetprofile.persistence.AssetChangeEvent$ChangeValue.put(AssetChangeEvent.java:99)
 at com.q1labs.assetprofile.persistence.AssetChangeEvent.writeAffectedFields(AssetChangeEvent.java:324)
 at com.q1labs.assetprofile.persistence.AssetChangeEvent.put(AssetChangeEvent.java:306)
 at com.q1labs.assetprofile.persistence.AssetChangeEventSet$AssetChangeEventSubset.put(AssetChangeEventSet.java:99)
 at com.q1labs.assetprofile.persistence.AssetChangeEventSet.writeSubsets(AssetChangeEventSet.java:480)
 at com.q1labs.assetprofile.persistence.AssetChangeEventSet.put(AssetChangeEventSet.java:539)
 at com.q1labs.assetprofile.persistence.AssetChangeEventSet.put(AssetChangeEventSet.java:34)
 at com.q1labs.frameworks.queue.SpilloverQueue$RecordSerializerWithSize.put(SpilloverQueue.java:1142)
 at com.q1labs.frameworks.queue.SpilloverQueue$FileBasedQueue.serialized_offer(SpilloverQueue.java:1249)
 at com.q1labs.frameworks.queue.SpilloverQueue$FileBasedQueue.offer(SpilloverQueue.java:1240)
 at com.q1labs.frameworks.queue.SpilloverQueue.offer(SpilloverQueue.java:706)
 at com.q1labs.assetprofile.changelistener.AssetChangeListenerLoader.offerBlocking(AssetChangeListenerLoader.java:365)
 at com.q1labs.assetprofile.changelistener.AssetChangeListenerLoader.offerThreaded(AssetChangeListenerLoader.java:339)
 at com.q1labs.assetprofile.changelistener.AssetChangeListenerLoader.publishToListener(AssetChangeListenerLoader.java:307)
 at com.q1labs.assetprofile.changepublisher.AssetChangePublisher.publishAssetChange(AssetChangePublisher.java:176)
 at com.q1labs.assetprofile.persistence.AssetProfilePersistenceManager.dispatchFromTopTier(AssetProfilePersistenceManager.java:417)
 at com.q1labs.assetprofile.persistence.AssetProfilePersistenceManager.dispatchBufferedEvents(AssetProfilePersistenceManager.java:357)
 at com.q1labs.assetprofile.persistence.AssetProfilePersistenceWorkerThread.commitCurrentTransactionAndFlushOutput(AssetProfilePersistenceWorkerThread.java:1037)


If the IP address update is sent to the spillover cache, the asset profiler stops processing any further asset updates and the following can be visible in /var/log/qradar.log:
java.lang.ClassCastException: java.lang.String incompatible with java.lang.Integer
 at com.q1labs.assetprofile.persistence.AssetChangeEvent$ChangeValue.put(AssetChangeEvent.java:99)
 at com.q1labs.assetprofile.persistence.AssetChangeEvent.writeAffectedFields(AssetChangeEvent.java:324)
 at com.q1labs.assetprofile.persistence.AssetChangeEvent.put(AssetChangeEvent.java:306)
 at com.q1labs.assetprofile.persistence.AssetChangeEventSet$AssetChangeEventSubset.put(AssetChangeEventSet.java:99)
 at com.q1labs.assetprofile.persistence.AssetChangeEventSet.writeSubsets(AssetChangeEventSet.java:480)
 at com.q1labs.assetprofile.persistence.AssetChangeEventSet.put(AssetChangeEventSet.java:539)
 at com.q1labs.assetprofile.persistence.AssetChangeEventSet.put(AssetChangeEventSet.java:34)
 at com.q1labs.frameworks.queue.SpilloverQueue$RecordSerializerWithSize.put(SpilloverQueue.java:1142)
 at com.q1labs.frameworks.queue.SpilloverQueue$FileBasedQueue.serialized_offer(SpilloverQueue.java:1249)
 at com.q1labs.frameworks.queue.SpilloverQueue$FileBasedQueue.offer(SpilloverQueue.java:1240)
 at com.q1labs.frameworks.queue.SpilloverQueue.offer(SpilloverQueue.java:706)
 at com.q1labs.assetprofile.changelistener.AssetChangeListenerLoader.offerBlocking(AssetChangeListenerLoader.java:365)
 at com.q1labs.assetprofile.changelistener.AssetChangeListenerLoader.offerThreaded(AssetChangeListenerLoader.java:339)
 at com.q1labs.assetprofile.changelistener.AssetChangeListenerLoader.publishToListener(AssetChangeListenerLoader.java:307)
 at com.q1labs.assetprofile.changepublisher.AssetChangePublisher.publishAssetChange(AssetChangePublisher.java:176)
 at com.q1labs.assetprofile.persistence.AssetProfilePersistenceManager.dispatchFromTopTier(AssetProfilePersistenceManager.java:417)
 at com.q1labs.assetprofile.persistence.AssetProfilePersistenceManager.dispatchBufferedEvents(AssetProfilePersistenceManager.java:357)
 at com.q1labs.assetprofile.persistence.AssetProfilePersistenceWorkerThread.commitCurrentTransactionAndFlushOutput(AssetProfilePersistenceWorkerThread.java:1037)
 at com.q1labs.assetprofile.persistence.AssetProfilePersistenceWorkerThread.run(AssetProfilePersistenceWorkerThread.java:429)
24 May 2021
DEPLOY CHANGES IJ29047 QRADAR MANAGED HOST(S) CAN FAIL TO DEPLOY AFTER COMPLETING THE PATCHING PROCESS AS THE QRADAR DATABASE HAS NOT DOWNLOADED CLOSED Resolved in
QRadar 7.4.3 (7.4.3.20210517144015)

Workaround
  1. Open an SSH session to the QRadar Console and edit /store/configservices/globalconfig/nva.conf.
  2. Change LOCAL_FALLBACK_DISABLED=true to LOCAL_FALLBACK_DISABLED=false.
  3. SSH to any affected Managed Host(s) and in /store/configservices/globalconfig/nva.conf and /store/configservices/staging/globalconfig/nva.conf change LOCAL_FALLBACK_DISABLED=true to LOCAL_FALLBACK_DISABLED=false.
  4. To run a local transformation on affected Managed Host(s), type:
    /opt/qradar/bin/local_transformation.sh -l -f

    Results
    Deploys should now work as expected.

Issue
In instances where the nva.conf file contains the LOCAL_FALLBACK_DISABLED=true setting, QRadar Managed Hosts can fail to download the QRadar database from the Console after being patched. When this occurs, QRadar Deploy functions fail for the affected Managed Hosts. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR: cannot execute UPDATE in a read-only transaction {stmnt -490361463 UPDATE public.user_settings SET allow_system_authentication_fallback=false}
   at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(LoggingConnectionDecorator.java:218)
   at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(LoggingConnectionDecorator.java:202)
   at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.access$700(LoggingConnectionDecorator.java:58)
   at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator$LoggingConnection$LoggingStatement.executeUpdate(LoggingConnectionDecorator.java:913)
   at org.apache.openjpa.lib.jdbc.DelegatingStatement.executeUpdate(DelegatingStatement.java:118)
   at org.apache.openjpa.jdbc.kernel.JDBCStoreManager$CancelStatement.executeUpdate(JDBCStoreManager.java:1689)
   at org.apache.openjpa.lib.jdbc.DelegatingStatement.executeUpdate(DelegatingStatement.java:118)
   at com.q1labs.core.shared.permissions.UserManager.updateAllowSystemAuthenticationFallback(UserManager.java:1737)
24 May 2021
APPLICATION FRAMEWORK IJ28648 QRADAR APPS CAN FAIL TO LOAD DUE TO THE QRADARCA-MONITOR SERVICE BEING IN A STUCK STATE CLOSED Resolved in
QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
QRadar 7.4.3 (7.4.3.20210517144015)
QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

Workaround
No workaround available. Administrators who experience this issue must upgrade to a software version where this issue is resolved.

Issue
QRadar Apps can fail to load if the qradarca-monitor service is in a stuck state of activating. This issue can also cause the failure of new app installations, app deletions, and app upgrades.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
bash[55538]: goroutine 1 [chan receive, 44478 minutes]:
bash[55538]: path/pi/si-qradarca/vendor/golang.org/x/crypto/ssh.(*mux).openChannel(0xc42018ccb0, 0x766c05, 0x7, 0x0, 0x0, 0x0, 0x20002, 0xc4201341e4, 0xc4201341e0)
bash[55538]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/path/pi/si-qradarca/vendor/golang.org/x/crypto/ssh/mux.go:322 +0x1f2
bash[55538]: path/pi/si-qradarca/vendor/golang.org/x/crypto/ssh.(*mux).OpenChannel(0xc42018ccb0, 0x766c05, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
bash[55538]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/path/pi/si-qradarca/vendor/golang.org/x/crypto/ssh/mux.go:298 +0x64
bash[55538]: path/pi/si-qradarca/vendor/golang.org/x/crypto/ssh.(*Client).NewSession(0xc42018f800, 0x3, 0xc4202888d0, 0x10)
bash[55538]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/path/pi/si-qradarca/vendor/golang.org/x/crypto/ssh/client.go:130 +0x67
bash[55538]: path/pi/si-qradarca/localca.connectToHost(0x76616e, 0x4, 0xc420165119, 0xd, 0x4ae499, 0x3, 0xc42030c000, 0x65)
bash[55538]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/path/pi/si-qradarca/localca/util.go:320 +0x356
bash[55538]: path/pi/si-qradarca/localca.CheckRemoteFileExists(0x76616e, 0x4, 0xc420163360, 0x20, 0xc420165119, 0xd, 0x0, 0x0, 0x0)
bash[55538]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/path/pi/si-qradarca/localca/remote.go:63 +0x85
bash[55538]: path/pi/si-qradarca/localca.checkCertificateOnRemote(0xc420165119, 0xd, 0xc42015bce0, 0x9, 0xc420163340, 0x12, 0xc42015bcf0, 0x9, 0x7660ca, 0x4, ...)
24 May 2021
SIM AUDIT IJ26652 "USER ACCOUNT MODIFIED" EVENT GENERATED INSTEAD OF "USER PASSWORD CHANGE" WHEN PASSWORD CHANGE OCCURS CLOSED Resolved in
QRadar 7.4.3 (7.4.3.20210517144015)

Workaround
No workaround available. Administrators who experience this issue must upgrade to a software version where this issue is resolved.

Issue
A "User Account Modified" event (QID 28250069) is generated when a QRadar user password is changed from the QRadar user interface, instead of the expected "User Changed Password" event.

The same "Account Modified" entry is written to the audit log:
test@127.0.0.1 (7179) /console/restapi/api/config/access/users/3 | [Configuration] [UserAccount] [AccountModified] test
24 May 2021
DSM EDITOR IJ25814 DSM EXPORT FUNCTION FAILS WHEN AUTHOR FIELD IS LEFT BLANK CLOSED Resolved in
QRadar 7.4.3 (7.4.3.20210517144015)

Workaround
Ensure the Author field is populated when performing a DSM Export function.

Issue
When performing a DSM "Export", the Author field is not marked as required, but if it is left blank (it is prefilled with Admin) the export fails and generates an error similar to:
console/restapi/api/config/extension_management/extension_export_tasks]
com.ibm.si.data_ingestion.api.v12_0.cmt.ExtensionManagementAPI:
[ERROR][NOT:0000003000][127.0.0.1/- -] [-/- -]Export failed.
Manifest Configuration should be valid. Name, Author, min_version and version should be valid.


Note: After an upgrade to QRadar 7.4.3 GA or later, the DSM Editor displays, "The value is required" if you attempt to export a custom DSM without the author field populated.
24 May 2021
AUTHENTICATION IJ27713 UNABLE TO LOGIN TO QRADAR USING ENCRYPTED LDAP WITH MICROSOFT AD SERVICES OVER STANDARD LDAP PORTS CLOSED Workaround
Multiple workarounds are available:
  • Use SSL instead of TLS, or configure the LDAP settings (base OU and so on) so that searches do not return referrals.
    OR
  • Use one of the AD Global Catalog ports, such as LDAP TCP/3268 or LDAPS TCP/3269.

Issue
Users are unable to log in when encrypted LDAP is used with Microsoft Active Directory over the standard LDAP ports TCP/389 and TCP/636, because LDAP referrals returned by Active Directory break the TLS-encrypted connection.

LDAP authentication fails at login and also when the "Test Connection" button on the LDAP configuration page is used.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [admin@127.0.0.1(3540)
/console/JSON-RPC/QRadar.isLDAPConnectionAvailable
QRadar.isLDAPConnectionAvailable]
com.q1labs.core.shared.ldap.SimpleLdapClient: [ERROR]
[NOT:0000003000][ipaddress/- -] [-/- -]Exception occurred when
checking if ldap connection is available
[tomcat.tomcat] [admin@127.0.0.1(3540)
/console/JSON-RPC/QRadar.isLDAPConnectionAvailable
QRadar.isLDAPConnectionAvailable] javax.naming.NamingException:
[LDAP: error code 1 - 00000000: LdapErr: DSID-0C09127A,
comment: TLS or SSL already in effect, data 0, v3839
04 February 2021
QRADAR RISK MANAGER IJ00838 ARC_BUILDER GOES OUT OF MEMORY WHEN THE ASSET CEILING NUMBER IS SET TO 5 MILLION ASSETS CLOSED Resolved in
QRadar 7.4.3 (7.4.3.20210517144015)

Workaround
If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue.

Issue
arc_builder goes out of memory on the managed host when the asset ceiling is set to 5 million assets.

If you have a large number of assets, review /var/log/qradar.log
for Java heap space or load daemon messages related to ArcBuilder.init:
QRADAR-primary arc_builder[22051]: Caused by:
java.lang.Exception: java.lang.OutOfMemoryError: Java heap space
QRADAR-primary arc_builder[22051]:     at
com.q1labs.semsources.filters.arc.ArcBuilder.init(ArcBuilder.java:240)
QRADAR-primary arc_builder[22051]:     ... 5 more
QRADAR-primary arc_builder[22051]: Caused by:
java.lang.OutOfMemoryError: Java heap space
QRADAR-primary arc_builder[22051]:     at
gnu.trove.TLongHashSet.rehash(TLongHashSet.java:169)
QRADAR-primary arc_builder[22051]:     at
gnu.trove.THash.postInsertHook(THash.java:359)
QRADAR-primary arc_builder[22051]:     at
gnu.trove.TLongHashSet.add(TLongHashSet.java:154)
QRADAR-primary arc_builder[22051]:     at
com.q1labs.semsources.filters.arc.NetworkModelsServices.loadExis
tingPortData(NetworkModelsServices.java:405)
QRADAR-primary arc_builder[22051]:     at
com.q1labs.semsources.filters.arc.NetworkModelsServices.init(Net
workModelsServices.java:215)
QRADAR-primary arc_builder[22051]:     at
com.q1labs.semsources.filters.arc.ArcBuilder.init(ArcBuilder.java:164)
QRADAR-primary arc_builder[22051]:     at
com.q1labs.semsources.filters.arc.ArcBuilder.init(ArcBuilder.java:235)
QRADAR-primary arc_builder[22051]:     ... 5 more
QRADAR-primary arc_builder[22051]: 09/04/2017 22:06:18 22052
arc_builder error: Cannot load daemon
12 August 2020
DATA SYNCHRONIZATION APP IJ32756 DESTINATION SITE AUTH TOKENS FAIL TO WORK PROPERLY AFTER A RESTORE IS PERFORMED USING THE QRADAR DATA SYNCHRONIZATION APP OPEN Workaround
After a cross-site restore completes from the QRadar Data Synchronization app:
  1. On the Admin tab, click Advanced > Deploy Full Configuration.
  2. Wait for the full deploy to complete.
  3. After the Deploy Full Configuration completes, type the following command and verify the status is "Active: active (running)":
    systemctl status tomcat
  4. After confirming tomcat is running, restart tomcat:
    systemctl restart tomcat

Issue
After completing a cross-site restore through the Data Sync app, the following error messages can display, which indicate that the QRadar API calls made by the app are no longer authenticated:
[ERROR] [Fri May 07 2021 13:12:44 GMT-0300 (Eastern Daylight Time)] 'An error occured retrieving backups from QRadar API: No SEC header present in request. Please provide it via "SEC: token". You may also use BASIC authentication parameters if this host supports it. e.g. "Authorization: Basic base64Encoding"',
[ERROR] [Fri May 07 2021 13:12:44 GMT-0300 (Eastern Daylight Time)] toString: [Function: toString] }
24 May 2021
USER INTERFACE IJ23859 'APPLICATION ERROR' POP UP CAN OCCUR WHEN DISABLING A USER THAT HAS DEPENDENCIES (E.G. CEP, SAVED SEARCH) CLOSED Workaround
After initiating the user delete process, reassign all dependencies and then cancel the delete process.

Issue
An "Application Error" can be generated in the user interface after a user who owns dependencies (for example, Custom Event Properties or Saved Searches) is disabled. The error can be displayed on the Log Activity tab or Network Activity tab when a value (custom property, reference set, saved search, and so on) owned by the disabled user is rendered.
The Log Activity tab can display an Application Error when a disabled user owns a custom property or other dependency that the UI requires to display results.

Messages similar to the following might be generated in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails]
com.q1labs.core.shared.ariel.AqlCustomKeyCreator: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]Exception creating AQL
key creator for property ID 58099b2f-d650-4b70-ac93-f5d770d24062
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails]
com.q1labs.ariel.ql.parser.AQLParserException: Catalog "events"
does not exist.
concat(REFERENCEMAP('^
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
com.q1labs.ariel.ql.parser.ParserBase.getCatalog(ParserBase.java:179)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
com.q1labs.ariel.ql.parser.Parser.parseExpression(Parser.java:300)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
com.q1labs.core.shared.ariel.AqlCustomKeyCreator.createKeyCreator(AqlCustomKeyCreator.java:145) 
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
com.q1labs.core.shared.ariel.AqlCustomKeyCreator.initialize(AqlCustomKeyCreator.java:122) 
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
com.q1labs.frameworks.util.Utils.initialize(Utils.java:459)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
com.q1labs.events.ui.bean.EventForm.copyFromDAO(EventForm.java:782)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
com.q1labs.ariel.ui.UIArielServices.getRecordBean(UIArielServices.java:5872)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
com.q1labs.ariel.ui.action.ArielDetails.viewDetails(ArielDetails.java:36)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
sun.reflect.GeneratedMethodAccessor1170.invoke(Unknown Source)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
java.lang.reflect.Method.invoke(Method.java:508) 
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:280)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
org.apache.struts.actions.DispatchAction.execute(DispatchAction.java:216)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
com.q1labs.uiframeworks.actions.DispatchAction.execute(DispatchAction.java:64)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
com.q1labs.uiframeworks.action.RequestProcessor.processActionPerform(RequestProcessor.java:101)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:275)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
com.q1labs.uiframeworks.action.ActionServlet.process(ActionServlet.java:122)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:525)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
javax.servlet.http.HttpServlet.service(HttpServlet.java:661)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
com.q1labs.uiframeworks.encoding.AddEncodingToRequestFilter.doFilter(AddEncodingToRequestFilter.java:56)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
com.q1labs.uiframeworks.servlet.DestroySessionFilter.doFilter(DestroySessionFilter.java:26)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
com.q1labs.uiframeworks.servlet.AddHSTSHeaderFilter.doFilter(AddHSTSHeaderFilter.java:22)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) 
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
com.q1labs.uiframeworks.valve.ErrorReportValve.invoke(ErrorReportValve.java:47)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:476)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) 
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
java.lang.Thread.run(Thread.java:812)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails]
com.q1labs.uiframeworks.action.ExceptionHandler: [INFO] [NOT:0000006000]
[127.0.0.1/- -] [-/- -]Following message suppressed 1 times in 300000 milliseconds
09 March 2021
SALESFORCE REST API PROTOCOL IJ29347 QRADAR REQUIRES SECURITY TOKEN FOR SALESFORCE RESTAPI PROTOCOL CONNECTION OPEN Workaround
Running the following command from an SSH session to the QRadar Console allows connectivity without a security token for Salesforce REST API protocol connections:
psql -U qradar -c "update sensorprotocolparameter set required = 'f' where id = 54030;"

Issue
Salesforce allows REST API connections without a Security Token, but within QRadar the Security Token is still a required field for the Salesforce REST API protocol (see the QRadar DSM Guide).

This can cause connectivity issues between QRadar and the Salesforce source due to the variance in setup that can occur when configuring the protocol/connection.

Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
Response from auth attempt was not 200, response: 400: Bad
Request
[ecs-ec-ingress.ecs-ec-ingress] [Thread-8126]
com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAP
IInstance: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]
{"error":"invalid_grant","error_description":"authentication
failure"}
19 November 2020
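The IJ29347 workaround above clears the required flag on a row selected only by its numeric id. As an added example (not IBM's procedure), here is the same change wrapped in a transaction with a look at the row before and after, so it can be rolled back if id 54030 is not the Security Token parameter of the Salesforce REST API protocol on your console. It assumes only the id and required columns that the workaround itself uses; run it interactively in psql -U qradar rather than from a file, so you can read the first SELECT before deciding to COMMIT.

```sql
-- Added example, not IBM code: IJ29347 workaround with an inspect-then-commit step.
BEGIN;

-- Confirm that this row is the Salesforce REST API "Security Token" parameter.
-- If it is something else, run ROLLBACK; instead of the statements below.
SELECT * FROM sensorprotocolparameter WHERE id = 54030;

-- The workaround from the APAR, now inside the transaction.
UPDATE sensorprotocolparameter SET required = 'f' WHERE id = 54030;

-- Expect exactly one row with required = f before committing.
SELECT id, required FROM sensorprotocolparameter WHERE id = 54030;

COMMIT;
```

A Deploy Changes from the Admin tab is still needed afterwards if the protocol form does not immediately reflect the change; the APAR does not say whether it is, so check the form after committing.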
ROUTING RULES / FORWARDED EVENTS IJ29718 EVENTS CAN BE DROPPED WHEN A DROPPED CONNECTION FAILED TO RECONNECT USING ONLINE FORWARDING WITH 'TCP' OR 'TCP OVER SSL' CLOSED Resolution
The development team is unable to reproduce this issue. If you continue to experience errors with forwarded events or routing rules, contact QRadar Support.

Workaround
No workaround available. APARs identified with no workaround require a software update to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
When using online forwarding with TCP or TCP over SSL, if a connection issue occurs, it can result in online forwarding not reconnecting to the configured Destination successfully. Events are not forwarded to the Destination until the forwarding rule is disabled and re-enabled to establish a proper connection.
02 February 2021
RULES IJ32591 RULES CAN BE INCORRECTLY GENERATED IN DEPLOYMENTS WHERE DUAL STACK IS CONFIGURED AND A QRADAR PATCH HAS BEEN APPLIED OPEN Workaround
Contact QRadar Support for a possible workaround that might address this issue.

Issue
Iptables and ip6tables rules can be incorrectly generated in QRadar deployments where dual stack is configured. On dual-stack (IPv4 and IPv6) appliances, iptables and ip6tables are disabled and the iptables_update.pl script is symlinked to /bin/true.

When patching to a QRadar version in which the hostcontext rpm is updated, this configuration is reverted and iptables is unexpectedly re-enabled.
10 May 2021
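Because the IJ32591 reversion is silent, a post-patch check is worth scripting. The following is an added example, not IBM code: it reports whether iptables_update.pl still resolves to /bin/true and whether the iptables and ip6tables services are inactive. The full path of iptables_update.pl is not given on the APAR, so it is taken as the first argument rather than assumed; the service names iptables and ip6tables are the ones the APAR names.

```shell
#!/bin/sh
# Added example (not IBM code): verify the dual-stack workaround from IJ32591
# is still in place after a QRadar patch.
# Usage: sh check_dual_stack.sh /full/path/to/iptables_update.pl

# 0 if SCRIPT is a symlink that resolves to /bin/true, 1 otherwise.
iptables_update_is_neutralised() {
    script="$1"
    [ -L "$script" ] || return 1
    target=$(readlink -f "$script") || return 1
    [ "$target" = "$(readlink -f /bin/true)" ]
}

# 0 if neither iptables nor ip6tables is active, 1 if either is,
# 2 if systemctl is not available on this host.
firewall_services_inactive() {
    command -v systemctl >/dev/null 2>&1 || return 2
    if systemctl is-active --quiet iptables || systemctl is-active --quiet ip6tables; then
        return 1
    fi
    return 0
}

# Prints one verdict per check; exit status 1 if the workaround looks reverted.
check_dual_stack_workaround() {
    script="$1"
    status=0
    if iptables_update_is_neutralised "$script"; then
        echo "OK: $script -> /bin/true"
    else
        echo "WARNING: $script is not a symlink to /bin/true (the patch may have reverted the workaround)"
        status=1
    fi
    firewall_services_inactive && rc=0 || rc=$?
    case $rc in
        0) echo "OK: iptables and ip6tables are inactive" ;;
        2) echo "SKIP: systemctl not found, service state not checked" ;;
        *) echo "WARNING: iptables or ip6tables is active"; status=1 ;;
    esac
    return $status
}

if [ -n "${1:-}" ]; then
    check_dual_stack_workaround "$1"
fi
```

Run it once before the patch to confirm both checks pass, and again after the patch pre-test and the patch itself; a WARNING on the symlink check after patching is the condition the APAR describes, and the fix is to contact QRadar Support as the workaround states rather than to re-apply the symlink without guidance.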
QRADAR NETWORK INSIGHTS IJ32209 INCIDENT RESULTS WINDOW CAN TAKE LONGER THAN EXPECTED TO LOAD BECAUSE THE FORENSICS DATABASE TABLE IS NOT PURGED WHEN CASES ARE DELETED OPEN Workaround
Contact QRadar Support for a possible workaround that might address this issue.

Issue
The Incident Results window populates from a forensics database table that is not purged even when cases are deleted through Case Management.

All entries on all pages must have a Solr request sent to determine the document count for the page which can sometimes cause the Incident Results window to take longer than expected to load.
29 April 2021
QRADAR NETWORK INSIGHTS IJ32062 QRADAR NETWORK INSIGHTS CANNOT ADD HOST TO THE DEPLOYMENT WHEN THE CONSOLE FAILS TO OPEN AN SFTP CHANNEL OPEN Workaround
  1. Using an SSH session to the QNI host, edit /etc/ssh/sshd_config with a tool such as vi and un-comment the following line:
    Subsystem sftp /usr/libexec/openssh/sftp-server
  2. On the QNI host, restart sshd using the command:
    systemctl restart sshd
  3. Add the QNI host to the deployment again.

Issue
QRadar Network Insights (QNI) hosts can fail to be added to a QRadar deployment due to the console failing to open an SFTP channel.

These instances have been identified as being caused by changes made in sshd_config during previous QRadar upgrades of the QNI host.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[hostcontext.hostcontext] [a393ce8b-13c3-4a89-a9af-45b902ce90f4/SequentialEventDispatcher]
com.q1labs.core.shared.cli.ssh.SshException: Failed to open an sftp channel
29 April 2021
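The sshd_config edit in the IJ32062 workaround is easy to get wrong by hand (a leading tab or a second commented copy of the line is enough for sshd to keep ignoring it). The script below is an added example, not IBM code: it detects whether an active Subsystem sftp line exists, uncomments a commented one or appends the exact line quoted on the APAR, keeps a timestamped backup, and validates the result with sshd -t before you restart the service. The config path defaults to /etc/ssh/sshd_config as on the APAR and can be overridden for testing; the backup naming and the in-place write are this example's choices.

```shell
#!/bin/sh
# Added example (not IBM code): check and restore the sftp subsystem line
# that IJ32062 says earlier QNI upgrades can leave commented out.

SFTP_LINE='Subsystem sftp /usr/libexec/openssh/sftp-server'   # line quoted on the APAR

# 0 if CFG has an active (uncommented) "Subsystem sftp ..." line,
# 1 if it has none, 2 if the file cannot be read.
sftp_subsystem_enabled() {
    cfg="${1:-/etc/ssh/sshd_config}"
    [ -r "$cfg" ] || return 2
    grep -Eq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]' "$cfg"
}

# Uncomment an existing "#Subsystem sftp ..." line, or append SFTP_LINE if none
# exists. A timestamped backup is written beside the file first, and the new
# content is written through cat so the file keeps its owner and mode.
enable_sftp_subsystem() {
    cfg="${1:-/etc/ssh/sshd_config}"
    [ -w "$cfg" ] || return 2
    if sftp_subsystem_enabled "$cfg"; then
        return 0                      # already active, nothing to do
    fi
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)" || return 1
    if grep -Eq '^[[:space:]]*#[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]' "$cfg"; then
        sed -E 's/^[[:space:]]*#[[:space:]]*(Subsystem[[:space:]]+sftp[[:space:]].*)$/\1/' "$cfg" > "$cfg.tmp" || return 1
        cat "$cfg.tmp" > "$cfg" || return 1
        rm -f "$cfg.tmp"
    else
        printf '%s\n' "$SFTP_LINE" >> "$cfg" || return 1
    fi
    sftp_subsystem_enabled "$cfg"
}

# Syntax-check the file with sshd itself (needs root for host keys);
# 2 if sshd is not on PATH so the caller can decide whether to proceed.
sshd_config_valid() {
    cfg="${1:-/etc/ssh/sshd_config}"
    command -v sshd >/dev/null 2>&1 || return 2
    sshd -t -f "$cfg"
}
```

On the QNI host the sequence is enable_sftp_subsystem, then sshd_config_valid, and only then systemctl restart sshd, so a typo in the config cannot lock you out of the appliance; after the restart, add the host to the deployment again as step 3 of the workaround says.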
LOG SOURCE MANAGEMENT APP IJ32519 ALERT BOX 'ERRORFETCHINGCERTIFICATEDATATITLE' POP UP WHEN USING LOG SOURCE MANAGEMENT APP (LSM) V7.0.0 CLOSED Resolved in
Log Source Management app v7.0.1

Workaround
Close the Alert if it appears. The error message is benign and Log Source Management app continues to function as expected after the error message is closed.

Issue
The Log Source Management app (LSM) v7.0.0 can display an alert box titled ERRORFETCHINGCERTIFICATEDATATITLE. This is an API error that can be closed if displayed and does not impact LSM app functionality.
The message is generated when an API call returns null and the response is not handled properly by the Log Source Management app.
19 May 2021
UPGRADE IJ32160 PATCH PRE-TEST CAN FAIL WITH '[ERROR] THERE ARE X BACKUPS IN PROGRESS. PLEASE WAIT FOR THEM TO COMPLETE...' OPEN Workaround
Follow these steps from an SSH session to the QRadar Console to update all backups marked "DELETING" to "FAILED":
  1. Stop hostcontext and tomcat:
    systemctl stop hostcontext
    systemctl stop tomcat
  2. Run the following sql:
    psql -U qradar -c "update backup set status = 'FAILED' where status = 'DELETING';"
  3. Restart tomcat and hostcontext
    systemctl start tomcat
    systemctl start hostcontext
  4. Retry the patch pre-test process.

Issue
The QRadar patch pre-test can fail with a message displayed similar to the following when the QRadar database has many backup records in status 'DELETING': [ERROR] There are X backups in progress. Please wait for them to complete or cancel via UI before restarting patch
16 April 2021
LOG ACTIVITY IJ32112 "Q1CERTIFICATEEXCEPTION: CHECKCERTIFICATEPINNING FAILED" ERROR MESSAGES IN LOG ACTIVITY AS SIM GENERIC EVENTS OPEN Workaround
Contact QRadar Support for a possible workaround that might address this issue.

Issue
"Q1CertificateException: checkCertificatePinning failed" error messages can sometimes be observed in Log Activity as Sim Generic events.

Individual lines of the stack trace can be sent into the QRadar pipeline and when this occurs they are being parsed as Unknown SIM Generic events or in some instances as Stored events under a newly created Log Source.

This error occurs because the certificate retrieved from the Log Source location does not match any of the certificates stored on the QRadar system.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
Caused by: com.q1labs.frameworks.crypto.trustmanager.exceptions.Q1CertificateException: checkCertificatePinning failed.
at com.q1labs.frameworks.crypto.trustmanager.Q1X509TrustManager.checkCertificatesTrusted(Q1X509TrustManager.java:411)
at com.q1labs.frameworks.crypto.trustmanager.CertificateValidator.validate(CertificateValidator.java:110)
at com.ibm.jsse2.D.s(D.java:286)
at com.q1labs.frameworks.crypto.trustmanager.CertificateValidator.checkCertificatePinning(CertificateValidator.java:547)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
... 25 more
at com.ibm.jsse2.av.a(av.java:788)
at com.q1labs.frameworks.crypto.trustmanager.Q1X509TrustManager.checkServerTrusted(Q1X509TrustManager.java:307)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1352)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1327)
at com.ibm.jsse2.av.a(av.java:637)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at com.ibm.jsse2.E.a(E.java:145)
at java.lang.Thread.run(Thread.java:822)
at com.ibm.jsse2.E.a(E.java:479)
at com.q1labs.core.shared.jsonrpc.RPC.executeMethodWithTimeout(RPC.java:215)
at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:319)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:191)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
at com.q1labs.hostcontext.configuration.ConfigChangeObserver$ConfigChangeObserverTask.run(ConfigChangeObserver.java:662)
at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:72)
at com.ibm.jsse2.E.a(E.java:585)
at com.ibm.jsse2.D.a(D.java:251)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522)
at com.q1labs.hostcontext.configuration.ConfigChangeObserver$CheckDeployRequestTimer.timeExpired(ConfigChangeObserver.java:401)
at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:1)
at com.q1labs.hostcontext.configuration.ConfigChangeObserver$CheckDeployRequestTimer.getActionRequest(ConfigChangeObserver.java:426)
at com.ibm.jsse2.av.startHandshake(av.java:1020)
at com.ibm.jsse2.D.a(D.java:121)
at com.ibm.jsse2.k.a(k.java:43)
at com.q1labs.core.shared.jsonrpc.RPC.executeMethod(RPC.java:359)
at com.ibm.net.ssl.www2.protocol.https.b.getOutputStream(b.java:70)
at com.ibm.jsse2.av.a(av.java:722)
at com.q1labs.core.shared.jsonrpc.RPC.executeMethod(RPC.java:544)
at com.ibm.jsse2.D.a(D.java:572)
at com.ibm.jsse2.av.i(av.java:45)
at com.q1labs.frameworks.crypto.trustmanager.Q1X509TrustManager.checkCertificatesTrusted(Q1X509TrustManager.java:411)
at com.q1labs.frameworks.crypto.trustmanager.CertificateValidator.checkCertificatePinning(CertificateValidator.java:547)
at com.q1labs.frameworks.crypto.trustmanager.CertificateValidator.validate(CertificateValidator.java:110)
Caused by: com.q1labs.frameworks.crypto.trustmanager.exceptions.Q1CertificateException: checkCertificatePinning failed.
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:191)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522)
at com.ibm.jsse2.E.a(E.java:145)
... 25 more
14 April 2021
HIGH AVAILABILITY (HA) IJ32089 HIGH AVAILABILITY FAILOVER DOES NOT WORK AS EXPECTED WHEN ISCSI AND MULTIPATH IS CONFIGURED CLOSED Workaround
Closed as permanent restriction as this issue will not be fixed. Refer to the IBM Security QRadar Offboard Storage Guide for supported offboard storage configurations.

Issue
High Availability (HA) failovers do not work as expected when iSCSI is configured with multipath. The ha_setup.sh script allows the multipath configuration to succeed, but HA failovers do not work because a bad symlink is created.
20 July 2021
QRADAR NETWORK INSIGHTS IJ32165 MISCELLANEOUS FLOWS CAN BE GENERATED BY QRADAR NETWORK INSIGHTS WITH PAYLOADS SIMILAR TO "IBM(158)=HTTP;IBM(159)=1.0" OPEN Workaround
  1. If there is no custom NetFlow v9 or IPFIX integration with third-party sources that relies on custom flow properties to extract fields from the payload, it is recommended to disable Payload mode altogether. In the System Settings dialog, select only "TLV" mode.
  2. If Payload mode is required, edit /opt/qradar/conf/IPFIXFields.conf and add the fields shown in the payload that are to be hidden.
    Note: The 0 in the payload column of that file means the field is not included in the payload. For example, the protocol name field can be hidden with the following line:
    "2,158,PROTOCOL_NAME,0"

Issue
QRadar Network Insights can generate miscellaneous flows that include payloads that display similar to:
"Apr 5, 2021, 4:04:54PM","false","Web.Web.Misc","Best Effort","6","false","0:0:0:0:0:0:0:0",
"0","4","IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;
IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;
IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;
IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;","Web","18448","IBM(158)=HTTP;
IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;
IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;
IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;
IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;","Apr 5,2021, 4:02:50 PM","Best Effort","L2L",
"Web.HTTPWeb","61176","S,P,A","9999"
30 April 2021
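Before hiding fields for IJ32165 it helps to know which IBM(n) ids actually appear in the miscellaneous flows and whether a payload is nothing but those repeated pairs. The script below is an added example, not IBM code or a QNI component: it parses the IBM(n)=value payload format shown above, counts each id, flags payloads that consist only of repeated pairs, and emits IPFIXFields.conf lines in the 2,ID,NAME,0 layout of the line quoted in the workaround. Only id 158 is named on the APAR (PROTOCOL_NAME); the name for 159 is not known here, so it is reported for lookup rather than guessed. Whether the file expects the surrounding quotation marks shown on the APAR is also unknown, so compare the emitted lines with existing entries in /opt/qradar/conf/IPFIXFields.conf before adding them. The sample payload is constructed from the APAR's quoted flow.

```python
"""Added example (not IBM code): parse QNI IBM(n)=value payloads from IJ32165
and produce IPFIXFields.conf lines that hide the fields they carry."""
import re
from collections import Counter

# Constructed sample, modelled on the payload quoted in the APAR.
SAMPLE_PAYLOAD = (
    "IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;"
    "IBM(158)=HTTP;IBM(159)=1.0;"
)

# Field id -> name. Only 158 is named on the APAR; add others as you confirm them.
KNOWN_FIELD_NAMES = {158: "PROTOCOL_NAME"}

_FIELD_RE = re.compile(r"IBM\((\d+)\)=([^;]*)")


def parse_ibm_fields(payload: str) -> dict:
    """Return {field_id: Counter(value -> occurrences)} for every IBM(n)=value pair."""
    fields = {}
    for field_id, value in _FIELD_RE.findall(payload):
        fields.setdefault(int(field_id), Counter())[value] += 1
    return fields


def is_degenerate_payload(payload: str, min_repeats: int = 3) -> bool:
    """True when the payload is only IBM(n)=value pairs, each id repeating one value.

    This is the shape the APAR describes; real payload data (an HTTP request line,
    for instance) leaves text behind once the pairs are stripped and is not flagged.
    """
    fields = parse_ibm_fields(payload)
    if not fields:
        return False
    leftover = _FIELD_RE.sub("", payload).replace(";", "").strip()
    if leftover:
        return False
    return all(len(c) == 1 and sum(c.values()) >= min_repeats for c in fields.values())


def hide_field_line(field_id: int, name: str) -> str:
    """IPFIXFields.conf line in the layout quoted on the APAR; trailing 0 = hide from payload."""
    return f"2,{field_id},{name},0"


def conf_lines_for_payload(payload: str) -> tuple:
    """Return (conf_lines, unknown_ids): lines for named ids, ids that still need a name."""
    lines, unknown = [], []
    for field_id in sorted(parse_ibm_fields(payload)):
        name = KNOWN_FIELD_NAMES.get(field_id)
        if name is None:
            unknown.append(field_id)
        else:
            lines.append(hide_field_line(field_id, name))
    return lines, unknown


if __name__ == "__main__":
    print("degenerate payload:", is_degenerate_payload(SAMPLE_PAYLOAD))
    lines, unknown = conf_lines_for_payload(SAMPLE_PAYLOAD)
    print("\n".join(lines))
    if unknown:
        print("# look up names before adding:", unknown)
```

Feed it the payload column exported from a Network Activity search rather than the whole CSV row; the other columns in the quoted row are flow metadata, not payload, and would be reported as leftover text.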
CUSTOM PROPERTIES IJ32104 AN EXCEPTION GENERATED BY THE AUTOMATIC PROPERTY DISCOVERY ENGINE CAN CAUSE EVENTS TO BE DROPPED FOR LOG SOURCES OPEN Workaround
Contact QRadar Support for a possible workaround that might address this issue.

Issue
Property Autodetection can stop working when the threshold for bad properties is reached on a Managed Host, because disablePropertyDiscoveryProfile tries to update the database and fails, as the transaction is read-only. When this issue occurs, events can fail to be received by QRadar log sources.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ec.ecs-ec] [Property Discovery Engine Thread]
com.q1labs.frameworks.core.ThreadExceptionHandler: 
[ERROR] [NOT:0000003000][X.X.X.X/- -] [-/- -]
Exception was uncaught in thread: Property Discovery Engine Thread
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] com.q1labs.frameworks.
exceptions.FrameworksRuntimeException: Problem occurred committing transaction
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at com.q1labs.frameworks.
session.SessionContext.commitTransaction(SessionContext.java:1079)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at com.q1labs.frameworks.
session.SessionContext.commitTransaction(SessionContext.java:1005)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at com.ibm.si.ec.filters. 
property.cache.PropertyDiscoveryThreshold.disableProperty
DiscoveryProfile(PropertyDiscoveryThreshold.java:159)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at com.ibm.si.ec.filters.property.cache.PropertyDiscoveryThreshold.incrementThreshold(PropertyDiscoveryThreshold.java:92)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at com.ibm.si.ec.filters.property.parser.PropertyParser.handleResults(PropertyParser.java:56)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at com.ibm.si.ec.filters.property.parser.PropertyParserJSON.processEvent(PropertyParserJSON.java:54)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at com.ibm.si.ec.filters.property.PropertyDiscoveryEngine$PropertyDiscoveryEngineThread.run(PropertyDiscoveryEngine.java:222)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] Caused by: <openjpa-2.4.3-r422266:1833086 fatal store error> org.apache.openjpa.persistence.RollbackException: The transaction has been rolled back. See the nested exceptions for details on the errors that occurred.
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] FailedObject: com.q1labs.core.dao.qidmap.PropertyDiscoveryProfile-51
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.persistence.EntityManagerImpl.commit(EntityManagerImpl.java:595)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at com.q1labs.frameworks.session.SessionContext.commitTransaction(SessionContext.java:1039)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] ... 6 more
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] Caused by: <openjpa-2.4.3-r422266:1833086 fatal general error> org.apache.openjpa.persistence.PersistenceException: The transaction has been rolled back. See the nested exceptions for details on the errors that occurred.
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] FailedObject: com.q1labs.core.dao.qidmap.PropertyDiscoveryProfile-51
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.kernel.BrokerImpl.newFlushException(BrokerImpl.java:2374)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.kernel.BrokerImpl.flush(BrokerImpl.java:2211)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.kernel.BrokerImpl.flushSafe(BrokerImpl.java:2103)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.kernel.BrokerImpl.beforeCompletion(BrokerImpl.java:2021)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.kernel.LocalManagedRuntime.commit(LocalManagedRuntime.java:81)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.kernel.BrokerImpl.commit(BrokerImpl.java:1526)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.kernel.DelegatingBroker.commit(DelegatingBroker.java:932)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.persistence.EntityManagerImpl.commit(EntityManagerImpl.java:571)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] ... 7 more
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] Caused by: <openjpa-2.4.3-r422266:1833086 fatal general error> org.apache.openjpa.persistence.PersistenceException: ERROR: cannot execute UPDATE in a read-only transaction {prepstmnt -722393899 UPDATE property_discovery_profile SET active = ? WHERE id = ?}
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] FailedObject: com.q1labs.core.dao.qidmap.PropertyDiscoveryProfile-51
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.sql.DBDictionary.narrow(DBDictionary.java:5003)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.sql.DBDictionary.newStoreException(DBDictionary.java:4963)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.sql.SQLExceptions.getStore(SQLExceptions.java:133)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.sql.SQLExceptions.getStore(SQLExceptions.java:75)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.kernel.PreparedStatementManagerImpl.flushAndUpdate(PreparedStatementManagerImpl.java:144)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.kernel.BatchingPreparedStatementManagerImpl.flushAndUpdate(BatchingPreparedStatementManagerImpl.java:79)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.kernel.PreparedStatementManagerImpl.flushInternal(PreparedStatementManagerImpl.java:100)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.kernel.PreparedStatementManagerImpl.flush(PreparedStatementManagerImpl.java:88)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.kernel.ConstraintUpdateManager.flush(ConstraintUpdateManager.java:550)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.kernel.ConstraintUpdateManager.flush(ConstraintUpdateManager.java:107)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.kernel.BatchingConstraintUpdateManager.flush(BatchingConstraintUpdateManager.java:59)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.kernel.AbstractUpdateManager.flush(AbstractUpdateManager.java:104)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.kernel.AbstractUpdateManager.flush(AbstractUpdateManager.java:77)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.kernel.JDBCStoreManager.flush(JDBCStoreManager.java:731)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.kernel.DelegatingStoreManager.flush(DelegatingStoreManager.java:131)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] ... 14 more
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] Caused by: org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR: cannot execute UPDATE in a read-only transaction {prepstmnt -722393899 UPDATE property_discovery_profile SET active = ? WHERE id = ?}
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(LoggingConnectionDecorator.java:218)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(LoggingConnectionDecorator.java:194)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.access$1000(LoggingConnectionDecorator.java:58)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator$LoggingConnection$LoggingPreparedStatement.executeUpdate(LoggingConnectionDecorator.java:1133)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeUpdate(DelegatingPreparedStatement.java:275)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeUpdate(DelegatingPreparedStatement.java:275)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.kernel.JDBCStoreManager$CancelPreparedStatement.executeUpdate(JDBCStoreManager.java:1791)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.kernel.PreparedStatementManagerImpl.executeUpdate(PreparedStatementManagerImpl.java:268)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.kernel.PreparedStatementManagerImpl.flushAndUpdate(PreparedStatementManagerImpl.java:119)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] ... 24 more
29 April 2021
SEARCH IJ32428 UNABLE TO DELETE SAVED SEARCHES OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
When attempting to delete a saved search, the search loads as expected, but there is no option to delete it because the window with the "confirm deletion" button does not appear.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] java.lang.ArrayIndexOutOfBoundsException
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at com.q1labs.cve.utils.CustomColumnDefinition.fromString(CustomColumnDefinition.java:386)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchForm.java:1391)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchForm.java:1296)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at com.q1labs.ariel.ui.bean.ArielSearchForm.getOrderBy(ArielSearchForm.java:246)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.jsp.qradar.jsp.ArielSearch_jsp._jspService(ArielSearch_jsp.java:415)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at com.q1labs.uiframeworks.jsp.HttpJspBase.service(HttpJspBase.java:148)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:476)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:713)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:462)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:387)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:315)
01 May 2021
AUTHENTICATION IJ32108 THE USER INTERFACE ADMIN PASSWORD CAN FAIL TO BE SET CORRECTLY WHEN A REBOOT OCCURS DURING SYSTEM BUILD OPEN Workaround
Set the User Interface admin password with the command line interface (CLI) script by following these instructions:
QRadar: Changing the admin account password from the UI or CLI

Issue
When a QRadar system is being built and a reboot occurs during the install configuration, the User Interface admin password can sometimes fail to be set correctly.
01 May 2021
LOG SOURCE MANAGEMENT APP IJ32240 LOG SOURCE MANAGEMENT APP DOES NOT ALLOW THE PORT FIELD TO BE LEFT BLANK WHEN USING SOME JDBC PROTOCOL CONFIGURATIONS OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
In the DSM Guide documentation on configuring parameters for the JDBC protocol, it states that "if a database instance is used with the MSDE database type, you must leave the Port field blank". This is also displayed in the LSM app under a "show more" button.

However, the LSM app does not allow the Port field to be left blank and treats it as a "required field".
01 May 2021
DSM EDITOR IJ32103 WINDOWS SECURITY LOG EVENTS CAN FAIL TO BE PARSED COMPLETELY BY THE DSM EDITOR WHILE WORKING AS EXPECTED IN LOG ACTIVITY OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
Microsoft Windows Security Event Logs (with AWS Kinesis) can fail to be parsed correctly in the DSM Editor while being parsed correctly in the Log Activity tab of the QRadar User Interface.

For example: EventID in the DSM Editor not displaying as expected, but parses fine in the Log Activity tab.
01 May 2021
INDEX MANAGEMENT IJ32111 QUICK FILTER PROPERTY IN ADMIN > INDEX MANAGEMENT DISPLAYS AS "% OF SEARCHES USING PROPERTY" AND HITS/MISSES STAY AT 0 OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
When viewing the 'Quick Filter' property under Admin > Index Management, the '% of Searches Using Property' value and the hits/misses counters are sometimes displayed as "0", even after many searches have been run in the selected time frame.
01 May 2021
PROTOCOLS IJ27028 LOG SOURCES CONFIGURED TO USE THE GOOGLE G SUITE ACTIVITY REPORTS RESTAPI PROTOCOL CAN BE MISSING SOME EVENTS OPEN Workaround
No workaround available. APARs identified with no workaround might require a protocol update to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
Log Sources that are configured to use the Google G Suite Activity Reports REST API Protocol can be missing events. Multiple causes have been identified for this issue:

  1. When multiple pages are returned in the response, the event marker is set to the oldest time in the response, when it should be set to the latest time.
  2. When delays occur at the vendor, the query based on real-time can miss events.
15 August 2020
LOG SOURCE MANAGEMENT APP IJ32222 REPETITIVE /VAR/LOG/AUDIT.LOG MESSAGES BEING WRITTEN AFTER A FAILED PROTOCOL TEST USING LOG SOURCE MANAGEMENT (LSM) APP OPEN Workaround
Restarting the ecs-ec-ingress service corrects this issue until another protocol test fails as described below.
  1. Log in to QRadar as an Administrator.
  2. Click the Admin tab.
  3. On the Advanced menu, click Restart Event Collection Services.
    Note: Restarting the Event Collection Service interrupts event collection momentarily on all appliances while the service restarts.

    Results
    After the Event Collection Service (ecs-ec-ingress) restarts, the repetitive log messages are no longer written to /var/log/audit.log.

Issue
Using the Log Source Management app to perform a protocol test can fail and sometimes causes repeating API messages similar to the following to be written every 5 seconds to /var/log/audit.log:
Apr 12 17:31:52 ::ffff:127.0.0.1 configservices@ipaddress (6604) /console/restapi/api/system/task_management/tasks | [Action] [RestAPI] [APISuccess] [configservices] [1b76e3ae-d28f-4c1e-9b47-86940f613bea] [SECURE] | ContextPath=/console | Headers=[Version: 6.0][host: ipaddress][accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2][user-agent: Java/1.8.0_261] | Method=POST | PathInfo=/system/task_management/tasks | Protocol=HTTP/1.1 | QueryString=message_local_info=%7B%7D&created=1618245112104&task_class=com.q1labs.semsources.sources.base.testing.ProtocolTestTask&task_state=INITIALIZING&status_uuid=d6fe4a4d-6ed7-4deb-8533-66de50bb2ede&created_by=admin&host_id=53&task_name_local_info=%7B%7D&delete_task_id=0&progress=0&maximum=0&modified=1618245112105&task_type=ProtocolTestTask&app_id=ecs-ec-ingress&minimum=0&retention=2_HOURS | RemoteAddr=ipaddress | RemotePort=47952
Apr 12 17:31:52 ::ffff:127.0.0.1 configservices@ipaddress (6604) /console/restapi/api/system/task_management/tasks | [Action] [TaskManagement] [TaskAdded] StatusId=158 HostId=53 ApplicationId=ecs-ec-ingress CreatedBy=admin TaskType=ProtocolTestTask
Apr 12 17:31:52 ::ffff:127.0.0.1 configservices@ipaddress (6606) /console/restapi/api/system/task_management/internal_tasks/158 | [Action] [RestAPI] [APISuccess] [configservices] [94ab9727-29f1-48d8-92e3-5e505ca3938e] [SECURE] | ContextPath=/console | Headers=[Version: 6.0][host: ipaddress][accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2][user-agent: Java/1.8.0_261] | Method=POST | PathInfo=/system/task_management/internal_tasks/158 | Protocol=HTTP/1.1 | QueryString=message_local_info=%7B%7D&created=1618245112104&task_class=com.q1labs.semsources.sources.base.testing.ProtocolTestTask&status_uuid=d6fe4a4d-6ed7-4deb-8533-66de50bb2ede&created_by=admin&host_id=53&task_name_local_info=%7B%7D&delete_task_id=0&progress=0&maximum=0&modified=1618245112622&is_cancel_requested=false&task_type=ProtocolTestTask&app_id=ecs-ec-ingress&minimum=0&retention=2_HOURS | RemoteAddr=ipaddress | RemotePort=47956
29 April 2021
DATA NODE IJ32123 SEARCHES ON INDEXED FIELDS CAN BE SLOWER THAN EXPECTED AFTER ADDING A DATA NODE INTO THE QRADAR DEPLOYMENT CLOSED Resolved in
QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

Workaround
If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue in some instances.

Issue
Searches that are performed on indexed fields can take longer than expected to complete after a Data Node is added to a QRadar deployment. This issue can be caused by a race condition during multi-source re-balancing that results in hourly folders being merged from different sources.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ariel.ariel_query_server] [ariel_client/127.0.0.1:45750] com.ibm.si.ariel.dcs.databalancing.DestinationTransaction: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Checking destination folder /store/ariel/events/records/2021/1/18/17 from source 104
[ariel.ariel_query_server] [ariel_client/127.0.0.1:45750] com.ibm.si.ariel.dcs.databalancing.DestinationTransaction: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Data folder /store/ariel/events/records/2021/1/18/17 does not exist. Requested from source 104
[ariel.ariel_query_server] [ariel_client/127.0.0.1:45750] com.ibm.si.ariel.dcs.databalancing.DestinationData: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -] Path:/store/ariel/events/records/ibmTemp~events104/store/ariel/events/records/store/ariel/events/records/2021/1/18/17 does not exist
[ariel.ariel_query_server] [ariel_client/127.0.0.1:45750] com.ibm.si.ariel.dcs.databalancing.DestinationData: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -] Path:/store/ariel/events/records/ibmTemp~events8/store/ariel/events/records/store/ariel/events/records/2021/1/18/17 does not exist
[ariel.ariel_query_server] [ariel_client/127.0.0.1:45750] com.ibm.si.ariel.dcs.databalancing.DestinationTransaction: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Destination data accepted from source 104
[ariel.ariel_query_server] [ariel_client/127.0.0.1:35228] com.ibm.si.ariel.dcs.databalancing.DestinationTransaction: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Checking destination folder /store/ariel/events/records/2021/1/18/17 from source 8
[ariel.ariel_query_server] [ariel_client/127.0.0.1:35228] com.ibm.si.ariel.dcs.databalancing.DestinationTransaction: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Data folder /store/ariel/events/records/2021/1/18/17 does not exist. Requested from source 8
[ariel.ariel_query_server] [ariel_client/127.0.0.1:35228] com.ibm.si.ariel.dcs.databalancing.DestinationData: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -] Path:/store/ariel/events/records/ibmTemp~events104/store/ariel/events/records/store/ariel/events/records/2021/1/18/17 does not exist
[ariel.ariel_query_server] [ariel_client/127.0.0.1:35228] com.ibm.si.ariel.dcs.databalancing.DestinationData: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -] Path:/store/ariel/events/records/ibmTemp~events8/store/ariel/events/records/store/ariel/events/records/2021/1/18/17 does not exist
[ariel.ariel_query_server] [ariel_client/127.0.0.1:35228] com.ibm.si.ariel.dcs.databalancing.DestinationTransaction: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Destination data accepted from source 8
29 April 2021
SECURITY BULLETIN CVE-2020-4993 IBM QRADAR SIEM IS VULNERABLE TO PATH TRAVERSAL CLOSED Resolved in
QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

Affected versions
  • IBM QRadar 7.3.0 GA to 7.3.3 Patch 7
  • IBM QRadar 7.4.0 GA to 7.4.2 Patch 2
Issue
IBM QRadar SIEM, when decompressing or verifying the signature of zip files, processes data in a way that may be vulnerable to path traversal attacks. CVSS Base score: 4.9
04 May 2021
SECURITY BULLETIN CVE-2015-5237
CVE-2019-17195
CVE-2012-6708
CVE-2015-9251
CVE-2020-11022
CVE-2020-11023
CVE-2011-4969
CVE-2017-18640
CVE-2020-15250
IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES CLOSED Resolved in
QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

Affected versions
  • IBM QRadar 7.3.0 GA to 7.3.3 Patch 7
  • IBM QRadar 7.4.0 GA to 7.4.2 Patch 2
Issue
  • CVE-2015-5237: Google Protocol Buffers could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in MessageLite::SerializeToString. A remote attacker could exploit this vulnerability to execute arbitrary code on the vulnerable system or cause a denial of service. CVSS Base score: 6.3
  • CVE-2019-17195: Connect2id Nimbus JOSE+JWT is vulnerable to a denial of service, caused by the throwing of various uncaught exceptions while parsing a JWT. An attacker could exploit this vulnerability to crash the application or obtain sensitive information. CVSS Base score: 6.5
  • CVE-2012-6708: jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery(strInput) function. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1
  • CVE-2015-9251: jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1
  • CVE-2020-11022: jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery.htmlPrefilter method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1
  • CVE-2020-11023: jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the option elements. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1
  • CVE-2011-4969: jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input when handling the "location.hash" property. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 4.3
  • CVE-2017-18640: SnakeYAML is vulnerable to a denial of service, caused by an entity expansion in Alias feature during a load operation. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.3
  • CVE-2020-15250: JUnit4 could allow a local attacker to obtain sensitive information, caused by a flaw in test rule TemporaryFolder. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 4
04 May 2021
SECURITY BULLETIN CVE-2020-4929 IBM QRADAR SIEM IS VULNERABLE TO CROSS SITE SCRIPTING (XSS) CLOSED Resolved in
QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

Affected versions
  • IBM QRadar 7.3.0 GA to 7.3.3 Patch 7
  • IBM QRadar 7.4.0 GA to 7.4.2 Patch 2
Issue
IBM QRadar SIEM is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. CVSS Base score: 5.4
04 May 2021
SECURITY BULLETIN CVE-2020-4979 IBM QRADAR SIEM IS VULNERABLE TO INSECURE INTER-DEPLOYMENT COMMUNICATION CLOSED Resolved in
QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

Affected versions
  • IBM QRadar 7.3.0 GA to 7.3.3 Patch 7
  • IBM QRadar 7.4.0 GA to 7.4.2 Patch 2
Issue
IBM QRadar SIEM is vulnerable to insecure inter-deployment communication. An attacker that is able to compromise or spoof traffic between hosts may be able to execute arbitrary commands. CVSS Base score: 7.5
04 May 2021
SECURITY BULLETIN CVE-2020-4883 IBM QRADAR SIEM IS VULNERABLE TO CROSS DOMAIN INFORMATION DISCLOSURE CLOSED Resolved in
QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

Affected versions
  • IBM QRadar 7.3.0 GA to 7.3.3 Patch 7
  • IBM QRadar 7.4.0 GA to 7.4.2 Patch 2
Issue
IBM QRadar SIEM could disclose sensitive information about other domains which could be used in further attacks against the system. CVSS Base score: 4.3
04 May 2021
SECURITY BULLETIN CVE-2020-13943 APACHE TOMCAT AS USED BY IBM QRADAR SIEM IS VULNERABLE TO INFORMATION DISCLOSURE CLOSED Resolved in
QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

Affected versions
  • IBM QRadar 7.3.0 GA to 7.3.3 Patch 7
  • IBM QRadar 7.4.0 GA to 7.4.2 Patch 2
Issue
Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by a flaw when an HTTP/2 client exceeds the agreed maximum number of concurrent streams for a connection. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to see the responses for unexpected resources, and use this information to launch further attacks against the affected system. CVSS Base score: 5.3
04 May 2021
SECURITY BULLETIN CVE-2021-20397 IBM QRADAR SIEM IS VULNERABLE TO CROSS SITE SCRIPTING (XSS) CLOSED Resolved in
QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

Affected versions
  • IBM QRadar 7.3.0 GA to 7.3.3 Patch 7
  • IBM QRadar 7.4.0 GA to 7.4.2 Patch 2
Issue
IBM QRadar is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. CVSS Base score: 6.1
04 May 2021
SECURITY BULLETIN CVE-2021-20401
CVE-2020-4932
IBM QRADAR SIEM CONTAINS HARD-CODED CREDENTIALS CLOSED Resolved in
QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

Affected versions
  • IBM QRadar 7.3.0 GA to 7.3.3 Patch 7
  • IBM QRadar 7.4.0 GA to 7.4.2 Patch 2
Issue
  • CVE-2020-4932: IBM QRadar contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. CVSS Base score: 6.2
  • CVE-2021-20401: IBM QRadar contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. CVSS Base score: 5.9
04 May 2021
SECURITY BULLETIN CVE-2020-5013 IBM QRADAR SIEM MAY BE VULNERABLE TO AN XML EXTERNAL ENTITY INJECTION ATTACK (XXE) CLOSED Resolved in
QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

Affected versions
  • IBM QRadar 7.3.0 GA to 7.3.3 Patch 7
  • IBM QRadar 7.4.0 GA to 7.4.2 Patch 2
Issue
IBM QRadar SIEM may be vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. CVSS Base score: 7.1
04 May 2021
WINCOLLECT IJ29851 WINCOLLECT 7.3.0 P1 AGENTS FAIL TO UPDATE OR GET CONFIGURATION UPDATES IN NAT'D ENVIRONMENTS CLOSED Resolved in
WinCollect 7.3.1 (Build 16) (7.3.1.16)

Workaround
If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue in some instances.

Issue
WinCollect 7.3.0 P1 Agents can fail to receive configuration updates, or cannot be updated, because of connection timeouts occurring in NAT'd environments.

Messages similar to the following might be visible when this issue occurs:
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] com.q1labs.sem.semsources.wincollectconfigserver.requestprocessors.ConnectionEstablishmentVersion2Processor: [ERROR] [NOT:0000003000][<IP Address >/- -] [-/- -]Agent XXXXXXX2069(127.0.0.1) caught exception
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] java.net.ConnectException: Connection timed out (Connection timed out)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:236)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:218)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:374)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at java.net.Socket.connect(Socket.java:682)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.ibm.jsse2.av.connect(av.java:453)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.ibm.jsse2.au.connect(au.java:98)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at sun.net.NetworkClient.doConnect(NetworkClient.java:192)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at sun.net.www.http.HttpClient.openServer(HttpClient.java:494)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at sun.net.www.http.HttpClient.openServer(HttpClient.java:589)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.ibm.net.ssl.www2.protocol.https.c.<init>(c.java:56)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.ibm.net.ssl.www2.protocol.https.c.a(c.java:222)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.ibm.net.ssl.www2.protocol.https.d.getNewHttpClient(d.java:25)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1206)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1068)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:78)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1582)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1510)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:491)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.ibm.net.ssl.www2.protocol.https.b.getResponseCode(b.java:40)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.q1labs.sem.semsources.wincollectconfigserver.requestprocessors.ConnectionEstablishmentVersion2Processor.onReceiveConnectionEstablishmentRequest(ConnectionEstablishmentVersion2Processor.java:235)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.q1labs.sem.semsources.wincollectconfigserver.WinCollectConfigHandler.run(WinCollectConfigHandler.java:121)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at java.lang.Thread.run(Thread.java:818)
14 December 2020
WINCOLLECT IJ27033 WINCOLLECT CAN ASSIGN INCORRECT IP ADDRESSES FOR WINDOWS COMPUTERS DUE TO DNS LOOKUP REFRESH CLOSED Resolved in
WinCollect 7.3.1 (Build 16) (7.3.1.16)

Workaround
No workaround available. Administrators must upgrade to a version where this issue is resolved.

Issue
WinCollect can assign incorrect IP addresses for Windows Computers due to issues with DNS Lookup refreshing. The 'OriginatingComputer=ipaddress' being written into the event by WinCollect can be incorrect.
18 August 2020
WINCOLLECT IJ26354 WINCOLLECT AGENT 'STATUS' CONTINUES TO DISPLAY 'RUNNING' AFTER NOT RECEIVING HEARTBEAT FOR AN EXTENDED PERIOD OF TIME CLOSED Resolved in
WinCollect 7.3.1 (Build 16) (7.3.1.16)

Workaround
No workaround available. Administrators must upgrade to a version where this issue is resolved.

Issue
The WinCollect agent "Status" displayed in the QRadar User Interface can continue to display "Running" and fail to update appropriately when QRadar has not received a heartbeat message for an extended period of time from the agent.
31 July 2020
WINCOLLECT IJ27800 WINCOLLECT INSTALLER CANNOT PROPERLY USE A CERTIFICATE THAT IS GREATER THAN 2000 CHARACTERS IN LENGTH CLOSED Resolved in
WinCollect 7.3.0 Fix Pack 1 (Build 41) (7.3.0.41)

Workaround
If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue in some instances.

Issue
When a certificate greater than 2000 characters in length is pasted into the certificate field of the destination configuration page of the WinCollect installer, the certificate is cut to 2000 characters and successfully installs, but TLS communication fails.
28 October 2020
WINCOLLECT IJ26949 WHEN WINCOLLECT 7.3.0 IS INSTALLED AND CONFIGURED FOR USE ON AN ENCRYPTED MANAGED HOST, AGENT/LOG SOURCE COMMUNICATION FAILS CLOSED Resolved in
WinCollect 7.3.0 Fix Pack 1 (Build 41) (7.3.0.41)

Workaround
If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue in some instances.

Issue
When WinCollect is configured for use on an encrypted Managed Host in a QRadar environment, the installation of WinCollect version 7.3.0 introduces communication problems between QRadar and the WinCollect Agents. Adding new WinCollect Agent/Log Sources into QRadar fails due to the failure in communication preventing Agent registration.

Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] com.q1labs.frameworks.crypto.trustmanager.extended.Q1X509FullTrustManager: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Server Not Trusted No subject alternative names matching IP address 127.0.0.1 found
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] com.q1labs.sem.semsources.wincollectconfigserver.requestprocessors.ConnectionEstablishmentVersion2Processor: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Agent Agent-name(127.0.0.1) caught exception --
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] javax.net.ssl.SSLHandshakeException:
java.security.cert.CertificateException:
java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.k.a(k.java:37)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.av.a(av.java:422)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.D.a(D.java:70)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.D.a(D.java:164)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.E.a(E.java:249)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.E.a(E.java:731)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.D.r(D.java:486)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.D.a(D.java:244)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.av.a(av.java:608)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.av.i(av.java:282)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.av.a(av.java:1009)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.av.startHandshake(av.java:778)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:239)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:60)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1582)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1510)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:491)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.net.ssl.www2.protocol.https.b.getResponseCode(b.java:40)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.q1labs.sem.semsources.wincollectconfigserver.requestprocessors.ConnectionEstablishmentVersion2Processor.onReceiveConnectionEstablishmentRequest(ConnectionEstablishmentVersion2Processor.java:234)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.q1labs.sem.semsources.wincollectconfigserver.WinCollectConfigHandler.run(WinCollectConfigHandler.java:153)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at java.lang.Thread.run(Thread.java:818)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1]
Caused by: java.security.cert.CertificateException:
java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.q1labs.frameworks.crypto.trustmanager.extended.Q1X509FullTrustManager.checkServerTrusted(Q1X509FullTrustManager.java:382)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.E.a(E.java:438)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1]
... 18 more
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1]
Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.util.b.b(b.java:42)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.util.b.a(b.java:96)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.aD.a(aD.java:183)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.aD.a(aD.java:49)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.aD.a(aD.java:191)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.aD.checkServerTrusted(aD.java:34)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.q1labs.frameworks.crypto.trustmanager.extended.Q1X509FullTrustManager.checkServerTrusted(Q1X509FullTrustManager.java:377)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1]
... 19 more
24 April 2021
WINCOLLECT IJ27857 WINDOWS 10 HOSTS UPDATED TO BUILD 2004 CAN RESET EVENTRECORDID VALUES TO 1 CAUSING WINCOLLECT ISSUES CLOSED Resolved in
WinCollect 7.3.0 Fix Pack 1 (Build 41) (7.3.0.41)

Workaround
If you are unable to upgrade to a version where this issue is resolved, administrators can apply the following workaround:
  1. Log in to the Windows host with the WinCollect agent.
  2. Stop the WinCollect service.
  3. Navigate to C:\ProgramData\WinCollect\Data\PersistenceManager.
  4. Delete all files in the PersistenceManager directory.
  5. Start the WinCollect service.

Issue
WinCollect agents installed on Microsoft Windows 10 hosts upgraded to build 2004 can experience an issue where the WinCollect agent stops sending events to QRadar. The issue was reported after administrators completed updates of Windows 10 from build 1909 to 2004.

WinCollect agents track event collection with the EventRecordID value in the Event Viewer for each event type in C:\ProgramData\WinCollect\Data\PersistenceManager. The PersistenceManager directory includes a file for each event log type with a cursor entry, which indicates the next event in the Event Viewer WinCollect needs to parse and send. When Windows updates to Windows 10 build 2004, the operating system resets the EventRecordID values to 1 in the Event Viewer for all event log types. A reset in the EventRecordID results in WinCollect agents not sending events until the EventRecordID in the Event Viewer matches the last polled Cursor value in the WinCollect agent.

This APAR is intended to alert administrators to this operating system change in Windows 10 feature build 2004. All WinCollect agents at all versions are affected by the EventRecordID reset issue in Windows 10 build 2004. Administrators who plan to update Windows 10 systems to feature build 2004 ought to alert their teams to this EventRecordID reset issue.
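The cursor mechanism described above, as an added illustration that is not WinCollect code: a per-log cursor holds the next EventRecordID to send, the naive poll stalls after the build 2004 reset exactly as the APAR describes, and a reset-aware variant (a constructed heuristic, not IBM's fix) restarts from 1 the way the manual PersistenceManager clean-up does.

```python
# Added illustration (not WinCollect code) of the IJ27857 failure mode: a per-log
# cursor holds the next EventRecordID to send, as the PersistenceManager files do,
# and a Windows 10 build 2004 update resets EventRecordID values back to 1.
from dataclasses import dataclass


@dataclass
class Event:
    record_id: int      # EventRecordID as shown in Event Viewer
    message: str


@dataclass
class LogCursor:
    """Stand-in for one PersistenceManager file: next EventRecordID to send."""
    log_name: str
    next_record_id: int = 1


def poll_naive(cursor: LogCursor, log: list) -> list:
    """Send every event at or beyond the cursor. After a reset to 1 all new
    IDs are below the cursor, so nothing is sent until the log has grown back
    past the old cursor value (the behaviour the APAR describes)."""
    new = [e for e in log if e.record_id >= cursor.next_record_id]
    if new:
        cursor.next_record_id = max(e.record_id for e in new) + 1
    return new


def poll_reset_aware(cursor: LogCursor, log: list) -> list:
    """Same poll, but treat 'newest EventRecordID below the cursor' as a reset
    and restart from 1 (the effect of deleting the PersistenceManager files).
    Constructed heuristic: it cannot tell a reset from an emptied log and may
    resend events already sent, so a real collector would also need deduplication."""
    if log and max(e.record_id for e in log) < cursor.next_record_id:
        cursor.next_record_id = 1
    return poll_naive(cursor, log)


def simulate(poll) -> tuple:
    """Run one poll before and one after a constructed 'build 2004' reset.
    Returns (events sent before reset, events sent after reset, final cursor)."""
    cursor = LogCursor("Security")
    # Constructed log before the update: EventRecordID 1..10.
    before = [Event(i, f"logon {i}") for i in range(1, 11)]
    sent_before = len(poll(cursor, before))
    # After the update the log restarts at EventRecordID 1.
    after = [Event(i, f"post-update logon {i}") for i in range(1, 4)]
    sent_after = len(poll(cursor, after))
    return sent_before, sent_after, cursor.next_record_id


if __name__ == "__main__":
    print("naive:      ", simulate(poll_naive))        # (10, 0, 11): stalled after reset
    print("reset-aware:", simulate(poll_reset_aware))  # (10, 3, 4)
```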
28 October 2020
WINCOLLECT IJ32255 WINCOLLECT 7.3.0 P1 (7.3.0-41) AGENTS THAT ARE NOT INSTALLED ON DRIVE C:\ OF THE WINDOWS COMPUTER CAN STOP SENDING EVENTS OPEN Workaround
On the affected Microsoft Windows computer:
  1. Copy \IBM\WinCollect\config\AgentConfig.xml to \IBM\WinCollect.
  2. Install WinCollect 7.3.0 P1 (7.3.0-41).
  3. After the install has successfully completed, copy AgentConfig.xml from \IBM\WinCollect\ to \IBM\WinCollect\config.
  4. Restart the WinCollect service.

Issue
On Microsoft Windows computers where the WinCollect agents are installed to a drive other than C:\, an upgrade to WinCollect 7.3.0 P1 (7.3.0-41) can cause the destination and log source information to be removed from the AgentConfig.xml file and the WinCollect agent stops sending events.

Microsoft Windows computers where the WinCollect agent was installed to the C:\ drive are not affected.
03 May 2021
ADAPTER / QRADAR RISK MANAGER IJ28428 "SHOW VLANS" CISCO IOS ADAPTER COMMAND DOES NOT RETURN RESULTS DUE TO THE EXPECTED COMMAND "SHOW VLAN" CLOSED Resolved in
QRadar Risk Manager Adapter Bundle 17 (2021.04-09155130)

Note: Adapter Bundle 17 (2021.04-09155130) requires QRadar 7.3.3 GA or later. For information on updating adapters, see: Installing adapters

Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
The "show vlans" command for the Cisco IOS Adapter fails to return output because the command on that appliance (C2900 series) is "show vlan" (no trailing "s").

The adapter is expected to work for both command variations. Example of output with "show vlans":
2020-05-06 20:55:50 [ZipTie::SSH] [SENDING]
2020-05-06 20:55:50 [ZipTie::SSH] show vlans
2020-05-06 20:55:50 [ZipTie::SSH]
----------------------------------------------------------------
2020-05-06 20:55:50 [ZipTie::SSH]
----------------------------------------------------------------
2020-05-06 20:55:50 [ZipTie::SSH] [WAITING 300 SECOND(S) FOR]
2020-05-06 20:55:50 [ZipTie::SSH] hostname[#>]\s*$|--More--\s*$
2020-05-06 20:55:50 [ZipTie::SSH]
----------------------------------------------------------------
2020-05-06 20:55:50 [ZipTie::SSH]
----------------------------------------------------------------
2020-05-06 20:55:50 [ZipTie::SSH] [RESPONSE]
2020-05-06 20:55:50 [ZipTie::SSH]show vlans
2020-05-06 20:55:50 [ZipTie::SSH] Command authorization failed.
2020-05-06 20:55:50 [ZipTie::SSH]
2020-05-06 20:55:50 [ZipTie::SSH] hostname#
18 May 2021
ADAPTER / QRADAR RISK MANAGER IJ28512 JUNIPER JUNOS DEVICE BACKUP FAILURE WHEN ACL REFERENCES A PREFIXLIST WHICH DOES NOT CONTAIN A LIST OF IP ADDRESSES CLOSED Resolved in
QRadar Risk Manager Adapter Bundle 17 (2021.04-09155130)

Note: Adapter Bundle 17 (2021.04-09155130) requires QRadar 7.3.3 GA or later. For information on updating adapters, see: Installing adapters

Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
Administrators might notice that a Juniper JunOS device fails to back up when an access control list references a prefix list that does not contain a list of IP addresses or CIDRs.

Look for similar messages in /var/log/qradar.log:
[tomcat-rm.tomcat-rm] [Adapter Backup Job] com.q1labs.simulator.jobs.DeviceAdapterBackupJob: [ERROR] [NOT:0000003000][9.175.220.190/- -] [-/- -]java.lang.Exception: Don't know how to nbits yet at /usr/share/ziptie-server/adapters/ziptie.adapters.juniper.junos_2020.04.08143009/scripts/ZipTie/Adapters/Juniper/JUNOS/Parsers.pm line 1637.
 at org.ziptie.server.job.AbstractAdapterTask.execute(AbstractAdapterTask.java:157)
 at org.ziptie.server.dispatcher.Operation.execute(Operation.java:100)
 at org.ziptie.server.dispatcher.OperationExecutor$JobThread.runJob(OperationExecutor.java:686)
 at org.ziptie.server.dispatcher.OperationExecutor$JobThread.run(OperationExecutor.java:563)
Caused by: javax.xml.ws.soap.SOAPFaultException: Don't know how to nbits yet at /usr/share/ziptie-server/adapters/ziptie.adapters.juniper.junos_2020.04.08143009/scripts/ZipTie/Adapters/Juniper/JUNOS/Parsers.pm line 1637.
 at com.sun.xml.ws.fault.SOAPFault.getProtocolException(SOAP11Fault.java:188)
 at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:116)
 at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:119)
 at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
 at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118)
 at com.sun.proxy.$Proxy95.backup(Unknown Source)
 at org.ziptie.server.job.backup.BackupTask.performTask(BackupTask.java:74)
 at org.ziptie.server.job.AbstractAdapterTask.execute(AbstractAdapterTask.java:142)
18 May 2021
ADAPTER / QRADAR RISK MANAGER IJ28901 INCORRECT DISPLAY OF 'ANY' IN DESTINATION SERVICE COLUMN FOR ACCESS CONTROL LIST RULE AFTER CISCO IOS DEVICE BACKUP CLOSED Resolved in
QRadar Risk Manager Adapter Bundle 17 (2021.04-09155130)

Note: Adapter Bundle 17 (2021.04-09155130) requires QRadar 7.3.3 GA or later. For information on updating adapters, see: Installing adapters

Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
The Configuration Monitor -> Rules screen can incorrectly display a value of "any" in the Destination Service(s) column instead of the actual destination port for an extended access control list rule after Cisco IOS device backup is performed.
18 May 2021
ADAPTER / QRADAR RISK MANAGER IJ29954 PERFORMING A DISCOVERY FROM A CISCO FIREPOWER MANAGEMENT CENTER CAN FAIL CLOSED Resolved in
QRadar Risk Manager Adapter Bundle 17 (2021.04-09155130)

Note: Adapter Bundle 17 (2021.04-09155130) requires QRadar 7.3.3 GA or later. For information on updating adapters, see: Installing adapters

Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
Discovery from Cisco Firepower Management Center (FMC) fails when the user is not automatically placed in expert mode when logging in to retrieve the list of network devices.

The adapter currently ensures that expert mode is entered when backing up a discovered device, but not when discovering devices from the FMC.
18 May 2021
ADAPTER / QRADAR RISK MANAGER IJ30906 CHECK POINT HTTPS DEVICE ADAPTER FAILS TO BACKUP DUE TO INCORRECT IP ADDRESS CLOSED Resolved in
QRadar Risk Manager Adapter Bundle 17 (2021.04-09155130)

Note: Adapter Bundle 17 (2021.04-09155130) requires QRadar 7.3.3 GA or later. For information on updating adapters, see: Installing adapters

Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
A Check Point HTTPS device adapter backup fails when the IP address of the device's interface is the same as the IP address of the Check Point security management server from which it was discovered and not the main IP address of the device.

When this issue occurs, the adapter backup log contains a message similar to the following:
Check this device was not discovered from the multi-domain server IP.
18 May 2021
ADAPTER / QRADAR RISK MANAGER IJ31098 A PAN-OS DEVICE BACKUP FAILS WHEN A STATIC ROUTE REFERENCES A NETWORK GROUP INSTEAD OF AN IP ADDRESS CLOSED Resolved in
QRadar Risk Manager Adapter Bundle 17 (2021.04-09155130)

Note: Adapter Bundle 17 (2021.04-09155130) requires QRadar 7.3.3 GA or later. For information on updating adapters, see: Installing adapters

Workaround
Configure the static route on the device to use an IP address instead of a network group.

Issue
A PAN-OS device backup fails when a static route references a network group rather than an IP address.

When this issue occurs, the logs contain a message similar to the following:
ERROR: Backup failed for device (device name) at IP (IP address) with adapter type ZipTie::Adapters::PaloAlto::PANOS.
[Failed to process device routing]
18 May 2021
BOX RESTAPI PROTOCOL IJ28431 LOG SOURCES USING THE BOX RESTAPI PROTOCOL CAN STOP RECEIVING EVENTS WHEN THE EVENT QUEUE FILLS OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
Log Sources configured to use the Box RestAPI can stop receiving events when the event queue fills.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread] com.q1labs.semsources.sources.boxrestapi.api.BoxRESTAPIInstance: [ERROR] [NOT:0000003000][EP IP] [-/- -]Unable to query for content. Terminating query thread for for Box API
[ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread] java.util.IllegalFormatConversionException: d != java.lang.Double
[ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread] at java.util.Formatter$FormatSpecifier.failConversion(Formatter.java:4313)
[ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread] at java.util.Formatter$FormatSpecifier.printInteger(Formatter.java:2804)
[ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread] at java.util.Formatter$FormatSpecifier.print(Formatter.java:2758)
[ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread] at java.util.Formatter.format(Formatter.java:2531)
[ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread] at java.util.Formatter.format(Formatter.java:2466)
[ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread] at java.lang.String.format(String.java:4174)
[ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread] at com.q1labs.frameworks.logging.Logger.warn(Logger.java:805)
[ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread] at com.q1labs.semsources.sources.boxrestapi.BoxRESTAPIProvider.onReceiveMessage(BoxRESTAPIProvider.java:235)
[ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread] at com.q1labs.semsources.sources.boxrestapi.api.BoxAPIQuery.queryContent(BoxAPIQuery.java:237)
12 October 2020
HIGH AVAILABILITY (HA) IJ30674 A HIGH AVAILABILITY (HA) FAILOVER CAN OCCUR DUE TO A FAILURE WITH THE MOUNT MONITOR CLOSED Resolved in
QRadar 7.4.3 (7.4.3.20210517144015)
QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
In instances where the QRadar mount monitor fails, an unexpected High Availability (HA) failover can occur.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
hostname-primary HA System Monitor: [ERROR] /store/docker-data/engine/VMware-42-26-70-33-66-fb-61-4c-f2-27-de-b4-88-91-98-b9/devicemapper/mnt/88bbfc361142fe836845842fca3082f18c8962501a795252de51d81d224a8f48-init is not mounted properly with read write permition
127.0.0.1 [ha_manager.ha_manager] [IPCWorkerThread] com.q1labs.ha.manager.ipc.IPCWorkerThread: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]IPC service "sensor" = "1.0"
hostname-primary HA System Monitor: Mount point check failed
127.0.0.1 [ha_manager.ha_manager] [HAManager] com.q1labs.ha.manager.StateMachine: [WARN][NOT:0000004000][127.0.0.1/- -] [-/- -] The "mount_status" sensor key is down, and is in position to cause failover. It is both enabled for failover, and has satisfied any time restrictions. Requesting switch to OFFLINE/MOUNT_MONITOR state (SMD001061/59903)
127.0.0.1 [ha_manager.ha_manager] [HAManager] com.q1labs.ha.manager.HAManager: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Starting OFFLINE/MOUNT_MONITOR state
26 February 2021
QRADAR VULNERABILITY MANAGER IJ31842 RUNNING API QUERIES AGAINST QVM SCANNERS CAN TIMEOUT AND FAIL WITH A RESPONSE CODE 500 CLOSED Resolved in
QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

Workaround
Performing a hostcontext restart on the QRadar console can temporarily (for approximately 30 minutes) correct this issue.

Note: Restarting hostcontext causes an interruption to some QRadar functionality. For more information, see: Hostcontext service and the impact of a service restart.

Issue
API queries run against QRadar Vulnerability Manager (QVM) scanners can become unresponsive, time out, and fail with a response code of 500.

For example:
curl -S -X GET -u -H 'Version: 12.1' -H 'Accept: application/json' 'https:///api/scanner/profiles'
{
"http_response": {
"code": 500,
"message": "Unexpected internal server error"
},
"code": 12,
"description": "",
"details": {},
"message": "Endpoint invocation returned an unexpected error"
05 June 2020
SERVICES IJ32110 THE QRADAR PIPELINE CAN STOP RECEIVING ALL EVENTS DUE TO A STRINGINDEXOUTOFBOUNDSEXCEPTION OCCURRING OPEN Workaround
Perform a restart of the ecs-ingress service:
  1. Log in to the QRadar Console as an administrator.
  2. Click the Admin tab > Advanced > Restart Event Collection Services.

    Results
    Restarting ecs-ec-ingress interrupts event collection in QRadar. If another similar payload that causes this issue is processed by QRadar, the issue can occur again.

Issue
In some instances, the QRadar pipeline can stop receiving all events when a StringIndexOutOfBoundsException occurs.

Changes made in the fix releases for APAR IJ28752 corrected the issue when the payload is cut off before the end of the full forwarded message ("Message forwarded from"), but those fix releases do not correct it when the payload is cut off immediately after that part.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] java.lang.StringIndexOutOfBoundsException: String index out of range: 43
[ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at java.lang.String.substring(String.java:2682)
[ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at com.q1labs.sem.types.SyslogSourcePayload.parseLine(SyslogSourcePayload.java:196)
[ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at com.q1labs.sem.types.SyslogSourcePayload.getSourceName(SyslogSourcePayload.java:159)
[ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at com.q1labs.sem.types.SourcePayloadBase.put(SourcePayloadBase.java:331)
[ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at com.q1labs.sem.types.SyslogSourcePayload.put(SyslogSourcePayload.java:412)
22 April 2021
SALESFORCE REST API PROTOCOL IJ32090 LOG SOURCES CONFIGURED TO USE THE SALESFORCE PROTOCOL CAN GO INTO ERROR STATE DUE TO PROTOCOL PARSING ISSUE OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
Log Sources configured to use the Salesforce Protocol can go into Error status with the error message "Event size is different from the schema size" because of a parsing issue with received events whose "URL" field contains a JSON object.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
com.q1labs.semsources.sources.salesforcerestapi.eventformatter.EventFormatterException: Event size is different from the schema size, schema '....' payload '...'
at com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAPIProvider.processEventLogFile(SalesforceRESTAPIProvider.java:550)
at com.q1labs.semsources.sources.salesforcerestapi.eventformatter.EventLogFileFormatter.formatEventLogFile(EventLogFileFormatter.java:181)
at com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAPIProvider.processEventLogFileAPIResults(SalesforceRESTAPIProvider.java:509)
at com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAPIProvider.getEvents(SalesforceRESTAPIProvider.java:407)
at com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAPIProvider.execute(SalesforceRESTAPIProvider.java:357)
at com.q1labs.semsources.sources.base.SourceProvider.run(SourceProvider.java:195)
22 April 2021
DATA GATEWAY APPLIANCE IJ32138 RESPONSIVENESS OF DATA GATEWAYS CAN BE SLOWER THAN EXPECTED WHEN /STORE IS LOW ON FREE SPACE OPEN Workaround
No workaround available. IBM DevOps support for QRadar On Cloud is working on implementing an automated solution to address this issue.

APARs identified with no workaround typically require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
Data Gateway responsiveness can be slower than expected when the /store partition on the Data Gateway is low on available free space.

This can cause various QRadar performance related issues with the processes that require communication between the QRadar on Cloud Console and Data Gateways.
22 April 2021
CENTRIFY REDROCK RESTAPI PROTOCOL IJ30101 LOG SOURCES USING CENTRIFYREDROCKRESTAPI PROTOCOL CAN STOP RECEIVING EVENTS WHEN UNABLE TO OBTAIN A THREAD CONNECTION OPEN Workaround
Performing a manual stop/start of the affected log source should allow the connection to occur correctly.

APARs identified with no workaround typically require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
Log Sources configured to use the CentrifyRedrockRESTAPI protocol can stop collecting logs and fail to recover a proper connection on their own when the protocol cannot obtain an active thread connection.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[Centrify Redrock REST API Provider Protocol Provider Thread: class com.q1labs.semsources.sources.centrifyredrockrestapi.CentrifyRedRockRESTAPIProvider54] com.q1labs.semsources.sources.centrifyredrockrestapi.CentrifyRedRockRESTAPIProvider: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -] Unable to find any active query threads.
06 January 2021
QRADAR PULSE APP IJ26452 ORDER OF RETURNED AQL RESULTS DISPLAYED CAN VARY WHEN USING THE QRADAR PULSE APP CLOSED Resolved in
QRadar Pulse App v2.2.6.

Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
When using an AQL query within the Pulse App, and a parameter is changed, both searches (refresh time and parameter update) run at the same time.

Both results are displayed one after the other, so the search that finishes last is the one whose result remains displayed. This only occurs for AQL queries, as these are the only data sources that support parameters.
26 April 2021
LOG SOURCE MANAGEMENT APP IJ20697 UNABLE TO SAVE CHANGES TO WINCOLLECT LOG SOURCES WHEN USING THE LOG SOURCE MANAGEMENT APP CLOSED Resolved in
QRadar Log Source Management app v7.0.0.

Workaround
Edit the WinCollect Log Source(s) using the legacy log source user interface. From the Admin tab, click the Log Sources icon.

Issue
It has been identified that in some instances, when editing a WinCollect log source using the Log Source Management (LSM) app, clicking the Save button does nothing and no error is displayed.
27 April 2021
QRADAR NETWORK INSIGHTS (QNI) IJ29129 RULE 'QNI: FILE EXTENSION/CONTENT TYPE VERIFICATION' FROM QNI CONTENT PACK V1.51 PARSES FILE EXTENSION INCORRECTLY CLOSED Resolved in
QRadar Network Insights Content pack V1.5.2.

Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
False positive rule results can be experienced due to the rule "QNI: File Extension/Content Type Verification" from QNI Content Pack v1.5.1.

Files with names containing more than one dot (.) are handled incorrectly by the rule.

For example:
  1. Have a flow with filename "jquery-1.8.3.js" and content type = "application/javascript".
  2. The rule uses an AQL filter test:
    when the flow matches
    strpos("file name",'.') >= 0 
    and not REFERENCESETCONTAINS('QNI : File Extension / Content Type Verification Exclusions', LOWER(SUBSTRING("file
    name",STRPOS("file name",'.'),STRLEN("file name")))) 
    and not REFERENCEMAPSETCONTAINS('QNI-Extension-ContentType-Pairs',LOWER(
    SUBSTRING("file name",STRPOS("file name",'.'),STRLEN("file
    name"))),"content type")

    Results
    The STRPOS("file name",'.') call returns the position of the first dot, so the extracted extension is .8.3.js instead of .js in the above example, and the extension/content type combination cannot be found in the reference map.
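To show why the rule misfires on names with more than one dot, here is an added Python model of the rule's extension check (not IBM's code; the reference map and set contents and the sample flows are constructed, and string positions follow Python's find()):

```python
"""Model of the extension check in the QNI 'File Extension/Content Type
Verification' rule (QNI Content Pack v1.5.1), added here as an example.

The rule's AQL calls STRPOS("file name", '.'), which returns the position of
the FIRST dot, so SUBSTRING(...) yields ".8.3.js" for "jquery-1.8.3.js".
"""

# Constructed stand-in for the 'QNI-Extension-ContentType-Pairs' reference
# map set: lower-case extension (with leading dot) -> allowed content types.
EXTENSION_CONTENT_TYPE_PAIRS = {
    ".js": {"application/javascript", "text/javascript"},
    ".pdf": {"application/pdf"},
    ".exe": {"application/x-msdownload", "application/octet-stream"},
}

# Constructed stand-in for the
# 'QNI : File Extension / Content Type Verification Exclusions' reference set.
EXCLUSIONS = {".tmp"}


def extension_first_dot(file_name: str) -> str:
    """Mirror the v1.5.1 rule: substring from the FIRST dot (STRPOS)."""
    pos = file_name.find(".")
    return file_name[pos:].lower() if pos >= 0 else ""


def extension_last_dot(file_name: str) -> str:
    """Substring from the LAST dot, which is the actual file extension."""
    pos = file_name.rfind(".")
    return file_name[pos:].lower() if pos >= 0 else ""


def rule_matches(file_name: str, content_type: str, extractor) -> bool:
    """Return True when the rule fires (extension/content type mismatch).

    Mirrors the three AQL conditions of the rule:
      strpos("file name",'.') >= 0
      and not REFERENCESETCONTAINS(exclusions, ext)
      and not REFERENCEMAPSETCONTAINS(pairs, ext, "content type")
    """
    if "." not in file_name:
        return False
    ext = extractor(file_name)
    if ext in EXCLUSIONS:
        return False
    return content_type not in EXTENSION_CONTENT_TYPE_PAIRS.get(ext, set())


def flagged_files(flows, extractor):
    """Return the file names the rule would flag for a list of (name, type)."""
    return [name for name, ctype in flows if rule_matches(name, ctype, extractor)]


# Constructed sample flows: only invoice.pdf is a genuine mismatch.
SAMPLE_FLOWS = [
    ("jquery-1.8.3.js", "application/javascript"),
    ("report.final.pdf", "application/pdf"),
    ("setup.exe", "application/x-msdownload"),
    ("invoice.pdf", "application/x-msdownload"),
]

if __name__ == "__main__":
    print("v1.5.1 logic flags:", flagged_files(SAMPLE_FLOWS, extension_first_dot))
    print("last-dot logic flags:", flagged_files(SAMPLE_FLOWS, extension_last_dot))
```

Every multi-dot name is a false positive under the first-dot logic, while the last-dot variant flags only the real mismatch.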
27 April 2021
DOCUMENTATION IJ29297 INSTALL OF QRADAR MARKETPLACE IMAGES FAIL WITH 'PANIC:RUNTIME ERROR: INDEX OUT OF RANGE' WHEN MORE THAN TWO DNS ENTRIES EXIST CLOSED Resolved in
QRadar documentation was updated in the following chapters:

Workaround
Ensure that a maximum of two DNS entries exist in /etc/resolv.conf before starting a QRadar marketplace image installation.

Issue
The installation of QRadar marketplace images fails when more than two DNS entries are present in /etc/resolv.conf. The error message generated at the time of the installation failure is similar to:
panic: runtime error: index out of range.
27 April 2021
MANAGED HOSTS IJ26182 QRADAR DATABASE REPLICATION REBUILD FUNCTION CAN SOMETIMES FAIL DUE TO A MISSING SQL FILE REFERENCE CLOSED Resolved in
QRadar 7.4.1 (7.4.1.20200716115107)

Workaround
If you are unable to upgrade to resolve this issue, contact QRadar Support for a possible workaround.

Issue
The QRadar database replication rebuild function for Managed Hosts can fail because the SQL script db_update_235970.add_backup_build_version.sql is omitted from the /opt/qradar/conf/templates/installation_ordering.txt file.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[hostcontext.hostcontext] [Thread-70] ComponentOutput: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication:
psql:/store/replication/tx0000000000000241053.sql:14325693:
ERROR: extra data after last expected column
[hostcontext.hostcontext] [Thread-70] ComponentOutput: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication:
CONTEXT:  COPY backup, line 1
27 April 2021
ADVANCED SEARCH (AQL) IJ27235 THE 'REFERENCESETCONTAINS' AQL FUNCTION DOES NOT SEARCH INDEX FILES FOR QRADAR ON CLOUD CLOSED Resolved in
QRadar on Cloud 7.4.1 Fix Pack 2 Interim Fix 1.

Workaround
Where possible, use the search functionality in the QRadar User Interface to perform the required searches.

Issue
AQL queries that use referencesetcontains() lookups against indexed properties do not search the index files; only the data files are searched.

Performing the same searches using the QRadar User Interface works as expected.

Messages similar to the following might be observed in /var/log/qradar.log when this issue occurs while performing related searches:
ariel_client /127.0.0.1:47392 | [Action] [Search]
[SearchExecuted] query starts,
description="User:admin,Source:UI,Params:Id:ab137002-2aed-4433-9
5d4-baaf53d399f2, DB:, Time:<20-08-07,08:00:00 to
20-08-07,12:00:00>, progress details 100, data snapshot size
40, Criteria=,
MappingFactory=com.q1labs.core.types.event.mapping.NormalizedEve
ntMappingFactory@4ee, retentionTime=86400000,
prio=NORMAL,AQL:select 1 from events where
REFERENCESETCONTAINS('HM_TestSet',"File Hash") start
'2020-08-07 08:00' stop '2020-08-07 12:00'"
ariel_query_1:ab137002-2aed-4433-95d4-baaf53d399f2 | [Action]
[Search] [SearchCompleted] query finished, status=COMPLETED,
stat details="Id:ab137002-2aed-4433-95d4-baaf53d399f2,
FileStats [dataFileCount=480, compressedDataFileCount=0,
indexFileCount=0, dataTotalSize=34790213,
compressedDataTotalSize=0, indexTotalSize=0, progress=100.0%,
totalResult=0, totalResultDataSize=24, searchTime=2476ms]",
concurrent queries="1"

Administrators should note that this issue does not generate an error. Instead, the search does not hit the indexes as expected, as the query statistics show: indexFileCount=0
27 April 2021
QRADAR WORKFLOW ANALYST APP IJ22582 CHANGING THE DISPLAY (GROUP BY) OF AN EXISTING SEARCH CAN RETURN INACCURATE RESULTS UNTIL 'UPDATE' BUTTON SELECTED CLOSED Resolved in
QRadar Analyst Workflow App v1.9.16.

Workaround
Click the Update button to see the correct search results after grouping by a specific category.

Issue
After executing a Search using filters and a "Results Limit", if the "Display" field is changed to a "group by" ("Low Level Category" for example), some search results are not returned until the Update button is selected/clicked.
27 April 2021
QRADAR WORKFLOW ANALYST APP IJ17196 ADVANCED SEARCH (AQL) RETURNS ERROR 'REQUEST-URL TOO LARGE' CLOSED Resolved in
QRadar Analyst Workflow App v1.9.16.

Workaround
Click the Update button to see the correct search results after grouping by a specific category.

Issue
It has been identified that an Advanced Search (AQL) can return a message similar to the following after execution:
Request-URI Too Large

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856]
org.antlr.v4.runtime.Parser: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]Parse error:  and
(INCIDR('127.0.0.1/23', IP_source_...
[ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856]
com.q1labs.ariel.ql.parser.AQLParserException: Unrecognized
context (Line: 1, Position: 130): " and (INCIDR('127.0.0.1/23',
IP_source_..."
[ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] at
com.q1labs.ariel.ql.parser.ParserBase.parseStatement(ParserBase.java:488)
[ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] at
com.q1labs.ariel.ql.parser.Parser.processRequest(Parser.java:102)
[ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] at
com.q1labs.ariel.ql.parser.Parser.executeStatement(Parser.java:93)
[ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] at
com.q1labs.ariel.ConnectedClient.processStatement(ConnectedClient.java:361)
[ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] at
com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java:306)
[ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] at
com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java:134)
[ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExec
utor.java:1157)
[ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExe
cutor.java:627)
[ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856]
at java.lang.Thread.run(Thread.java:798)
27 April 2021
QRADAR WORKFLOW ANALYST APP IJ28494 QRADAR USERS WITHOUT "VIEW CUSTOM RULES" AND "MAINTAIN CUSTOM RULES" ACCESS CAN STILL SEE FULL LIST OF CUSTOM RULES UNDER LOG CLOSED Resolved in
QRadar Analyst Workflow App v1.9.16.

Workaround
No workaround available. Administrators must upgrade the application to resolve this issue.

Issue
QRadar users can access custom rules while searching in Log Activity even when they have not been granted the 'View Custom Rules' and 'Maintain Custom Rules' permissions.

To recreate this issue:
  1. Log in to QRadar as an administrator.
  2. Click the Admin tab.
  3. Click User Roles.
  4. Create a new user role without the View Custom Rules and Maintain Custom Rules permission.
  5. Click the Users icon.
  6. Assign the user role to the new user.
  7. Log in to QRadar as the new user.
  8. Click the Log Activity tab.
  9. Click Search > New Search.
  10. Click Search parameters > Parameter Custom rule [Indexed].

    Results
    Both Rule Group and Rules are visible to the user who should not have access.
27 April 2021
QRADAR WORKFLOW ANALYST APP IJ24469 ADVANCED SEARCH (AQL) RESULT 'CLIENT EXCEPTION OCCURRED WHILE HANDLING THE SERVER RESPONSE' WHEN USING \U CLOSED Resolved in
QRadar Analyst Workflow App v1.9.16.

Workaround
Where possible, use the wildcard character '_' (matches any single character) in the AQL so that the Unicode escape is avoided; it matches any single character (including the backslash) followed by u.

Issue
When the AQL search contains backslash u (\u) character, the Log Activity Advanced Search (AQL) user interface returns the error:
client exception occurred while handling the server response

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [Token: ArcherBridge@127.0.0.1 (8425)
/console/do/core/;jsessionid=99572ED7939336B1E986C7D45BE43B70]
org.apache.struts.action.RequestProcessor: [ERROR] Invalid path
/core/ was requested
27 April 2021
DEPLOYMENT IJ26156 DUPLICATE DEPLOYMENT ARROWS CAN BE VISIBLE IN THE 'VIEW DEPLOYMENT' WINDOW WHEN A MANAGED HOST ID IS 128 OR HIGHER CLOSED Reason
Closed as Permanent restriction. This issue is only graphical and doesn't affect event collection. Closing as won't fix.

Workaround
No workaround available.

Issue
A Managed Host ID of 128 or greater can cause duplicate deployment arrows to be visible in the "View Deployment" window of the QRadar User Interface.

Note: This issue is only graphical and does not affect event collection.
27 April 2021
NETWORK IJ04296 CONFIGURING THE 169.154 CIDR FOR QRADAR APPLIANCE INTERFACES CAN CAUSE QRADAR APPS (DOCKER) TO FAIL CLOSED Reason
Closed as Permanent restriction. This issue will not be fixed.

Workaround
Contact QRadar Support for a possible workaround that might address this issue in some instances.

Issue
Configuring QRadar appliance interfaces to use IP addresses within the 169.154 CIDR causes QRadar Apps to fail when they conflict with the Docker IP addresses that are used from within that CIDR.
27 April 2021
UPGRADE IJ28895 HOSTCONTEXT SERVICE FAILS TO START AFTER PATCHING OR UPGRADE FROM 7.3.X TO 7.4.X CLOSED Resolved in
This fix is available in the weekly auto update starting on 09 March 2021. Administrators who manually update RPM can download and install the following file from IBM Fix Central: DSM-RadwareDefensePro-7.3-20210218181623.noarch.rpm

Workaround
  1. Contact QRadar Support before patching or upgrading from 7.3.x to 7.4.x to apply a workaround in advance that prevents this issue from occurring.
  2. If you have already patched or upgraded from 7.3.x to 7.4.x, and are experiencing this issue, contact QRadar Support for a possible workaround that might address this issue in some instances.

A technical note is available with more information for administrators on APAR IJ28895.

Issue
After patching or upgrading from QRadar 7.3.x to 7.4.x, the hostcontext service can fail to start on the QRadar Console. This issue has been determined to be caused by a QRadar Autoupdate bundle installation, specifically with the guava-28.0-jre.jar file that is installed as part of the QRadar patch/upgrade process.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[main] java.lang.NoClassDefFoundError: com.google.common.cache.CacheBuilder
[main] at com.q1labs.core.dao.qidmap.SensorProtocolConfigParameters.<clinit>(SensorProtocolConfigParameters.java:37)
[main] at sun.misc.Unsafe.ensureClassInitialized(Native Method)
[main] at sun.reflect.UnsafeFieldAccessorFactory.newFieldAccessor(UnsafeFi
eldAccessorFactory.java:55)
[main] at sun.reflect.ReflectionFactory.newFieldAccessor(ReflectionFactory.java:154)
[main] at java.lang.reflect.Field.acquireFieldAccessor(Field.java:1103)
[main] at java.lang.reflect.Field.getFieldAccessor(Field.java:1079)
[main] at java.lang.reflect.Field.set(Field.java:774)
[main] at com.q1labs.frameworks.naming.FrameworksNaming.checkNameConstant(FrameworksNaming.java:412)
[main] at com.q1labs.frameworks.naming.FrameworksNaming.loadClasses(FrameworksNaming.java:323)
[main] at com.q1labs.frameworks.naming.FrameworksNaming.loadNaming(FrameworksNaming.java:171)
[main] at com.q1labs.frameworks.naming.FrameworksNaming.loadClasses(FrameworksNaming.java:270)
[main] at com.q1labs.frameworks.naming.FrameworksNaming.loadNaming(FrameworksNaming.java:171)
[main] at com.q1labs.frameworks.naming.FrameworksNaming.loadNaming(FrameworksNaming.java:105)
[main] at com.q1labs.frameworks.naming.FrameworksNaming.<init>(FrameworksNaming.java:86)
[main] at com.q1labs.frameworks.core.FrameworksContext.initServices(FrameworksContext.java:620)
[main] at com.q1labs.frameworks.core.FrameworksContext.initFrameworks(FrameworksContext.java:257)
[main] at com.q1labs.qvm.workflow.FrameworksJsvcBootstrapper.init(FrameworksJsvcBootstrapper.java:135)
[main] at com.q1labs.qvm.workflow.FrameworksJsvcBootstrapper.main(FrameworksJsvcBootstrapper.java:243)
[main] Caused by:
[main] java.lang.ClassNotFoundException:
com.google.common.cache.CacheBuilder
[main] at java.net.URLClassLoader.findClass(URLClassLoader.java:610)
[main] at java.lang.ClassLoader.loadClassHelper(ClassLoader.java:943)
[main] at java.lang.ClassLoader.loadClass(ClassLoader.java:888)
[main] at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:349)
[main] at java.lang.ClassLoader.loadClass(ClassLoader.java:871)
[main] ... 18 more
28 April 2021
VULNERABILITY SCANNER IJ31088 QRADAR CAN SOMETIMES CONTINUE TO ATTEMPT TO DOWNLOAD A CERT FOR A SCANNER THAT HAS BEEN REMOVED CLOSED Reason
Closed as Permanent restriction. We have identified this issue as a permanent restriction for this integration. A fix for this issue will not be provided.

Workaround
  1. Open an SSH session to the QRadar Console.
  2. Optional. Open an SSH session to the Managed Host that runs the scan.
  3. Navigate to the directory that contains the certificate_catalogue.txt file.
  4. Remove the bad scanner record, then save the file.
  5. From the Admin tab, click Deploy Changes.

    Results
    After the deploy changes completes, the QRadar Managed Host should no longer attempt to download the certificate.

Issue
QRadar can sometimes try to download a VA Scanner certificate even if the scanner configuration was removed from QRadar. This is due to a cached value written in a temporary file. System Notifications similar to the following might be visible in /var/log/qradar.log when this issue occurs:
generateNotification: An attempt to download the server
certificate for [IP ADDRESS:443] to
[/opt/qradar/conf/trusted_certificates/IP_443.crt] has failed
28 April 2021
TLS SYSLOG PROTOCOL IJ25789 TLS SYSLOG LOG SOURCE CAN FAIL TO WORK AFTER USING INCORRECT PRIVATE KEY AT SETUP EVEN AFTER IT HAS BEEN CORRECTED CLOSED Reason
Closed as Permanent restriction. We have identified this issue as a permanent restriction for this integration. A fix for this issue will not be provided.

Workaround
  1. Rename the certificate to any new name.
  2. Disable, then enable the log source.

    Results
    The log source should then work and retrieve events as expected.

Issue
A TLS Syslog Log Source can fail to ingest events when initially configured with an incorrect private key even after the private key has been corrected.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ec-ingress.ecs-ec-ingress] [Thread-26717]
com.q1labs.semsources.sources.tlssyslog.TLSSecurityManager:
[ERROR] Error adding key to TLS keystore.
[ecs-ec-ingress.ecs-ec-ingress] [Thread-26717]
java.security.spec.InvalidKeySpecException: Inappropriate key
specification: PrivateKeyInfo parsing error.
[ecs-ec-ingress.ecs-ec-ingress] [Thread-26717]    at
com.ibm.crypto.provider.RSAKeyFactory.engineGeneratePrivate(Unknown Source)
[ecs-ec-ingress.ecs-ec-ingress] [Thread-26717]    at
java.security.KeyFactory.generatePrivate(KeyFactory.java:383)
[ecs-ec-ingress.ecs-ec-ingress] [Thread-26717]    at
com.q1labs.semsources.sources.tlssyslog.TLSSecurityManager.addKe
yToKeyStore(TLSSecurityManager.java:408)
[ecs-ec-ingress.ecs-ec-ingress] [Thread-26717]    at
com.q1labs.semsources.sources.tlssyslog.TLSSyslogProvider.setupS
erverKeyStore(TLSSyslogProvider.java:487)
[ecs-ec-ingress.ecs-ec-ingress] [Thread-26717]    at
com.q1labs.semsources.sources.tlssyslog.TLSSyslogProvider.preExe
cuteConfigure(TLSSyslogProvider.java:94)
[ecs-ec-ingress.ecs-ec-ingress] [Thread-26717]    at
com.q1labs.semsources.sources.base.SourceProvider.run(SourceProv
ider.java:181)
28 April 2021
PROTOCOL IJ29518 SMBTAILPROTOCOL LOG SOURCES CAN FUNCTION NORMALLY BUT DISPLAY IN 'ERROR' STATE WHEN A JNQEXCEPTION OCCURS CLOSED Resolved in
This fix is dependent upon the QRadar version and is available in the following RPMs on IBM Fix Central:

Version 7.3.x:
  • PROTOCOL-SmbTailProtocol-7.3-20210329122540.noarch.rpm
  • PROTOCOL-WindowsDHCPProtocol-7.3-20210315133009.noarch.rpm
  • PROTOCOL-WindowsExchangeProtocol-7.3-20210315133009.noarch.rpm
  • PROTOCOL-WindowsIISProtocol-7.3-20210315133009.noarch.rpm
  • PROTOCOL-OracleDatabaseListener-7.3-20210315133009.noarch.rpm
  • PROTOCOL-WindowsEventRPC-7.3-20210315133009.noarch.rpm

Version 7.4.x:
  • PROTOCOL-SmbTailProtocol-7.4-20210329122529.noarch.rpm

Workaround
No workaround available. Administrators must install the RPM files where this issue is resolved from IBM Fix Central. These files are NOT included through QRadar Auto Updates.

Issue
Log Sources using the SMBTail Protocol display in an error state when a jNQ exception is thrown, but the Log Source continues to function as expected.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ec-ingress.ecs-ec-ingress] [Folder Monitor
[127.0.0.1][smb://127.0.0.1/dhcplog/]]
com.q1labs.semsources.sources.smbtail.io.jnq.JNQException:
Unable to create/open - j50.log status = -1073741757
(0xc0000043) (0xC0000043)
[ecs-ec-ingress.ecs-ec-ingress] [Folder Monitor
[127.0.0.1][smb://127.0.0.1/dhcplog/]]
com.q1labs.semsources.sources.windowsdhcp.WindowsDHCPTailProvide
r: [ERROR] [NOT:0000003000][IP ADDRESS/- -] [-/-
-]TailingException: Unable to create/open - examplename.log status =
-1073741757 (0xc0000043) (0xC0000043)
28 April 2021
PROTOCOL IJ26183 ECS-EC-INGRESS PROCESS CAN SOMETIMES GO OUT OF MEMORY WHEN LOG SOURCES ARE USING THE WINDOWS IIS PROTOCOL CLOSED Resolved in
This fix is available in the following RPMs on IBM Fix Central:
  • PROTOCOL-SmbTailProtocol-7.3-20201007124637.noarch.rpm
  • PROTOCOL-SmbTailProtocol-7.4-20201007123631.noarch.rpm
  • PROTOCOL-WindowsEventRPC-7.3-20210315133009.noarch.rpm
  • PROTOCOL-WindowsEventRPC-7.4-20210113131122.noarch.rpm

The PROTOCOL-SmbTailProtocol release is also available in the weekly auto update for 25 April 2021 (Build 1619381033). The PROTOCOL-WindowsEventRPC RPM release is not included in automatic updates. Administrators must download and install the latest version of the Microsoft Windows Security Event Log over MSRPC RPM file on the Console using the YUM command.

Workaround
Contact QRadar Support for a possible workaround that might address this issue in some instances.

Issue
In some instances, the ecs-ec-ingress process (required for event collection) can experience out of memory occurrences caused by Log Sources using the Windows IIS Protocol when an incorrect .jar file is referenced for use.

Messages similar to the following, referencing a Log Source connecting to an SMB host, might be visible in /var/log/qradar.log when this issue is occurring:
[ecs-ec-ingress.ecs-ec-ingress] [Folder Monitor
[x.x.x.x][smb://x.x.x.x/LogFiles/]]
com.q1labs.semsources.sources.smbtail.io.SmbFileWithRetries:
[ERROR] [NOT:0000003000][x.x.x.x/- -] [-/-
-][smb://x.x.x.x/LogFiles/W3SVC13] exists(): Failed: Access
error for file W3SVC13 status = -1073741790 (0xc0000022)
(0xC0000022)
28 April 2021
PROTOCOL IJ28166 LOG SOURCES CONFIGURED TO USE THE WINDOWS EVENT LOG RPC PROTOCOL CAN GO INTO ERROR STATE DISPLAYING 'INTERNAL ERROR' CLOSED Resolved in
This fix is available in the following RPMs on IBM Fix Central:
  • PROTOCOL-SmbTailProtocol-7.3-20201007124637.noarch.rpm
  • PROTOCOL-SmbTailProtocol-7.4-20201007123631.noarch.rpm
  • PROTOCOL-WindowsEventRPC-7.3-20210315133009.noarch.rpm
  • PROTOCOL-WindowsEventRPC-7.4-20210113131122.noarch.rpm

The PROTOCOL-SmbTailProtocol release is also available in the weekly auto update for 25 April 2021 (Build 1619381033). The PROTOCOL-WindowsEventRPC RPM release is not included in automatic updates. Administrators must download and install the latest version of the Microsoft Windows Security Event Log over MSRPC RPM file on the Console using the YUM command.

Workaround
No workaround available, as this issue is closed as a vendor solution. Administrators must install the RPMs listed to resolve this issue, or update to the latest version of the SMB Tail Protocol and Microsoft Windows Security Event Log over MSRPC protocol if a newer version exists.

Issue
Some log sources that are configured to use the Windows Event Log RPC Protocol can go into "Error" state with an "Internal Error".

These instances have been identified as being caused when the jNQ jar file is required for use by the Protocol.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
host [127.0.0.1]] java.lang.ArrayIndexOutOfBoundsException
[ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
host [127.0.0.1]]    at
jcifs.util.Encdec.dec_uint32le(Encdec.java:90)
[ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
host [127.0.0.1]]    at
ndr.NdrBuffer.dec_ndr_long(NdrBuffer.java:135)
[ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
host [127.0.0.1]]    at
ndr.NetworkDataRepresentation.readUnsignedLong(NetworkDataRepres
entation.java:64)
[ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
host [127.0.0.1]]    at
com.q1labs.semsources.sources.windowseventrpc.ndr.util.NetworkDa
taRepresentationAdapter.readUnsignedLong(NetworkDataRepresentationAdapter.java:34)
[ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
host [127.0.0.1]] java.lang.NullPointerException
[ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
host [127.0.0.1]]    at
com.visuality.nq.client.rpc.Dcerpc.close(Dcerpc.java:901)
[ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
host [127.0.0.1]]    at
com.q1labs.semsources.sources.windowseventrpc.eventsource.common
.EventLogWinRegistry.disconnectRemoteRegistry(EventLogWinRegistry.java:245)
27 April 2021
QRADAR NETWORK INSIGHTS IJ30955 PERFORMING A FORENSICS RECOVERY CAN APPEAR TO SUCCEED WHEN THE TASK FAILED SILENTLY AND NEVER STARTED OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
Attempting to perform a Forensics Recovery can appear to succeed, but the job never starts and there are no results in the Incident Recovery Grid when the username is longer than 25 characters. In these instances, messages in the logs indicate a postgres error if either the username or the submitter field is longer than 25 characters.

Example of the error logged in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [HttpServletRequest-3016-Idle]
com.ibm.qradar.wfObjects.wfDBConnect: [ERROR] Database error:
     SQLException: ERROR: value too long for type character
varying(25)
 SQLState: 22001
 VendorError: 0
06 March 2021
REPORTS IJ30954 AFTER REFRESHING PAGE AFTER CHANGES ARE MADE FOR SHARING REPORTING GROUPS THE CHANGES DO NOT APPEAR TO HAVE BEEN SAVED OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
An issue has been identified in the Reports > Managed Groups > 'Share with Users Matching the following criteria' interface where sharing a report does not appear to save as expected.

If a user shares a report group with a specific user role and security profile, then clicks the refresh option, the change does not appear to save. This is misleading to users, because the report is saved successfully and shared with the selected user, but it does not display as shared. If a recipient of the shared report logs in, they can see the shared reports as (Shared)Report name.
05 March 2021
HIGH AVAILABILITY (HA) IJ30664 HIGH AVAILABILITY (HA) JOIN FAILS DUE TO INCORRECT SIZE OF /STORE AND /TRANSIENT PARTITION IN NON-CONSOLE BUILD OPEN Workaround
Contact QRadar Support for a possible workaround that might address this issue in some instances.

Issue
In some instances, on a software installation build of a non-Console QRadar appliance, the /store partition on a High Availability (HA) Primary appliance can be larger and the /transient partition smaller than expected.

When this occurs, the HA join process fails due to the incorrect and mismatched partition sizing between the Primary and Secondary appliances.

The /var/log/setup-xxx/qradar_partsetup.log file displays messages similar to the following when this issue occurs:
Wed Jul 31 03:31:24 +03 2019 [lvm_resize.sh] [InitLog] Log file
set to /var/log/setup-7.3.2.20190410024210/qradar_partsetup.log
Wed Jul 31 03:31:24 +03 2019 [lvm_resize.sh] [getopts]
Pre-check argument passed
Wed Jul 31 03:31:29 +03 2019 [lvm_resize.sh] [InitLog] Log file
set to /var/log/setup-7.3.2.20190410024210/qradar_partsetup.log
Wed Jul 31 03:31:29 +03 2019 [lvm_resize.sh] ERROR: Failed to
unmount /store
06 March 2021
DATA DEOBFUSCATION IJ30950 DATA DEOBFUSCATION DOES NOT WORK AS EXPECTED AFTER REASSIGNING A LOG SOURCE TO A DIFFERENT DOMAIN UNTIL PERFORMING FULL DEPLOY CLOSED Resolved in
QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

Workaround
Perform a Deploy Full Configuration from the User Interface after moving a Log Source to a Log Source Group that is part of a different domain:
  1. Log in to the Console as an administrator.
  2. Click the Admin tab.
  3. Select Advanced > Deploy Full Configuration.

For more information, see QRadar: What is the difference between 'Deploy Changes' and a 'Deploy Full Configuration'?

Issue
When a Log Source is reassigned to a different Log Source group and that Log Source group is part of a different domain, data deobfuscation doesn't work as expected with the new domain's data obfuscation profile key.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [admin@127.0.0.1 (3282)
/console/do/obfuscation/obfuscationdecryption]
com.q1labs.obfuscation.ui.action.ObfuscationDecryptionAction:
[ERROR] [NOT:0000003000][127.0.0.1/- -] [-/-
-]qradar.obfuscation.ui.obfuscationdecryption.error.CORRESPONDIN
G_DECRYPTION_KEY_FOUND_IN_SESSION_BUT_DECRYPTION_FAIL,
javax.crypto.BadPaddingException: decryption fail.
javax.crypto.BadPaddingException: Given final block not
properly padded
[tomcat.tomcat] [admin@127.0.0.1 (3282)
/console/do/obfuscation/obfuscationdecryption]
com.q1labs.obfuscation.ui.action.ObfuscationDecryptionAction:
[ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]decryption fail
12 July 2021
ACCUMULATOR IJ31082 'ACCUMULATOR FALLING BEHIND' NOTIFICATIONS AFTER DEFAULT GLOBAL VIEWS FOR EVENT RATE AND FLOW RATE HAVE BEEN RECREATED OPEN Workaround
Contact QRadar Support for a possible workaround that might address this issue in some instances.

Issue
QRadar environments where the default Global Views for Event Rate (EPS) and Flow Rate (FPS) have been deleted and then recreated can experience Accumulator Falling Behind notifications during search processes.

This is due to the addition of a locale in these instances that uses "contains" for its matching algorithm, which is considerably slower for searches.
05 March 2021
VULNERABILITY SCANNER IJ31109 TENABLE SCAN TASK CAN HANG AND NOT COMPLETE SUCCESSFULLY DUE TO A NULL KEY OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
Tenable.io inserts a null key/element into spillOverCache, which causes the scan task to hang until it fails to complete successfully.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[vis] [Tenable.io-454-worker]
com.q1labs.vis.exceptions.ScannerTaskException: This cache
cannot accept null elements or null keys
[vis] [Tenable.io-454-worker] at
com.q1labs.vis.scanners.tenable.io.IOModule.scan(IOModule.java:187)
[vis] [Tenable.io-454-worker] at
com.q1labs.vis.scanners.base.ScannerModule.run(ScannerModule.jav
a:221)
05 March 2021
DOMAINS AND TENANTS IJ31107 TENANTQUEUEDEVENTTHROTTLEFILTER DOES NOT PERFORM AS EXPECTED WITH A LOW EPS LIMIT AND CAN CAUSE DROPPED EVENTS OPEN Workaround
Contact QRadar Support for a possible workaround that might address this issue in some instances.

Issue
The TenantQueuedEventThrottleFilter does not perform as expected with a low EPS limit and can cause dropped events. As a result, with a low tenant EPS limit configuration the limit cannot be reached without dropping events.

For example:
  1. Have a tenant and assign it a tenant EPS limit of 100.
  2. Send a low rate of traffic for that tenant (for example, ~100 EPS).

    Results
    Log Activity displays only "Receiving an average of 63 results per second" or something similar.
06 March 2021
    PROTOCOLS IJ31086 LOG SOURCES USING RABBITMQ CAN SOMETIMES FAIL TO CONNECT AS EXPECTED DUE TO ROGUE CONNECTIONS CREATED OPEN Workaround
    No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

    Issue
    RabbitMQ can sometimes create a new connection before the old one is removed. When this occurs, multiple rogue connections can remain on the CiscoAMP log source, causing events not to be received by QRadar.
    06 March 2021
    UPGRADE IJ31095 QRADAR PATCHING TO VERSION 7.4.1 OR NEWER CAN FAIL ON MANAGED HOSTS WITH ''ERROR: COULD NOT CREATE UNIQUE INDEX..." OPEN Workaround
    No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

    Issue
    Patching to QRadar 7.4.1 or newer can fail on Managed Hosts due to an index creation that causes an SQL script to fail on duplicate data. Messages similar to the following might be visible during patching when this issue occurs:
    2 SQL script errors were detected; Error applying script [26/32] '/media/updates/opt/qradar/conf/templates/db_update_250323.ref_set_import1.sql' for Test_qradar database.; details:
    WARNING:  SET TRANSACTION can only be used in transaction blocks
    NOTICE:  index "reference_data_element_unique_rdata1" does not exist, skipping
    ERROR:  could not create unique index "reference_data_element_unique_rdata1"
    DETAIL:  Key (md5((rdk_id::text || '_'::text) || data))=(af781b7cdfc258bf8698f03aa207f885) is duplicated.
    Error applying script [29/32] '/media/updates/opt/qradar/conf/templates/db_update_248240.ref_set_import1.sql' for Test_qradar database.; details:
    WARNING:  SET TRANSACTION can only be used in transaction blocks
    NOTICE:  index "reference_data_element_unique_rdata1" does not exist, skipping
    ERROR:  could not create unique index "reference_data_element_unique_rdata1"
    DETAIL:  Key (md5((rdk_id::text || '_'::text) || data))=(af781b7cdfc258bf8698f03aa207f885) is duplicated.
    <hostname> :  patch rolled back.
    05 March 2021
    UPGRADE IJ31096 QRADAR MANAGED HOST PATCH COMPLETES SUCCESSFULLY BUT WITH ERRORS RUNNING "/MEDIA/UPDATES/SCRIPTS/QRADAR-2072.INSTALL" OPEN Workaround
    No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

    Issue
    QRadar Managed Hosts (MH) can patch successfully but with errors when the tomcat process on the Console appliance is unavailable during MH patching. Messages similar to the following can be displayed when this occurs:
    (hostname)-primary : patch test succeeded.
    (hostname)-secondary : patch test succeeded.
    Error running 143: /media/updates/scripts/QRADAR-2072.install --mode mainpatch

    In /var/log/setup-xxxxx/patches.log messages similar to the following can also be observed when this issue occurs:
    Feb 22 04:31:18 2021: Feb 22 04:31:18 2021:[DEBUG](-ni-patchmode) Running script /media/updates/scripts/QRADAR-2072.install --mode mainpatch
    Feb 22 04:31:18 2021: [QRADAR-2072] [mainpatch:Run] /opt/qradar/bin/generate_cert_from_csr.sh
    parse error: Invalid numeric literal at line 1, column 8
    Feb 22 04:33:22 2021: Feb 22 04:33:22 2021:[DEBUG](-ni-patchmode) Error running 73: /media/updates/scripts/QRADAR-2072.install --mode mainpatch; Got error code of 1.
    Feb 22 04:33:22 2021: Feb 22 04:33:22 2021:[ERROR](-ni-patchmode) Error running 73: /media/updates/scripts/QRADAR-2072.install --mode mainpatch
    05 March 2021
    PROTOCOLS IJ31102 LOG SOURCES CONFIGURED TO USE THE IBMSIMJDBC PROTOCOL CAN FAIL TO WORK AS EXPECTED DUE TO A JAR DEPENDENCY OPEN Workaround
    In the following path: /opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs/IBMSIMJDBC/
    1. Make a copy of mssql-jdbc-7.2.0.jar.
    2. Name it mssql-IBMSIMJDBC-7.2.0.jar.

    Issue
    Log Sources configured to use the IBM Security Identity Manager Protocol can stop working with a 'NoClassDefFoundError' due to a jar dependency.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-25] com.eventgnosis.ecs: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error attempting to load (device):ecs-ec-ingress/EC_Ingress/Q1_IBMSIMJDBCEventSource
    Error : java.lang.NoClassDefFoundError: com.microsoft.sqlserver.jdbc.SQLServerException
    05 March 2021
    LICENSE IJ07953 'FAILED TO GET EPS FPM ALLOCATION VALUES' IN LOG ACTIVITY TAB OR 'FAILED TO LOAD DATA' IN LICENSE POOL MANAGEMENT CLOSED Resolved in
    QRadar 7.3.2 (7.3.2.20190201201121)
    QRadar 7.3.1 Fix Pack 7 (7.3.1.20181123182336)

    Workaround
    Administrators can upgrade to a release where this issue is resolved. For more information, review the following resources:
    Issue
    In instances where manual database changes have been made to the license_key and serverhosts tables, the License Pool Management page sometimes does not load and displays the error "Failed to load data". The message "Failed to Get EPS FPM allocation values" can also be observed in the Log Activity tab when this issue is occurring.

    Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
    [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool] Caused by:
    [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool] com.q1labs.restapi_annotations.content.exceptions.endpointExceptions.ServerProcessingException: Failed to retrieve the deployed license pool
    [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool]    at com.ibm.si.configservices.api.impl.license_pool.LicensePoolGetImpl.buildPool(LicensePoolGetImpl.java:42)
    [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool]    at com.ibm.si.configservices.api.impl.license_pool.LicensePoolGetImpl.getLicensePool(LicensePoolGetImpl.java:18)
    [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool]    at com.q1labs.configservices.api.v8_0.license_pool.LicensePoolAPI.getDeployedLicensePool(LicensePoolAPI.java:70)
    [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool]    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool]    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
    [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool]    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
    [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool]    at java.lang.reflect.Method.invoke(Method.java:508)
    [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool]    at com.q1labs.restapi.servlet.utilities.APIRequestHandler.invokeMethod(APIRequestHandler.java:1031)
    [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool]    at com.q1labs.restapi.servlet.utilities.APIRequestHandler.redirectRequest(APIRequestHandler.java:399)
    [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool] ... 46 more
    [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool] Caused by:
    [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool] java.lang.NullPointerException
    [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool]    at com.q1labs.core.shared.license.LicenseKeyManager.getHostType(LicenseKeyManager.java:4305)
    [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool]    at com.q1labs.core.shared.license.LicensePoolAllocationManager.getTotalCapacities(LicensePoolAllocationManager.java:652)
    [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool]    at com.q1labs.core.shared.license.LicensePoolAllocationManager.getTotalCapacities(LicensePoolAllocationManager.java:629)
    [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool]    at com.ibm.si.configservices.api.impl.license_pool.LicensePoolGetImpl.buildPool(LicensePoolGetImpl.java:33)
    26 February 2019
    QRADAR ON CLOUD IJ32040 QRADAR ON CLOUD USER INTERFACE CAN EXPERIENCE UNPOPULATED LIST BOXES OR ONES ONLY DISPLAYING AN "X" OPEN Workaround
    Contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    Some QRadar On Cloud instances on Akamai can experience User Interface (UI) display issues such as unpopulated list boxes or list boxes with only "X" being displayed. This UI display behavior can be intermittent.

    This behavior has been identified as being caused by downloads of CSS resources, such as dojo.css, failing authentication and getting redirected to login.ibm.com. As these static resource downloads do not handle the HTTP 302 redirection, the CSS is not downloaded and the UI is incomplete.
    16 April 2021
    PROTOCOL IJ32029 LOG SOURCES CONFIGURED TO USE THE VMWARE PROTOCOL CAN STOP WORKING AFTER INSTALLING UPDATED PROTOCOL VERSION OPEN Workaround
    The workaround is QRadar version dependent. Note: Restarting the ecs-ec-ingress service stops event collection. For more information, see: Impact of restarting QRadar services.

    For QRadar 7.4.x:
    1. Remove the file /opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs/dom4j.jar.
    2. To restart the ecs-ec-ingress service, select Admin > Advanced > Restart Event Collection Service.

    For QRadar 7.3.x:
    1. Remove the file /opt/ibm/si/services/ecs-ec-ingress/current/bin/dom4j-1.3.jar.
    2. To restart the ecs-ec-ingress service, select Admin > Advanced > Restart Event Collection Service.

    Issue
    Log Sources configured to use the VMware protocol can stop working and display "Invalid Credentials when initializing EMCVmWareProtocol" after installing a new EMCVmware protocol rpm manually or via the AutoUpdate feature in QRadar.

    Affected RPM versions:
    • PROTOCOL-EMCVMWareProtocol-7.3-20200916171440.noarch.rpm
    • PROTOCOL-EMCVMWareProtocol-7.4-20200916171516.noarch.rpm

    To verify whether this issue applies, run the following command from an SSH session to the QRadar Console to identify the currently installed rpm version:
    rpm -qa | grep -i emcvmwareprotocol


    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] Caused by: java.rmi.RemoteException: VI SDK invoke exception:java.rmi.RemoteException: VI SDK invoke exception:org.dom4j.DocumentException: org.dom4j.DocumentFactory incompatible with org.dom4j.DocumentFactory
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] at com.vmware.vim25.ws.WSClient.invoke(Unknown Source)
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] at com.vmware.vim25.ws.VimStub.retrieveServiceContent(Unknown Source)
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] at com.vmware.vim25.mo.ServiceInstance.<init>(Unknown Source)
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] at com.vmware.vim25.mo.ServiceInstance.<init>(Unknown Source)
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] at com.q1labs.semsources.sources.vmware.api.VmApi.init(VmApi.java:90)
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] ... 4 more
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] com.q1labs.semsources.sources.vmware.EMCVmWareProtocol: [DEBUG] EMC Vm Ware Protocol Provider 'class com.q1labs.semsources.sources.vmware.VmWareAPIProvider6' changed state from STARTING to STOPPED.
    16 April 2021
    UPGRADE IJ31972 RESIDUAL JDBC PROTOCOL JAR FILES ARE LEFT BEHIND WHEN UPGRADING FROM QRADAR 7.3.X TO 7.4.X OPEN Workaround
    The residual .jar files from the 7.3.x JDBC protocol can be ignored.

    Issue
    When patching from QRadar 7.3.x to QRadar 7.4.x, residual JDBC Protocol .jar files from the older protocol version are left behind. These residual .jar files are benign and can be safely ignored.
    16 April 2021
    ADVANCED SEARCH (AQL) IJ31912 DATA CONTAINED WITHIN "< >" FROM PAYLOADS IS MISSING IN CSV EXPORT FROM AN AQL ADVANCED SEARCH CONTAINING A GROUP BY OPEN Workaround
    Where possible, perform the AQL search without the GROUP BY condition.

    Issue
    When performing an AQL search with a GROUP BY condition, and exporting the visible columns to a CSV file, any priority headers contained in the event payloads (e.g. "<13>") are missing in the .csv export file. For example:
    1. QRadar user interface, select Log Activity > Quick Filter > Advanced Search.
    2. Search for events with a GROUP BY condition where the results contain the "< >" symbols.
    3. Select Actions > Export to CSV > Visible Columns.
    4. Save and open the file.

      Result
      From the output csv columns, the strings contained by the "< >" symbols are missing.
    16 April 2021
    PROTOCOL IJ31913 JDBC TIMEOUT VALUE CONFIGURED FOR ORACLE LOG SOURCES IS SET AT 1 MINUTE VS 5 MINUTES FOR MSDB LOG SOURCES OPEN Workaround
    No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

    Issue
    The JDBC timeout value used for Oracle Log Sources is set at 1 minute, but when JDBC is used for MSDB Log Sources it is set at 5 minutes. This can cause Oracle Log Sources to go into a failed state earlier than expected.

    Messages similar to the following might be visible in /var/log/qradar.log when the timeout occurs:
    [ecs-ec-ingress.ecs-ec-ingress] [*Oracle*//LxxxxxA@ipaddress Protocol Provider Thread: class com.q1labs.semsources.sources.jdbc.JdbcEventConnector5530] com.q1labs.semsources.sources.jdbc.JdbcEventConnector: [WARN] [NOT:0000004000][ipaddress/- -] [-/- -]IO Error: Socket read timed out on Oracle//LxxxxxA@ipaddress
    16 April 2021
    MANAGED HOST / ADD HOST IJ32092 ADMIN USER WITH NO LOCALE CONFIGURED IS UNABLE TO ADD A MANAGED HOST TO THE QRADAR DEPLOYMENT OPEN Workaround
    1. Set the locale to English using the following command from an SSH session to the QRadar Console:
      psql -U qradar -c "update user_settings set locale='en',use_browser_locale = 'f' where security_id = (select security_id from security_descriptors where label = 'admin');"
    2. To restart hostcontext, type:
      systemctl restart hostcontext
    3. To restart tomcat, type:
      systemctl restart tomcat
    4. Attempt to add the managed host to the deployment again.

    Issue
    The Add Host process fails with a message similar to "Cannot connect to the host. Check password and IP" for an admin user with no QRadar locale configured.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [Thread-503] com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI: [ERROR] [NOT:0000003000][xx.xx.xx.xx/- -] [-/- -]unable to add managed host: null
    [tomcat.tomcat] [Thread-503] com.q1labs.restapi_annotations.content.exceptions.endpointExceptions.ServerProcessingException
    [tomcat.tomcat] [Thread-503] at com.ibm.si.configservices.api.impl.DeploymentAPIImpl.addManagedHost(DeploymentAPIImpl.java:924)
    [tomcat.tomcat] [Thread-503] at com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI$AddHostThread.run(DeploymentAPI.java:1003)
    [tomcat.tomcat] [Thread-503] at java.lang.Thread.run(Thread.java:822)
    [tomcat.tomcat] [Thread-503] Caused by:
    [tomcat.tomcat] [Thread-503] com.q1labs.configservices.common.ConfigServicesException: Unable to add managed host.
    [tomcat.tomcat] [Thread-503] at com.q1labs.configservices.capabilities.CapabilitiesHandler.addManagedHost(CapabilitiesHandler.java:2025)
    [tomcat.tomcat] [Thread-503] at com.ibm.si.configservices.api.impl.DeploymentAPIImpl.addManagedHost(DeploymentAPIImpl.java:893)
    [tomcat.tomcat] [Thread-503] ... 2 more
    16 April 2021
    ROUTING RULES IJ31911 ROUTING RULES WITH A FILTER CONTAINING A TRAILING BACKSLASH ARE NOT EDITABLE ONCE SAVED OPEN Workaround
    No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

    Issue
    Routing Rules with a filter containing a trailing backslash are not editable once saved. For example:
    1. Log in to the QRadar Console as an administrator.
    2. Click the Admin tab.
    3. Click the Routing Rules icon.
    4. Create a new rule.
    5. Add a filter to the rule that uses a trailing backslash. For example:
      Filename is equal to any of C:\Users\Test\
    6. Click Save.
    7. Attempt to edit the rule.

      Results
      The edit interface does not open. Users are unable to use the Edit button in the user interface.
    16 April 2021
    EVENT DATA IJ31537 MESSAGESIZEEXCEPTION CAN CAUSE THE QRADAR EVENT PIPELINE TO STOP FUNCTIONING AS EXPECTED CLOSED Resolved in
    QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)

    Workaround
    No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

    Issue
    The QRadar event pipeline can stop working as expected when a message size exception is encountered, causing events to fail to be processed.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] com.q1labs.sem.nio.network.StreamProcessor: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]Cannot get the event from SpilloverQueue
    [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] com.q1labs.frameworks.nio.exceptions.MessageSizeException: Message size exceeds communication buffer capacity 131062
    [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread]    at com.q1labs.frameworks.nio.network.protocol.CollectionHandler.put(CollectionHandler.java:66)
    [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread]    at com.ibm.si.ecingress.destinations.SECStoreForwardDestination.sendEventFromQ(SECStoreForwardDestination.java:471)
    [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread]    at com.q1labs.sem.nio.network.StreamProcessor.sendMessage(StreamProcessor.java:96)
    [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread]    at com.q1labs.sem.nio.network.StreamProcessor.run(StreamProcessor.java:55)
    [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread]    at java.lang.Thread.run(Thread.java:818)
    16 April 2021
    LOG SOURCES IJ31917 LOG SOURCE IDENTIFIER COLUMN DISPLAYS "N/A" WHEN SELECTED IN A LOG ACTIVITY PAGE SEARCH OPEN Workaround
    This issue only affects users of the legacy user interface; it does not affect the Log Source Management app, which displays the correct Log Source Identifier value.

    Where possible, use the Log Source Management app to view Log Source Identifier data.

    Issue
    The Log Source Identifier column displays N/A when it is selected in a search on the Log Activity page of the QRadar User Interface. This prevents grouping by Log Source Identifier.

    When opening a received event, the Log Source Identifier column displays the expected data within that view.
    16 April 2021
    PROTOCOL IJ32031 LOG SOURCES CONFIGURED TO USE THE GOOGLE CLOUD PUB SUB PROTOCOL CAN INCORRECTLY DISPLAY ERROR STATUS OPEN Workaround
    1. Confirm events are being received by the Log Source by performing an event search.
    2. Toggle affected Log Sources to disabled and then back to enabled; this can temporarily correct the error status for the Google Pub/Sub log source.

    Issue
    Log Sources that are configured to use the Google Cloud Pub Sub Protocol can sometimes incorrectly display a status of "Error" when they are working correctly.
    16 April 2021
    UPGRADE IJ32030 QRADAR PATCH PRETEST FAILS TO RUN ON MANAGED HOSTS UNTIL CONSOLE IS PATCHED OPEN Workaround
    Perform the QRadar pretest and complete the Console software update. After the Console patching is successfully completed, the pretest can be run on the remaining Managed Hosts in the deployment.

    Issue
    The QRadar patch pretest function cannot be run on a Managed Host when the QRadar Console has not yet been patched. This issue prevents a pretest of a complete QRadar deployment prior to performing the patching process until after the Console is patched.

    A message similar to the following might be visible when attempting to run the pretest function:
    [ERROR] Failed to determine the patch level of the Console.
    16 April 2021
    UPGRADE IJ32036 LOG SOURCES CONFIGURED TO USE THE MQJMS PROTOCOL CAN STOP WORKING UNEXPECTEDLY OPEN Workaround
    Toggle the affected MQ JMS log source to disabled and then enable it again to correct the issue.

    Issue
    Log Sources that are configured to use the MQJMS Protocol stop working when a JMSWMQ1107 error occurs. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] com.q1labs.semsources.sources.mqjms.MQJMSErrorHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error Message: JMSWMQ1107: A problem with this connection has occurred.
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] com.ibm.msg.client.jms.DetailedIllegalStateException: JMSWMQ1107: A problem with this connection has occurred.
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] An error has occurred with the IBM MQ JMS connection.
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] Use the linked exception to determine the cause of this error.
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.wmq.common.internal.Reason.reasonToException(Reason.java:489)
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:215)
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.wmq.internal.WMQMessageConsumer.checkJmqiCallSuccess(WMQMessageConsumer.java:217)
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.wmq.internal.WMQMessageConsumer.checkJmqiCallSuccess(WMQMessageConsumer.java:273)
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.wmq.internal.WMQAsyncConsumerShadow.consumer(WMQAsyncConsumerShadow.java:615)
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.mq.jmqi.remote.impl.RemoteProxyQueue.callConsumer(RemoteProxyQueue.java:3616)
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.mq.jmqi.remote.impl.RemoteDispatchThread.run(RemoteDispatchThread.java:269)
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.commonservices.workqueue.WorkQueueItem.runTask(WorkQueueItem.java:319)
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.commonservices.workqueue.SimpleWorkQueueItem.runItem(SimpleWorkQueueItem.java:99)
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.commonservices.workqueue.WorkQueueItem.run(WorkQueueItem.java:343)
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.commonservices.workqueue.WorkQueueManager.runWorkQueueItem(WorkQueueManager.java:312)
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.commonservices.j2se.workqueue.WorkQueueManagerImplementation$ThreadPoolWorker.run(WorkQueueManagerImplementation.java:1227)
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] Caused by: com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2202' ('MQRC_CONNECTION_QUIESCING').
    16 April 2021
    SECURITY BULLETIN CVE-2020-7692 GOOGLE-API-CLIENT AS USED BY IBM QRADAR SIEM IS VULNERABLE TO AUTHORIZATION BYPASS CLOSED Resolved in
    7.3.0-QRADAR-PROTOCOL-GoogleCommon-7.3-20210126200436
    7.4.0-QRADAR-PROTOCOL-GoogleCommon-7.4-20210126200430

    Affected versions
    • All GoogleCommon versions before 7.3.0-QRADAR-PROTOCOL-GoogleCommon-7.3-20210126200436
    • All GoogleCommon versions before 7.4.0-QRADAR-PROTOCOL-GoogleCommon-7.4-20210126200430
    Issue
    CVE-2020-7692: Google APIs google-oauth-java-client could allow a remote attacker to bypass security restrictions, caused by no PKCE support implemented. By executing a specially-crafted application, an attacker could exploit this vulnerability to obtain the authorization code, and gain authorization to the protected resource. CVSS Base score: 7.4
    04 March 2021
    SERVICES IJ31105 POSTFIX SERVICE IN A BAD STATE CAN CAUSE HOSTCONTEXT TO HANG OPEN Workaround
    Contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    QRadar's hostcontext (responsible for multiple QRadar functions) can go into a hung state when the postfix service is not working correctly.

    Checking the status of postfix can help to identify whether it is in a bad state. This check can be performed from an SSH session to the QRadar Console:
    # systemctl status postfix
    postfix.service - Postfix Mail Transport Agent
       Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled)
      Drop-In: /etc/systemd/system/postfix.service.d
               80-si-postfix.conf
       Active: active (running) since Tue 2021-02-23 14:14:49 EST; 1h 15min ago
     Main PID: 22618 (master)
        Tasks: 3
       Memory: 3.1M
       CGroup: /system.slice/postfix.service
               22618 /usr/libexec/postfix/master -w
               22619 pickup -l -t unix -u
               22620 qmgr -l -t unix -u

    Feb 23 15:26:02 (console) postfix/master[22618]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
    (console) postfix/smtpd[69654]: fatal: bad numerical configuration: unknown_local_recipient_reject_code = 550 relayhost =
    (console) postfix/master[22618]: warning: process /usr/libexec/postfix/smtpd pid 69654 exit status 1
    (console) postfix/master[22618]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
    Feb 23 15:28:03 (console) postfix/smtpd[85954]: fatal: bad numerical configuration: unknown_local_recipient_reject_code = 550 relayhost =
    (console) postfix/master[22618]: warning: process /usr/libexec/postfix/smtpd pid 85954 exit status 1
    (console) postfix/master[22618]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
    (console) postfix/smtpd[96641]: fatal: bad numerical configuration: unknown_local_recipient_reject_code = 550 relayhost =
    (console) postfix/master[22618]: warning: process /usr/libexec/postfix/smtpd pid 96641 exit status 1
    (console) postfix/master[22618]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttlin

    For more information on hostcontext in QRadar, see: QRadar: Hostcontext service and the impact of a service restart
    31 March 2021
    LOG SOURCES IJ31534 AUTODISCOVERED LOG SOURCES WITH A 127.0.0.1 IP ADDRESS CAN CAUSE SYSTEM EVENTS TO BE CATEGORIZED INCORRECT OPEN Workaround
    Update your parsing order for log sources to move the autodiscovered log sources below the QRadar system log sources. For more information, see: Adding a log source parsing order.

    Issue
    Autodiscovered log sources with an IP Address of 127.0.0.1 can have a higher value in the parsing order than the system based log sources. This can cause internal events (for example, SIM Audit) to be associated with the incorrect log source.

    To identify whether this issue is the cause of incorrect Log Source association for internal events, check the parsing order:
    1. Open the Log Source parsing order user interface in the Admin tab.
    2. Filter by identifier = 127.0.0.1.

      Results
      When this issue occurs, there will be log sources above internal log sources in the parsing order list. Updating the parsing order can resolve this issue. For more information about QRadar system (internal) log sources, see: Creating an Offense for Monitoring an Internal Log Source.
    31 March 2021
    LOG SOURCES IJ31840 LOG SOURCES CONFIGURED FOR IBM SECURITY IDENTITY MANAGER JDBC CAN FAIL TO PARSE AS EXPECTED OPEN Workaround
    1. Open the affected Log Source.
    2. Save the log source.
    3. Verify that the Log Source is parsing the expected data from new events after re-saving it.
    Note: In some instances, a change to the Log Source might be needed before saving; then save the Log Source and check for proper event parsing.

      Issue
      Log Sources configured for use with IBM Security Identity Manager JDBC can fail to work as expected.

      Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
      [ecs-ec-ingress.ecs-ec-ingress] [DB2//ITIMDB@dbHost Protocol Provider Thread: class com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector2018] com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector: [INFO] [NOT:0000006000][epIp/- -] [-/- -]disconnected
      [ecs-ec-ingress.ecs-ec-ingress] [DB2//ITIMDB@dbHost Protocol Provider Thread: class com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector2018] com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventSource: [INFO] [NOT:0000006000][epIp/- -] [-/- -]Provider 'class com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector2018' stopped.
      [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021] com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector: [INFO] [NOT:0000006000][epIp/- -] [-/- -]Polling interval in milliseconds = 30000
      [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021] com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector: [INFO] [NOT:0000006000][epIp/- -] [-/- -]jdbc session properties file already exists, loading its values
      [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021] com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector: [WARN] [NOT:0000004000][epIp/- -] [-/- -]null on DB2//ITIMDB@dbHost
      [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021] java.lang.NullPointerException
      [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]   at com.q1labs.semsources.sources.jdbc.SourceDatabaseType$2.composeUrl(SourceDatabaseType.java:90)
      [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]   at com.q1labs.semsources.sources.jdbc.JdbcEventConnector.connect(JdbcEventConnector.java:482)
      [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]   at com.q1labs.semsources.sources.jdbc.JdbcEventConnector.preExecuteConfigure(JdbcEventConnector.java:1060)
      [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]   at com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector.preExecuteConfigure(IBMSIMJDBCEventConnector.java:483)
      [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]   at com.q1labs.semsources.sources.base.SourceProvider.run(SourceProvider.java:179)
      [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021] com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector: [ERROR] [NOT:0000003000][epIp/- -] [-/- -]Unable to obtain a comparable value for the RECERTIFICATIONLOG table!
      [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021] java.lang.NullPointerException
      [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]   at com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector.preExecuteConfigure(IBMSIMJDBCEventConnector.java:500)
      [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]   at com.q1labs.semsources.sources.base.SourceProvider.run(SourceProvider.java:179)
      [ecs-ec-ingress.ecs-ec-ingress] [DB2//ITIMDB@dbHost Protocol Provider Thread: class com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector2018] com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventSource: [INFO] [NOT:0000006000][epIp/- -] [-/- -]IBMSIMJDBC provider 'class com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector2018' config ok; now trying to run...
      [ecs-ec-ingress.ecs-ec-ingress] [a5a99e1b-3d31-4659-8586-b5dcbbe148c6/SequentialEventDispatcher] com.q1labs.semsources.sources.base.SourceConfigDB: [INFO] [NOT:0000006000][epIp/- -] [-/- -]Updating provider (id = 2018) because its parameters have changed.
      [ecs-ec-ingress.ecs-ec-ingress] [a5a99e1b-3d31-4659-8586-b5dcbbe148c6/SequentialEventDispatcher] com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventSource: [INFO] [NOT:0000006000][epIp/- -] [-/- -]Stopping provider 'class com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector2018'.
      [ecs-ec-ingress.ecs-ec-ingress] [DB2//ITIMDB@dbHost Protocol Provider Thread: class com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector2018] com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector: [INFO] [NOT:0000006000][epIp/- -] [-/- -]disconnected
    31 March 2021
    VULNERABILITY SCANNER IJ30930 QRADAR SCANS ARE CALLING DEPRECATED TENABLE ENDPOINTS OPEN Workaround
    No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

    Issue
    QRadar scans continue to call deprecated Tenable endpoints after updates have been made within the Tenable API. Changes within QRadar scanning are needed so that only the appropriate endpoint fields are parsed.
    05 March 2021
    APPLICATION FRAMEWORK IJ30953 DRQ DIAGNOSTIC TEST RUNS ON ANY HOST CAPABLE OF RUNNING APPS (CONSOLE OR APPHOST) AND FAILS ON STANDBY HOSTS OPEN Workaround
    No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

    Issue
    The drq diagnostic test for docker runs on any QRadar app capable host (console or App Host). When it runs on a Standby host (High Availability), the drq test fails as docker is inactive on Standby hosts.

    This drq diagnostic test failure on Standby hosts is benign and can be safely ignored.

    Messages similar to the following might be visible when drq is run on Standby hosts:
    [root@hostname-secondary ~]# drq
    DrQ version 1.4.1 (mode(s): checkup, tag(s): , verbosity: summary)
    ------
    Docker Running Check
    Check if Docker is installed and running [FAILURE]
    'docker.service' is not active.
    05 March 2021
    UPGRADE IJ31087 PATCHING FROM A MOUNTED .SFS IN /STORE IS ALLOWED BY QRADAR BUT CAN CAUSE HIGH AVAILABILITY PATCHING TO FAIL OPEN Workaround
    Before a patch is run, ensure that it is run from a mount under /tmp or /root (or another non-High Availability filesystem). If patching is already in progress on an HA-configured system from an .sfs mount point under /store and fails, please Contact QRadar Support.

    Issue
    QRadar allows patching from an .sfs file that is mounted in the /store partition. If the patch is run from this location, patch failure can occur on High Availability (HA) appliances.
    05 March 2021
    UPGRADE IJ31084 PATCHING TO QRADAR 7.3.3 FP7 CAN FAIL WITH DRACUT RPM DEPENDENCIES OPEN Workaround
    If patches.log contains the messages shown under Issue, remove the conflicting package(s) with the following commands from an SSH session to the QRadar Console:
    1. Type the following command:
      yum remove dracut-config-generic
    2. If that states it has no dependencies, then proceed to remove the dracut RPM.
    3. Re-run the patch Installer.

    Issue
    Patching to QRadar 7.3.3 FP7 can fail due to dracut RPM dependencies. Messages similar to the following might be visible in /var/log/setup-#####/patches.log:
    Feb  5 08:22:07 2021: Feb  5 08:22:07 2021:[ERROR](testmode) sql pretest errored, halting.[6/9] Install & Upgrade Packages failed to complete successfully.
    Errors:
    [6/9] Install & Upgrade Packages  upgrading produced:
    Error: Package: dracut-config-generic-033-535.el7.x86_64 (installed)
    Requires: dracut = 033-535.el7
    Removing: dracut-033-535.el7.x86_64 (installed)
    dracut = 033-535.el7
    Updated By: dracut-033-564.el7.x86_64 (local)
    dracut = 033-564.el7
    05 March 2021
    UPGRADE IJ31085 GLUSTERFS TO DRBD MIGRATION FAILS WHEN HOSTNAME IS LONGER THAN 54 CHARACTERS OPEN Workaround
    Contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    The glusterfs to DRBD migration fails when the hostname it is being run on is longer than 54 characters.
    05 March 2021
    UPGRADE IJ31074 QRADAR PATCHING PROCESS CAN HANG AT MESSAGE "UPDATING : SYSTEMD-219-78.EL7.X86_64" OPEN Workaround
    Old heap dumps might need to be removed from /store/jheap/<dir> before patching.

    If you require any assistance to identify and remove these old heap dumps, Contact QRadar Support.

    Issue
    The QRadar patching process can hang with a message similar to the following being displayed on screen:
    Feb 21 11:53:44 2021: Feb 21 11:53:44 2021: [INFO](patchmode) Updating : systemd-219-78.el7.x86_64
    This issue can occur when there are dump files located in /store/jheap/ on a QRadar appliance being patched.
    27 March 2021
    UPGRADE IJ31079 '[WARNING] ALL APPLICABLE HOSTS HAVE MIGRATED FROM GLUSTERFS TO DRBD. EXITING' WHEN RUNNING GLUSTERFS TO DRBD MIGRATION TOOL OPEN Workaround
    If you experience issues with the glusterfs_migration_manager, move the report on the Console to another directory location, such as /store/ibm_support. For example:
    1. Log in to the QRadar Console as the root user.
    2. To create a directory, type: mkdir /store/ibm_support
    3. To move the report, type: mv /etc/qradar/ha/glusterfs_migration_report.json /store/ibm_support
    4. Run the glusterfs_migration_manager.py tool again.

      Results
      If you are still facing issues, or require assistance with the workaround, Contact QRadar Support.

    Issue
    Running the glusterfs to DRBD migration in a QRadar Deployment with multiple affected hosts can fail to start again if one appliance fails the migration process.

    A message similar to the following might be visible when this issue occurs:
    [WARNING] All applicable hosts have migrated from GlusterFS to DRBD. Exiting.

    This is caused by the logic in glusterfs_migration_manager.py that checks whether all hosts are migrated. It occurs when the report contains more than one host and the first host in the list has already completed migration.

    The script then calls sys.exit(1) and exits, reporting that all migration has completed.
    27 March 2021
    VULNERABILITY SCANNER IJ31088 QRADAR CAN SOMETIMES CONTINUE TO ATTEMPT TO DOWNLOAD A CERT FOR A SCANNER THAT HAS BEEN REMOVED OPEN Workaround
    From an SSH session to the QRadar Console:
    1. Log in to the QRadar Console as the root user.
    2. Find and modify the file "certificate_catalogue.txt", remove the bad scanner record, then save the file.

    Issue
    QRadar can sometimes try to download a VA Scanner certificate even after the scanner configuration has been removed from QRadar. This is due to a cached value written to a temporary file. System Notifications similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    generateNotification: An attempt to download the server certificate for [IP:443] to [/opt/qradar/conf/trusted_certificates/IP_443.crt] has failed
    05 March 2021
    INDEX MANAGEMENT IJ31090 INDEX MANAGEMENT CAN DISPLAY ZEROS (0) ACROSS ALL COLUMNS WHEN A LARGE TIME RANGE IS CHOSEN OPEN Workaround
    Contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    Index management can show zeros (0) for every column of each index if a large time range is chosen. This occurs when a backend timeout happens due to the large amount of data processed.
    05 March 2021
    SYSTEM SETTINGS IJ31083 GEOGRAPHIC SETTINGS CAN FAIL TO WORK AS EXPECTED WHEN AN INCORRECT USERID HAS BEEN INPUT OPEN Workaround
    Verify that the correct UserId data is entered into the field.

    Issue
    Geographic updates can fail in QRadar if incorrect values are entered in the UserId text box in the Geographic Settings section of the System Settings page. Valid UserIds consist of numbers only, but a lack of data validation on the UserId field allows users to enter any characters.

    When incorrect information for UserId is entered, this can cause the GeoIP.conf file to have bad values in it.
    05 March 2021
    PROTOCOLS IJ31080 EVENTS COMING FROM THE SAME SOURCE CAN SOMETIMES BE PLACED WITH DIFFERENT GOOGLE PUB/SUB LOG SOURCES OPEN Workaround
    No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

    Issue
    An issue with Google Pub/Sub log source auto-detection can occur where it sometimes selects the trailing characters of the regex ("}) and appends them to the Log Source Identifier. When this occurs, events coming from the same source can be placed in different Log Sources.
    05 March 2021
    DEPLOY CHANGES IJ31081 DEPLOY FUNCTION CAN FAIL ON SOME MANAGED HOSTS IF A LEGACY DEPLOYMENT.XML FILE REMAINS IN /STORE/CONFIGSERVICES/DEPLOYED/ OPEN Workaround
    Contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    The QRadar deploy function can fail on some Managed Hosts when there is a legacy deployment.xml file located in /store/configservices/deployed/.

    This deploy failure occurs because ECIngressConfigBuilder checks whether a file exists in the deployed folder and reads the staging folder only if it does not. On a Managed Host, which usually has no file in the deployed folder, this can cause deploy issues if a legacy file has been left there. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] com.q1labs.configservices.common.ConfigServicesException: Failed to create EC_Ingress.xml for component eventcollectoringress102.
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at com.q1labs.configservices.config.localset.sem.ECIngressConfigBuilder.buildConfig(ECIngressConfigBuilder.java:130)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at com.q1labs.configservices.config.AbstractComponentConfigBuilder.buildComponentConfig(AbstractComponentConfigBuilder.java:54)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at com.q1labs.configservices.config.localset.component.ComponentTransformerManager.processComponent(ComponentTransformerManager.java:206)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at com.q1labs.configservices.config.localset.component.ComponentTransformerManager.buildConfiguration(ComponentTransformerManager.java:117)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] ...22 more
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] Caused by:
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] java.lang.RuntimeException: Error merging velocity template and context
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at com.q1labs.configservices.config.VelocityFileProducer.createConfigFile(VelocityFileProducer.java:56)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at com.q1labs.configservices.config.localset.sem.ECIngressConfigBuilder.buildConfig(ECIngressConfigBuilder.java:126)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] ...25 more
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] Caused by:
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] org.apache.velocity.exception.MethodInvocationException: Invocation of method 'getEventThreshold' in class com.q1labs.configservices.config.localset.sem.ECIngressConfigBuilder threw exception java.lang.NumberFormatException: null at EC_Ingress.vm[line 498, column 79]
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.runtime.parser.node.ASTMethod.handleInvocationException(ASTMethod.java:243)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMethod.java:187)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:280)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.runtime.parser.node.ASTReference.render(ASTReference.java:369)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.runtime.parser.node.ASTBlock.render(ASTBlock.java:72)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.runtime.parser.node.ASTIfStatement.render(ASTIfStatement.java:87)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:342)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.Template.merge(Template.java:356)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.Template.merge(Template.java:260)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at com.q1labs.configservices.config.VelocityFileProducer.createConfigFile(VelocityFileProducer.java:50)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] ...26 more
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] Caused by:
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] java.lang.NumberFormatException: null
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at java.lang.Long.parseLong(Long.java:564)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at java.lang.Long.parseLong(Long.java:643)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at com.q1labs.configservices.config.localset.sem.ECIngressConfigBuilder.getEPSThreshold(ECIngressConfigBuilder.java:315)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at com.q1labs.configservices.config.localset.sem.ECIngressConfigBuilder.getEventThreshold(ECIngressConfigBuilder.java:307)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at java.lang.reflect.Method.invoke(Method.java:508)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl.doInvoke(UberspectImpl.java:395)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl.invoke(UberspectImpl.java:384)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMethod.java:173)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] ...34 more
    05 March 2021
    UPGRADE IJ31092 QRADAR PATCHING CAN FAIL DUE TO A FREE SPACE CHECK THAT FAILS OPEN Workaround
    Contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    QRadar patching can fail because of an invalid drq check. This check of /var/log/lastlog is not required and should not cause QRadar patching to fail. Messages similar to the following might be visible when this issue occurs:
    Available Space Checks
      Checks if /var/log has enough space

       [FAILURE]
        Not enough space in /var/log: Available Space: 14108 MB - File: /var/log/lastlog 99520 MB. This will cause logrotate to fail.

       [REMEDIATION]
        Free up space in /var/log. You need at least 99720 MB free.
    05 March 2021
    CONTENT MANAGEMENT TOOL (CMT) IJ30916 HIDDEN CONTROL CHARACTERS CAN CAUSE A CONTENT MANAGEMENT TOOL (CMT) IMPORT TO FAIL OPEN Workaround
    Contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    Performing a Content Management Tool import can fail when there are hidden control characters in the import. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ContentManager.cmt] [root@127.0.0.1:60778 (ContentManagementCLI)] javax.xml.bind.UnmarshalException
    [ContentManager.cmt] [root@127.0.0.1:60778 (ContentManagementCLI)] - with linked exception:
    [ContentManager.cmt] [root@127.0.0.1:60778 (ContentManagementCLI)] [org.xml.sax.SAXParseException: An invalid XML character (Unicode: 0x3) was found in the element content of the document.]
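An added pre-flight check for CMT exports; it is not IBM's workaround and not code from the Content Management Tool. It locates characters outside the XML 1.0 Char production (such as the 0x3 reported above) with their line and column, and strips them so the document parses; the export fragment is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Characters permitted by the XML 1.0 "Char" production. Anything outside
# this class (including the 0x3 End-of-Text control that the CMT error
# reports) makes the SAX parser reject the document.
_INVALID_XML_CHAR = re.compile(
    "[^\u0009\u000A\u000D\u0020-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]"
)

# Constructed fragment shaped like a content export, with a hidden 0x3
# control character inside the description element.
SAMPLE_EXPORT = (
    "<content>\n"
    "  <rule><name>Suspicious Logon</name>"
    "<description>Detects logon\x03 anomalies</description></rule>\n"
    "</content>\n"
)


def find_invalid_xml_chars(text):
    """Return (line, column, codepoint) for every character XML 1.0 forbids."""
    hits = []
    for match in _INVALID_XML_CHAR.finditer(text):
        start = match.start()
        line = text.count("\n", 0, start) + 1
        column = start - (text.rfind("\n", 0, start) + 1) + 1
        hits.append((line, column, ord(match.group())))
    return hits


def strip_invalid_xml_chars(text):
    """Remove forbidden characters; the surrounding text is left untouched."""
    return _INVALID_XML_CHAR.sub("", text)


def parses(text):
    """True if the stdlib XML parser accepts the document."""
    try:
        ET.fromstring(text)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    for line, column, codepoint in find_invalid_xml_chars(SAMPLE_EXPORT):
        print(f"line {line} column {column}: U+{codepoint:04X}")
    print("parses before cleaning:", parses(SAMPLE_EXPORT))
    print("parses after cleaning:", parses(strip_invalid_xml_chars(SAMPLE_EXPORT)))
```

Run the same functions over a real export file before importing it; a non-empty hit list explains the SAXParseException above without having to guess where the character sits.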
    05 March 2021
    LOG SOURCES IJ31577 LOG FILE PROTOCOL STOPS PROCESSING ANY FURTHER FILES WHEN AN EMPTY FILE IS READ IN A ZIPPED FILE OPEN Workaround
    • Manually unzip the files, remove the empty files and zip them again.
    • OR
    • If download size is not important (storage free space), there is the option to directly process text files instead of zipped files.

    Issue
    When an empty file is encountered in a zipped file, Log File Protocol stops processing any further files and repeatedly processes the last file that was not empty.

    For example:
    Three files are in a .zip file as file1, file2, and file3, and file2 is empty. The protocol stops at file2, posts the events from file1 repeatedly, and never reaches file3.
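A pre-flight check for the workaround above, added here as an example that is not part of the APAR or of IBM's own tooling: it lists the zero-length members of an archive, rebuilds the archive without them, and shows a reader that skips an empty member instead of stalling on it. The archive and its log lines are constructed inline to mirror the file1/file2/file3 scenario.

```python
import io
import zipfile


def build_sample_zip() -> bytes:
    """Constructed archive: file2 is the empty member that trips the protocol."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("file1", "Mar 31 10:00:01 host1 sshd[100]: Accepted publickey for admin\n")
        zf.writestr("file2", "")
        zf.writestr("file3", "Mar 31 10:00:02 host1 sshd[101]: Failed password for root\n")
    return buf.getvalue()


def find_empty_members(zip_bytes: bytes) -> list:
    """Names of members whose uncompressed size is zero (directories ignored)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if not info.is_dir() and info.file_size == 0]


def strip_empty_members(zip_bytes: bytes) -> bytes:
    """Rebuild the archive without zero-length members, keeping member order."""
    src = zipfile.ZipFile(io.BytesIO(zip_bytes))
    out = io.BytesIO()
    with src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.is_dir() or info.file_size == 0:
                continue
            # Reusing the ZipInfo keeps the original name and timestamp.
            dst.writestr(info, src.read(info))
    return out.getvalue()


def member_names(zip_bytes: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


def count_events(zip_bytes: bytes) -> dict:
    """A reader that records an empty member and moves on: name -> line count."""
    counts = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            # An empty member contributes nothing; later members are still read.
            counts[info.filename] = data.count(b"\n") if data else 0
    return counts


if __name__ == "__main__":
    sample = build_sample_zip()
    print("empty members:", find_empty_members(sample))
    print("events per member:", count_events(sample))
    print("after stripping:", member_names(strip_empty_members(sample)))
```

To check a real archive, read its bytes from disk and pass them to find_empty_members; a non-empty result means the archive needs the unzip/remove/re-zip workaround before the protocol reads it.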
    31 March 2021
    LOG SOURCES IJ31868 "THE FIELD MUST NOT EXCEED 2047 CHARACTERS" MESSAGE CAN BE GENERATED WHEN CONFIGURING A TLS SYSLOG PROTOCOL CERTIFICATE OPEN Workaround
    Close out of the Log Source interface if editing, and then change the allowable character limit using the following command from an SSH session to the QRadar Console:
    psql -U qradar -c "UPDATE sensorprotocolparameter SET maxlength = 4096 WHERE id = 22022 AND name = 'issuerPk';"

    Issue
    The TLS syslog protocol character limit for entering a Root/Intermediate Issuer's Certificate is set at 2047 and attempting to enter anything longer fails with a message similar to:
    The field must not exceed 2047 characters
    31 March 2021
    DEPLOYMENT IJ31762 RE-ADD OF A MANAGED HOST CAN FAIL DUE TO INCORRECT STATUS OF THE MANAGED HOST IN THE QRADAR DATABASE OPEN Workaround
    From an SSH session to the QRadar console, identify the id number and set the affected Managed Host to "Deleted" in the managedhost database table:
    1. To locate the id of the managed host that failed to add, type:
      psql -U qradar -c "select * from managedhost where hostname like '%hostname%'"

      Note the id value from the query as it is required for the next step.
    2. To set the managed host to deleted by id, type the following command and use the id from the query in step 1:
      psql -U qradar -c "update managedhost set status ='Deleted' where id=xxx"
    3. Attempt the re-add process for the affected Managed Host.

    Issue
    Re-adding a Managed Host can fail when the status of the Managed Host is not correct in the QRadar database. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [hostcontext.hostcontext] [8cba150a-4bc7-4405-b12f-03184d6332cf/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]host already exists with that ip: (ipaddress) with status: ADD_FAILED_CHECK_LOGS
    [hostcontext.hostcontext] [8cba150a-4bc7-4405-b12f-03184d6332cf/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Precheck: unable to mark host as being added
    [hostcontext.hostcontext] [8cba150a-4bc7-4405-b12f-03184d6332cf/SequentialEventDispatcher] com.q1labs.configservices.common.ConfigServicesException: Precheck: unable to mark host as being added
    [hostcontext.hostcontext] [8cba150a-4bc7-4405-b12f-03184d6332cf/SequentialEventDispatcher]    at com.q1labs.configservices.capabilities.AddHost.add(AddHost.java:1241)
    [hostcontext.hostcontext] [8cba150a-4bc7-4405-b12f-03184d6332cf/SequentialEventDispatcher]    at com.q1labs.configservices.capabilities.AddHost.addManagedHost(AddHost.java:324)
    [hostcontext.hostcontext] [8cba150a-4bc7-4405-b12f-03184d6332cf/SequentialEventDispatcher]    at com.q1labs.hostcontext.core.executor.AddHostExecutor.addManagedHost(AddHostExecutor.java:74)
    31 March 2021
    EMC VMWARE PROTOCOL IJ31531 VCENTER LOG SOURCES USING THE EMCVMWARE PROTOCOL CAN FAIL TO CONNECT DUE TO IPADDRESS IN CONFIGURATION VERSUS A FQDN OPEN Workaround
    No workaround available.

    APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums.

    Issue
    VCenter Log Sources can fail to connect because the single sign-on (SSO) mechanism for VCenter 7.0 accepts only a server's fully qualified domain name (FQDN) in HTTPS requests. As the VCenter Log Source address can only be an IP address, the connection from QRadar to the VCenter server cannot be established.
    31 March 2021
    BACKUP AND RESTORE IJ31100 QRADAR 7.4.X CONFIGURATION RESTORE FAILS DUE TO DUPLICATE ENTRIES IN THE ATTACKER_HISTORY DATABASE TABLE OPEN Workaround
    Contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    Restoring a config backup from QRadar 7.4.x fails due to duplicate entries in attacker_history database table. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [hostcontext.hostcontext] [Thread-355377] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream pg_restore: pg_restore: [archiver (db)] COPY failed for table "attacker_history": ERROR: duplicate key value violates unique constraint "attacker_history_ipaddress_key"
    [hostcontext.hostcontext] [Thread-355377] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream pg_restore: DETAIL: Key (ipaddress, domain_id)=(ip_address, 1) already exists.
    31 March 2021
    AUTHENTICATION IJ31665 ATTEMPTING TO REMOVE A GROUP MAPPING FROM LDAP GROUP BASED AUTHENTICATION CAN FAIL TO WORK AS EXPECTED OPEN Workaround

    Option 1
    Remove the group, add a group, and then click Save; the removal then works as expected.

    Option 2
    Disable group based authentication, click save. Then before performing a deploy function, re-enable group mapping and configure it from the beginning.

    If this still does not correct the issue, contact Support for an additional workaround that might address this issue in some instances.

    Issue
    While attempting to remove a group mapping in LDAP group based authentication from a Security role, the group can fail to be removed and is still displayed when navigating back to the configuration settings. For example:
    1. Have group based LDAP authentication.
    2. Add a group to the group mapping.
    3. Deploy changes.
    4. Remove a group.

      Result
      No deploy is needed, and if you go back in the configuration settings, the group is again displayed.
    31 March 2021
    ASSETS IJ31924 THE CLEAN VULNERABILITIES FUNCTION DOES NOT WORK AS EXPECTED FOR ASSETS THAT DO NOT HAVE AN IP ADDRESS CONFIGURED OPEN Workaround
    Where possible, use one of the following methods to work around the issue described above:
    • Assign the asset an IP address.
    • OR
    • Delete the vulnerability from the asset UI.
    • OR
    • Delete the asset.
      • For more information, see: working with assets.

    Issue
    When an asset has no IP address assigned to it, the clean vulnerabilities option does not remove the vulnerabilities from the asset. For example:
    1. Have an asset with vulnerabilities and no IP address assigned to it in the Asset tab.
    2. For that asset, select Actions > Clean Vulnerabilities.
    3. Select today's date for removing vulnerabilities and select the scanner.

      Result
      When the clean vulnerabilities action runs, the vulnerabilities remain listed in the User Interface (UI) and under the asset.
    16 April 2021
    QRADAR NETWORK INSIGHTS (QNI) IJ30903 SOME QRADAR NETWORK INSIGHTS (QNI) APPLIANCES CANNOT BE SETUP TO CONNECT TO QRADAR ON CLOUD (QRoC) ENVIRONMENTS CLOSED Resolved in
    QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)

    Workaround
    Contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    Virtual QRadar Network Insights QNI (6500) and 1940/6600 40Gbps appliance types cannot be set up to connect to QRadar On Cloud (QRoC) due to variables within the setup_qradar_host.py script. Messages similar to the following might be visible when this issue occurs:
    Skipping apply VPN action: This host does not support VPN actions.
    12 July 2021
    QRADAR PACKET CAPTURE IJ32043 NAPATECH CARD FIRMWARE INSTALLED IN PACKET CAPTURE APPLIANCES CAN BE AT AN OLDER VERSION THAN EXPECTED OPEN Workaround
    Contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    Some Napatech cards that were installed in QRadar Packet Capture appliances have a down-level firmware version (9232-52-13). The Packet Capture software installation does not attempt to detect the firmware version or upgrade it to the expected version.

    To verify the Napatech firmware version, type the following command from an SSH session to the appliance:
    /opt/napatech3/bin/adapterinfo

    Result
    • FPGA ID: 200-9232-52-13-0000 (down leveled firmware version)
    • FPGA ID: 200-9232-53-01-0000 (expected firmware version)
    15 April 2021
    VULNERABILITY SCANNER IJ26097 MAXPATROL VULNERABILITY SCANNER CAN FAIL TO CONNECT TO QRADAR AS IT USES THE DEPRECATED MICROSOFT WINDOWS SMBV1 OPEN Workaround
    No workaround available.

    Issue
    The Positive Technologies MaxPatrol vulnerability scanner can fail to connect to QRadar as expected because it is configured to use the now deprecated Microsoft Windows SMBv1 network protocol.

    This protocol version is no longer installed by default on computer systems running Microsoft Windows.
    15 July 2020
    USER INTERFACE IJ31931 QRADAR RISK MANAGER: AN 'APPLICATION ERROR' CAN OCCUR WHEN OPENING THE RISKS TAB IN THE USER INTERFACE DUE TO IPV6 SETTINGS IN A CONFIGURATION FILE OPEN Workaround
    1. Edit the following file using the vi command on the QRadar Risk Manager server appliance:
      /opt/tomcat-rm/conf/server.xml
    2. Remove address="::" from this section of the file:
      <Connector port="18009" address="::"
      enableLookups="false" redirectPort="18443" protocol="AJP/1.3"
      URIEncoding="UTF-8" maxPostSize="67108864"
      secretRequired="false"/> <!-- 67 108 864 = 64 MB -->
    3. Save your changes and exit vi.
    4. Type the following command:
      systemctl restart tomcat-rm

    Issue
    An "Application Error" can be displayed on the Risks tab of the QRadar User Interface if Internet Protocol version 6 is disabled on the QRadar Risk Manager (QRM) server appliance.

    Messages similar to the following might be visible in /var/log/qradar.log on the QRadar Console when this issue occurs:
    [tomcat.tomcat] [admin@127.0.0.1 (6623) /console/do/120/networkTopology] com.q1labs.srmconsole.util.WSUtil$WebClientProxy: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error invoking method isTopologyReloading on the appliance; full error details in appliance log
    [tomcat.tomcat] [admin@127.0.0.1 (6623) /console/do/120/networkTopology] com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]An exception occurred while processing the request:
    [tomcat.tomcat] [admin@127.0.0.1 (6623) /console/do/120/networkTopology] com.sun.xml.ws.client.ClientTransportException: The server sent HTTP status code 503: Service Unavailable
    Messages similar to the following might be visible in logging on the QRM server appliance when this issue occurs:
    Mar 26 13:33:28 hostname tomcat-rm[17470]: SEVERE: Failed to
    initialize connector [Connector[AJP/1.3-18009]]
    Mar 26 13:33:28 hostname tomcat-rm[17470]:
    org.apache.catalina.LifecycleException: Protocol handler
    initialization failed
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    org.apache.catalina.connector.Connector.initInternal(Connector.java:1077)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    org.apache.catalina.core.StandardService.initInternal(StandardSe
    rvice.java:552)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    org.apache.catalina.core.StandardServer.initInternal(StandardSer
    ver.java:848)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    org.apache.catalina.startup.Catalina.load(Catalina.java:639)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    org.apache.catalina.startup.Catalina.load(Catalina.java:662)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessor
    Impl.java:90)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
    AccessorImpl.java:55)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    java.lang.reflect.Method.invoke(Method.java:508)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:472)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: Caused by:
    java.net.SocketException: Protocol family unavailable
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    sun.nio.ch.Net.bind0(Native Method)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    sun.nio.ch.Net.bind(Net.java:460)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    sun.nio.ch.Net.bind(Net.java:452)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.
    java:253)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:86)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:221)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoin
    t.java:1118)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJss
    eEndpoint.java:222)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:587)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    org.apache.catalina.connector.Connector.initInternal(Connector.java:1075)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: ... 13 more
    07 April 2021
    WINCOLLECT IJ31843 WINCOLLECT 7.3.0 P1 AGENTS CAN STOP SENDING LOGS WHEN INFORMATION AND WARN EVENT TYPES ARE NOT SELECTED OPEN Workaround
    • Ensure that information and warning messages are selected to be sent to QRadar from the WinCollect agent.
      OR
    • Configure Xpath for required Critical and Error logs to be retrieved: https://www.ibm.com/support/pages/how-use-xpath-queries-wincollect-suppress-specific-events

      For example:
      <QueryList>
      <Query Id="0" Path="System">
      <Select Path="System">*[System[(Level=1 or Level=2)]]</Select>
      </Query>
      </QueryList>

    Issue
    WinCollect 7.3.0 P1 agents can stop sending logs to QRadar when information and warn type events are not selected. When this issue occurs, affected WinCollect agent hosts can be checked for messages that include "Error code 15001: The specified query is invalid." after the host agent logs are placed into debug.

    To place a WinCollect agent host into debug, see: https://www.ibm.com/support/pages/node/6404330#localsrv
    Note: Ensure that Debug is disabled again as soon as possible to prevent log bloat.
    13 April 2021
    WINCOLLECT IJ32028 WINCOLLECT LOG SOURCE MANAGEMENT DISPLAYS MULTIPLE INCORRECT ENTRIES WHEN A MANAGED HOST IS REMOVED AND ADDED BACK OPEN Workaround
    Create a WinCollect destination in the WinCollect UI and configure the WinCollect log sources to use this destination instead: https://www.ibm.com/community/qradar/2019/06/11/wincollect-configure-local-collection-when-installing-agent/

    Issue
    When a Managed Host is removed from a QRadar deployment and then added back with either the same or a new hostname and/or same or different IP address, the database does not get updated correctly.

    When this occurs, additional duplicate Target Internal Destination options, which can be invalid, are created in the Log Source Management app for WinCollect log sources.
    12 April 2021
    WINCOLLECT IJ31923 STANDALONE WINCOLLECT CAN FAIL TO WORK WHEN USING TCP TLS CONFIGURATION AND A CERTIFICATE SIZE OVER 8000 CHARACTERS OPEN Workaround
    No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums: https://ibm.biz/wincollectforums

    Issue
    Standalone WinCollect fails to receive logs and work as expected when using a TCP TLS configuration and a certificate larger than 8000 characters. When the certificate is too large, Deploy Changes fails to push out the required deploy configuration changes.
    12 April 2021
    SCAN RESULTS IJ32044 QRADAR VULNERABILITY MANAGER (QVM) SCAN STATUS REMAINS AT 'OUTSIDE OPERATIONAL WINDOW' AFTER SCAN COMPLETES OPEN Workaround
    Contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    When a scan uses operational windows, the scan status remains at "Outside Operational Window" after the scan completes.

    The asset model is updated, but the user is unable to open the scan results.
    12 April 2021
    SECURITY BULLETIN CVE-2020-2773
    CVE-2020-14797
    CVE-2020-14779
    CVE-2020-14796
    CVE-2020-14803
    CVE-2020-27221
    CVE-2020-14782
    CVE-2020-14781
    MULTIPLE VULNERABILITIES IN IBM JAVA SDK AND IBM JAVA RUNTIME AFFECT IBM QRADAR SIEM CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
    QRadar 7.3.3 Fix Pack 7 Interim Fix 2 (7.3.3.20210330030509)

    Affected versions
    • IBM QRadar 7.3.0 GA to 7.3.3 Patch 7
    • IBM QRadar 7.4.0 GA to 7.4.2 Patch 2
    Issue
    • CVE-2020-2773: An unspecified vulnerability in Java SE related to the Java SE Security component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7
    • CVE-2020-14797: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. CVSS Base score: 3.7
    • CVE-2020-14779: An unspecified vulnerability in Java SE related to the Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7
    • CVE-2020-14796: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. CVSS Base score: 3.1
    • CVE-2020-14803: An unspecified vulnerability in Java SE could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. CVSS Base score: 5.3
    • CVE-2020-27221: Eclipse OpenJ9 is vulnerable to a stack-based buffer overflow when the virtual machine or JNI natives are converting from UTF-8 characters to platform encoding. By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. CVSS Base score: 9.8
    • CVE-2020-14782: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. CVSS Base score: 3.7
    • CVE-2020-14781: An unspecified vulnerability in Java SE related to the JNDI component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. CVSS Base score: 3.7
    12 April 2021
    SECURITY BULLETIN CVE-2021-3156 SUDO AS USED BY IBM QRADAR SIEM IS VULNERABLE TO ARBITRARY CODE EXECUTION CLOSED Resolved in
    QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
    QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208)
    QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

    Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

    Affected versions
    • IBM QRadar 7.3.0 GA to 7.3.3 Patch 7
    • IBM QRadar 7.4.0 GA to 7.4.2 Patch 2
    Issue
    CVE-2021-3156: Sudo is vulnerable to a heap-based buffer overflow, caused by improper bounds checking when parsing command line arguments. By sending an "sudoedit -s" and a command-line argument that ends with a single backslash character, a local attacker could overflow a buffer and execute arbitrary code on the system with root privileges. This vulnerability is also known as Baron Samedit. CVSS Base score: 8.4
    12 April 2021
    DEPLOYMENT IJ32056 RE-ADD OF MANAGED HOST ON QRADAR 7.4.2 FIX PACK 3 HANGS AT "HOST IS BEING ADDED TO THE DEPLOYMENT" AFTER A QCHANGE_NETSETUP COMMAND IS PERFORMED OPEN Workaround
    1. After you confirm that the issue described has occurred during the re-add (unable to add managed host: SSH connection or SSH command execution failed), close the QRadar user interface window for the re-add.
    2. Verify in Admin tab > System and License Management that the Managed Host has not been re-added.
    3. After verifying that the Managed Host has not been re-added, attempt the Add Host steps again.

      Results
      A second attempt to add the managed host should complete successfully and the Managed Host should be correctly added to the deployment.

      Issue
        When re-adding a Managed Host to a QRadar deployment running 7.4.2 Fix Pack 3 after it has been removed, and qchange_netsetup has been run prior to the re-add attempt, the Managed Host can fail to add and the Add Host process appears in a hung state with a message similar to:
        Host is being added to the deployment.

        Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
        [hostcontext.hostcontext] [a65729b7-ff60-47c7-bdef-33c4b20063e8/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to add host. Output: 'Done Presence Script', data:'hostcontext is already stopped, no need to stop the service.
        [hostcontext.hostcontext] [a65729b7-ff60-47c7-bdef-33c4b20063e8/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to read output from ssh connection on host 127.0.0.1
        [hostcontext.hostcontext] [a65729b7-ff60-47c7-bdef-33c4b20063e8/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]SSH connection or SSH command execution failed. The ip of the host is: 127.0.0.1
        [hostcontext.hostcontext] [a65729b7-ff60-47c7-bdef-33c4b20063e8/SequentialEventDispatcher] com.q1labs.configservices.hostcontext.core.HostContextServices: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error retrieving message
        [tomcat.tomcat] [Thread-644] com.q1labs.configservices.capabilities.CapabilitiesHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Removing host 127.0.0.1 from the deployment model, if present, due to add_host failure.
        [tomcat.tomcat] [Thread-644] com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]unable to add managed host: SSH connection or SSH command execution failed.
    12 April 2021
    NETWORK CONFIGURATION IJ31239 A CRITICAL ISSUE HAS BEEN IDENTIFIED IN /OPT/QRADAR/BIN/QCHANGE_NETSETUP CLOSED Resolved in
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround
    A flash notice is available for administrators that describes how to confirm information in qradar_netsetup.log before you complete any network changes using the /opt/qradar/bin/qchange_netsetup utility. For more information, see: Important: A critical issue has been identified in /opt/qradar/bin/qchange_netsetup (IJ31239).

    Issue
    QRadar development has identified a defect in the network component /opt/qradar/bin/qchange_netsetup where a hostname issue can cause a critical error, impacting the appliance configuration.
    31 March 2021
    APPLICATION FRAMEWORK IJ25911 QRADAR APPS CAN FAIL TO INSTALL AFTER TOMCAT CLIENT CERTIFICATE(S) ARE RENEWED UNTIL SERVICE RESTARTS OCCUR CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Note: This issue was resolved for QRadar on Cloud administrators in 7.4.1 Fix Pack 2 QRoC Interim Fix 1, which is not available to on-premise users.

    Workaround
    If you are unable to upgrade, restart the Tomcat and Hostcontext services. Before you complete this procedure, alert your users that the user interface will be unavailable and that all users must log back in when Tomcat is restarted. The user interface remains unavailable until all required services are running as expected.
    1. Use SSH to log in to the Console as the root user.
    2. Type the following command:
      systemctl restart tomcat
    3. Wait until the service successfully restarts.
    4. Type the following command:
      systemctl restart hostcontext

    For more details on the effects of QRadar service restarts, see:
    • QRadar: Hostcontext service and the impact of a service restart
    • QRadar Core Services and the Impact when Restarted

    Issue
      QRadar Apps can fail to install after Tomcat client certificate(s) are renewed (for example, tomcat-client-conman or tomcat-client-traefik) until the tomcat and hostcontext services have been successfully restarted.

      Messages similar to the following might be visible in journalctl -u conman when this issue is occurring:
      {host}.com conman-server[23711]: 2020/06/28 21:23:32 http: TLS
      handshake error from 127.0.0.1:47032: tls: failed to verify
      client's certificate: x509: certificate has expired or is not
      yet valid
      {host}.com conman-server[23711]: 2020/06/28 21:23:36 http: TLS
      handshake error from 127.0.0.1:47602: tls: failed to verify
      client's certificate: x509: certificate has expired or is not
      yet valid
    24 March 2021
    UPGRADE IJ30763 QRADAR APPLICATION FRAMEWORK CAN FAIL AFTER PATCHING DUE TO INCORRECT HANDLING OF CASE SENSITIVITY OF HOSTNAMES CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    Contact QRadar Support for a possible workaround that might address this issue in some instances. More information is available for administrators in this technical note: Upgrades can fail for hosts that contain case sensitivity of hostnames (APAR IJ30763).

    Issue
    After performing the QRadar patching process, the QRadar Application Framework can fail due to incorrect handling of the case sensitivity of hostnames.

    When this occurs, QRadar apps fail to load.
    09 February 2021
    SEARCH IJ26117 PERFORMING A FREE TEXT SEARCH IN THE LAST FEW SECONDS OF AN HOUR CAN RETURN PARTIAL RESULTS AND CAUSE INDEX CORRUPTION CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround
    Where possible, do not perform a free text Quick Filter search in the last 5-10 seconds of the hour.

    Issue
    Due to a timing issue (race condition), performing a free text Quick Filter search in the last 5-10 seconds of an hour can sometimes return only partial results and corrupt indexes. A message generated in the QRadar User Interface can be similar to:
    "Partial results may be returned due to incomplete payload indexes for the specified time range".

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    /events/records/aux/1/2020/5/4/13/lucene
    lockFactory=org.apache.lucene.store.NativeFSLockFactory@87bbef33: 
    org.apache.lucene.store.LockObtainFailedException: Lock held
    by this virtual machine:
    /store/ariel/events/records/aux/1/2020/5/4/13/lucene/write.lock
    [ariel.ariel_query_server] [odi_31]    at
    org.apache.lucene.store.SleepingLockWrapper.obtainLock(SleepingL
    ockWrapper.java:102)
    [ariel.ariel_query_server] [odi_31]    at
    org.apache.lucene.index.IndexWriter.<init>(IndexWriter.java:800)
    [ariel.ariel_query_server] [odi_31]    at
    com.q1labs.ariel.liquery.FTSIndexWriter.<init>(FTSIndexWriter.java:34)
    [ariel.ariel_query_server] [odi_31]    at
    com.q1labs.ariel.liquery.FTSIndexWriter_MT.<init>(FTSIndexWriter_MT.java:106)
    [ariel.ariel_query_server] [odi_31]    at
    com.q1labs.ariel.liquery.LuManager.createIndexWriter(LuManager.java:308)
    [ariel.ariel_query_server] [odi_31]    at
    com.q1labs.ariel.liquery.LuIndexer.getODIWriter(LuIndexer.java:412)
    [ariel.ariel_query_server] [odi_31]    at
    com.q1labs.ariel.liquery.LuIndexer.indexDirectory(LuIndexer.java:466)
    [ariel.ariel_query_server] [odi_31]    at
    com.q1labs.ariel.liquery.LuIndexer.indexDirectory(LuIndexer.java:429)
    [ariel.ariel_query_server] [odi_31]    at
    com.q1labs.ariel.liquery.ReaderCache$IndexReaderInfo.reIndexDire
    ctory(ReaderCache.java:156)
    [ariel.ariel_query_server] [odi_31]    at
    com.q1labs.ariel.liquery.ReaderCache$IndexReaderInfo.openDirecto
    ryReader(ReaderCache.java:139)
    [ariel.ariel_query_server] [odi_31]    at
    com.q1labs.ariel.liquery.ReaderCache$IndexReaderInfo.call(ReaderCache.java:187)
    [ariel.ariel_query_server] [odi_31]    at
    com.q1labs.ariel.liquery.ReaderCache$IndexReaderInfo.call(ReaderCache.java:59)
    [ariel.ariel_query_server] [odi_31]    at
    java.util.concurrent.FutureTask.run(FutureTask.java:277)
    [ariel.ariel_query_server] [odi_31]    at
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExec
    utor.java:1160)
    [ariel.ariel_query_server] [odi_31]    at
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    [ariel.ariel_query_server] [odi_31]    at
    java.lang.Thread.run(Thread.java:818)
    [ariel.ariel_query_server] [odi_31] Caused by:
    [ariel.ariel_query_server] [odi_31]
    org.apache.lucene.store.LockObtainFailedException: Lock held by
    this virtual machine:
    /store/ariel/events/records/aux/1/2020/5/4/13/lucene/write.lock
    [ariel.ariel_query_server] [odi_31]    at
    org.apache.lucene.store.NativeFSLockFactory.obtainFSLock(NativeF
    SLockFactory.java:127)
    [ariel.ariel_query_server] [odi_31]    at
    org.apache.lucene.store.FSLockFactory.obtainLock(FSLockFactory.java:41)
    [ariel.ariel_query_server] [odi_31]    at
    org.apache.lucene.store.BaseDirectory.obtainLock(BaseDirectory.java:45)
    [ariel.ariel_query_server] [odi_31]    at
    org.apache.lucene.store.SleepingLockWrapper.obtainLock(SleepingLockWrapper.java:84)
    [ariel.ariel_query_server] [odi_31]    ... 15 more
    12 April 2021
    DASHBOARD IJ24804 'AVAILABLE DASHBOARDS' AND 'SELECTED DASHBOARDS' TABLES CAN SOMETIMES BE BLANK WHEN ATTEMPTING TO SHARE DASHBOARDS CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround
    No workaround available.

    Issue
    QRadar users are sometimes unable to share dashboards with other users. When navigating to Admin > User Roles, the two tables "Available Dashboards" and "Selected Dashboards" can be blank.
    12 April 2021
    AMAZON AWS PROTOCOL IJ28708 ALL QRADAR EVENT COLLECTION CAN UNEXPECTEDLY STOP WHEN USING A LOG SOURCE WITH THE AMAZON AWS S3 REST API PROTOCOL CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround
    If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue.

    Issue
    QRadar administrators can sometimes observe that no events are being received or processed by QRadar when a log source configured with the Amazon AWS S3 REST API protocol is in use.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ec-ingress.ecs-ec-ingress] [ECS Runtime Thread]
    java.lang.RuntimeException: Error attempting to load
    host.q1labs.lab:ecs-ec-ingress/EC_Ingress/Q1Labs_AmazonAWSREST
    Error : java.lang.NoClassDefFoundError:
    com.amazonaws.auth.AWSCredentialsProvider
    [ecs-ec-ingress.ecs-ec-ingress] [ECS Runtime Thread] Since
    there isn't a configuration error handler defined, the original
    error is wrapped in a new RuntimeException
    [ecs-ec-ingress.ecs-ec-ingress] [ECS Runtime Thread] at
    com.eventgnosis.system.SystemObject.installChildByName(SystemObj
    ect.java:317)
    [ecs-ec-ingress.ecs-ec-ingress] [ECS Runtime Thread] at
    com.eventgnosis.sources.EventSourceListenerManager.doWork(EventS
    ourceListenerManager.java:88)
    [ecs-ec-ingress.ecs-ec-ingress] [ECS Runtime Thread] at
    com.eventgnosis.system.SystemObject$DoWork.doIt(SystemObject.java:876)
    [ecs-ec-ingress.ecs-ec-ingress] [ECS Runtime Thread] at
    com.eventgnosis.system.SystemObject.doForAllMembers(SystemObject
    .java:854)
    12 April 2021
    HIGH AVAILABILITY (HA) IJ26435 HIGH AVAILABILITY APPLIANCE JOIN CAN FAIL WHEN THE /STORE PARTITION ON THE SECONDARY APPLIANCE IS BUSY CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround
    If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue.

    Issue
    When attempting to create a High Availability (HA) pair, the process can fail when the /store partition on the Secondary appliance is unexpectedly in a busy state and unable to be accessed.

    A message similar to the following might be visible in the logs when this issue occurs:

    In qradar_hasetup.log:
    [HA Setup (S-M----)] [ERROR] Failed to start repartitioning on the slave host

    In the ha_part_setup.log file:
    mkfs.xfs: cannot open /dev/mapper/storerhel-store: Device or resource busy
    12 April 2021
    BACKUP AND RESTORE IJ30677 DISCREPANCIES IN ARCHIVE DB TABLES CAN CAUSE ISSUES WITH BACKUP AND RESTORE FUNCTION ON FRESH INSTALL VS PATCHED APPLIANCE CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)

    Workaround
    If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue.

    Issue
    Discrepancies in archive database tables can cause issues in the backup and restore function on fresh install versus patched QRadar appliances.

    Messages similar to the following might be visible in qradar logging when this issue occurs:
    ErrorStream pg_restore: pg_restore: [archiver (db)] could not
    execute query: ERROR: column "column name x" of relation
    "column name y" does not exist
    12 April 2021
    PROTOCOLS IJ28166 LOG SOURCES CONFIGURED TO USE THE WINDOWS EVENT LOG RPC PROTOCOL CAN GO INTO ERROR STATE DISPLAYING 'INTERNAL ERROR' OPEN Workaround
    No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number. If you have questions about this issue, ask in our Support Forums.

    Issue
    Some log sources that are configured to use the Windows Event Log RPC Protocol can go into "Error" state with an "Internal Error".

    These instances have been identified as occurring when the protocol requires the jNQ jar file.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
    host [127.0.0.1]] java.lang.ArrayIndexOutOfBoundsException
    [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
    host [127.0.0.1]]   at
    jcifs.util.Encdec.dec_uint32le(Encdec.java:90)
    [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
    host [127.0.0.1]]    at
    ndr.NdrBuffer.dec_ndr_long(NdrBuffer.java:135)
    [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
    host [127.0.0.1]]    at
    ndr.NetworkDataRepresentation.readUnsignedLong(NetworkDataRepres
    entation.java:64)
    [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
    host [127.0.0.1]]    at
    com.q1labs.semsources.sources.windowseventrpc.ndr.util.NetworkDa
    taRepresentationAdapter.readUnsignedLong(NetworkDataRepresentati
    onAdapter.java:34)
    [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
    host [127.0.0.1]] java.lang.NullPointerException
    [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
    host [127.0.0.1]]    at
    com.visuality.nq.client.rpc.Dcerpc.close(Dcerpc.java:901)
    [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
    host [127.0.0.1]]    at
    com.q1labs.semsources.sources.windowseventrpc.eventsource.common
    .EventLogWinRegistry.disconnectRemoteRegistry(EventLogWinRegistr
    y.java:245)
    23 September 2020
    PROTOCOL IJ31104 LOG SOURCES CAN FAIL (IBMSIMJDBC, ORACLE, MCAFEE EPO) AFTER INSTALLATION OF PROTOCOL-JDBC-20201123202423.NOARCH.RPM OPEN Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    Some Log Sources (IBMSIMJDBC, Oracle, McAfee EPO) can stop working as expected due to an SQLException that occurs after the Autoupdate installation of the following protocol RPM: PROTOCOL-JDBC-7.4-20201123202423.noarch.rpm

    If these types of Log Sources have stopped working, verify if the Protocol version named above is installed: https://www.ibm.com/support/pages/qradar-using-yum-manually-install-reinstall-or-search-rpm-packages.
    06 March 2021
    WINCOLLECT IJ30911 MICROSOFT EXCHANGE LOG SOURCES CONFIGURED TO USE WINCOLLECT MICROSOFT EXCHANGE PROTOCOL MISS MSGTRKMD(DATE)-*.LOG FILES OPEN Workaround
    No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

    Issue
    Microsoft Exchange Log Sources that are configured using the WinCollect Microsoft Exchange protocol fail to read MSGTRKMD(date)-*.log files (containing DELIVER logs), resulting in those logs not being processed by QRadar. This affects WinCollect v7.3.0 P1.
    10 March 2021
    UPGRADE IJ31253 PATCHING A DETACHED QRADAR APP HOST CAN HANG AT 'APPLYING PRESQL SCRIPT' COMMAND DUE TO IMQ CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround
    Administrators who experience an issue where the App Host appliance appears to be hung on 'Running presqlscripts' can locate the IMQ PID and force it to exit to complete the App Host appliance upgrade. A support technical note is also available for this issue.

    If you believe you are encountering this issue and would like assistance completing the workaround, contact support.
    1. From an SSH session run the following to find any IMQ PID still running:
      systemctl status imq | grep -i PID
    2. Use GDB to stop IMQ processes still running:
      gdb --batch --eval-command 'call exit(0)' --pid {IMQPID}
    3. The App Host appliance upgrade should now proceed.

    Issue
    Applying a patch on a detached QRadar App Host can sometimes hang at applying presql scripts. When the App Host is stuck upgrading, 'Applying presql script' is displayed in the command line without progressing and the upgrade cannot continue.

    Administrators can confirm whether the App Host upgrade is hung on 'Applying presql script' by checking the command line for output similar to the following:
    [INFO] (-i-patchmode) Runing presql scripts
    Applying presql script (57/57)
    12 April 2021
    REPORTS IJ31245 REPORTS BASED ON AQL CAN RETURN INCORRECT RESULTS COMPARED TO RUNNING THE REPORT ON RAW DATA OPEN Workaround
    Run a daily report on raw data to provide the correct results.

    Issue
    Reports generate correctly when run on raw data (the values returned match a search in Log Activity), but when the report uses AQL and is run scheduled or manually (daily), the values do not represent a full 24 hours.

    For Example:
    1. Have a simple AQL, such as:
      SELECT UNIQUECOUNT("userName") as 'Unique Usernames Count'
      from events
      GROUP BY 'userName'
      LAST 1 DAYS
    2. Create a daily report by checking all days.

      Results
      Differences are observed in the scheduled report and the raw data or log activity results.
    18 March 2021
    PROTOCOLS IJ30702 UNKNOWN EVENT TYPE FOR LOG SOURCES USING SALESFORCE PROTOCOL CAN CAUSE 'UNABLE TO RETRIEVE SOME EVENT LOG FILE EVENTS' OPEN Workaround
    No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

    Issue
    QRadar can experience a Null Pointer Exception when some unknown events are processed by Log Sources using the Salesforce protocol.

    A message similar to the following can be observed in the User Interface when this issue occurs:
    "Unable to retrieve some event log file events."

    Also, messages similar to the following might be visible in /var/log/qradar.log:
    [ecs-ec-ingress.ecs-ec-ingress] [Salesforce REST API Provider
    Protocol Provider Thread: class
    com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAP
    IProvider5405]
    com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAP
    IProvider: [WARN] [NOT:0000004000][ipaddress/- -] [-/- -]Null
    Pointer Exception while procesing Event Log File API result
    [ecs-ec-ingress.ecs-ec-ingress] [Salesforce REST API Provider
    Protocol Provider Thread: class
    com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAP
    IProvider5405] java.lang.NullPointerException
    [ecs-ec-ingress.ecs-ec-ingress] [Salesforce REST API Provider
    Protocol Provider Thread: class
    com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAP
    IProvider5405] at java.lang.String.compareTo(String.java:1405)
    [ecs-ec-ingress.ecs-ec-ingress] [Salesforce REST API Provider
    Protocol Provider Thread: class
    com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAP
    IProvider5405] at
    com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAP
    IProvider.processEventLogFileAPIResults(SalesforceRESTAPIProvide
    r.java:464)
    26 February 2021
    APPLICATION FRAMEWORK IJ28791 DSM EXPORT FUNCTION FAILS WHEN AUTHOR FIELD IS LEFT BLANK CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 (7.4.2.20201113144954)
    Note: This issue was also resolved in an interim fix for QRadar on Cloud appliances.

    Workaround
    Use the qappmanager utility to transition the affected app back into RUNNING state.

    Issue
    QRadar Apps can sometimes go into ERROR state after a tomcat service restart. This can occur when the App Framework API is called before the REST API is running successfully.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [pool-1-thread-2] com.q1labs.uiframeworks.application.api.service.status.tasks.StartAppAsyncTask: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -] An error occurred while attempting to update app status for app instance with id [qapp-1155] to [RUNNING]
    [tomcat.tomcat] [pool-1-thread-2] com.q1labs.restapi_annotations.content.exceptions.endpointExceptions.ServerProcessingException: An exception occurred while waiting for task to complete.
    [tomcat.tomcat] [pool-1-thread-2]    at com.q1labs.configservices.task.AbstractTaskPoller.getFinishedTaskState(AbstractTaskPoller.java:41)
    [tomcat.tomcat] [pool-1-thread-2]    at com.q1labs.configservices.task.AbstractTaskPoller.getFinishedTaskState(AbstractTaskPoller.java:22)
    [tomcat.tomcat] [pool-1-thread-2]    at com.q1labs.uiframeworks.application.api.service.status.tasks.StartAppAsyncTask.pollForCompletion(StartAppAsyncTask.java:202)
    [tomcat.tomcat] [pool-1-thread-2]    at com.q1labs.uiframeworks.application.api.service.status.tasks.StartAppAsyncTask.startAppInstance(StartAppAsyncTask.java:152)
    [tomcat.tomcat] [pool-1-thread-2]    at com.q1labs.uiframeworks.application.api.service.status.tasks.StartAppAsyncTask.runTask(StartAppAsyncTask.java:109)
    [tomcat.tomcat] [pool-1-thread-2]    at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108)
    [tomcat.tomcat] [pool-1-thread-2]    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522)
    [tomcat.tomcat] [pool-1-thread-2]    at java.util.concurrent.FutureTask.run(FutureTask.java:277)
    [tomcat.tomcat] [pool-1-thread-2]    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
    [tomcat.tomcat] [pool-1-thread-2]    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    [tomcat.tomcat] [pool-1-thread-2]    at java.lang.Thread.run(Thread.java:818)
    [tomcat.tomcat] [pool-1-thread-2] Caused by:
    [tomcat.tomcat] [pool-1-thread-2] java.util.concurrent.ExecutionException: com.q1labs.configservices.task.TaskTimeoutException: Task did not complete within timeout of [300] seconds
    [tomcat.tomcat] [pool-1-thread-2]    at java.util.concurrent.FutureTask.report(FutureTask.java:133)
    [tomcat.tomcat] [pool-1-thread-2]    at java.util.concurrent.FutureTask.get(FutureTask.java:203)
    [tomcat.tomcat] [pool-1-thread-2]    at com.q1labs.configservices.task.SimpleTaskPoller.getTaskResponse(SimpleTaskPoller.java:45)
    [tomcat.tomcat] [pool-1-thread-2]    at com.q1labs.configservices.task.AbstractTaskPoller.getFinishedTaskState(AbstractTaskPoller.java:37)
    [tomcat.tomcat] [pool-1-thread-2]    ... 10 more
    [tomcat.tomcat] [pool-1-thread-2] Caused by:
    [tomcat.tomcat] [pool-1-thread-2] com.q1labs.configservices.task.TaskTimeoutException: Task did not complete within timeout of [300] seconds
    [tomcat.tomcat] [pool-1-thread-2]    at com.q1labs.configservices.task.TaskResponsePollerThread.call(TaskResponsePollerThread.java:92)
    [tomcat.tomcat] [pool-1-thread-2]    at com.q1labs.configservices.task.TaskResponsePollerThread.call(TaskResponsePollerThread.java:16)
    [tomcat.tomcat] [pool-1-thread-2]    ... 4 more
    24 May 2021
    QRADAR VULNERABILITY MANAGER IJ28786 RESULTS DISPLAYED ON 'SCAN RESULTS' SCREEN DO NOT ACCOUNT FOR 'PURGE SCAN RESULTS AFTER PERIOD (IN EXECUTION CYCLES)' SETTING CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)

    Workaround
    No workaround available. APARs identified with no workaround require administrators to upgrade their software version to resolve this issue.

    Issue
    The results displayed on the Scan Results screen do not take into account the value of "Purge Scan Results After Period (In Execution Cycles)".

    Results of scans that were run before the period set in "Purge Scan Results After Period (In Days)" are not displayed.
    29 January 2021
    LOG ACTIVITY / SEARCH IJ29703 REAL TIME EVENT STREAMING CAN SOMETIMES FAIL TO DISPLAY WHILE EVENTS ARE STILL BEING RECEIVED BY QRADAR CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)

    Workaround
    If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

    Issue
    In some instances, real time streaming can fail to display while events are still being received by QRadar. This can occur when custom properties exceed the default spillover cache size configured by CustomPropertyCache.spillover.threshold and the cache begins spilling to disk.

    Events can still be viewed in QRadar while this is occurring, but other behavior indicates that the issue is present:
    • Missing properties from the drop down menus.
    • Missing reference data sets.
    • Broken accumulation.
    • Searches fail to work.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [localhost-startStop-1] com.q1labs.cve.accumulation.definition.GlobalViewConfiguration: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error reading custom properities.
    [tomcat.tomcat] [localhost-startStop-1] com.q1labs.frameworks.cache.SpilloverCacheException: Error reading object from buffer
    [tomcat.tomcat] [localhost-startStop-1]    at com.q1labs.frameworks.cache.GenericSerializer.objectFromByteBuffer(GenericSerializer.java:49)
    [tomcat.tomcat] [localhost-startStop-1]    at com.q1labs.frameworks.cache.GenericSerializer.get(GenericSerializer.java:83)
    [tomcat.tomcat] [localhost-startStop-1]    at com.q1labs.frameworks.cache.GenericSerializer.get(GenericSerializer.java:17)
    [tomcat.tomcat] [localhost-startStop-1]    at com.q1labs.frameworks.cache.chainentry.InsertionChainEntry.deserialize(InsertionChainEntry.java:69)
    [tomcat.tomcat] [localhost-startStop-1]    at com.q1labs.frameworks.cache.chainentry.ChainEntry.read(ChainEntry.java:60)
    [tomcat.tomcat] [localhost-startStop-1]    at com.q1labs.frameworks.cache.ChainAppendCache.readChainEntry(ChainAppendCache.java:1362)
    [tomcat.tomcat] [localhost-startStop-1]    at com.q1labs.frameworks.cache.ChainAppendCache.findOnDisk(ChainAppendCache.java:1213)
    [tomcat.tomcat] [localhost-startStop-1]    at com.q1labs.frameworks.cache.ChainAppendCache.needsDiskUpdate(ChainAppendCache.java:407)
    [tomcat.tomcat] [localhost-startStop-1]    at com.q1labs.frameworks.cache.ChainAppendCache.access$100(ChainAppendCache.java:55)
    [tomcat.tomcat] [localhost-startStop-1]    at com.q1labs.frameworks.cache.ChainAppendCache$ChainAppendCacheMemoryMap.removeEldestEntry(ChainAppendCache.java:298)
    [tomcat.tomcat] [localhost-startStop-1]    at java.util.LinkedHashMap.afterNodeInsertion(LinkedHashMap.java:310)
    [tomcat.tomcat] [localhost-startStop-1]    at java.util.HashMap.putVal(HashMap.java:675)
    [tomcat.tomcat] [localhost-startStop-1]    at java.util.HashMap.put(HashMap.java:623)
    [tomcat.tomcat] [localhost-startStop-1]    at com.q1labs.frameworks.cache.ChainAppendCache.put(ChainAppendCache.java:1128)
    [tomcat.tomcat] [localhost-startStop-1]    at com.q1labs.core.shared.ariel.CustomPropertyServices.constructAndCacheProperty(CustomPropertyServices.java:410)
    [tomcat.tomcat] [localhost-startStop-1]    at com.q1labs.core.shared.ariel.CustomPropertyServices.loadCustomProperty(CustomPropertyServices.java:539)
    [tomcat.tomcat] [localhost-startStop-1]    at com.q1labs.core.shared.ariel.CustomPropertyServices.getCustomPropertyNoCache(CustomPropertyServices.java:77)
    [tomcat.tomcat] [localhost-startStop-1]    at com.q1labs.cve.accumulation.definition.GlobalViewConfiguration.testCustomEventProperties(GlobalViewConfiguration.java:559)
    [tomcat.tomcat] [localhost-startStop-1]    at com.q1labs.cve.accumulation.definition.GlobalViewConfiguration.read(GlobalViewConfiguration.java:513)
    [tomcat.tomcat] [localhost-startStop-1]    at com.q1labs.cve.accumulation.definition.GlobalViewConfiguration.load(GlobalViewConfiguration.java:593)
    [tomcat.tomcat] [localhost-startStop-1]    at com.q1labs.cve.accumulation.definition.GlobalViewConfiguration.load(GlobalViewConfiguration.java:210)
    [tomcat.tomcat] [localhost-startStop-1]    at com.q1labs.cve.accumulation.definition.GlobalViewsManager.{init}(GlobalViewsManager.java:102)
    [tomcat.tomcat] [localhost-startStop-1]    at com.q1labs.cve.accumulation.definition.GlobalViewsManager.getInstance(GlobalViewsManager.java:141)
    [tomcat.tomcat] [localhost-startStop-1]    at com.q1labs.reporting.ReportServices.loadTemplates(ReportServices.java:683)
    [tomcat.tomcat] [localhost-startStop-1]    at com.q1labs.reporting.ReportServices.onInit(ReportServices.java:279)
    [tomcat.tomcat] [localhost-startStop-1]    at com.q1labs.frameworks.naming.FrameworksNaming.initializeNewComponent(FrameworksNaming.java:916)
    [tomcat.tomcat] [localhost-startStop-1]    at com.q1labs.frameworks.naming.FrameworksNaming.getApplicationScopedComponent(FrameworksNaming.java:897)
    [tomcat.tomcat] [localhost-startStop-1]    at com.q1labs.frameworks.core.FrameworksContext.getSingletonInstance(FrameworksContext.java:1369)
    [tomcat.tomcat] [localhost-startStop-1]    at com.q1labs.reports.ui.ReportsApplication.{init}(ReportsApplication.java:47)
    [tomcat.tomcat] [localhost-startStop-1]    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(NativeMethod)
    [tomcat.tomcat] [localhost-startStop-1]    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:83)
    [tomcat.tomcat] [localhost-startStop-1]    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:57)
    [tomcat.tomcat] [localhost-startStop-1]    at java.lang.reflect.Constructor.newInstance(Constructor.java:437)
    [tomcat.tomcat] [localhost-startStop-1]    at com.q1labs.uiframeworks.listener.FrameworksLifeCycle.contextInitialized(FrameworksLifeCycle.java:364)
    [tomcat.tomcat] [localhost-startStop-1]    at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4689)
    [tomcat.tomcat] [localhost-startStop-1]    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5155)
    [tomcat.tomcat] [localhost-startStop-1]    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    [tomcat.tomcat] [localhost-startStop-1]    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:743)
    [tomcat.tomcat] [localhost-startStop-1]    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:719)
    [tomcat.tomcat] [localhost-startStop-1]    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:705)
    [tomcat.tomcat] [localhost-startStop-1]    at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1125)
    [tomcat.tomcat] [localhost-startStop-1]    at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1858)
    [tomcat.tomcat] [localhost-startStop-1]    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522)
    [tomcat.tomcat] [localhost-startStop-1]    at java.util.concurrent.FutureTask.run(FutureTask.java:277)
    [tomcat.tomcat] [localhost-startStop-1]    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
    [tomcat.tomcat] [localhost-startStop-1]    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    [tomcat.tomcat] [localhost-startStop-1]    at java.lang.Thread.run(Thread.java:822)
    [tomcat.tomcat] [localhost-startStop-1] Caused by:
    [tomcat.tomcat] [localhost-startStop-1] java.io.IOException: Not enough buffer to read object from.
    [tomcat.tomcat] [localhost-startStop-1]    at com.q1labs.frameworks.cache.GenericSerializer.objectFromByteBuffer(GenericSerializer.java:37)
    [tomcat.tomcat] [localhost-startStop-1]    ... 46 more
    29 January 2021
    UPGRADE IJ29511 QRADAR PATCHING PROCESS FAILS WHEN A DUPLICATE IP '0.0.0.0' EXISTS IN THE ATTACKER DATABASE TABLE CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)

    Workaround
    If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

    Issue
    Patching to QRadar 7.4.x fails when a duplicate IP "0.0.0.0" exists in the attacker database table, because the duplicate attacker address prevents the patch process from creating the required index.
    29 January 2021
    FORWARDED EVENTS IJ29516 ONLINE FORWARDER CAN STOP SENDING EVENTS DUE TO A NULLPOINTEREXCEPTION WHEN SENDING TOO MANY EVENTS CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround
    • Use the offline forwarder option instead of online, as the offline forwarder does not experience this issue.
      OR
    • Decrease the "default inactivity timeout" from the default 3000 milliseconds to 2000 milliseconds (as in the example below) or 1000 milliseconds.

      This can be done by modifying /opt/qradar/conf/frameworks.properties on the QRadar Console to add or update the following property:
      selectiveforwarding.communicator.inactivity=2000

    Issue
    When the Online Forwarder in QRadar is configured with the UDP protocol, a NullPointerException can occur when too many events are being sent, causing forwarding to stop. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ec.ecs-ec] [SFCT_67] java.lang.NullPointerException
    [ecs-ec.ecs-ec] [SFCT_67] at com.q1labs.sem.forwarding.network.ForwardingUDPConnector.send(ForwardingUDPConnector.java:93)
    [ecs-ec.ecs-ec] [SFCT_67] at com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicatorThread.process(SelectiveForwardingCommunicatorThread.java:289)
    [ecs-ec.ecs-ec] [SFCT_67] at com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicatorThread.run(SelectiveForwardingCommunicatorThread.java:169)
    29 January 2021
    QFLOW IJ29315 QFLOW SERVICE CAN STOP PROCESSING FLOWS AND SWAP MEMORY USAGE CONTINUALLY GROWS UNTIL THE SERVICE IS RESTARTED CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround
    A technical note with a support utility is available for this issue to assist administrators. For more information about the SwapMonitor utility for APAR IJ29315, see: https://www.ibm.com/support/pages/node/6370705.

    Issue
    The QRadar qflow process can stop receiving and processing flows from some flow sources causing the received packet count to drop and the qflow swap memory to start growing continually until the qflow service is restarted.

    Memory fixes were implemented to address this behavior in QRadar QRM QVM release 7.4.1 Fix Pack 1, but the behavior can still occur until an upgrade to QRadar 7.4.2 Fix Pack 2 is completed.
    29 January 2021
    SERVICES IJ28752 THE QRADAR PIPELINE CAN STOP RECEIVING ALL EVENTS DUE TO A STRINGINDEXOUTOFBOUNDSEXCEPTION OCCURRING CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround
    Perform a restart of the ecs-ingress service.
    1. On the navigation menu, click the Admin tab.
    2. On the Advanced menu, click Restart Event Collection Services. Event collection is briefly interrupted on all appliances while the service restarts.

    Issue
    In some instances, the QRadar pipeline can stop receiving all events when a StringIndexOutOfBoundsException occurs. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] java.lang.StringIndexOutOfBoundsException: String index out of range: 43
    [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at java.lang.String.substring(String.java:2682)
    [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at com.q1labs.sem.types.SyslogSourcePayload.parseLine(SyslogSourcePayload.java:196)
    [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at com.q1labs.sem.types.SyslogSourcePayload.getSourceName(SyslogSourcePayload.java:159)
    [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at com.q1labs.sem.types.SourcePayloadBase.put(SourcePayloadBase.java:331)
    [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at com.q1labs.sem.types.SyslogSourcePayload.put(SyslogSourcePayload.java:412)
    29 January 2021
    RULES / AQL IJ28798 'THERE WAS A PROBLEM PARSING THE AQL QUERY. INVALID ESCAPE SEQUENCES DETECTED' WHEN " \ " IS USED IN AQL RULE FILTER CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)

    Workaround
    Use an underscore character instead of a backslash character; in an ILIKE pattern the underscore matches any single character, so it stands in for the backslash. For the example in the Issue section below, use: "Process Commandline" ILIKE '%C:_Program Files%'

    Issue
    When editing or creating a rule that references a file path or filename that contains a backslash character " \ " in the AQL rule filter, a parsing error similar to the following can be displayed:
    There was a problem parsing the AQL query. Invalid escape sequences detected.

    For example:
    • Edit or create a rule.
    • In the condition for the AQL Filter, click "this" to add an AQL query.
    • In the text field, type "Process Commandline" ILIKE '%C:\Program Files%'.
    • Attempt to save the rule change.

      Result
      The query fails to save and displays the error: There was a problem parsing the AQL query. Invalid escape sequences detected.
    29 January 2021
    RULE RESPONSE IJ25315 EMAILS FROM RULE RESPONSES CAN FAIL AND NOT BE SENT PROPERLY CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround
    As a temporary workaround, you can change the smtp_host_lookup value from "dns" to "dns,native" in the /etc/postfix/main.cf file by running the following command on the host(s) where the email server is configured:
    sed -i "s/smtp_host_lookup = dns/smtp_host_lookup = dns,native/g" /etc/postfix/main.cf
    You also need to change the script /opt/ibm/si/si-postfix/bin/configure-postfix.sh to prevent the postfix service from resetting the configuration, by running this command:
    sed -i "s/'tls|sasl|smtp' |/'tls|sasl|smtp' | grep -v smtp_host_lookup |/g" /opt/ibm/si/si-postfix/bin/configure-postfix.sh


    Issue
    Because of the SMTP changes in QRadar 7.4.0, where the relay host is changed to localhost, the SMTP host lookup configuration is overwritten and emails are not sent properly. This can prevent emails from features such as rule responses from being sent.

    To identify the issue, use grep to check whether the error is present in the mail log:
    grep -A1 "relayhost configuration problem" /var/log/maillog

    The following errors can be seen in the /var/log/maillog file when this issue occurs:
    May 29 10:17:37 postfix/smtp[1446]: warning: relayhost configuration problem
    May 29 10:17:37 postfix/smtp[1448]: 31145B59: to=, relay=none, delay=435, delays=395/0.03/40/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=localhost type=AAAA: Host not found)
    29 January 2021
    SERVICES IJ22145 NEWLY CREATED QRADAR OUT OF MEMORY JAVA HEAP DUMPS DO NOT OVERWRITE PREVIOUSLY EXISTING ONES IN /STORE/JHEAP CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    No workaround available. APARs identified with no workaround require administrators to upgrade their software version to resolve this issue.

    Issue
    Newly created QRadar "out of memory" Java heap dumps do not overwrite older, existing heap dumps in /store/jheap. This causes unneeded files to accumulate and consume space in /store/jheap on QRadar appliances.
    29 January 2021
    APPLICATIONS / USER INTERFACE IJ28638 SOME QRADAR APPS CAN DISPLAY AS A PAGE WITH RANDOM TEXT WHEN A HOSTNAME BEGINS WITH 'CONSOLE' CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

    Workaround
    No workaround available.

    APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums.

    Issue
    Attempting to load some QRadar Apps within the User Interface can instead display a page of random text. This has been identified as being caused by an error within the QRadar app framework when a hostname in the deployment begins with 'console'.

    Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
    [tomcat.tomcat] (474) /console/plugins/1301/app_proxy/] com.q1labs.uiframeworks.application.servlet.ContainerServlet: [ERROR] Unable to generate xConsoleHostHeader
    [tomcat.tomcat] (474) /console/plugins/1301/app_proxy/] java.lang.StringIndexOutOfBoundsException: String index out of range: 8
    [tomcat.tomcat] (474) /console/plugins/1301/app_proxy/]    at java.lang.String.substring(String.java:2682)
    [tomcat.tomcat] (474) /console/plugins/1301/app_proxy/]    at com.q1labs.uiframeworks.application.servlet.ContainerServlet.createConnection(ContainerServlet.java:382)
    [tomcat.tomcat] (474) /console/plugins/1301/app_proxy/]    at com.q1labs.uiframeworks.application.servlet.ContainerServlet.service(ContainerServlet.java:129)
    29 January 2021
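    As an added example (not IBM code), the script below checks /var/log/qradar.log and /var/log/maillog lines against the log excerpts quoted in the IJ30702, IJ28791, IJ29703, IJ29516, IJ28752, IJ28638 and IJ25315 entries above and reports which APAR each line points to, so an administrator can jump to the right row of this table. The regular expressions are this script's choice of distinguishing fragments from those excerpts, not IBM-published signatures, and the sample log lines are constructed from the excerpts (re-joined as a real log would show them), not captured logs.

```python
"""Map known QRadar log signatures to the APAR entries in this table.

Added example, not IBM code.  The signature fragments come from the log
excerpts quoted in the IJ30702, IJ28791, IJ29703, IJ29516, IJ28752, IJ28638
and IJ25315 entries; which fragment to key on is this script's choice, and the
sample log lines below are constructed from those excerpts.
"""
import re
import sys

# (APAR id, short description, distinguishing regexes).  For the two cases
# where the exception line itself is generic (NullPointerException,
# StringIndexOutOfBoundsException) the key is the first QRadar stack frame
# that follows it in the excerpt, so a frame hit is a strong hint only and
# should be confirmed against the full excerpt and the "Resolved in" versions.
SIGNATURES = [
    ("IJ30702", "Salesforce protocol NPE on unknown event type",
     [re.compile(r"SalesforceRESTAPIProvider.*Null ?Pointer ?Exception")]),
    ("IJ28791", "App left in ERROR state after tomcat restart",
     [re.compile(r"error occurred while attempting to update app status.*\[RUNNING\]")]),
    ("IJ29703", "Custom property spillover cache read failure",
     [re.compile(r"SpilloverCacheException: Error reading object from buffer"),
      re.compile(r"Not enough buffer to read object from")]),
    ("IJ29516", "Online forwarder (UDP) NullPointerException",
     [re.compile(r"at com\.q1labs\.sem\.forwarding\.network\.ForwardingUDPConnector\.send\(")]),
    ("IJ28752", "Pipeline stops: StringIndexOutOfBounds in syslog parsing",
     [re.compile(r"at com\.q1labs\.sem\.types\.SyslogSourcePayload\.parseLine\(")]),
    ("IJ28638", "App page shows random text (hostname begins with 'console')",
     [re.compile(r"Unable to generate xConsoleHostHeader")]),
    ("IJ25315", "Rule response emails deferred (postfix relayhost lookup)",
     [re.compile(r"relayhost configuration problem"),
      re.compile(r"Name service error for name=localhost")]),
]


def triage(lines):
    """Return {apar_id: [1-based line numbers]} for every signature that matches.

    A line may match more than one APAR; each match is recorded separately."""
    hits = {}
    for lineno, line in enumerate(lines, start=1):
        for apar, _desc, patterns in SIGNATURES:
            if any(p.search(line) for p in patterns):
                hits.setdefault(apar, []).append(lineno)
    return hits


def report(lines):
    """Render triage() as text: one line per matched APAR, in table order."""
    hits = triage(lines)
    out = []
    for apar, desc, _patterns in SIGNATURES:
        if apar in hits:
            nums = hits[apar]
            out.append("%s  %-60s hits=%d first at line %d"
                       % (apar, desc, len(nums), nums[0]))
    return "\n".join(out) if out else "no known APAR signatures found"


# Constructed sample: one excerpt per entry, plus a filler line that matches
# nothing.  The recipient in the maillog line is a placeholder.
SAMPLE_QRADAR_LOG = """\
[ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] java.lang.StringIndexOutOfBoundsException: String index out of range: 43
[ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at java.lang.String.substring(String.java:2682)
[ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at com.q1labs.sem.types.SyslogSourcePayload.parseLine(SyslogSourcePayload.java:196)
[tomcat.tomcat] [localhost-startStop-1] com.q1labs.frameworks.cache.SpilloverCacheException: Error reading object from buffer
[tomcat.tomcat] [pool-1-thread-2] com.q1labs.uiframeworks.application.api.service.status.tasks.StartAppAsyncTask: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -] An error occurred while attempting to update app status for app instance with id [qapp-1155] to [RUNNING]
[ecs-ec.ecs-ec] [SFCT_67] java.lang.NullPointerException
[ecs-ec.ecs-ec] [SFCT_67] at com.q1labs.sem.forwarding.network.ForwardingUDPConnector.send(ForwardingUDPConnector.java:93)
[tomcat.tomcat] (474) /console/plugins/1301/app_proxy/] com.q1labs.uiframeworks.application.servlet.ContainerServlet: [ERROR] Unable to generate xConsoleHostHeader
[ecs-ec-ingress.ecs-ec-ingress] [Salesforce REST API Provider Protocol Provider Thread: class com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAPIProvider5405] com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAPIProvider: [WARN] [NOT:0000004000][ipaddress/- -] [-/- -]Null Pointer Exception while procesing Event Log File API result
[ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] INFO: constructed filler line that matches nothing
"""

SAMPLE_MAILLOG = """\
May 29 10:17:37 postfix/smtp[1446]: warning: relayhost configuration problem
May 29 10:17:37 postfix/smtp[1448]: 31145B59: to=<admin@example.com>, relay=none, delay=435, delays=395/0.03/40/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=localhost type=AAAA: Host not found)
"""


if __name__ == "__main__":
    # Usage: python apar_triage.py [/var/log/qradar.log /var/log/maillog ...]
    # With no arguments the constructed samples are scanned instead.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, errors="replace") as fh:
                print("== %s\n%s" % (path, report(fh.read().splitlines())))
    else:
        print("== sample qradar.log\n" + report(SAMPLE_QRADAR_LOG.splitlines()))
        print("== sample maillog\n" + report(SAMPLE_MAILLOG.splitlines()))
```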
    APPLICATIONS / HIGH AVAILABILITY IJ21232 QRADAR APPS CAN FAIL TO LOAD AFTER A HIGH AVAILABILITY (HA) FAILOVER DUE TO SHARED SERVICE (VAULT) NOT WORKING AS EXPECTED CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround
    No workaround available.

    Issue
    QRadar-defined users can have a different uid (user ID) and gid (group ID) for the same username on different systems, which causes the shared service (vault) in a High Availability (HA) pair to fail to start after an HA failover occurs.
    29 January 2021
    DOMAIN MANAGEMENT IJ28496 ATTACKER DATA FROM ANOTHER DOMAIN CAN BE VIEWED BY USERS NOT AUTHORIZED FOR THAT DOMAIN CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround
    If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    In multi-domain QRadar environments, users who are assigned rights to a specific domain can see attacker information from a domain they have not been assigned to.

    For example:
    When viewing the top source dashboard targets, attacker data from a different domain can be observed.
    29 January 2021
    QRADAR VULNERABILITY MANAGER IJ28480 VULNERABILITY DETAILS SCREEN DISPLAYS ASSETS ON WHICH THE VULNERABILITY HAS BEEN REMEDIATED CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround
    No workaround available.

    APARs identified with no workaround require administrators to upgrade their software version to resolve this issue.

    Issue
    When a vulnerability is selected to view the details, the Vulnerability Details screen displays assets on which the vulnerability has been remediated.
    For example:
    1. Run a scan against an asset and make a note of a vulnerability.
    2. Search for the vulnerability on the Research screen, then click on the vulnerability. The asset is displayed on the Vulnerability Details screen.
    3. Remediate the vulnerability on the asset.
    4. Run the scan again.
    5. Search for the vulnerability on the Research screen, then click on the vulnerability.

      Result
      The asset is still displayed on the Vulnerability Details screen.
    29 January 2021
    QRADAR VULNERABILITY MANAGER IJ28757 ASSET VULNERABILITY ASSIGNMENTS CAN FAIL TO WORK AS EXPECTED DUE TO AN INCORRECT JAR REFERENCE CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    The classpath in the script needs to reference an updated version of the icu4j jar file.
    1. Use SSH to log in to the QRadar Console as the root user.
    2. Navigate to /opt/qvm/assetupdates/
    3. Update the classpath setting in the following script: run-qvm-assetupdates.sh
    4. Update the line:
      APP_CP=${APP_CP}:${QRADAR_JARS}/icu4j-58.2.jar
      with
      APP_CP=${APP_CP}:${QRADAR_JARS}/icu4j-65.1.jar
    5. Save the changes.

    Issue
    Asset vulnerability assignment updates can fail to work as expected when an incorrect jar file is referenced within QRadar (icu4j-58.2.jar instead of icu4j-65.1.jar).

    The crontab entry on the QRadar Console that runs the script /opt/qvm/assetupdates/run-qvm-assetupdates.sh fails with "class not found error", but the error is only visible when the command is run on the command line. For example:
    # /opt/qvm/assetupdates/run-qvm-assetupdates.sh
    The following error is displayed:
    09:07:19,962 INFO  [FrameworksContext] [NOT:0000006000][127.0.0.1/- -] [-/- -]Initializing resource loggers: [Lcom.q1labs.frameworks.core.IFrameworksContext$ResourceLogger;@41bb258b
    09:07:19,968 INFO  [FrameworksContext] [NOT:0000006000][127.0.0.1/- -] [-/- -]Frameworks instance name:
    09:07:19,968 INFO  [FrameworksContext] [NOT:0000006000][127.0.0.1/- -] [-/- -]Initializing with URL: file:/opt/qradar/conf/
    09:07:19,968 INFO  [FrameworksContext] [NOT:0000006000][127.0.0.1/- -] [-/- -]Frameworks booting - logging, loader complete
    09:07:19,969 INFO  [FrameworksContext] [NOT:0000006000][127.0.0.1/- -] [-/- -]Loading frameworks.properties
    09:07:20,244 INFO  [NamedThreadFactory] [NOT:0000006000][127.0.0.1/- -] [-/- -]Thread factory created: Spillover Cache Vacuum
    09:07:20,256 INFO  [FrameworksContext] [NOT:0000006000][127.0.0.1/- -] [-/- -]Frameworks global cache manager was initialized using: /opt/qradar/conf/ehcache.xml
    09:07:20,256 INFO  [FrameworksContext] [NOT:0000006000][127.0.0.1/- -] [-/- -]Initializing jpa
    09:07:21,003 INFO  [FrameworksContext] [NOT:0000006000][127.0.0.1/- -] [-/- -]Initializing naming
    09:07:21,005 INFO  [FrameworksNaming] [NOT:0000006000][127.0.0.1/- -] [-/- -]Naming initializing, failFast disabled: false
    09:07:21,441 INFO  [FrameworksNaming] [NOT:0000006000][127.0.0.1/- -] [-/- -]com.q1labs.assetprofile.service.ui.UIByVulnerability.NAME MUST be public, static and not final for naming to help with setting of NAME
    09:07:21,446 INFO  [FrameworksNaming] [NOT:0000006000][127.0.0.1/- -] [-/- -]com.q1labs.assetprofile.service.ui.UIVulnerabilityService.NAME MUST be public, static and not final for naming to help with setting of NAME
    09:07:22,072 INFO  [FrameworksNaming] [NOT:0000006000][127.0.0.1/- -] [-/- -]com.q1labs.core.api.impl.health.HealthMetricAPIImpl.NAME MUST be public, static and not final for naming to help with setting of NAME
    09:07:22,099 INFO  [FrameworksNaming] [NOT:0000006000][127.0.0.1/- -] [-/- -]com.q1labs.core.dao.application.ApplicationUserRoleMapping.ApplicationUserRoleMapping.NAME MUST be public, static and not final for naming to help with setting of NAME
    09:07:22,100 INFO  [FrameworksNaming] [NOT:0000006000][127.0.0.1/- -] [-/- -]com.q1labs.core.dao.application.AugmentedSecurityProfile.NAME MUST be public, static and not final for naming to help with setting of NAME
    09:07:22,495 ERROR [ThreadExceptionHandler] [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception was uncaught in thread: main
    org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'qradarFrameworksContextService' defined in class path resource [appContext.xml]: Invocation of init method failed; nested exception is java.lang.NoClassDefFoundError: com.ibm.icu.text.DateFormat
            at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1745)
            at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:576)
            at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:498)
            at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:320)
            at org.springframework.beans.factory.support.AbstractBeanFactory$$Lambda$7.0000000014E93B30.getObject(Unknown Source)
            at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
            at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:318)
            at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:199)
            at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:846)
            at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:863)
            at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:546)
            at org.springframework.context.support.ClassPathXmlApplicationContext.{init}(ClassPathXmlApplicationContext.java:144)
            at org.springframework.context.support.ClassPathXmlApplicationContext.{init}(ClassPathXmlApplicationContext.java:85)
            at com.q1labs.qvm.assetupdates.Bootstrapper.initialize(Bootstrapper.java:42)
            at com.q1labs.qvm.assetupdates.Bootstrapper.main(Bootstrapper.java:106)
    Caused by:
    java.lang.NoClassDefFoundError: com.ibm.icu.text.DateFormat
            at java.lang.J9VMInternals.prepareClassImpl(Native
    Method)
            at
    java.lang.J9VMInternals.prepare(J9VMInternals.java:304)
            at java.lang.Class.getField(Class.java:1079)
            at
    com.q1labs.frameworks.naming.FrameworksNaming.checkNameConstant(
    FrameworksNaming.java:399)
            at
    com.q1labs.frameworks.naming.FrameworksNaming.loadClasses(Framew
    orksNaming.java:323)
            at
    com.q1labs.frameworks.naming.FrameworksNaming.loadNaming(Framewo
    rksNaming.java:171)
            at
    com.q1labs.frameworks.naming.FrameworksNaming.loadClasses(Framew
    orksNaming.java:270)
            at
    com.q1labs.frameworks.naming.FrameworksNaming.loadNaming(Framewo
    rksNaming.java:171)
            at
    com.q1labs.frameworks.naming.FrameworksNaming.loadNaming(Framewo
    rksNaming.java:105)
            at
    com.q1labs.frameworks.naming.FrameworksNaming.{init}(FrameworksN
    aming.java:86)
            at
    com.q1labs.frameworks.core.FrameworksContext.initServices(Framew
    orksContext.java:620)
            at
    com.q1labs.frameworks.core.FrameworksContext.initFrameworks(Fram
    eworksContext.java:257)
            at
    com.q1labs.qvm.assetupdates.frameworks.FrameworksContextServiceI
    mpl.retrieveFrameworkContext(FrameworksContextServiceImpl.java:31)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native
    Method)
            at
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessor
    Impl.java:90)
            at
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
    AccessorImpl.java:55)
            at java.lang.reflect.Method.invoke(Method.java:508)
            at
    org.springframework.beans.factory.support.AbstractAutowireCapabl
    eBeanFactory.invokeCustomInitMethod(AbstractAutowireCapableBeanF
    actory.java:1870)
            at
    org.springframework.beans.factory.support.AbstractAutowireCapabl
    eBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactor
    y.java:1813)
            at
    org.springframework.beans.factory.support.AbstractAutowireCapabl
    eBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.j
    ava:1741)
            ... 14 more
    Caused by:
    java.lang.ClassNotFoundException: com.ibm.icu.text.DateFormat
            at
    java.net.URLClassLoader.findClass(URLClassLoader.java:610)
            at
    java.lang.ClassLoader.loadClassHelper(ClassLoader.java:943)
            at java.lang.ClassLoader.loadClass(ClassLoader.java:888)
            at
    sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:349)
            at java.lang.ClassLoader.loadClass(ClassLoader.java:871)
            ... 34 more
    29 January 2021
    APPLICATION FRAMEWORK IJ28835 QRADAR APPS CAN DISPLAY A BLANK PAGE AFTER A SPECIFIC QRADAR ENVIRONMENT PATCHING PATH HAS BEEN FOLLOWED CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Complete a restart of the ecs-ec-ingress service.

    Issue
    QRadar Apps can display a blank page when using QRadar 7.4.x that has been patched from 7.3.0 (or 7.3.1) to 7.4.0 and then patched to 7.4.1 or later.

This issue can be caused by database table components of the "authorization manager" being left behind from version 7.3 during the patching processes.

To identify whether this issue is the cause of blank pages in QRadar Apps, confirm that:
1. The patching path above was followed.
2. Running the following command on the Console via an SSH session produces a blank "Name" line in its output:
  /opt/qradar/support/recon ps
    21 May 2021
    APPLICATIONS / DEPLOY CHANGES IJ28820 DEPLOY FUNCTION CAN BE SLOW TO COMPLETE AND APPS CAN FAIL TO LOAD AFTER IPTABLES RESTART ON A CONSOLE UNDER HEAVY LOAD CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround
    No workaround available.

    APARs identified with no workaround require administrators to upgrade their software version to resolve this issue.

    Issue
Docker rules can fail to be restored after a restart of iptables on a Console appliance under heavy load (high event processing, high CPU usage, Ariel searches, system activity, etc.). When this occurs, multiple issues within QRadar can be experienced. For example:
    1. Performing a 'Deploy Changes' can take longer than expected to complete.
    2. QRadar apps can fail to load.
    Messages similar to the following might be visible in /var/log/messages when this issue occurs:
    hostname systemd[1]: Stopping IPv4 firewall with iptables...
    hostname preserve-docker-iptables-rules.sh[10574]: iptables:
    Setting chains to policy ACCEPT: filter nat [  OK  ]
    hostname preserve-docker-iptables-rules.sh[10574]: iptables:
    Flushing firewall rules: [  OK  ]
    hostname preserve-docker-iptables-rules.sh[10574]: iptables:
    Unloading modules:  ip_tables[FAILED]
    hostname systemd[1]: iptables.service: control process exited,
    code=exited status=1
    hostname systemd[1]: Stopped IPv4 firewall with iptables.
    hostname systemd[1]: Unit iptables.service entered failed state.
    hostname systemd[1]: iptables.service failed.
    hostname systemd[1]: Starting IPv4 firewall with iptables...
    hostname iptables.init[11422]: iptables: Applying firewall
    rules: [  OK  ]
    hostname configure-docker-firewall.sh[12072]: Tue Feb 18
    22:18:11 AST 2020 [configure_docker_firewall] Docker and
    iptables are running: will attempt to restore docker iptables
    hostname configure-docker-firewall.sh[12072]: Tue Feb 18
    22:18:11 AST 2020 [configure_docker_firewall] Running 'bash -x
    /etc/docker/.docker_iptables_rules'
    hostname configure-docker-firewall.sh[12072]: Tue Feb 18
    22:18:17 AST 2020 [configure_docker_firewall] Cleaning up
    stored docker iptables rules
    hostname configure-docker-firewall.sh[12072]: Tue Feb 18
    22:18:17 AST 2020 [configure_docker_firewall] Running 'rm -f
    /etc/docker/.docker_iptables_rules'
    hostname systemd[1]: Started IPv4 firewall with iptables.
    hostname systemd[1]: Stopping IPv4 firewall with iptables...
    hostname preserve-docker-iptables-rules.sh[12930]: iptables:
    Setting chains to policy ACCEPT: nat filter [  OK  ]
    hostname preserve-docker-iptables-rules.sh[12930]: iptables:
    Flushing firewall rules: [  OK  ]
    hostname preserve-docker-iptables-rules.sh[12930]: iptables:
    Unloading modules:  iptable_nat iptable_nat ip_tables[FAILED]
    hostname systemd[1]: iptables.service: control process exited,
    code=exited status=3
    29 January 2021
    DSM EDITOR IJ25729 EVENTS CONTAINING A CLOSED BRACKET " } " IN THE VALUE FIELD OF A JSON ARE NOT PARSED CORRECTLY BY THE DSM EDITOR CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround
    No workaround available. APARs identified with no workaround require administrators to upgrade their software version to resolve this issue.

    Issue
Events containing a single '}' in a value field of the JSON are not parsed correctly by the DSM Editor.

    When in the DSM editor, the preview (highlight) works as expected, but the actual value does not extract when this issue occurs.

For example:
Event 1: a closing bracket in the value field (ANDROID}); this event is not parsed correctly.
    Mar 04 09:10:10  LEEF:2.0|YYYYY|XXXXX|1.0|Sandbox
    Report|^|Report={"Full Details":{"Summary":{"Status":"COMPLETED","Category":"ANDROID}",
    "FileType":"TEST"}}}
Event 2: no closing bracket in the value field; this event parses properly.
    Mar 04 09:10:10  LEEF:2.0|YYYYY|XXXXX|1.0|Sandbox
    Report|^|Report={"Full Details":{"Summary":{"Status":"COMPLETED","Category":"ANDROID","
    FileType":"TEST"}}}
    29 January 2021
    MSRPC PROTOCOL IJ29923 THE QRADAR MSRPC PROTOCOL CAN INCREASE CPU UTILIZATION ON MICROSOFT WINDOWS SERVERS OPEN Workaround
A flash notice is available for administrators that describes how to downgrade the Microsoft Windows Security Event Log over MSRPC version. For more information, see: https://www.ibm.com/support/pages/node/6382106

    Issue
Administrators with the latest version of the MSRPC protocol from the December 9th, 2020 weekly auto update can experience increased CPU utilization for the EventLog service under svchost.exe on their Windows Servers. Over time, this issue can lead to instability for the remote server. Administrators can downgrade their Microsoft Security Event Log over MSRPC protocol (PROTOCOL-WindowsEventRPC) version to avoid this reported issue.

    The following RPM versions are affected by this issue:
    1. PROTOCOL-WindowsEventRPC-7.3-20201110190432.noarch.rpm
    2. PROTOCOL-WindowsEventRPC-7.4-20201110190414.noarch.rpm
    29 January 2021
    OFFICE 365 PROTOCOL IJ28711 UNABLE TO CAPTURE LOGS FROM AN OFFICE 365 TENANT THAT IS NOT A .COM CLOSED Resolved in
    The following RPMs were delivered during the 2 February 2021 (Build 1612292229) weekly auto update:
    1. PROTOCOL-Office365RESTAPI-7.3-20201207151632.noarch.rpm
    2. PROTOCOL-Office365RESTAPI-7.4-20201207151640.noarch.rpm
    Workaround
Administrators can verify that the latest RPM is installed for their QRadar version. If you continue to experience issues, or if you experience issues with your weekly auto update, contact support for a possible workaround that might address this issue in some instances.

    Issue
    Attempting to capture logs from an Office 365 tenant can fail to receive any logs when the tenant does not end in ".com". The testing feature on the Log Source can successfully connect and authenticate to the API in these instances, but QRadar fails to receive the expected logs and stays in the state where it displays "Connected. Waiting for logs".
    03 February 2021
    OFFICE 365 PROTOCOL IJ28829 'WARNING: EXPECTED ROLE [ROLE] WAS NOT IN THE OBTAINED ACCESS TOKEN' MESSAGE DURING OFFICE 365 LOG SOURCE PROTOCOL TESTS CLOSED Resolved in
    The following RPMs were delivered during the 2 February 2021 (Build 1612292229) weekly auto update:
    1. PROTOCOL-Office365RESTAPI-7.3-20201207151632.noarch.rpm
    2. PROTOCOL-Office365RESTAPI-7.4-20201207151640.noarch.rpm
    Workaround
Administrators can verify that the latest RPM is installed for their QRadar version. If you continue to experience issues, or if you experience issues with your weekly auto update, contact support for a possible workaround that might address this issue in some instances.

    Issue
A warning similar to the following can be observed when testing protocol parameters in Log Source Management for an Office 365 log source. This is due to the roles ThreatIntelligence.Read and ActivityReports.Read now being deprecated. Administrators who attempt to test their configuration might see the following messages:
    Testing ClientID [ID] :: TenantID [ID]
    Successfully obtained Azure AD Access Token with supplied
    credentials
    Access Token Roles: [ActivityFeed.ReadDlp, ServiceHealth.Read,
    ActivityFeed.Read]
    Warning: Expected role [ThreatIntelligence.Read] was not in the
    obtained Access Token - this may cause issues with data
    collection
    Warning: Expected role [ActivityReports.Read] was not in the
    obtained Access Token - this may cause issues with data
    collection
    Access Token contained expected role [ActivityFeed.ReadDlp]
    Access Token contained expected role [ServiceHealth.Read]
    Access Token contained expected role [ActivityFeed.Read]
    03 February 2021
    JDBC PROTOCOL IJ26314 LOG SOURCE MANAGEMENT APP JDBC TESTS CAN FAIL WITH 'LOGIN FAILED FOR USER {USERNAME}' ON LOG SOURCES USING DOMAIN AUTHENTICATION CLOSED Resolved in
    The following RPMs were delivered during the 2 February 2021 (Build 1612292229) weekly auto update:
    1. PROTOCOL-JDBC-7.3-20201123202429.noarch.rpm
    2. PROTOCOL-JDBC-7.4-20201123202423.noarch.rpm
    Workaround
Administrators can verify that the latest RPM is installed for their QRadar version. If you continue to experience issues, or if you experience issues with your weekly auto update, contact support for a possible workaround that might address this issue in some instances.

    Issue
When using Domain Authentication for a JDBC log source configuration, the log source can be in a Success state and working as expected, but the Log Source Management App tests for those log sources can fail with a message similar to the following: "Login failed for user '{username}'"
    03 February 2021
    JDBC PROTOCOL IJ29049 LOG SOURCES CONFIGURED TO USE JDBC CAN FAIL TO COLLECT LOGS AFTER AN ECS-EC-INGRESS SERVICE RESTART HAS OCCURRED CLOSED Resolved in
    The following RPMs were delivered during the 2 February 2021 (Build 1612292229) weekly auto update:
    1. PROTOCOL-JDBC-7.3-20201123202429.noarch.rpm
    2. PROTOCOL-JDBC-7.4-20201123202423.noarch.rpm
    Workaround
Administrators can verify that the latest RPM is installed for their QRadar version. If you continue to experience issues, or if you experience issues with your weekly auto update, contact support for a possible workaround that might address this issue in some instances.

    Issue
    JDBC Log Sources can fail to collect events after an ecs-ec-ingress service restart has occurred. In these instances, the Log Sources continue to display "Success" state with a last status update of days or weeks prior to the ecs-ec-ingress restart date.
    03 February 2021
    OFFENSES IJ15472 EVENT COUNT NUMBERS DOESN'T MATCH IN THE OFFENSE DETAILS SCREEN ON CLICKING THE EVENT/FLOW COUNT CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)

    Workaround
    No workaround available. APARs identified with no workaround require administrators to upgrade their software version to resolve this issue.

    Issue
It has been identified that the Event count in the Offense details screen does not match the event count displayed when clicking the event/flow count. For rules using the "when at least this many events are seen with the same event properties in this many minutes" condition, the Event/Flow count in an Offense does not match the Ariel search list of Events/Flows.
    29 January 2021
    SEARCH / LOG ACTIVITY IJ25367 UNABLE TO DELETE AN EMPTY LOG SOURCE GROUP DUE TO DEPENDENCY CHECK FAIL OPEN Workaround
    Contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    Attempting to delete an empty Log Source Group can fail with an error similar to "Error while getting Saved Search dependents for this Log Source Group: {xxxxxx}".

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [pool-1-thread-4]
    com.q1labs.core.shared.datadeletion.LogSourceGroupDeletion:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error while
    getting Saved Search dependents for this Log Source Group:
    103540
    [tomcat.tomcat] [pool-1-thread-4]
    java.lang.ArrayIndexOutOfBoundsException
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.cve.utils.CustomColumnDefinition.fromString(CustomCol
    umnDefinition.java:386)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchF
    orm.java:1396)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchF
    orm.java:1301)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchF
    orm.java:1290)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.requiresPayload(ArielSe
    archForm.java:1171)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.getMappingFactory(Ariel
    SearchForm.java:1099)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.getMappingFactory(Ariel
    SearchForm.java:1094)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.cve.utils.CriteriaParser.processPredicates(CriteriaPa
    rser.java:177)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSear
    chForm.java:833)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSear
    chForm.java:790)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSear
    chForm.java:746)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSear
    chForm.java:740)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSear
    chForm.java:731)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.core.shared.datadeletion.LogSourceGroupDeletion.getAr
    ielSavedSearchDependentsByGroupId(LogSourceGroupDeletion.java:131)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.core.shared.datadeletion.LogSourceGroupDeletion.getUs
    age(LogSourceGroupDeletion.java:58)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.core.shared.datadeletion.task.FindDependentsTask.getA
    ctualUsage(FindDependentsTask.java:291)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.core.shared.datadeletion.task.FindDependentsTask.getC
    hildUsage(FindDependentsTask.java:212)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.core.shared.datadeletion.task.FindDependentsTask.getD
    efaultUsage(FindDependentsTask.java:169)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.core.shared.datadeletion.task.FindDependentsTask.runT
    ask(FindDependentsTask.java:122)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108)
    [tomcat.tomcat] [pool-1-thread-4]    at
    java.util.concurrent.Executors$RunnableAdapter.call(Executors.ja
    va:522)
    [tomcat.tomcat] [pool-1-thread-4]    at
    java.util.concurrent.FutureTask.run(FutureTask.java:277)
    [tomcat.tomcat] [pool-1-thread-4]    at
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExec
    utor.java:1160)
    [tomcat.tomcat] [pool-1-thread-4]    at
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExe
    cutor.java:635)
    [tomcat.tomcat] [pool-1-thread-4]    at
    java.lang.Thread.run(Thread.java:812)
    [tomcat.tomcat] [pool-1-thread-4]
    com.q1labs.core.shared.datadeletion.task.FindDependentsTask:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error trying to
    find Dependents for id: [103540], and type: LOG_SOURCE_GROUP
    [tomcat.tomcat] [pool-1-thread-4]
    java.lang.ArrayIndexOutOfBoundsException
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.cve.utils.CustomColumnDefinition.fromString(CustomCol
    umnDefinition.java:386)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchF
    orm.java:1396)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchF
    orm.java:1301)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchF
    orm.java:1290)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.requiresPayload(ArielSe
    archForm.java:1171)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.getMappingFactory(Ariel
    SearchForm.java:1099)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.getMappingFactory(Ariel
    SearchForm.java:1094)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.cve.utils.CriteriaParser.processPredicates(CriteriaPa
    rser.java:177)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSear
    chForm.java:833)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSear
    chForm.java:790)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSear
    chForm.java:746)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSear
    chForm.java:740)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSear
    chForm.java:731)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.core.shared.datadeletion.LogSourceGroupDeletion.getAr
    ielSavedSearchDependentsByGroupId(LogSourceGroupDeletion.java:131)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.core.shared.datadeletion.LogSourceGroupDeletion.getUs
    age(LogSourceGroupDeletion.java:58)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.core.shared.datadeletion.task.FindDependentsTask.getA
    ctualUsage(FindDependentsTask.java:291)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.core.shared.datadeletion.task.FindDependentsTask.getC
    hildUsage(FindDependentsTask.java:212)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.core.shared.datadeletion.task.FindDependentsTask.getD
    efaultUsage(FindDependentsTask.java:169)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.core.shared.datadeletion.task.FindDependentsTask.runT
    ask(FindDependentsTask.java:122)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108)
    [tomcat.tomcat] [pool-1-thread-4]    at
    java.util.concurrent.Executors$RunnableAdapter.call(Executors.ja
    va:522)
    [tomcat.tomcat] [pool-1-thread-4]    at
    java.util.concurrent.FutureTask.run(FutureTask.java:277)
    [tomcat.tomcat] [pool-1-thread-4]    at
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExec
    utor.java:1160)
    [tomcat.tomcat] [pool-1-thread-4]    at
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExe
    cutor.java:635)
    [tomcat.tomcat] [pool-1-thread-4]    at
    java.lang.Thread.run(Thread.java:812)
    12 June 2020
    SECURITY BULLETIN CVE-2020-4888 IBM QRADAR SIEM IS VULNERABLE TO DESERIALIZATION OF UNTRUSTED DATA CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.3.3 Fix Pack 7 IF1 (7.3.3.20210120163940)

    Affected versions
    • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
    • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 7
    Issue
    CVE-2020-4888: IBM QRadar SIEM could allow a remote attacker to execute arbitrary commands on the system, caused by insecure deserialization of user-supplied content by the Java deserialization function. By sending a malicious serialized Java object, an attacker could exploit this vulnerability to execute arbitrary commands on the system. CVSS Base score: 6.3
    28 January 2021
    SECURITY BULLETIN CVE-2019-19126
    CVE-2020-10754
    CVE-2019-19956
    CVE-2019-20388
    CVE-2020-7595
    CVE-2019-5482
    CVE-2018-20843
    CVE-2019-15903
    CVE-2019-20386
    CVE-2019-16935
    CVE-2020-8492
    CVE-2019-17498
    CVE-2019-2974
    CVE-2020-2574
    CVE-2020-2752
    CVE-2020-2780
    CVE-2020-2812
    CVE-2019-14907
    CVE-2019-14866
    IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

    Affected versions
    • IBM QRadar SIEM 7.4.2 GA to 7.4.2 Patch 1
    • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
    • IBM QRadar SIEM 7.3.0 to 7.3.0 Patch 5
    Issue
    • CVE-2019-19126: GNU C Library could allow a local attacker to bypass security restrictions, caused by failing to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution. An attacker could exploit this vulnerability to bypass ASLR for a setuid program. CVSS Base score: 4
    • CVE-2020-10754: NetworkManager could allow a remote authenticated attacker to bypass security restrictions, caused by improper configuration in the nmcli. By connecting to a network, an attacker could exploit this vulnerability to bypass authentication. CVSS Base score: 4.3
    • CVE-2019-19956: libxml2 is vulnerable to a denial of service, caused by a memory leak in xmlParseBalancedChunkMemoryRecover in parser.c. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 3.3
    • CVE-2019-20388: GNOME libxml2 could allow a remote attacker to obtain sensitive information, caused by a xmlSchemaValidateStream memory leak in xmlSchemaPreRun in xmlschemas.c. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to obtain sensitive information.
    • CVE-2020-7595: The Gnome Project Libxml2 is vulnerable to a denial of service, caused by an error in xmlStringLenDecodeEntities in parser.c. An attacker could exploit this vulnerability to cause the application to enter into an infinite loop. CVSS Base score: 7.5
• CVE-2019-5482: cURL libcurl is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the tftp_receive_packet function. By sending a specially-crafted request containing an OACK without the BLKSIZE option, a remote attacker could overflow a buffer and execute arbitrary code on the system. CVSS Base score: 6.3
    • CVE-2018-20843: libexpat is vulnerable to a denial of service, caused by an error in the XML parser. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to consume all available CPU resources. CVSS Base score: 3.3
    • CVE-2019-15903: libexpat is vulnerable to a denial of service, caused by a heap-based buffer over-read in XML_GetCurrentLineNumber. By using a specially-crafted XML input, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.3
    • CVE-2019-20386: systemd is vulnerable to a denial of service, caused by a memory leak in the button_open function in login/logind-button.c. By executing the udevadm trigger command, a local attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 6.2
    • CVE-2019-16935: Python is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the python/Lib/DocXMLRPCServer.py. A remote attacker could exploit this vulnerability using the server_title field to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1
    • CVE-2020-8492: Python is vulnerable to a denial of service, caused by a flaw in the urllib.request.AbstractBasicAuthHandler. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a Regular Expression Denial of Service (ReDoS). CVSS Base score: 5.3
    • CVE-2019-17498: libssh2 is vulnerable to a denial of service, caused by an out-of-bounds read when connecting to a malicious SSH server that sends a disconnect message. A remote attacker could exploit this vulnerability to cause a denial of service or obtain sensitive information. CVSS Base score: 6.5
• CVE-2019-2974: An unspecified vulnerability in Oracle MySQL related to the Server component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. CVSS Base score: 6.5
    • CVE-2020-2574: An unspecified vulnerability in Oracle MySQL related to the Client C API component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. CVSS Base score: 5.9
    • CVE-2020-2752: An unspecified vulnerability in Oracle MySQL related to the Client C API component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. CVSS Base score: 5.3
• CVE-2020-2780: An unspecified vulnerability in Oracle MySQL related to the Server: DML component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. CVSS Base score: 6.5
• CVE-2020-2812: An unspecified vulnerability in Oracle MySQL related to the Server: Stored Procedure component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. CVSS Base score: 4.9
    • CVE-2019-14907: Samba is vulnerable to a denial of service, caused by an error after a failed character conversion at log level 3 or above. By sending a specially crafted string during the NTLMSSP authentication exchange, an attacker could exploit this vulnerability to cause a long-lived process to terminate. CVSS Base score: 6.5
    • CVE-2019-14866: GNU cpio could allow a local authenticated attacker to gain elevated privileges on the system, caused by the failure to properly validate input files when generating TAR archives. An attacker could exploit this vulnerability to inject any tar content and compromise the system. CVSS Base score: 6.7
    26 January 2021
    SECURITY BULLETIN CVE-2018-18074
    CVE-2018-20060
    CVE-2019-11236
    CVE-2019-11324
    CVE-2019-5094
    CVE-2019-5188
    CVE-2020-11008
    CVE-2019-12450
    CVE-2019-14822
    CVE-2019-14973
    CVE-2019-17546
    CVE-2017-15715
    CVE-2018-1283
    CVE-2018-1303
    CVE-2019-10098
    CVE-2020-1927
    CVE-2020-1934
    CVE-2017-18551
    CVE-2018-20836
    CVE-2019-15217
    CVE-2019-15807
    CVE-2019-15917
    CVE-2019-16231
    CVE-2019-16233
    CVE-2019-16994
    CVE-2019-17053
    CVE-2019-17055
    CVE-2019-19046
    CVE-2019-19062
    CVE-2019-19063
    CVE-2019-19332
    CVE-2019-19447
    CVE-2019-19524
    CVE-2019-19530
    CVE-2019-19534
    CVE-2019-19537
    CVE-2019-19767
    CVE-2019-19807
    CVE-2019-20054
    CVE-2019-20636
    CVE-2019-9454
    CVE-2019-9458
    CVE-2020-10690
    CVE-2020-10732
    CVE-2020-10742
    CVE-2020-10751
    CVE-2020-10942
    IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

    Affected versions
    • IBM QRadar SIEM 7.4.2 GA to 7.4.2 Patch 1
    • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
    • IBM QRadar SIEM 7.3.0 to 7.3.0 Patch 5
    Issue
    • CVE-2018-18074: The Requests package for Python could allow a remote attacker to obtain sensitive information, caused by sending information in an insecure manner. By sniffing the network, a remote attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 5.3
    • CVE-2018-20060: urllib3 could allow a remote attacker to obtain sensitive information, caused by the failure to remove the Authorization HTTP header when following a cross-origin redirect. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to obtain credentials in the Authorization header. CVSS Base score: 7.5
    • CVE-2019-11236: Python urllib3 is vulnerable to CRLF injection, caused by improper validation of user-supplied input by the request parameter. By sending a specially-crafted HTTP response containing CRLF character sequences, a remote attacker could exploit this vulnerability to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. CVSS Base score: 5.3
    • CVE-2019-11324: urllib3 could allow a remote attacker to bypass security restrictions, caused by mishandling of certificates. By sending a specially-crafted certificate, an attacker could exploit this vulnerability to allow SSL connections. CVSS Base score: 5.3
    • CVE-2019-5094: E2fsprogs could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an out-of-bounds write in the quota file functionality. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 7.5
    • CVE-2019-5188: E2fsprogs could allow a local authenticated attacker to execute arbitrary code on the system, caused by an out-of-bounds write in the directory rehashing function. By using a specially-crafted ext4 directory, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 7.5
    • CVE-2020-11008: Git could allow a remote attacker to obtain sensitive information, caused by a flaw in the external "credential helper" programs. By feeding a specially-crafted URL to git clone, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. CVSS Base score: 7.5
    • CVE-2019-12450: GNOME GLib could allow a remote attacker to bypass security restrictions, caused by improper permission control in the file_copy_fallback in gio/gfile.c. An attacker could exploit this vulnerability to bypass access restrictions. CVSS Base score: 5.3
    • CVE-2019-14822: IBus could allow a local authenticated attacker to bypass security restrictions, caused by improper authorization validation. By sending a specially-crafted request, an attacker could exploit this vulnerability to monitor and send method calls to the ibus bus of another user. CVSS Base score: 5.5
    • CVE-2019-14973: LibTIFF is vulnerable to a denial of service, caused by an integer overflow in the _TIFFCheckMalloc and _TIFFCheckRealloc functions in tif_aux.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 3.3
    • CVE-2019-17546: libtiff is vulnerable to a heap-based buffer overflow, caused by an integer overflow in tif_getimage.c. By persuading a victim to open a specially-crafted file, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. CVSS Base score: 7.8
    • CVE-2017-15715: Apache HTTPD could allow a remote attacker to bypass security restrictions, caused by the FilesMatch expression matching '$' to a newline character in a malicious filename instead of the end of the filename. By matching the trailing portion of the filename, an attacker could exploit this vulnerability to bypass security controls that use the FilesMatch directive. CVSS Base score: 3.7
    • CVE-2018-1283: Apache HTTPD could allow a remote attacker to bypass security restrictions, caused by an error when mod_session is configured with SessionEnv on to forward session data to CGI applications. By using a specially crafted "Session" header, an attacker could exploit this vulnerability to modify mod_session data on the system. CVSS Base score: 5.3
    • CVE-2018-1303: Apache HTTPD is vulnerable to a denial of service, caused by an out-of-bounds memory read error in mod_cache_socache. By sending a specially crafted HTTP request header, an attacker could exploit this vulnerability to cause the service to crash. CVSS Base score: 5.3
    • CVE-2019-10098: Apache HTTP Server could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the mod_rewrite module. An attacker could exploit this vulnerability using a specially-crafted URL to redirect a victim to arbitrary Web sites. CVSS Base score: 3.7
    • CVE-2020-1927: Apache HTTP Server could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the mod_rewrite module. An attacker could exploit this vulnerability using a specially-crafted URL to redirect a victim to arbitrary Web sites. CVSS Base score: 7.4
    • CVE-2020-1934: Apache HTTP Server could allow a remote attacker to execute arbitrary code on the system, caused by the use of uninitialized value in mod_proxy_ftp. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system. CVSS Base score: 8.1
    • CVE-2017-18551: Linux kernel is vulnerable to a buffer overflow, caused by a missing bounds check in drivers/i2c/i2c-core-smbus.c. An attacker could overflow an array and perform unspecified actions. CVSS Base score: 7.8
    • CVE-2018-20836: Linux Kernel is vulnerable to a denial of service, caused by a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c. A local attacker could exploit this vulnerability to cause the system to crash. CVSS Base score: 4
    • CVE-2019-15217: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in the yurex.c driver. By using a specially-crafted USB device, a physical attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 4.6
    • CVE-2019-15807: Linux Kernel is vulnerable to a denial of service, caused by a memory leak in sas_expander.c when SAS expander discovery fails. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 7.5
    • CVE-2019-15917: Linux Kernel could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free when hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c. A remote attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service. CVSS Base score: 7.3
    • CVE-2019-16231: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in drivers/net/fjes/fjes_main.c. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 7.5
    • CVE-2019-16233: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in drivers/scsi/qla2xxx/qla_os.c. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 7.5
    • CVE-2019-16994: Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the sit_init_net function in net/ipv6/sit.c. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 6.2
    • CVE-2019-17053: Linux Kernel could allow a local authenticated attacker to bypass security restrictions, caused by not enforcing CAP_NET_RAW in the ieee802154_create function in net/ieee802154/socket.c in the AF_IEEE802154 network module. By sending a specially-crafted request, an attacker could exploit this vulnerability to create a raw socket. CVSS Base score: 5.5
    • CVE-2019-17055: Linux Kernel could allow a local authenticated attacker to bypass security restrictions, caused by not enforcing CAP_NET_RAW in the base_sock_create function in drivers/isdn/mISDN/socket.c in the AF_ISDN network module. By sending a specially-crafted request, an attacker could exploit this vulnerability to create a raw socket. CVSS Base score: 5.5
    • CVE-2019-19046: Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c. A remote attacker could exploit this vulnerability to consume all available memory resources. CVSS Base score: 7.5
    • CVE-2019-19062: Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the crypto_report() function in crypto/crypto_user_base.c. A remote attacker could exploit this vulnerability to consume all available memory resources. CVSS Base score: 7.5
    • CVE-2019-19063: Linux Kernel is vulnerable to a denial of service, caused by multiple memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c. A remote attacker could exploit this vulnerability to consume all available memory resources. CVSS Base score: 7.5
    • CVE-2019-19332: Linux Kernel is vulnerable to a denial of service, caused by an out-of-bounds memory write in KVM hypervisor. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.5
    • CVE-2019-19447: Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a use-after-free flaw in the ext4_put_super function in fs/ext4/super.c. By using a specially-crafted image file, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system. CVSS Base score: 8.4
    • CVE-2019-19524: Linux Kernel is vulnerable to a denial of service, caused by a use-after-free condition in drivers/input/ff-memless.c. By connecting a specially-crafted USB device, an attacker could exploit this vulnerability to cause a kernel panic. CVSS Base score: 4.2
    • CVE-2019-19530: Linux Kernel is vulnerable to a denial of service, caused by a use-after-free condition in drivers/usb/class/cdc-acm.c. By connecting a specially-crafted USB device, an attacker could exploit this vulnerability to cause a kernel panic. CVSS Base score: 4.2
    • CVE-2019-19534: Linux Kernel could allow a local attacker to obtain sensitive information, caused by missing memory initialization in drivers/net/can/usb/peak_usb/pcan_usb_core.c. By connecting a specially-crafted USB device, an attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 2.4
    • CVE-2019-19537: Linux Kernel is vulnerable to a denial of service, caused by a race condition in drivers/usb/core/file.c. By connecting a specially-crafted USB device, an attacker could exploit this vulnerability to cause the system to stop responding. CVSS Base score: 4.2
    • CVE-2019-19767: Linux Kernel is vulnerable to a denial of service, caused by a use-after-free in the __ext4_expand_extra_isize and ext4_xattr_set_entry functions in fs/ext4/inode.c and fs/ext4/super.c. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 6.2
    • CVE-2019-19807: Linux Kernel is vulnerable to a denial of service, caused by a use-after-free in sound/core/timer.c. By sending a specially crafted request, a local attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 4
    • CVE-2019-20054: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c. By sending a specially crafted request, a local attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 4
    • CVE-2019-20636: Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by an out-of-bounds write flaw in the input_set_keycode function. By using a specially-crafted keycode table, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system. CVSS Base score: 8.4
    • CVE-2019-9454: Google Android could allow a local authenticated attacker to gain elevated privileges on the system, caused by a memory corruption in the i2c driver. An attacker could exploit this vulnerability to escalate privileges. CVSS Base score: 7.8
    • CVE-2019-9458: Google Android could allow a local attacker to gain elevated privileges on the system, caused by a race condition in the video driver. An attacker could exploit this vulnerability to escalate privileges. CVSS Base score: 8.4
    • CVE-2020-10690: Linux Kernel is vulnerable to a denial of service, caused by a use-after-free in the cdev_put function in the Precision Time Protocol (PTP). By removing a PTP device while chardev is open, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 4.4
    • CVE-2020-10732: Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by a flaw in the implementation of Userspace core dumps. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information or cause a program to crash. CVSS Base score: 3.3
    • CVE-2020-10742: Linux Kernel is vulnerable to a denial of service, caused by a stack-based buffer overflow during a Direct IO write. A local authenticated attacker could exploit this vulnerability through an out-of-bounds index access following a kmalloc memory allocation to cause the NFS client to crash. CVSS Base score: 6
    • CVE-2020-10751: Linux Kernel could allow a local authenticated attacker to bypass security restrictions, caused by a flaw with improper validation of first netlink message by the SELinux LSM hook implementation. By sending a specially-crafted request, an attacker could exploit this vulnerability to allow or deny the rest of the netlink messages within the skb with the granted permission without further processing. CVSS Base score: 6.1
    • CVE-2020-10942: Linux Kernel is vulnerable to a denial of service, caused by improper validation of an sk_family field by the get_raw_socket function in drivers/vhost/net.c. By sending specially-crafted system calls, a local attacker could exploit this vulnerability to cause a kernel stack corruption resulting in a denial of service condition. CVSS Base score: 6.2
    26 January 2021
    SECURITY BULLETIN CVE-2019-2974
    CVE-2020-2574
    CVE-2020-2752
    CVE-2020-2780
    CVE-2020-2812
    CVE-2019-14973
    CVE-2019-17546
    CVE-2019-17498
    CVE-2017-15715
    CVE-2018-1283
    CVE-2018-1303
    CVE-2019-10098
    CVE-2020-1927
    CVE-2020-1934
    CVE-2017-18551
    CVE-2019-5094
    CVE-2019-5188
    CVE-2020-0034
    IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

    Affected versions
    • IBM QRadar SIEM 7.4.2 GA to 7.4.2 Patch 1
    • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
    • IBM QRadar SIEM 7.3.0 to 7.3.0 Patch 5
    Issue
    • CVE-2019-2974: An unspecified vulnerability in Oracle MySQL related to the Server component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. CVSS Base score: 6.5
    • CVE-2020-2574: An unspecified vulnerability in Oracle MySQL related to the Client C API component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. CVSS Base score: 5.9
    • CVE-2020-2752: An unspecified vulnerability in Oracle MySQL related to the Client C API component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. CVSS Base score: 5.3
    • CVE-2020-2780: An unspecified vulnerability in Oracle MySQL related to the Server: DML component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. CVSS Base score: 6.5
    • CVE-2020-2812: An unspecified vulnerability in Oracle MySQL related to the Server: Stored Procedure component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. CVSS Base score: 4.9
    • CVE-2019-14973: LibTIFF is vulnerable to a denial of service, caused by an integer overflow in the _TIFFCheckMalloc and _TIFFCheckRealloc functions in tif_aux.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 3.3
    • CVE-2019-17546: libtiff is vulnerable to a heap-based buffer overflow, caused by an integer overflow in tif_getimage.c. By persuading a victim to open a specially-crafted file, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. CVSS Base score: 7.8
    • CVE-2019-17498: libssh2 is vulnerable to a denial of service, caused by an out-of-bounds read when connecting to a malicious SSH server that sends a disconnect message. A remote attacker could exploit this vulnerability to cause a denial of service or obtain sensitive information. CVSS Base score: 6.5
    • CVE-2017-15715: Apache HTTPD could allow a remote attacker to bypass security restrictions, caused by the FilesMatch expression matching '$' to a newline character in a malicious filename instead of the end of the filename. By matching the trailing portion of the filename, an attacker could exploit this vulnerability to bypass security controls that use the FilesMatch directive. CVSS Base score: 3.7
    • CVE-2018-1283: Apache HTTPD could allow a remote attacker to bypass security restrictions, caused by an error when mod_session is configured with SessionEnv on to forward session data to CGI applications. By using a specially crafted "Session" header, an attacker could exploit this vulnerability to modify mod_session data on the system. CVSS Base score: 5.3
    • CVE-2018-1303: Apache HTTPD is vulnerable to a denial of service, caused by an out-of-bounds memory read error in mod_cache_socache. By sending a specially crafted HTTP request header, an attacker could exploit this vulnerability to cause the service to crash. CVSS Base score: 5.3
    • CVE-2019-10098: Apache HTTP Server could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the mod_rewrite module. An attacker could exploit this vulnerability using a specially-crafted URL to redirect a victim to arbitrary Web sites. CVSS Base score: 3.7
    • CVE-2020-1927: Apache HTTP Server could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the mod_rewrite module. An attacker could exploit this vulnerability using a specially-crafted URL to redirect a victim to arbitrary Web sites. CVSS Base score: 7.4
    • CVE-2020-1934: Apache HTTP Server could allow a remote attacker to execute arbitrary code on the system, caused by the use of uninitialized value in mod_proxy_ftp. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system. CVSS Base score: 8.1
    • CVE-2019-5094: E2fsprogs could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an out-of-bounds write in the quota file functionality. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 7.5
    • CVE-2019-5188: E2fsprogs could allow a local authenticated attacker to execute arbitrary code on the system, caused by an out-of-bounds write in the directory rehashing function. By using a specially-crafted ext4 directory, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 7.5
    • CVE-2020-0034: Google Android could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read in the vp8_decode_frame of decodeframe.c. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 7.5
    26 January 2021
    SECURITY BULLETIN CVE-2020-11979
    APACHE ANT AS USED BY IBM QRADAR SIEM IS VULNERABLE TO INSECURE TEMPORARY FILES CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

    Affected versions
    • IBM QRadar SIEM 7.4.2 GA to 7.4.2 Patch 1
    • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
    • IBM QRadar SIEM 7.3.0 to 7.3.0 Patch 5
    Issue
    CVE-2020-11979: Apache Ant could allow a remote authenticated attacker to bypass security restrictions, caused by an insecure temporary file flaw. By sending a specially-crafted request, an attacker could exploit this vulnerability to inject modified source files into the build process. CVSS Base score: 6.5
    26 January 2021
    SECURITY BULLETIN CVE-2020-4789
    IBM QRADAR SIEM IS VULNERABLE TO ARBITRARY FILE READ CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

    Affected versions
    • IBM QRadar SIEM 7.4.2 GA to 7.4.2 Patch 1
    • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
    • IBM QRadar SIEM 7.3.0 to 7.3.0 Patch 5
    Issue
    CVE-2020-4789: IBM QRadar could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. CVSS Base score: 6.5
    26 January 2021
    SECURITY BULLETIN CVE-2020-4787
    IBM QRADAR SIEM IS VULNERABLE TO SERVER SIDE REQUEST FORGERY (SSRF) CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

    Affected versions
    • IBM QRadar SIEM 7.4.2 GA to 7.4.2 Patch 1
    • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
    • IBM QRadar SIEM 7.3.0 to 7.3.0 Patch 5
    Issue
    CVE-2020-4787: IBM QRadar is vulnerable to server side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. CVSS Base score: 4.2
    26 January 2021
    SECURITY BULLETIN CVE-2020-4786
    IBM QRADAR SIEM IS VULNERABLE TO SERVER SIDE REQUEST FORGERY (SSRF) CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

    Affected versions
    • IBM QRadar SIEM 7.4.2 GA to 7.4.2 Patch 1
    • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
    • IBM QRadar SIEM 7.3.0 to 7.3.0 Patch 5
    Issue
    CVE-2020-4786: IBM QRadar Network Security is vulnerable to server side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. CVSS Base score: 5.4
    26 January 2021
    SECURITY BULLETIN CVE-2020-5421
    SPRING FRAMEWORK AS USED BY IBM QRADAR SIEM IS VULNERABLE TO IMPROPER INPUT VALIDATION CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

    Affected versions
    • IBM QRadar SIEM 7.4.2 GA to 7.4.2 Patch 1
    • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
    • IBM QRadar SIEM 7.3.0 to 7.3.0 Patch 5
    Issue
    CVE-2020-5421: VMware Tanzu Spring Framework could allow a remote attacker to bypass security restrictions, caused by improper input validation. By using a specially-crafted jsessionid path parameter, an attacker could exploit this vulnerability to bypass RFD Protection. CVSS Base score: 5.3
    26 January 2021
    SERVICES IJ30161 A QRADAR "DEPLOY CHANGES" PERFORMED ON DECEMBER 31 2020 CAN CAUSE QRADAR FUNCTIONALITY ISSUES CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 1 (7.4.2.20210105144619)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

    Workaround
    For more detailed information, please see the following Flash Notification: https://ibm.biz/BdfDdV

    An issue report and FAQ is available for IJ30161 from QRadar Support. For more information, see: https://www.ibm.com/support/pages/node/6398674

    Issue
    Performing a "Deploy Changes" function on December 31 2020 can cause a QRadar deployment to stop functioning as expected. This issue is related to the function that validates a license key.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ec-ingress.ecs-ec-ingress] [main] com.eventgnosis.ecs: [INFO] [NOT:6000][X.X.X.X/- -] [-/- -]Waiting for valid license...
    [ecs-ep.ecs-ep] [main] com.eventgnosis.ecs: [INFO] [NOT:6000][X.X.X.X/- -] [-/- -]Waiting for valid license...
    [ecs-ec.ecs-ec] [main] com.eventgnosis.ecs: [INFO] [NOT:6000][X.X.X.X/- -] [-/- -]Waiting for valid license...


    Note: This affects a manual "Deploy Changes" function as well as any that are performed automatically (example: Auto Update).
    11 January 2021
    RULES IJ29115 PERFORMING AN EXTENSION MANAGEMENT UNINSTALL CAN SOMETIMES CORRUPT RULES WITHIN QRADAR CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

    Workaround
    Upgrade to a QRadar version that resolves this issue, or contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    Performing an Uninstall with the Extension Manager can corrupt rules if QRadar's change-tracker has incorrectly recorded the "new_value" field in content_field_info within the QRadar database.

    When this occurs, attempting to modify a rule response or to edit or delete a rule can generate an error pop-up similar to:
    A server exception occurred: PersistenceException: ERROR: could not parse XML document
    Detail: line 1: Start tag expected, '<' not found
    and messages in /var/log/qradar.log similar to:
    [tomcat.tomcat] [pool-1-thread-3] org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR: could not parse XML document
      Detail: line 1: Start tag expected, '<' not found
    16 November 2020
    FORWARDING DESTINATIONS IJ27364 THE OPTION TO USE IPV6 SOURCE AND DESTINATION FROM AN EVENT WHEN CONFIGURING JSON FORWARDING DESTINATION IS NOT AVAILABLE CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

    Workaround
    A custom property could be added to parse IPv6 from events and used in the JSON format. For more information, see: How to create custom properties in QRadar.

    Issue
    When configuring Forwarding Destinations to forward data to another system using IPv6, the source or destination IPv6 address from an event is not an available option to select when the JSON format is used.
    02 September 2020
    FLOW FORWARDING IJ26689 FORWARDING NORMALIZED FLOWS THAT ARE ASSOCIATED TO A DOMAIN FAILS WITH A BUFFERUNDERFLOWEXCEPTION WRITTEN TO QRADAR LOGGING CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

    Workaround
    Potential workaround for this issue. Note: This impacts all event and flow forwarding of normalized data, setting it to the default domain.

    1. On the QRadar Console that is sending, edit nva.conf:
      vi /store/configservices/staging/globalconfig/nva.conf
      Add and save the following line:
      IS_DOMAIN_FORWARDING=0
    2. Log in to QRadar as an administrator.
    3. Click the Admin tab > Deploy Changes.
    4. On the Managed Host that is sending events or flows, type the following command to restart the ecs-ec service:
      systemctl restart ecs-ec


      Issue
      Forwarding normalized flows that are associated to a domain on the sending side to another deployment fails and a BufferUnderflowException is generated in QRadar logging. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] com.q1labs.sem.nio.network.ReceiverServerWithChannelActivity 0.0.0.0:32005: [WARN] [NOT:0000004000][X.X.X.X/- -] [-/- -]Error: /127.0.0.1:41902 : RuntimeException : 0 records read, type: 68, expected buffer size after decompression: 0, expected record size: 195, java.nio.DirectByteBuffer[pos=182 lim=209 cap=13312000], Serializer: com.q1labs.core.types.networkevent.mapping.NetworkEventMappings$ECSMappingAll@1
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] java.lang.RuntimeException: 0 records read, type: 68, expected buffer size after decompression: 0, expected record size: 195, java.nio.DirectByteBuffer[pos=182 lim=209 cap=13312000], Serializer: com.q1labs.core.types.networkevent.mapping.NetworkEventMappings$ECSMappingAll@1
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.ProtocolProcessor.decode(ProtocolProcessor.java:281)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.ProtocolProcessor.decodeCompressedObjectsSync(ProtocolProcessor.java:302)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.Protocol.pollMessage(Protocol.java:1185)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.Protocol$2.readFromChannel(Protocol.java:126)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.Protocol.read(Protocol.java:396)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.ReceiverServerProtocol.readAll(ReceiverServerProtocol.java:85)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.ReceiverServer.read(ReceiverServer.java:229)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.sem.nio.network.ReceiverServerWithChannelActivity.run(ReceiverServerWithChannelActivity.java:140)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at java.lang.Thread.run(Thread.java:818)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] Caused by: java.nio.BufferUnderflowException
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at java.nio.DirectByteBuffer.get(DirectByteBuffer.java:271)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at java.nio.ByteBuffer.get(ByteBuffer.java:715)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.networkevent.CustomPropertyRecord.fromByteBufferForMPC(CustomPropertyRecord.java:164)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingUtils.readCustomPropertiesWithMPCAttributes(NetworkEventMappingUtils.java:435)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.flow.mapping.FlowRecordMappingECS.readCustomProperties(FlowRecordMappingECS.java:139)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.flow.mapping.FlowRecordMapping.getData(FlowRecordMapping.java:393)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.flow.mapping.FlowRecordMapping.get(FlowRecordMapping.java:226)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.flow.mapping.FlowRecordMappingECS.get(FlowRecordMappingECS.java:65)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.flow.mapping.FlowRecordMappingECSAll.get(FlowRecordMappingECSAll.java:30)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.networkevent.mapping.NetworkEventMappings$ECSMappingAll.getFlow(NetworkEventMappings.java:71)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingEx.get(NetworkEventMappingEx.java:86)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingEx.get(NetworkEventMappingEx.java:25)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.ProtocolProcessor.decode(ProtocolProcessor.java:272)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   ... 8 more
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] com.q1labs.sem.nio.network.ReceiverServerWithChannelActivity 0.0.0.0:32005: [WARN] [NOT:0000004000][X.X.X.X/- -] [-/- -]Error: /127.0.0.1:41930 : RuntimeException : 2 records read, type: 68, expected buffer size after decompression: 0, expected record size: 540, java.nio.DirectByteBuffer[pos=1130 lim=1411 cap=65536], Serializer: com.q1labs.core.types.networkevent.mapping.NetworkEventMappings$ECSMappingAll@1
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] java.lang.RuntimeException: 2 records read, type: 68, expected buffer size after decompression: 0, expected record size: 540, java.nio.DirectByteBuffer[pos=1130 lim=1411 cap=65536], Serializer: com.q1labs.core.types.networkevent.mapping.NetworkEventMappings$ECSMappingAll@1
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.ProtocolProcessor.decode(ProtocolProcessor.java:281)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.ProtocolProcessor.decodeCompressedObjectsSync(ProtocolProcessor.java:302)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.Protocol.pollMessage(Protocol.java:1185)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.Protocol$2.readFromChannel(Protocol.java:126)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.Protocol.read(Protocol.java:396)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.ReceiverServerProtocol.readAll(ReceiverServerProtocol.java:85)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.ReceiverServer.read(ReceiverServer.java:229)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.sem.nio.network.ReceiverServerWithChannelActivity.run(ReceiverServerWithChannelActivity.java:140)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at java.lang.Thread.run(Thread.java:818)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] Caused by: java.nio.BufferUnderflowException
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at java.nio.DirectByteBuffer.get(DirectByteBuffer.java:271)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at java.nio.ByteBuffer.get(ByteBuffer.java:715)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.networkevent.CustomPropertyRecord.fromByteBufferForMPC(CustomPropertyRecord.java:164)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingUtils.readCustomPropertiesWithMPCAttributes(NetworkEventMappingUtils.java:435)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.flow.mapping.FlowRecordMappingECS.readCustomProperties(FlowRecordMappingECS.java:139)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.flow.mapping.FlowRecordMapping.getData(FlowRecordMapping.java:393)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.flow.mapping.FlowRecordMapping.get(FlowRecordMapping.java:226)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.flow.mapping.FlowRecordMappingECS.get(FlowRecordMappingECS.java:65)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.flow.mapping.FlowRecordMappingECSAll.get(FlowRecordMappingECSAll.java:30)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.networkevent.mapping.NetworkEventMappings$ECSMappingAll.getFlow(NetworkEventMappings.java:71)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingEx.get(NetworkEventMappingEx.java:86)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingEx.get(NetworkEventMappingEx.java:25)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.ProtocolProcessor.decode(ProtocolProcessor.java:272)
      [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   ... 8 more
    31 July 2020
    RULE RESPONSE IJ28818 ARIEL DATA FILE CORRUPTION CAN OCCUR CAUSING "I/O ERROR" DURING SEARCHES WHEN EMAIL RESPONSE TO A SPECIFIC RULE IS CONFIGURED CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

    Workaround
    Where possible, do not use the email response option when using the rule "log source stopped sending events".

    Issue
    Ariel data corruption can occur when using the rule "log source stopped sending events" with a large number of Custom Event Properties (CEP) and/or log sources in a log source group with an email response configured.

    When this data corruption is experienced, ariel searches can generate an "I/O error" in the QRadar User Interface if these corrupted files are accessed.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    java.lang.IndexOutOfBoundsException
            at java.nio.Buffer.checkBounds(Buffer.java:578)
            at java.nio.ByteBuffer.get(ByteBuffer.java:686)
            at java.nio.DirectByteBuffer.get(DirectByteBuffer.java:285)
            at com.q1labs.core.types.BitMask.getBitMask(BitMask.java:107)
            at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.get(NormalizedEventMappingV2.java:61)
            at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.get(NormalizedEventMappingV2.java:31)
            at com.q1labs.ariel.FileReader.doRead(FileReader.java:192)
            at com.q1labs.ariel.FileReader.read(FileReader.java:184)
            at com.q1labs.ariel.RecordDumper.dumpRecords(RecordDumper.java:66)
            at com.q1labs.cve.utils.CommandLineClient.doDump(CommandLineClient.java:153)
            at com.q1labs.cve.utils.CommandLineClient.run(CommandLineClient.java:188)
            at com.q1labs.cve.utils.CommandLineClient.main(CommandLineClient.java:173)


    ------- or --------
    java.lang.IllegalStateException: Potential mapping error. Array size: -1792 Max is 32767
     at com.q1labs.frameworks.nio.MappingBase.getSizeShort(MappingBase.java:86)
     at com.q1labs.frameworks.nio.MappingBase.getSizeShort(MappingBase.java:80)
     at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingUtils.readCustomRuleResultMap(NetworkEventMappingUtils.java:238)
     at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.readCustomRules(NormalizedEventMappingV2.java:715)
     at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.get(NormalizedEventMappingV2.java:147)
     at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.get(NormalizedEventMappingV2.java:35)
     at com.q1labs.ariel.FileReader.doRead(FileReader.java:192)
     at com.q1labs.ariel.FileReader.read(FileReader.java:184)
     at com.q1labs.ariel.searches.service.ids.ArielFile$Crawler.nextRecord(ArielFile.java:31)
     at com.q1labs.ariel.searches.service.ids.ArielFile.next(ArielFile.java:206)
     at com.q1labs.ariel.searches.service.ids.FilteredSource.next(FilteredSource.java:39)
     at com.q1labs.ariel.searches.tasks.QueryWorker.execute(QueryWorker.java:53)
     at com.q1labs.ariel.searches.tasks.ServiceTaskBase.runTask(ServiceTaskBase.java:89)
     at com.q1labs.ariel.searches.tasks.ServiceTask.runTask(ServiceTask.java:69)
     at com.q1labs.ariel.searches.tasks.ServiceTaskBase$Runner.run(ServiceTaskBase.java:32)
     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
     at java.lang.Thread.run(Thread.java:818)


    -------or-------
    [ecs-ep.ecs-ep] Ariel Writer#events com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [NOT:0000003000][ IP_ADDRESS/- -] [-/- -]Exception was uncaught in thread: Ariel Writer#events
    [ecs-ep.ecs-ep] Ariel Writer#events java.lang.NullPointerException
    [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.networkevent.CustomPropertyRecord.toByteBuffer(CustomPropertyRecord.java:188)
    [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingUtils.writeCustomProperties(NetworkEventMappingUtils.java:326)
    [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.putCustomProperties(NormalizedEventMappingV2.java:701)
    [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.putEvent(NormalizedEventMappingV2.java:541)
    [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.event.mapping.NormalizedEventMappings$ExludeCachedResults.putData(NormalizedEventMappings.java:68)
    [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.put(NormalizedEventMappingV2.java:281)
    [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.put(NormalizedEventMappingV2.java:35)
    [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.io.NIOFileWriter.write(NIOFileWriter.java:110)
    [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.io.SimpleWriter.writeRecord(SimpleWriter.java:47)
    [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.io.BucketWriter.writeRecord(BucketWriter.java:62)
    [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.io.AbstractDatabaseWriter.put(AbstractDatabaseWriter.java:114)
    [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.DatabaseWriterAsync.processRecord(DatabaseWriterAsync.java:131)
    [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.ScatteringDatabaseWriter.access$401(ScatteringDatabaseWriter.java:30
    10 November 2020
    PROTOCOLS IJ29518 SMBTAILPROTOCOL LOG SOURCES CAN FUNCTION NORMALLY BUT DISPLAY IN 'ERROR' STATE WHEN A JNQEXCEPTION OCCURS OPEN Workaround
    No workaround available.

    APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums.

    Issue
    Log Sources using the SMBTail Protocol display in an error state when a jNQ exception is thrown, but the Log Source continues to function as expected. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ec-ingress.ecs-ec-ingress] [Folder Monitor [127.0.0.1][smb://127.0.0.1/dhcplog/]] com.q1labs.semsources.sources.smbtail.io.jnq.JNQException: Unable to create/open - j50.log status = -1073741757 (0xc0000043) (0xC0000043)
    [ecs-ec-ingress.ecs-ec-ingress] [Folder Monitor [127.0.0.1][smb://127.0.0.1/dhcplog/]] com.q1labs.semsources.sources.windowsdhcp.WindowsDHCPTailProvider: [ERROR] [NOT:0000003000][10.42.165.13/- -] [-/- -]TailingException: Unable to create/open - j50.log status = -1073741757 (0xc0000043) (0xC0000043)
    02 December 2020
    PROTOCOLS IJ29923 THE QRADAR MSRPC PROTOCOL CAN INCREASE CPU UTILIZATION ON MICROSOFT WINDOWS SERVERS OPEN Workaround
    A flash notice is available for administrators that describes how to downgrade the Microsoft Windows Security Event Log over MSRPC version. For more information, see: https://www.ibm.com/support/pages/node/6382106.

    Issue
    Administrators with the latest version of the MSRPC protocol from the 9 December 2020 weekly auto update can experience increased CPU utilization for the EventLog service under svchost.exe on their Windows Servers. Over time, this issue can lead to instability for the remote server. Administrators can downgrade their Microsoft Security Event Log over MSRPC protocol (PROTOCOL-WindowsEventRPC) version to avoid this reported issue.

    The following RPM versions are affected by this issue:
    • PROTOCOL-WindowsEventRPC-7.3-20201110190432.noarch.rpm
    • PROTOCOL-WindowsEventRPC-7.4-20201110190414.noarch.rpm
    14 December 2020
    UPGRADE IJ28593 QRADAR PATCHING PROCESS CAN BE SLOWER THAN EXPECTED WHEN MILLIONS OF RECORDS EXIST IN DATABASE TARGET TABLES OPEN Workaround
    Contact support for a possible workaround that might address this issue in some instances.

    Issue
    The QRadar patching process can run slower than expected in instances where there are millions of records in the database target tables.

    To identify why the patching process is experiencing issues, review the patches.log file for database clean up ID messages. If /var/log/setup-#####/patches.log displays Removing ID messages for target database tables at a rate of less than 50 lines per second, this can indicate that you need to contact support. For example:
    Removing id = XXXXX from public.target table.
    08 December 2020
    SECURITY BULLETIN CVE-2020-2590
    CVE-2020-2601
    CVE-2020-14621
    CVE-2020-14577
    CVE-2020-14578
    CVE-2020-14579
    CVE-2020-2781
    CVE-2020-2583
    MULTIPLE VULNERABILITIES IN IBM JAVA SDK AND IBM JAVA RUNTIME AFFECT IBM QRADAR SIEM CLOSED Resolved in
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Affected versions
    • IBM QRadar SIEM 7.3.0 to 7.3.0 Patch 5
    • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
    Issue
    • CVE-2020-2590: An unspecified vulnerability in Java SE related to the Java SE Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. CVSS Base score: 3.7
    • CVE-2020-2601: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. CVSS Base score: 6.8
    • CVE-2020-14621: An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. CVSS Base score: 5.3
    • CVE-2020-14577: An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. CVSS Base score: 3.7
    • CVE-2020-14578: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7
    • CVE-2020-14579: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7
    • CVE-2020-2781: An unspecified vulnerability in Java SE related to the Java SE JSSE component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 5.3
    • CVE-2020-2583: An unspecified vulnerability in Java SE related to the Java SE Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7
    15 December 2020
    SECURITY BULLETIN CVE-2019-12400 APACHE SANTUARIO AS USED IN IBM QRADAR SIEM IS VULNERABLE TO IMPROPER INPUT VALIDATION CLOSED Resolved in
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Affected versions
    • IBM QRadar SIEM 7.3.0 to 7.3.0 Patch 5
    • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
    Issue
    Apache Santuario XML Security for Java could allow a remote attacker to bypass security restrictions, caused by the loading of XML parsing code from an untrusted source. An attacker could exploit this vulnerability to launch further attacks on the system when validating signed documents. CVSS Base score: 5.3
    15 December 2020
    SECURITY BULLETIN CVE-2020-13692 POSTGRESQL JDBC DRIVER AS USED IN IBM QRADAR SIEM IS VULNERABLE TO INFORMATION DISCLOSURE CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Affected versions
    • IBM QRadar SIEM 7.3.0 to 7.3.0 Patch 5
    • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
    Issue
    PostgreSQL JDBC Driver could allow a remote authenticated attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data. By sending specially crafted XML data, a remote attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 6.5
    15 December 2020
    SECURITY BULLETIN CVE-2014-3607 LDAPTIVE AS USED IN IBM QRADAR SIEM IS VULNERABLE TO SPOOFING CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Affected versions
    • IBM QRadar SIEM 7.3.0 to 7.3.0 Patch 5
    • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
    Issue
    Ldaptive could allow a remote attacker to conduct a spoofing attack in DefaultHostnameVerifier, caused by the failure to properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to spoof an SSL server. CVSS Base score: 5.3
    15 December 2020
    LOG SOURCE MANAGEMENT APP IJ29323 EXPORTING LOG SOURCES TO CSV THAT USE AN XPATH WITH LINE BREAKS CAUSES EXTRA LINES TO BE GENERATED WITHIN THE EXPORTED CSV FILE OPEN Workaround
    When exporting Log Sources from the Log Source Management (LSM) app, users can remove the line breaks when entering the data into the LSM app or edit the CSV file to remove them after it is generated by the export.

    Issue
    When exporting Log Sources from the Log Source Management app, if there are Windows Log Sources whose XPath query contains line breaks, those line breaks are written into the exported CSV file as extra lines, which causes the file to display incorrectly.
    19 November 2020
    User Behavior Analytics (UBA) App IJ29455 USER BEHAVIOR ANALYTICS (UBA) APP VERSIONS PRIOR TO VERSION 3.8 FAIL TO START AFTER AN UPGRADE TO QRADAR 7.4.2 GA CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)

    Workaround
    Administrators can upgrade their UBA app to version 3.8 or later after they complete their QRadar 7.4.2 upgrade.

    Issue
    The User Behavior Analytics for QRadar App (UBA) versions prior to 3.8 fail to load or start after an upgrade to QRadar version 7.4.2 GA.
    12 April 2021
    AUTO UPDATE IJ29298 AUTOUPDATE ERROR IN THE QRADAR USER INTERFACE AFTER CHANGING TO THE NEW CLOUD BASED ADDRESS OPEN Workaround
    The error described is benign and does not cause any problems with the autoupdate download or expected functionality.

    Issue
    After changing the Autoupdate server to the new Cloud based address, the user interface can display a benign error message as described in this technical note.

    Error message:
    Autoupdate settings are updated. However, the system cannot connect to the specified web server address, directory. This will cause updates to fail. Verify that web server address, directory, credentials and the proxy settings are configured correctly and the web server is running properly.
    16 November 2020
    ASSETS IJ26166 VULN COUNT IN ASSET LIST VIEW CAN FAIL TO MATCH VULN COUNT IN ASSET DETAILS OR QVM MANAGE VULNS BY ASSET VIEW CLOSED Resolved in
    QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
    QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

    Workaround
    No workaround available.

    APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums.

    Issue
    The vulnerability count in the Asset list view can fail to match the vulnerability count in asset details or in the QVM manage vulnerabilities by asset view. The same mismatch can also be observed when using the API endpoint /qvm/vuln. The mismatch occurs when vulnerabilities are no longer present on a second scan because they were fixed or a service was disabled. The mismatch can also occur if vulnerability exceptions are configured.
    12 July 2021
    SCAN RESULTS IJ29292 WHEN THE QVM PROCESSOR IS NOT RUNNING ON THE CONSOLE, SCAN START AND STOP EMAILS CONTAIN INCORRECT DATA IN SUBJECT AND BODY OPEN Workaround
    No workaround available.

    APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums.

    Issue
    When the QVM processor is not running on the console, scan start and scan stop emails contain: '$body.scanProfile.name' instead of the name of the scan profile.
    24 November 2020
    USER INTERFACE IJ28347 THE TOMCAT SERVICE CAN HANG ON STARTUP WHEN CUSTOM AQL PROPERTIES EXIST CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

    Issue
    In some instances the QRadar Tomcat service (required for the User Interface) can hang during service startup due to the occurrence of deadlocks when there are custom AQL properties configured in QRadar.
    26 November 2020
    SYSTEM NOTIFICATIONS IJ26223 QRADAR DEPLOY OVERWRITES INDIVIDUALLY CONFIGURED SAR SENTINEL NOTIFICATION TUNING FOR EACH MANAGED HOST WITH CONSOLE'S CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

    Issue
    The QRadar Deploy function overwrites the SAR Sentinel notification configuration tunings for each Managed Host in the deployment with that of the Console. This can cause erroneous SAR Sentinel "system load" notification messages to be generated for some QRadar Managed Hosts.
    26 November 2020
    DSM EDITOR IJ26131 'FAILED TO LOAD DATA' ERROR DISPLAYED IN THE QRADAR DSM EDITOR WINDOW CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Administrators can install a software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

    Issue
    A 'failed to load data' message can be displayed in the QRadar DSM Editor while performing Event mapping.

    Example steps that can generate this error:
    1. Open the Event mapping tab in DSM Editor for the log source type Windows Security Event Log.
    2. Filter for event with ID=1 & category="Microsoft-Windows-Sysmon/Operational".
    3. Override that event with any other event (does not matter which one), and save the changes.
    4. Reload DSM editor and the following error is displayed, "failed to load data".
    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] com.q1labs.frameworks.session.SessionContext: [ERROR] 1 leak(s) detected in session context: xxxx-xxxx-xxxx-xxxx-xxxx
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] com.q1labs.frameworks.session.SessionContext: [ERROR] java.sql.PreparedStatement leak detected. Object created in following code path
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] java.lang.Exception
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] at com.q1labs.frameworks.session.BaseWrapper.<init>(BaseWrapper.java)
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] at com.q1labs.frameworks.session.PreparedStatementWrapper.<init>(PreparedStatementWrapper.java:35)
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] at com.q1labs.frameworks.session.ConnectionWrapper.prepareStatement(ConnectionWrapper.java:262)
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] at com.ibm.si.data_ingestion.api.impl.application.ApplicationAPIImpl.getMappings(ApplicationAPIImpl.java:262)
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] at com.ibm.si.data_ingestion.api.v7_0.application.ApplicationAPI.getEventMappings(ApplicationAPI.java:175)
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] org.postgresql.util.PSQLException: The column name lc_name was not found in this ResultSet.
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] at org.postgresql.jdbc.PgResultSet.findColumn(PgResultSet.java)
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] at org.postgresql.jdbc.PgResultSet.getString(PgResultSet.java:2467)
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] at com.mchange.v2.c3p0.impl.NewProxyResultSet.getString(NewProxyResultSet.java:3342)
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] at org.apache.openjpa.lib.jdbc.DelegatingResultSet.getString(DelegatingResultSet.java:187)
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] at com.ibm.si.data_ingestion.api.impl.application.ApplicationAPIImpl.getMappings(ApplicationAPIImpl.java:284)
    26 November 2020
    QRADAR NETWORK INSIGHTS IJ26096 WHEN RUNNING QNI IN ADVANCED MODE MESSAGES '...[ERRNO 24] TOO MANY OPEN FILES' ARE WRITTEN TO QRADAR LOGGING CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

    Issue
    When running QRadar Network Insights in Advanced Mode, repeated messages similar to the following can sometimes be observed being written to /var/log/qradar.log:
    TikaServer (6690) - ERROR - Error starting subprocess: [Errno
    24] Too many open files
    TikaServer (6690) - ERROR - Error starting subprocess: [Errno
    24] Too many open files
    26 November 2020
    SEARCH IJ26095 QUICK SEARCH 'TOP IDS/IPS ALERT BY COUNTRY/REGION' GROUPS BY THE NON-EXISTENT COLUMN 'GEOGRAPHIC COUNTRY/REGION' CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

    Issue
    The quick search 'Top IDS/IPS Alert by Country/Region' groups by a non-existent column 'Geographic Country/Region'.

    For example:
    1. Navigate to the Log Activity tab and select Quick Searches.
    2. Load the search "Top IDS/IPS Alert by Country/Region".
      Note that it is grouping by the column "Geographic Country/Region".
    3. Go to Edit Search. Notice that the Group by column is empty.
    4. Search for the column under the "Available Columns".

      Results
      Expected: Column "Geographic Country/Region" is displayed.
      Actual Result: Column "Geographic Country/Region" is not displayed, instead the columns "Source Geographic Country/Region" and "Destination Geographic Country/Region" are displayed.
    26 November 2020
    QRADAR VULNERABILITY MANAGER IJ26089 QVM SCHEDULED SCANS CAN FAIL TO DISPLAY WHEN THERE ARE A LARGE NUMBER OF SCAN PROFILE CRON SCHEDULES CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    No workaround available. Administrators must upgrade to resolve this software issue.

    Issue
    QRadar Vulnerability Manager scheduled scan entries can fail to display in the User Interface calendar view when there are a large number (hundreds) of scan profile cron schedules. When this issue occurs, clicking in the scheduled scans view can generate an error in the QRadar Console's /var/log/qradar.error log if the qvmprocessor is deployed on a separate QRadar managed host. Note: This issue is less likely to occur on systems with only a small number of scan profiles. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]
    com.q1labs.core.ui.servlet.RemoteJavaScript: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]An exception occurred
    while executing the remote method 'getCronScanProfiles'
    {hostname} tomcat[13976]: org.apache.cxf.interceptor.Fault:
    Could not receive Message.
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles] javax.xml.ws.WebServiceException:
    Could not receive Message.
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at
    org.apache.cxf.jaxws.JaxWsClientProxy.mapException(JaxWsClientPr
    oxy.java:183)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at
    org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.ja
    va:145)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at
    org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.j
    ava:56)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at
    org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at
    org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSende
    rEndingInterceptor.handleMessage(MessageSenderInterceptor.java)
    {hostname} tomcat[13976]: at
    org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:355)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at
    org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInte
    rceptorChain.java:308)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at
    org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:531)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at
    org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at
    org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:355)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at
    org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:313)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at
    org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at
    org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.ja
    va:140)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    ... 67 more
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles] Caused by:
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles] java.net.SocketTimeoutException: Read
    timed out
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at
    java.net.SocketInputStream.socketRead0(Native Method)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at
    java.net.SocketInputStream.socketRead(SocketInputStream.java)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at
    java.net.SocketInputStream.read(SocketInputStream.java:182)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at
    java.net.SocketInputStream.read(SocketInputStream.java:152)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at com.ibm.jsse2.b.a(b.java:297)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at com.ibm.jsse2.b.a(b.java:290)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at com.ibm.jsse2.av.a(av.java:840)
    {hostname} tomcat[13976]: at
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExec
    utor.java:1160)
    {hostname} tomcat[13976]: at
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExe
    cutor.java:635)
    {hostname} tomcat[13976]: at
    org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(T
    askThread.java:61)
    {hostname} tomcat[13976]: at
    java.lang.Thread.run(Thread.java:818)
    {hostname} tomcat[13976]: Caused by:
    {hostname} tomcat[13976]: java.net.SocketTimeoutException:
    SocketTimeoutException invoking
    https://XXXXXXXXXX:9999/scanProfileService: Read timed out
    {hostname} tomcat[13976]: at
    sun.reflect.GeneratedConstructorAccessor697.newInstance(Unknown
    Source)
    {hostname} tomcat[13976]: at
    sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Delega
    tingConstructorAccessorImpl.java:57)
    {hostname} tomcat[13976]: at
    java.lang.reflect.Constructor.newInstance(Constructor.java:437)
    {hostname} tomcat[13976]: at
    org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.ma
    pException(HTTPConduit.java:1402)
    {hostname} tomcat[13976]: at
    org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.cl
    ose(HTTPConduit.java:1386)
    {hostname} tomcat[13976]: at
    org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.j
    ava:56)
    {hostname} tomcat[13976]: at
    org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java)
    {hostname} tomcat[13976]: at
    org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSende
    rEndingInterceptor.handleMessage(MessageSenderInterceptor.java)
    {hostname} tomcat[13976]: ... 74 more
    {hostname} tomcat[13976]: Caused by:
    {hostname} tomcat[13976]: java.net.SocketTimeoutException: Read
    timed out
    {hostname} tomcat[13976]: at
    java.net.SocketInputStream.socketRead0(Native Method)
    {hostname} tomcat[13976]: at
    java.net.SocketInputStream.socketRead(SocketInputStream.java:127)
    {hostname} tomcat[13976]: at
    java.net.SocketInputStream.read(SocketInputStream.java:182)
    26 November 2020
    OFFENSES IJ25448 'APPLICATION ERROR' WHEN ATTEMPTING TO CLOSE AN OFFENSE ACCESSED FROM AN EMAIL LINK CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Workaround
    Navigate manually to the Offense using the QRadar user interface "Offenses" tab.

    Issue
    When attempting to close an Offense from within an email link, an "Application Error" is generated in the QRadar User Interface.

    The Offense opens as expected from within the email link, but the "Application Error" occurs when attempting to close it. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]
    com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR]
    [NOT:0000003000][127.0.0.1 /- -] [-/- -]An exception occurred
    while processing the request:
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]
    com.ibm.si.content_management.utils.ApplicationErrorStateException
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    com.q1labs.sem.ui.action.MaintainProperties.findNextForward(Main
    tainProperties.java:230)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    com.q1labs.sem.ui.action.MaintainProperties.updatePropertiesSecu
    re(MaintainProperties.java:80)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    com.q1labs.sem.ui.action.MaintainProperties.updateProperties(Mai
    ntainProperties.java:213)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessor
    Impl.java:90)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
    AccessorImpl.java:55)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    java.lang.reflect.Method.invoke(Method.java:508)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.struts.actions.DispatchAction.dispatchMethod(Dispatch
    Action.java:280)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.struts.actions.DispatchAction.execute(DispatchAction.
    java:216)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.actions.DispatchAction.execute(DispatchA
    ction.java:64)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.struts.action.RequestProcessor.processActionPerform(R
    equestProcessor.java:484)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.action.RequestProcessor.processActionPer
    form(RequestProcessor.java:101)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.struts.action.RequestProcessor.process(RequestProcess
    or.java:275)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.struts.action.ActionServlet.process(ActionServlet.jav
    a:1482)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.action.ActionServlet.process(ActionServl
    et.java:122)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.struts.action.ActionServlet.doPost(ActionServlet.java)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    javax.servlet.http.HttpServlet.service(HttpServlet.java:661)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:231)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.ja
    va:52)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.servlet.AddUserHeaderFilter.doFilter(Add
    UserHeaderFilter.java:86)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.servlet.ThreadNameFilter.doFilter(Thread
    NameFilter.java:53)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    com.q1labs.core.ui.filters.StrutsParamFilter.doFilter(StrutsPara
    mFilter.java:41)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.postauthredirect.PostLoginRedirectFilter
    .doFilter(PostLoginRedirectFilter.java:70)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.auth.AuthenticationVerificationFilter.do
    Filter(AuthenticationVerificationFilter.java:304)
    15 September 2020
    ASSETS IJ25823 NO ASSETS FOUND WHEN USING SCAN RESULTS -> OPEN SERVICES -> ASSETS CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Perform an asset search on the Asset tab using the "Assets With Open Service" search parameter.

    Issue
    An asset can fail to be found when using Scan Results -> Open Services -> Assets on the Vulnerabilities tab. This occurs when the asset has the service, but has no vulnerabilities.
    26 November 2020
    SEARCH IJ25805 NULLPOINTEREXCEPTION CAN CAUSE ACCUMULATED VALUE TIMESERIES DATA DISCREPANCIES WHEN MANAGED HOSTS ARE ENCRYPTED CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Where possible, disable encryption for Managed Hosts. Note that this removes the encrypted tunnel between the Console and those hosts, so weigh the exposure of that traffic against the impact of the accumulated-value discrepancy.

    Issue
    When encryption is enabled for Managed Hosts and a NullPointerException occurs in the accumulator, the accumulated value reported by some ADE rules can differ from the accumulated value shown in the time series graph.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [accumulator.accumulator] [SE client /127.0.0.1:59638]
    com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [
    NOT:0000003000][127.0.0.1/- -] [-/- -]Exception was uncaught in
    thread: SE client /127.0.0.1:59638
    [accumulator.accumulator] [SE client /127.0.0.1:59638]
    java.lang.NullPointerException
    [accumulator.accumulator] [SE client /127.0.0.1:59638]    at
    com.q1labs.frameworks.nio.network.protocol.Protocol.pollMessage(
    Protocol.java:1227)
    [accumulator.accumulator] [SE client /127.0.0.1:59638]    at
    com.q1labs.frameworks.nio.network.Communicator.read(Communicator
    .java:108)
    [accumulator.accumulator] [SE client /127.0.0.1:59638]    at
    com.q1labs.cve.sentryengine.SentryEngineCommunicator.run(SentryE
    ngineCommunicator.java:50)
    [accumulator.accumulator] [SE client /127.0.0.1:59638]    at
    java.lang.Thread.run(Thread.java:812)
    And
    [accumulator.accumulator] [SE client /127.0.0.1:33012]
    com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception was uncaught
    in thread: SE client /127.0.0.1:33012
    [accumulator.accumulator] [SE client /127.0.0.1:33012]
    java.lang.NullPointerException
    [accumulator.accumulator] [SE client /127.0.0.1:33012]    at
    com.q1labs.frameworks.nio.network.protocol.Protocol.pollMessage(
    Protocol.java:1227)
    [accumulator.accumulator] [SE client /127.0.0.1:33012]    at
    com.q1labs.frameworks.nio.network.protocol.Protocol.readFromSock
    et(Protocol.java:413)
    [accumulator.accumulator] [SE client /127.0.0.1:33012]    at
    com.q1labs.frameworks.nio.network.Communicator.selectAndRead(Com
    municator.java:134)
    [accumulator.accumulator] [SE client /127.0.0.1:33012]    at
    com.q1labs.frameworks.nio.network.Communicator.read(Communicator
    .java:110)
    [accumulator.accumulator] [SE client /127.0.0.1:33012]    at
    com.q1labs.cve.sentryengine.SentryEngineCommunicator.run(SentryE
    ngineCommunicator.java:50)
    [accumulator.accumulator] [SE client /127.0.0.1:33012]    at
    java.lang.Thread.run(Thread.java:812)
    And
    [accumulator.accumulator] [SE client /127.0.0.1:53604]
    com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception was uncaught
    in thread: SE client /127.0.0.1:53604
    [accumulator.accumulator] [SE client /127.0.0.1:53604]
    java.lang.NullPointerException
    [accumulator.accumulator] [SE client /127.0.0.1:53604]    at
    com.q1labs.frameworks.nio.network.protocol.Protocol.disposeBuffe
    r(Protocol.java:1121)
    [accumulator.accumulator] [SE client /127.0.0.1:53604]    at
    com.q1labs.frameworks.nio.network.protocol.Protocol.decodeObject
    Internal(Protocol.java:291)
    [accumulator.accumulator] [SE client /127.0.0.1:53604]    at
    com.q1labs.frameworks.nio.network.protocol.Protocol.processProto
    colMessage(Protocol.java:1074)
    [accumulator.accumulator] [SE client /127.0.0.1:53604]    at
    com.q1labs.frameworks.nio.network.protocol.Protocol.pollMessage(
    Protocol.java:1198)
    [accumulator.accumulator] [SE client /127.0.0.1:53604]    at
    com.q1labs.frameworks.nio.network.protocol.Protocol.readFromSock
    et(Protocol.java:413)
    [accumulator.accumulator] [SE client /127.0.0.1:53604]    at
    com.q1labs.frameworks.nio.network.Communicator.selectAndRead(Com
    municator.java:134)
    [accumulator.accumulator] [SE client /127.0.0.1:53604]    at
    com.q1labs.frameworks.nio.network.Communicator.read(Communicator
    .java:110)
    [accumulator.accumulator] [SE client /127.0.0.1:53604]    at
    com.q1labs.cve.sentryengine.SentryEngineCommunicator.run(SentryE
    ngineCommunicator.java:50)
    [accumulator.accumulator] [SE client /127.0.0.1:53604]    at
    java.lang.Thread.run(Thread.java:812)
    26 November 2020
    OFFENSES IJ25800 OFFENSES CAN BE CLOSED WITH NO APPROPRIATE REASON FOR CLOSE BEING SELECTED CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Select a valid reason from the drop-down list before clicking OK.

    Issue
    The Offense Closed Reason can be blank for an offense when a previously used Reason for Close has been removed from the list and a QRadar user clicks OK without making another selection from the drop-down list.

    When this occurs, the closing reason for the affected offense displays as NULL in Offense reports.
    26 November 2020
    WINCOLLECT IJ24355 WINCOLLECT 7.2.9 PATCH 3 INSTALLATION CAN FAIL UNEXPECTEDLY DUE TO THE MINIMUM UPGRADE VERSION CHECK CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Temporarily rename the .minimum_upgrade_version hidden file that is causing the problem and rerun the WinCollect Installer. After the installation completes, rename the .minimum_upgrade_version hidden file back to the original filename.
    1. SSH to the QRadar Console.
    2. Type the following command:
      mv /etc/qradar/.minimum_upgrade_version
      /etc/qradar/.minimum_upgrade_version_old
    3. Run the WinCollect Installer.
    4. After the installation is complete, run the following command:
      mv /etc/qradar/.minimum_upgrade_version_old
      /etc/qradar/.minimum_upgrade_version

    Issue
    When attempting to install the SFS for WinCollect 7.2.9 Patch 3 on QRadar 7.3.2, an error similar to the following might be observed during the installation: "You are attempting to upgrade to 2019.14.0. The installed version only supports upgrades to 7.3.3.20191203144110".
    26 November 2020
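The four-step workaround above leaves the Console without its minimum-version guard if the WinCollect installer fails or is interrupted between steps 2 and 4. The following shell wrapper is an added example, not IBM's code or part of the original page: it performs the same rename, runs whatever installer command you give it, and restores .minimum_upgrade_version on every exit path. The /etc/qradar path and file name are the ones the workaround names; the installer path in the comment and the demonstration's file content are assumptions.

```sh
#!/bin/sh
# Added example, not IBM code: the IJ24355 workaround (move
# .minimum_upgrade_version aside, run the WinCollect installer, move it
# back) with the restore step made unconditional. The hidden file is the
# Console's guard against installing software it does not support, so it
# must come back even when the installer fails or is interrupted.

# with_version_check_bypassed ETC_DIR COMMAND [ARGS...]
#   Renames ETC_DIR/.minimum_upgrade_version to *_old, runs COMMAND, and
#   restores the file on every exit path (normal return, failure, SIGINT,
#   SIGTERM). Returns COMMAND's exit status, or 2 if the guard file is
#   absent (nothing to bypass, so nothing is run).
with_version_check_bypassed() {
    guard="$1/.minimum_upgrade_version"
    shift
    [ -f "$guard" ] || { echo "$guard not found; refusing to run $1" >&2; return 2; }
    mv "$guard" "${guard}_old" || return 2
    (
        # The subshell keeps the trap local to this invocation. restore()
        # is idempotent, so INT followed by EXIT running it twice is harmless.
        restore() { if [ -e "${guard}_old" ]; then mv "${guard}_old" "$guard"; fi; }
        trap restore EXIT INT TERM
        "$@"
        rc=$?
        restore
        exit $rc
    )
}

# On a Console the call would be (installer path is an assumption):
#   with_version_check_bypassed /etc/qradar /media/updates/wincollect-installer.sh
# The demonstration below uses a temporary directory and a stand-in
# "installer" that only checks whether the guard was out of the way.
demo() {
    t=$(mktemp -d)
    echo '7.3.3.20191203144110' > "$t/.minimum_upgrade_version"   # constructed content
    with_version_check_bypassed "$t" sh -c '
        if [ -e "$1" ]; then echo "guard still present"; exit 1; fi
        echo "installer ran with guard bypassed"; exit 3' sh "$t/.minimum_upgrade_version"
    echo "installer exit status: $?"
    [ -f "$t/.minimum_upgrade_version" ] && echo "guard restored"
    rm -rf "$t"
}
demo
```

Because the installer runs inside a subshell with its own EXIT trap, the restore happens even when the installer aborts, and the wrapper's exit status is the installer's, so it can be chained with `&&` in a larger maintenance script.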
    QRADAR VULNERABILITY MANAGER IJ22896 'FOUND BY SCAN PROFILE' SEARCH RETURNS NO RESULTS WHEN SCAN PROFILE NAME STARTS OR ENDS WITH SPACE (BLANK) CHARACTERS CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    None for existing scan profiles. Do not add leading or trailing spaces when creating a scan profile.

    Issue
    A "Found By Scan Profile" search returns no results when the name of the scan profile starts or ends with space (blank) characters.
    26 November 2020
    UPGRADE IJ26199 LACK OF ADEQUATE FREE SPACE ON /BOOT PARTITION CAN CAUSE QRADAR PATCH FAILURE DURING RPM INSTALL CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

    Issue
    Older QRadar appliance configurations allowed for smaller /boot partitions. As a result, there can be too little free space in the /boot partition when QRadar is upgraded, and the upgrade fails during rpm package installation.

    This shortage of free space in /boot is not currently detected by the pretests that QRadar runs in Test Mode before an upgrade. Messages similar to the following might be visible in the patches.log file for the QRadar version being installed (/var/log/setup-7.x.x.xxxxxx):
    [6/9] Install & Upgrade Packages
    Transaction check error:
      installing package kernel-3.XXXXXXXXXX.el7.x86_64 needs 812KB
    on the /boot filesystem
    Error Summary
    -------------
    Disk Requirements:
    At least 1MB more space needed on the /boot filesystem.
    Please Check patches.log
    [INFO](patchmode) error was during install and we can't rollback
    [WARN](patchmode) =============================================
    [WARN](patchmode) [6/9] Install & Upgrade Packages  PROBLEMS!
    Can we roll back?? [6/9] Install & Upgrade Packages ? no
    [WARN](patchmode)
    26 November 2020
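Since the Test Mode pretests do not catch this condition, the check has to be done by hand before the patch is started. The script below is an added example, not IBM's code or part of the original page: it parses POSIX `df -Pk` output, reports the space available on a separate /boot filesystem, and returns a status that can gate the patch run. The 812 KB and 1 MB figures are the ones in the log excerpt above; the 100 MB (102400 KB) threshold and the sample df output are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example, not IBM code: a pre-upgrade check for free space on /boot,
# the condition that IJ26199 says the Test Mode pretests do not catch.
# The 812 KB / 1 MB figures come from the log excerpt above; the 100 MB
# threshold in the demonstration is an assumption, not an IBM-documented value.

# boot_free_kb DF_OUTPUT
#   Reads `df -Pk` output (POSIX format, one line per filesystem) and prints
#   the Available column, in KB, for the filesystem mounted on /boot.
#   Prints nothing when no separate /boot filesystem is listed.
boot_free_kb() {
    printf '%s\n' "$1" | awk '$6 == "/boot" { print $4 }'
}

# check_boot_space DF_OUTPUT REQUIRED_KB
#   Exit 0 when /boot has at least REQUIRED_KB available, 1 when it does not,
#   2 when there is no separate /boot filesystem (then /boot shares / and
#   this check does not apply).
check_boot_space() {
    avail=$(boot_free_kb "$1")
    [ -n "$avail" ] || return 2
    [ "$avail" -ge "$2" ]
}

# Constructed `df -Pk` output modelled on an older appliance with a small
# /boot partition; every number here is invented for the example.
SAMPLE_DF='Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/sda3         52403200 19876544  32526656      38% /
/dev/sda1           201388   170420     30968      85% /boot
/dev/sda4        419430400 90123456 329306944      22% /store'

# precheck DF_OUTPUT REQUIRED_KB
#   Prints a one-line verdict and returns the check_boot_space status, so it
#   can gate a patch run: precheck "$(df -Pk)" 102400 && ./patch-installer
precheck() {
    check_boot_space "$1" "$2"
    rc=$?
    case $rc in
        0) echo "OK: /boot has $(boot_free_kb "$1") KB available (need $2 KB)" ;;
        1) echo "FAIL: /boot has $(boot_free_kb "$1") KB available, need $2 KB;"
           echo "      remove old kernel packages from /boot before patching" ;;
        *) echo "SKIP: no separate /boot filesystem in df output" ;;
    esac
    return $rc
}

# Demonstration on the constructed sample. On a Console you would pass the
# live output instead: precheck "$(df -Pk)" 102400
precheck "$SAMPLE_DF" 102400 || echo "precheck exit status: $?"
```

The `-P` flag matters: without it, long device names make df wrap a filesystem onto two lines and the field positions the awk script relies on shift.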
    APPLICATION FRAMEWORK IJ23719 SI-QRADARCA CAN RETURN SUCCESSFUL STATUS EVEN WHEN A CERT IS FAILING WITH CERTIFICATE SIGNING FAILED CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

    Issue
    Running si-qradarca (/opt/qradar/ca/bin/si-qradarca) can return:
    "Successfully setup server certificate for service"

    Which conflicts with errors displayed in /var/log/localca.log:
    time="2020-01-23T15:25:16Z" level=error msg="Validating CSR
    /etc/docker/tls/si-docker.csr failed for host X.X.X.X with
    error Certificate signing failed for
    /opt/qradar/ca/certs/from-X.X.X.X/si-docker.csr as no hostname
    is found in deployment for ip address X.X.X.X"
    26 November 2020
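Until a fixed version is installed, the script's success message cannot be taken at face value, and the log has to be checked instead. The following shell snippet is an added example, not IBM's code or part of the original page: it filters /var/log/localca.log for `level=error` entries stamped since the script was started, using the `time="..." level=... msg="..."` line format shown in the excerpt above. The script and log paths are those named in the APAR text; the sample log lines and the 192.0.2.12 address (a documentation-range placeholder) are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not IBM code: do not trust si-qradarca's "Successfully setup
# server certificate" message (IJ23719); check /var/log/localca.log for
# level=error entries written since the script started. The log format is
# the key=value form in the excerpt above (time="..." level=... msg="...").

# localca_errors_since LOGFILE SINCE
#   Prints every level=error entry in LOGFILE whose time= stamp is at or
#   after SINCE. Both are RFC 3339 UTC strings (2020-01-23T15:25:16Z), so a
#   plain string comparison orders them correctly. Returns 1 when at least
#   one such entry exists, 0 when none does.
localca_errors_since() {
    awk -v since="$2" '
        /level=error/ && match($0, /time="[^"]+"/) {
            ts = substr($0, RSTART + 6, RLENGTH - 7)   # strip time=" and "
            if (ts >= since) { print; found = 1 }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# run_si_qradarca_checked [SI-QRADARCA ARGS...]
#   Records the start time, runs the CA script, then reports failure if the
#   log disagrees with the script's own status message. Paths are the ones
#   named in the APAR text.
run_si_qradarca_checked() {
    since=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    /opt/qradar/ca/bin/si-qradarca "$@"
    script_rc=$?
    if ! localca_errors_since /var/log/localca.log "$since"; then
        echo "si-qradarca exited $script_rc but localca.log has errors since $since" >&2
        return 1
    fi
    return $script_rc
}

# Constructed localca.log content for the demonstration: the error line is
# modelled on the excerpt above; the info lines and the 192.0.2.12 address
# (a documentation-range placeholder) are invented.
SAMPLE_LOCALCA='time="2020-01-23T15:20:01Z" level=info msg="Received CSR /etc/docker/tls/si-docker.csr from host 192.0.2.12"
time="2020-01-23T15:25:16Z" level=error msg="Validating CSR /etc/docker/tls/si-docker.csr failed for host 192.0.2.12 with error Certificate signing failed for /opt/qradar/ca/certs/from-192.0.2.12/si-docker.csr as no hostname is found in deployment for ip address 192.0.2.12"
time="2020-01-23T15:25:17Z" level=info msg="Finished processing CSR for host 192.0.2.12"'

demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOCALCA" > "$tmp"
    if localca_errors_since "$tmp" "2020-01-23T15:25:00Z"; then
        echo "localca.log clean"
    else
        echo "localca.log has errors despite the success message"
    fi
    rm -f "$tmp"
}
demo
```

The timestamp is taken with `date -u` because the log stamps are in UTC; comparing a local-time string against them would hide or invent errors around the offset boundary.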
    VULNERABILITY SCANNER IJ23838 CREATING A TENABLE SECURITY CENTER SCAN CAN SOMETIMES FAIL WITH 'FAILED TO LOGIN TO TENABLE SECURITY SCANNER' IN QRADAR LOGGING CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    No workaround available. Administrators must upgrade to resolve this software issue.

    Issue
    Creating a Tenable Security Center scan using correct credentials can sometimes fail. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [vis] [Scanner Manager]
    com.q1labs.vis.scanners.tenable.securitycenter.SecurityCenterRES
    TClient: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/-
    -]IOException caught while executing API call; Error message
    [java.security.NoSuchAlgorithmException: Error constructing
    implementation (algorithm: Default, provider: IBMJSSE2, class:
    com.ibm.jsse2.aj)]
    [vis] [Scanner Manager] com.q1labs.vis.ScannerManager: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]Could not initialize
    scanner 'TenableSecurityCenter - Regression': Failed to
    initialize Tenable Security Center module; Error message
    [Failed to login to Tenable Security Center;]
    [vis] [Scanner Manager]
    com.q1labs.vis.exceptions.ScannerInitException: Failed to
    initialize Tenable Security Center module; Error message
    [Failed to login to Tenable Security Center;]
    [vis] [Scanner Manager]    at
    com.q1labs.vis.scanners.tenable.securitycenter.SecurityCenterMod
    ule.init(SecurityCenterModule.java:104)
    [vis] [Scanner Manager]    at
    com.q1labs.vis.scanners.base.ScannerModule.init(ScannerModule.ja
    va:310)
    [vis] [Scanner Manager]    at
    com.q1labs.vis.ScannerManager.initializeScanner(ScannerManager.j
    ava:482)
    [vis] [Scanner Manager]    at
    com.q1labs.vis.ScannerManager.submitFailedStatusIfInitError(Scan
    nerManager.java:298)
    [vis] [Scanner Manager]    at
    com.q1labs.vis.ScannerManager.processScanRequest(ScannerManager.
    java:243)
    [vis] [Scanner Manager]    at
    com.q1labs.vis.ScannerManager.processScanRequest(ScannerManager.
    java:208)
    [vis] [Scanner Manager]    at
    com.q1labs.vis.messages.VisRequestMessageEnum$1.process(VisReque
    stMessageEnum.java:42)
    [vis] [Scanner Manager]    at
    com.q1labs.vis.ScannerManager.run(ScannerManager.java:155)
    [vis] [Scanner Manager]    at
    java.lang.Thread.run(Thread.java:818)
    [vis] [Scanner Manager] Caused by:
    [vis] [Scanner Manager]
    com.q1labs.vis.exceptions.ScannerInitException: Failed to login
    to Tenable Security Center;
    [vis] [Scanner Manager]    at
    com.q1labs.vis.scanners.tenable.securitycenter.SecurityCenterMod
    ule.init(SecurityCenterModule.java:99)
    [vis] [Scanner Manager]    ... 8 more
    [vis] [Scanner Manager] com.q1labs.vis.ScannerManager: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Unable to initialize scanner module 61 for scan request 11.
    [vis] [Scanner Manager] com.q1labs.vis.exceptions.ScannerInitException: Could not initialize scanner 'TenableSecurityCenter - Regression': Failed to initialize Tenable Security Center module; Error message [Failed to login to Tenable Security Center;]
    [vis] [Scanner Manager]    at com.q1labs.vis.ScannerManager.initializeScanner(ScannerManager.java:491)
    [vis] [Scanner Manager]    at com.q1labs.vis.ScannerManager.submitFailedStatusIfInitError(ScannerManager.java:298)
    [vis] [Scanner Manager]    at com.q1labs.vis.ScannerManager.processScanRequest(ScannerManager.java:243)
    [vis] [Scanner Manager]    at com.q1labs.vis.ScannerManager.processScanRequest(ScannerManager.java:208)
    [vis] [Scanner Manager]    at com.q1labs.vis.messages.VisRequestMessageEnum$1.process(VisRequestMessageEnum.java:42)
    [vis] [Scanner Manager]    at com.q1labs.vis.ScannerManager.run(ScannerManager.java:155)
    [vis] [Scanner Manager]    at java.lang.Thread.run(Thread.java:818)
    [vis] [Scanner Manager] Caused by:
    [vis] [Scanner Manager] com.q1labs.vis.exceptions.ScannerInitException: Failed to initialize Tenable Security Center module; Error message [Failed to login to Tenable Security Center;]
    [vis] [Scanner Manager]    at com.q1labs.vis.scanners.tenable.securitycenter.SecurityCenterModule.init(SecurityCenterModule.java:104)
    [vis] [Scanner Manager]    at com.q1labs.vis.scanners.base.ScannerModule.init(ScannerModule.java:310)
    [vis] [Scanner Manager]    at com.q1labs.vis.ScannerManager.initializeScanner(ScannerManager.java:482)
    [vis] [Scanner Manager]    ... 6 more
    [vis] [Scanner Manager] Caused by:
    [vis] [Scanner Manager] com.q1labs.vis.exceptions.ScannerInitException: Failed to login to Tenable Security Center;
    [vis] [Scanner Manager]    at com.q1labs.vis.scanners.tenable.securitycenter.SecurityCenterModule.init(SecurityCenterModule.java:99)
    [vis] [Scanner Manager]    ... 8 more
    26 November 2020
    HIGH AVAILABILITY (HA) IJ21012 A HIGH AVAILABILITY FAILOVER CAN OCCUR AS MANAGED HOSTS REMOVED FROM DEPLOYMENT ARE NOT UPDATED IN THE PING TEST LIST CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    No workaround available. Administrators must upgrade to resolve this software issue.

    Issue
    It has been identified that in some instances a High Availability (HA) failover can occur because Managed Hosts that were removed from the QRadar Deployment were not removed from the ping test list.
    26 November 2020
    PERFORMANCE IJ23649 SYSTEMSTABMON CAN RESULT IN LARGE NUMBERS OF STUCK 'DF' COMMANDS WHEN A HUNG NFS MOUNT OCCURS CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that in some instances a High Availability (HA) failover can occur because Managed Hosts that were removed from the QRadar Deployment were not removed from the ping test list.
    26 November 2020
    APP HOST IJ21302 APPS CAN FAIL TO LOAD IN QRADAR DUE TO FAILED CERTIFICATE REPLICATION TO APP HOST CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that the QRadar update-remote-certs.sh script fails to list the proper IP of the App Host if the QRadar Console is in a NATed environment when the App Host is not. When this issue is occurring, certificate generation fails to push out because the managed host IP returns an empty result.
    26 November 2020
    DEPLOY CHANGES IJ21234 RHEL KERNEL CRASH CAN OCCUR WHEN IPTABLES RESTARTS DURING QRADAR DEPLOY FUNCTIONS WHERE NAT'D CONNECTIONS EXIST CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that iptables restarts during QRadar Deploy functions and can cause a RHEL kernel crash on systems that have NAT'd connections configured.
    26 November 2020
    CERTIFICATES IJ21198 DER ENCODED CERTIFICATE IS ACCEPTED BY QRADAR BUT THEN DOES NOT WORK AS EXPECTED CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Convert the DER encoded certificate to PEM format and retry installing the certificate using /opt/qradar/bin/install-ssl-cert.sh.

    Issue
    It has been identified that QRadar install-ssl-cert.sh allows DER encoded certificate files to be copied to QRadar, but QRadar does not work as expected with this format of certificate files.
    26 November 2020
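    The workaround for IJ21198 above tells the administrator to convert a DER certificate to PEM before running install-ssl-cert.sh. The following POSIX sh helper is an added example, not part of the APAR page and not IBM's code: it checks the file header to tell PEM (text armour beginning with "-----BEGIN") from DER (an ASN.1 SEQUENCE, first byte 0x30) and only then converts with openssl. It assumes openssl is on the PATH; the function names and the output path (input name with a .pem extension) are this example's own choices.

```shell
#!/bin/sh
# Added example for the IJ21198 workaround: make sure the certificate handed to
# /opt/qradar/bin/install-ssl-cert.sh is PEM, converting DER with openssl if needed.
# Assumptions: openssl is on PATH; function names are this example's own.

# cert_format FILE -> prints "pem", "der" or "unknown" (exit 1 for unknown)
cert_format() {
    f="$1"
    [ -r "$f" ] || { echo "unknown"; return 1; }
    # PEM armour starts with the literal text "-----BEGIN"
    if head -c 10 "$f" | grep -q '^-----BEGIN'; then
        echo "pem"; return 0
    fi
    # A DER X.509 certificate is an ASN.1 SEQUENCE, so its first byte is 0x30
    first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo "der"; return 0
    fi
    echo "unknown"; return 1
}

# der_to_pem IN OUT: convert a DER certificate to PEM with openssl
der_to_pem() {
    openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
}

# prepare_cert FILE: print the path of a PEM file to give to install-ssl-cert.sh,
# converting DER on the way; fail loudly on anything else instead of letting
# QRadar accept a certificate it cannot use.
prepare_cert() {
    f="$1"
    case "$(cert_format "$f")" in
        pem) echo "$f" ;;
        der) der_to_pem "$f" "${f%.*}.pem" && echo "${f%.*}.pem" ;;
        *)   echo "unrecognised certificate format: $f" >&2; return 1 ;;
    esac
}

# Typical use:  pem=$(prepare_cert /root/cert.der) && /opt/qradar/bin/install-ssl-cert.sh
```

    The format check is the part worth keeping: the APAR exists because install-ssl-cert.sh accepted a DER file without complaint, so a pre-flight check that refuses anything but PEM is cheap insurance before the console's certificate is replaced.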
    APPLICATION FRAMEWORK IJ21178 QRADAR APPS CAN FAIL TO LOAD WITH 'ERROR INITIALIZING CORE: FAILED TO LOCK MEMORY: CANNOT ALLOCATE MEMORY' ERROR CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    No workaround available. Administrators can upgrade to the released software version that resolves this issue.

    Issue
    It has been identified that in some instances QRadar Apps can fail to load. Messages similar to the following might be visible when this issue is occurring, after attempting to restart vault:
    # systemctl restart vault-qrd
    {hostname} ensure-vault-ready-for-unseal.sh[23036]: Ensuring vault is ready to be unsealed...
    {hostname} si-vault[23035]: Error initializing core: Failed to lock memory: cannot allocate memory
    {hostname} si-vault[23035]: This usually means that the mlock syscall is not available.
    {hostname} si-vault[23035]: Vault uses mlock to prevent memory from being swapped to
    {hostname} si-vault[23035]: disk. This requires root privileges as well as a machine
    {hostname} si-vault[23035]: that supports mlock. Please enable mlock on your system or
    {hostname} systemd[1]: vault-qrd.service: main process exited, code=exited, status=1/FAILURE
    {hostname} ensure-vault-ready-for-unseal.sh[23036]: % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
    {hostname} ensure-vault-ready-for-unseal.sh[23036]: Dload  Upload Total   Spent    Left  Speed
    {hostname} ensure-vault-ready-for-unseal.sh[23036]: 0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (7) Failed to connect to {IP_ADDRESS}: Invalid argument
    26 November 2020
    QRADAR NETWORK INSIGHTS IJ20593 QNI LOG MESSAGES CAN DISPLAY INCORRECT STATISTICS WHEN LOW (BASIC) INSPECTION LEVEL IS SELECTED CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    No workaround available. Administrators can upgrade to the released software version that resolves this issue.

    Issue
    It has been identified that QRadar Network Inspection (QNI) can generate system log messages with incorrect statistics when Low (Basic) inspection level is selected.
    26 November 2020
    DISK SPACE IJ17854 /TMP CAN FILL UP WITH NUMEROUS /TMP/TMP.XXXXXXXXXX DIRECTORIES CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    No workaround available. Administrators can upgrade to the released software version that resolves this issue.

    Issue
    It has been identified that the /tmp partition can sometimes fill up with /tmp/tmp.xxxxxxxx directories due to a missing cleanup configuration within QRadar.
    26 November 2020
    OFFENSES IJ19855 OFFENSE WITH A LONG DESCRIPTION SPLITS AUDIT LOG INTO MULTIPLE ROWS CAUSING UNKNOWN SIM GENERIC EVENTS CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    No workaround available. Administrators can upgrade to the released software version that resolves this issue.

    Issue
    It has been identified that Offenses with a long offense description can split one audit log message into multiple rows causing Unknown SIM Generic events within QRadar.
    26 November 2020
    SERVICES IJ12278 CONSOLE APPLIANCE CAN EXPERIENCE A KERNEL PANIC CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support to diagnose any Console crash/failure to clearly identify the cause of the issue.

    Support can implement a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that a QRadar Console can experience a kernel panic and crash due to values in:
    /usr/lib/systemd/system/iptables.service
    26 November 2020
    LICENSE IJ06169 FLOW PROCESSOR (1729) APPLIANCES ARE ASSIGNED AN INCORRECT AND EXPIRING LICENSE BY DEFAULT AFTER BEING ADDED INTO A QRADAR DEPLOYMENT CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Email q1pd@us.ibm.com to receive a Flow Processor license update and apply a corrected license to the appropriate 1729 appliance in the System and License Management interface from the Admin tab.

    Issue
    It has been identified that a 1729 appliance added into a QRadar deployment receives an incorrect license. By default, the license expires in 33 days for the appliance unless it is replaced.
    26 November 2020
    HIGH AVAILABILITY (HA) IJ04244 RE-ADDING A PREVIOUSLY REMOVED HIGH AVAILABILITY 15XX SECONDARY INTO AN HA PAIR CAN FAIL DURING THE GLUSTERFS CONFIGURATION CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that removing a High Availability (HA) Event Collector (15xx) Secondary appliance and then attempting to re-add it back into an HA pair can sometimes result in the glusterFS failing to be correctly configured. When this issue occurs, the HA join process fails.

    Messages similar to the following might be visible in the qradar_hasync.log file when this issue occurs:
    [INFO] [ha_sync_replication.py] Failed to run command 'start': fuse directory "/store/persistent_queueha" is populated, but "/store/persistent_queue" is not empty. Please manually migrate data from "/store/persistent_queue to "/store/persistent_queueha"
    26 November 2020
    MANAGED HOSTS IJ03437 QRADAR COMPONENTS CAN SOMETIMES BE REMOVED WHEN ADDING A NEW MANAGED HOST TO A QRADAR DEPLOYMENT CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that QRadar components can sometimes be removed from a deployment during the process of adding a new Managed Host to that deployment.

    For example, Managed Hosts that are in the ADDING or ADD_FAILED_RETRY_CONNECTION state in the managedhost and serverhost tables can cause the qvmprocessor components to be removed during the rewrite of the deployment.xml file after the Admin tab, Actions drop-down, Deploy Full Configuration is performed.
    26 November 2020
    MANAGED HOSTS IJ02463 UNABLE TO ADD A MANAGED HOST TO A DEPLOYMENT IF THE APPLIANCE SERIAL NUMBER ALREADY EXISTS IN THE DEPLOYMENT CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that a Managed Host cannot be added into a QRadar Deployment if the appliance serial number already exists in the Deployment. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
    [tomcat.tomcat] [Thread-296] com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]unable to add managed host: The serial number is already found in the deployment.
    [tomcat.tomcat] [Thread-296] com.q1labs.restapi_annotations.content.exceptions.endpointExceptions.ServerProcessingException: The serial number is already found in the deployment.
    [tomcat.tomcat] [Thread-296]    at com.ibm.si.configservices.api.impl.DeploymentAPIImpl.addManagedHost(DeploymentAPIImpl.java:849)
    [tomcat.tomcat] [Thread-296]    at com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI$AddHostThread.run(DeploymentAPI.java:979)
    [tomcat.tomcat] [Thread-296]    at java.lang.Thread.run(Thread.java:785)
    [tomcat.tomcat] [Thread-296] Caused by:
    [tomcat.tomcat] [Thread-296] com.q1labs.configservices.common.ConfigServicesException: The serial number is already found in the deployment.
    [tomcat.tomcat] [Thread-296]    at com.q1labs.configservices.capabilities.CapabilitiesHandler.addManagedHost(CapabilitiesHandler.java:1858)
    [tomcat.tomcat] [Thread-296]    at com.ibm.si.configservices.api.impl.DeploymentAPIImpl.addManagedHost(DeploymentAPIImpl.java:818
    26 November 2020
    UPGRADE IV90332 APPLYING A PATCH REVISION TO A QRADAR MANAGED HOST IN A DEPLOYMENT PRIOR TO THE CONSOLE IS ALLOWED TO OCCUR CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade, or experience this problem, contact support for a possible workaround that might address this issue in some instances.

    Issue
    QRadar's documented patching process steps state that the Console be patched successfully prior to patching any attached Managed Host.

    The patch framework currently allows the install of a QRadar patch revision onto a QRadar Managed Host prior to the Console being patched.

    When this situation occurs, the Managed Host can experience various states of instability, including required processes not starting.
    26 November 2020
    USER ROLES IJ23839 'USER ROLE' PAGE ON THE QRADAR USER INTERFACE CAN BEHAVE DIFFERENTLY DEPENDING ON USER ROLE SELECTED CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade or experience this issue, contact support for a possible workaround that might address this issue in some instances.

    Issue
    The QRadar User Roles Admin page can behave differently depending on the first role that is selected when opening the page.

    For example:
    1. Create a user role called AAadmin with Delegated Administration.
    2. Save your changes.
    3. Close the user role interface and reopen it.
    4. Create a second user role called reporttest.
    5. Assign reporttest the Privilege - Distribute Reports via Email
      Note: Maintain Templates and Reports will be selected automatically.
    6. Save and close the screen.
    7. Update user role AAadmin to have Admin - System Administrator privilege.
    8. Save and close the screen.
    9. Navigate back into user roles screen again.
    10. Choose user reporttest.
    11. De-select Reports and all reporting options will be removed.
    12. When Distribute Reports via Email is selected, Maintain Templates and Reports is not.
    26 November 2020
    DATA SYNCHRONIZATION APP IJ29345 SCRIPT REQUIRED FOR A QRADAR DATA SYNCHRONIZATION APP NOTIFICATION MIGHT BE MISSING IN SOME QRADAR PATCH VERSIONS CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    No workaround available.

    APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums.

    Issue
    It has been identified that an updated script (generate_environment.sh) for the QRadar Data Synchronization App can be missing from some QRadar patch versions.

    The updated generate_environment.sh script alerts if the data sync is on the Destination Site and warns if the process is not started.
    26 November 2020
    REFERENCE DATA IJ28797 REFERENCE DATA API DATA 'ADDS OR UPDATES' INTO REFERENCE SETS CAN BE SLOW OR TIMEOUT CLOSED Resolved in
    QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
    QRadar 7.4.3 (7.4.3.20210517144015)
    Note: This issue was resolved with the release of QRadar 7.4.2, but reopened on 04 March 2021 as the issue could still occur on 7.4.2 Consoles.

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade or experience this issue, contact support for a possible workaround that might address this issue in some instances.

    Issue
    The reference data API can be slow or time out when adding or updating data within QRadar reference sets. This behavior can be observed when using QRadar Apps that use the API for this functionality. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1623)
    [tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    [tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
    [tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    [tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    [tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]    at java.lang.Thread.run(Thread.java:818)
    [tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}] Caused by:
    [tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}] com.q1labs.restapi_annotations.content.exceptions.endpointExceptions.ServerProcessingException: Adding/updating data to Set {REFSET NAME} failed
    [tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]    at com.q1labs.core.api.v3_0.referencedata.ReferenceDataAPI_Sets.addDataToSet(ReferenceDataAPI_Sets.java:550)
    [tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]    at sun.reflect.GeneratedMethodAccessor1143.invoke(Unknown Source)
    [tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
    [tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]    at java.lang.reflect.Method.invoke(Method.java:508)
    [tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]    at com.q1labs.restapi.servlet.utilities.APIRequestHandler.invokeMethod(APIRequestHandler.java:1038)
    [tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]    at com.q1labs.restapi.servlet.utilities.APIRequestHandler.redirectRequest(APIRequestHandler.java:406)
    [tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]    ... 61 more
    [tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}] Caused by:
    [tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}] org.apache.catalina.connector.ClientAbortException: java.io.EOFException
    [tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]    at org.apache.catalina.connector.InputBuffer.realReadBytes(InputBuffer.java:348)
    [tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]    at org.apache.catalina.connector.InputBuffer.checkByteBufferEof(InputBuffer.java:663)
    [tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]    at org.apache.catalina.connector.InputBuffer.read(InputBuffer.java:370)
    [tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]    at org.apache.catalina.connector.CoyoteInputStream.read(CoyoteInputStream.java:183)
    [tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
    10 July 2021
    PROTOCOLS IJ26183 ECS-EC-INGRESS PROCESS CAN SOMETIMES GO OUT OF MEMORY WHEN LOG SOURCES ARE USING THE WINDOWS IIS PROTOCOL OPEN Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    In some instances, the ecs-ec-ingress process (required for event collection) can run out of memory because of Log Sources that use the Windows IIS Protocol when an incorrect .jar file is referenced. Messages similar to the following, referencing a Log Source that connects to an SMB host, might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ec-ingress.ecs-ec-ingress] [Folder Monitor [x.x.x.x][smb://x.x.x.x/LogFiles/]] com.q1labs.semsources.sources.smbtail.io.SmbFileWithRetries: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -][smb://x.x.x.x/LogFiles/W3SVC13] exists(): Failed: Access error for file W3SVC13 status = -1073741790 (0xc0000022) (0xC0000022)
    15 July 2020
    PROTOCOLS IJ26863 THE USE OF MSRPC AND IIS SIMULTANEOUSLY MIGHT CAUSE POTENTIAL DEADLOCK THREADS CLOSED Resolved in
    PROTOCOL-WindowsEventRPC-7.3-20201028123850.noarch.rpm
    PROTOCOL-WindowsEventRPC-7.4-20201028123859.noarch.rpm

    Workaround
    A weekly auto update is pending for users with the resolved RPM files. If you need assistance to apply a workaround, contact QRadar Support for a possible workaround that might address this issue.

    Issue
    It has been observed that MSRPC and IIS Log Sources cannot be used simultaneously due to a potential thread deadlock.

    Administrators might be required to disable a protocol until a Microsoft Windows Security Event Log over MSRPC protocol update can be delivered. This might be the result of a jar file.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    "RPCEventLogHandler thread" Id=3378 in BLOCKED on lock=com.example.common.NamedRepository@abc
     owned by RPCEventLogHandler thread Id=7388
     at com.example.client.Server.dispose(Server.java:350)
     at com.example.client.Server.disconnect(Server.java:750)
     at com.example.client.Server.disconnect(Server.java:702)
     at com.example.client.Mount.doMount(Mount.java:521)
     at com.example.client.Mount.doMount(Mount.java:483)
     at com.example.client.Mount.doMount(Mount.java:479)
     at com.example.client.Mount.{init}(Mount.java:280)
     at com.example.client.rpc.SmbTransport.{init}(SmbTransport.java:29)
     at com.example.client.rpc.Dcerpc.connect(Dcerpc.java:818)
     at com.example.client.rpc.Dcerpc.{init}(Dcerpc.java:445)
     at com.example.client.rpc.Winreg.{init}(Winreg.java:130)
     at com.q1labs.semsources.sources.windowseventrpc.eventsource.common.EventLogWinRegistry.connectRemoteRegistry(EventLogWinRegistry.java:58)
     at com.q1labs.semsources.sources.windowseventrpc.eventsource.RPCSession.queryRemoteHostInfo(RPCSession.java:80)
     at com.q1labs.semsources.sources.windowseventrpc.eventsource.RPCSession.{init}(RPCSession.java:53)
     at com.q1labs.semsources.sources.windowseventrpc.eventsource.RPCEventLogHandler.connect(RPCEventLogHandler.java:129)
     at com.q1labs.semsources.sources.windowseventrpc.eventsource.RPCEventLogHandler.run(RPCEventLogHandler.java:372)
     at java.lang.Thread.run(Thread.java:818)
    "RPCEventLogHandler thread" Id=7388 in TIMED_WAITING on lock=java.util.concurrent.locks.ReentrantLock$NonfairSync@bxyz (running in native)
     owned by RPCEventLogHandler thread Id=3378
     at sun.misc.Unsafe.park(Native Method)
     at java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java)
     at java.util.concurrent.locks.AbstractQueuedSynchronizer.doAcquireNanos(AbstractQueuedSynchronizer.java)
     at java.util.concurrent.locks.AbstractQueuedSynchronizer.tryAcquireNanos(AbstractQueuedSynchronizer.java:1258)
     at java.util.concurrent.locks.ReentrantLock.tryLock(ReentrantLock.java:453)
     at com.example.client.Server.tryLock(Server.java:1528)
     at com.example.client.Server.waitTryLock(Server.java:1542)
     at com.example.client.Server.disconnect(Server.java:739)
     at com.example.client.Server.disconnect(Server.java:714)
     at com.example.client.Server.checkTimeouts(Server.java:665)
     at com.example.client.Server.findOrCreate(Server.java:965)
     - locked com.example.common.NamedRepository@a2d539c5
     at com.example.client.Mount.doMount(Mount.java:498)
     at com.example.client.Mount.doMount(Mount.java:483)
     at com.example.client.Mount.doMount(Mount.java:479)
     at com.example.client.Mount.{init}(Mount.java:280)
     at com.example.client.rpc.SmbTransport.{init}(SmbTransport.java:29)
     at com.example.client.rpc.Dcerpc.connect(Dcerpc.java:818)
     at com.example.client.rpc.Dcerpc.{init}(Dcerpc.java:445)
     at com.example.client.rpc.Lsar.{init}(Lsar.java:118)
     at com.q1labs.semsources.sources.windowseventrpc.util.SIDCache.{init}(SIDCache.java:40)
     at com.q1labs.semsources.sources.windowseventrpc.eventsource.RPCEventLogHandler.connect(RPCEventLogHandler.java:127)
     at com.q1labs.semsources.sources.windowseventrpc.eventsource.RPCEventLogHandler.run(RPCEventLogHandler.java:372)
     at java.lang.Thread.run(Thread.java:818)
    13 August 2020
    UPGRADE IJ29294 PATCHING A DETACHED 1599 APPLIANCE CAN COMPLETE BUT WITH AN ERROR THAT IS BENIGN OPEN Workaround
    This error message is caused by /opt/qradar/bin/generate_cert_from_csr.sh attempting to access files as if the appliance were part of a QRadar deployment rather than detached. The error is therefore benign and can be safely ignored.

    Issue
    Patching a detached 1599 appliance type to QRadar 7.4.1 FP2 can complete with an error similar to the following:
    Patch Report for xxx.xxx.xxx.xxx, appliance type: 1599
    hostname :  patch test succeeded.
    Error running 209: /media/updates/scripts/QRADAR-2072.install --mode mainpatch
    hostname :  patch successful with errors.

    Messages similar to the following might be visible in the /var/log/setup-7.4.1.xxxxxx/patches.log file when this issue occurs:
    Nov 10 14:48:29 2020: Nov 10 14:48:29 2020:[DEBUG](-i-patchmode) Running script /media/updates/scripts/QRADAR-2072.install --mode mainpatch
    Nov 10 14:48:30 2020: [QRADAR-2072] [mainpatch:Run] /opt/qradar/bin/generate_cert_from_csr.sh
    cat: /opt/qradar/conf/host.token: No such file or directory
    Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 1
            at com.ibm.si.mks.Util.main(Util.java:352)
    grep: /store/configservices/deployed/globalconfig/deployment.xml: No such file or directory
    Nov 10 14:48:30 2020: Nov 10 14:48:30 2020:[DEBUG](-i-patchmode) Error running 209: /media/updates/scripts/QRADAR-2072.install --mode mainpatch; Got error code of 1.
    Nov 10 14:48:30 2020: Nov 10 14:48:30 2020:[ERROR](-i-patchmode) Error running 209: /media/updates/scripts/QRADAR-2072.install --mode mainpatch
    16 November 2020
    API / RULES IJ25486 INCORRECT SYSTEM RULE NAME CAN BE RETURNED FROM AN API QUERY AFTER THE RULE HAS BEEN RENAMED AND TOMCAT HAS BEEN RESTARTED CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    Use the QRadar user interface to perform the required search. This issue appears to only affect API searches.

    Issue
    An Ariel query run through the API that uses the rulename function returns an incorrect name for system rules whose name has been changed AND where tomcat has been restarted. For example:
    1. User modifies the name of a system rule.
    2. Via the QRadar API, execute an AQL query that returns rulename(creeventlist) as a column.
    3. The data returned shows the updated rule name.

      Results
      After a restart of the tomcat service and the above steps are repeated, the data returned from the API call shows the original name of the system rule, despite the fact that this was modified to a new name.
    16 November 2020
    CONTENT MANAGEMENT TOOL (CMT) IJ27031 CONTENT MANAGEMENT TOOL IMPORT DEOPTIMIZES CUSTOM PROPERTIES REFERENCED IN A SEARCH FILTER TEST, REDUCING RULE PERFORMANCE CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

    Workaround
    No workaround available. Administrators can complete a software upgrade to QRadar 7.4.1 Fix Pack 2 to resolve this issue.

    Issue
    When using the Content Management Tool (CMT) to import a deoptimized property where the property already exists and is optimized, QRadar checks to see if there is anything on the system which needs it to be optimized, and if so, does not update it as it would negatively impact rule processing performance.

    This check works for some rule tests, but does not work if the custom property is referenced in a search filter test or AQL test. The CMT allows the property to be deoptimized despite there being an active rule using it.

    This can introduce performance issues for affected rules when this issue occurs.
    16 November 2020
    RULES IJ27238 OFFENSE RULE SNMP TRAP RESPONSE FOR 'TOP 5 TARGETS' ONLY DISPLAYS 1 IP ADDRESS (THE TOP TARGET) INSTEAD OF TOP 5 CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)

    Workaround
    No workaround available. Administrators can complete a software upgrade to QRadar 7.4.1 Fix Pack 2 to resolve this issue.

    Issue
    When using the Content Management Tool (CMT) to import a deoptimized property where the property already exists and is optimized, QRadar checks to see if there is anything on the system which needs it to be optimized, and if so, does not update it as it would negatively impact rule processing performance.

    This check works for some rule tests, but does not work if the custom property is referenced in a search filter test or AQL test. The CMT allows the property to be deoptimized despite there being an active rule using it.

    This can introduce performance issues for affected rules when this issue occurs.
    16 November 2020
    SERVICES IJ28223 ECS-EC-INGRESS SERVICE (EVENT COLLECTION) CAN HANG WITH A "TOO MANY OPEN FILES (ACCEPT FAILED)" WRITTEN TO QRADAR LOGGING CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    Complete a restart of the ecs-ec-ingress service.

    Issue
    The ecs-ec-ingress service (event collection) can sometimes hang and stop processing events with a "java.net.SocketException: Too many open files (Accept failed)" message written to the QRadar logs.

    To confirm this issue, type the following command:
    journalctl -u ecs-ec-ingress


    If you are experiencing this issue, "Too many open files" errors are displayed after you use the journalctl command:
    ecs-ec-ingress[21929]: WARNING: RMI TCP Accept-7787: accept loop for ServerSocket[addr=0.0.0.0/0.0.0.0,localport=7787] throws
    ecs-ec-ingress[21929]: java.net.SocketException: Too many open files (Accept failed)
    ecs-ec-ingress[21929]: at java.net.ServerSocket.implAccept(ServerSocket.java:623)
    ecs-ec-ingress[21929]: at java.net.ServerSocket.accept(ServerSocket.java:582)
    ecs-ec-ingress[21929]: at sun.rmi.transport.tcp.TCPTransport$AcceptLoop.executeAcceptLoop(TCPTransport.java:417)
    ecs-ec-ingress[21929]: at sun.rmi.transport.tcp.TCPTransport$AcceptLoop.run(TCPTransport.java:389)
    ecs-ec-ingress[21929]: at java.lang.Thread.run(Thread.java:818)
    21 May 2021
    INSTALLATION IJ27831 'FAILED TO MODIFY RX AND TX VALUE FOR ETH0' WHEN INSTALLING QRADAR ON A KVM THAT IS USING VIRTIO_NET DRIVER CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    1. Using the vi command, edit the /sbin/ifup-local file.
    2. Change the value of ETHTOOL_ENABLED=1 to ETHTOOL_ENABLED=0.

    Your file should match the code snippet provided in this ifup-local example:
    if [[ "${DEVICE}" =~ ^bond.* ]]; then
           ETHTOOL_ENABLED=0
    else
           ethtool -g "${DEVICE}" 2&>1 > /dev/null
           if [ "$?" -ne 1 ] ; then
                   ETHTOOL_ENABLED=0
           else
                   ETHTOOL_ENABLED=1
           fi
    fi

    Change to:
    if [[ "${DEVICE}" =~ ^bond.* ]]; then
           ETHTOOL_ENABLED=0
    else
           ethtool -g "${DEVICE}" 2&>1 > /dev/null
           if [ "$?" -ne 1 ] ; then
                   ETHTOOL_ENABLED=0
           else
                   ETHTOOL_ENABLED=0
           fi
    fi


    Issue
    During the Network Information setup page of a QRadar installation, a message similar to "failed to modify rx and tx value for eth0" can sometimes be observed. This occurs when QRadar is installed on a KVM with the Virtio_Net driver and the ring buffer settings are attempted to be applied by the install, but fail.

    Attempting to manually configure the ring buffer settings with the ifup-local command fails with a similar error message. On this type of KVM installation, the QRadar installation should not be attempting to apply ring buffer settings for network interfaces.

    To verify if the Virtio_Net driver is in use, the following can be run from a command line:
    ethtool -i eth0 | grep -i driver
    The following output indicates the virtio_net driver is installed:
    driver:virtio_net
    16 November 2020
    RULE RESPONSE IJ27086 'THIS INFORMATION SHOULD CONTRIBUTE TO THE NAME OF THE ASSOCIATED OFFENSE' RULE RESPONSE NOT WORKING AS EXPECTED CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    Where possible, change option 5 in the example to use "This information should set or replace the name of the associated offense(s)" within the Rule Response.

    Issue
    When selecting 'This information should contribute to the name of the associated offense(s)' in a Rule Response for an offense generated by a rule testing the building block 'when the event(s) have not been detected by one or more of these log sources for this many seconds', the description of the offense is not set to the event description.

    For example:
    1. Create a new rule that tests this building block: "when the event(s) have not been detected by one or more of these log sources for this many seconds".
    2. In the rule response, check the "Dispatch New Event" box.
    3. Give the event a descriptive name.
    4. In the section that appears after checking this box, check "Ensure the dispatched event is part of an offense" under "Event Details".
    5. Under "Offense Naming", check "This information should contribute to the name of the associated offense(s)".
    6. Wait for the rule to be triggered and observe that the Description field of the offense generated is not set to the name of the event that was specified, but is instead "Log source 'xxxx' has stopped emitting events".
    16 November 2020
    ASSETS IJ24031 QRADAR ASSET CLEANUP PROCESS CAN FAIL AND GENERATE A PSQLEXCEPTION WHEN ATTEMPTING TO RUN CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

    Workaround
    No workaround available. Administrators can complete a software upgrade to QRadar 7.4.1 Fix Pack 2 to resolve this issue.

    Issue
    When the QRadar Asset Cleanup attempts to run, it can sometimes fail with a PSQL Exception generated in QRadar logging. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [assetprofiler.assetprofiler] [AssetCleanupThread]
    com.q1labs.assetprofile.cleanup.AssetCleanupWorker: [INFO]
    [NOT:0000006000][127.0.0.1/- -] [-/- -]Following message
    suppressed 633 times in 300000 milliseconds
    [assetprofiler.assetprofiler] [AssetCleanupThread]
    com.q1labs.assetprofile.cleanup.AssetCleanupWorker: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/-
    -]AssetCleanupWorker.run(): Unable to cleanup asset. Skipping
    to next...
    [assetprofiler.assetprofiler] [AssetCleanupThread]
    com.q1labs.assetprofile.cleanup.AssetCleanupException:
    org.postgresql.util.PSQLException: This statement has been
    closed.
    [assetprofiler.assetprofiler] [AssetCleanupThread]    at
    com.q1labs.assetprofile.cleanup.AssetCleanupWorker.createCleanup
    Updates(AssetCleanupWorker.java:614)
    [assetprofiler.assetprofiler] [AssetCleanupThread]    at
    com.q1labs.assetprofile.cleanup.AssetCleanupWorker.cleanupAssetC
    omponents(AssetCleanupWorker.java:172)
    [assetprofiler.assetprofiler] [AssetCleanupThread]    at
    com.q1labs.assetprofile.cleanup.AssetCleanupWorker.cleanAsset(As
    setCleanupWorker.java:405)
    [assetprofiler.assetprofiler] [AssetCleanupThread]    at
    com.q1labs.assetprofile.cleanup.AssetCleanupWorker.walkAssetMode
    lAndClean(AssetCleanupWorker.java:260)
    [assetprofiler.assetprofiler] [AssetCleanupThread]    at
    com.q1labs.assetprofile.cleanup.AssetCleanupWorker.run(AssetClea
    nupWorker.java:99)
    [assetprofiler.assetprofiler] [AssetCleanupThread] Caused by:
    [assetprofiler.assetprofiler] [AssetCleanupThread]
    org.postgresql.util.PSQLException: This statement has been
    closed.
    [assetprofiler.assetprofiler] [AssetCleanupThread]    at
    org.postgresql.jdbc2.AbstractJdbc2Statement.checkClosed(Abstract
    Jdbc2Statement.java:2637)
    [assetprofiler.assetprofiler] [AssetCleanupThread]    at
    org.postgresql.jdbc2.AbstractJdbc2Statement.getResultSet(Abstrac
    tJdbc2Statement.java:830)
    [assetprofiler.assetprofiler] [AssetCleanupThread]    at
    com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.getResultSet(
    NewProxyPreparedStatement.java:1408)
    [assetprofiler.assetprofiler] [AssetCleanupThread]    at
    org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.getResul
    tSet(DelegatingPreparedStatement.java:202)
    [assetprofiler.assetprofiler] [AssetCleanupThread]    at
    org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.getResul
    tSet(DelegatingPreparedStatement.java:200)
    [assetprofiler.assetprofiler] [AssetCleanupThread]    at
    org.apache.openjpa.jdbc.sql.PostgresDictionary$PostgresPreparedS
    tatement.executeQuery(PostgresDictionary.java:1026)
    [assetprofiler.assetprofiler] [AssetCleanupThread]    at
    org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQ
    uery(DelegatingPreparedStatement.java:265)
    [assetprofiler.assetprofiler] [AssetCleanupThread]    at
    org.apache.openjpa.jdbc.kernel.JDBCStoreManager$CancelPreparedSt
    atement.executeQuery(JDBCStoreManager.java:1774)
    [assetprofiler.assetprofiler] [AssetCleanupThread]    at
    org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQ
    uery(DelegatingPreparedStatement.java:265)
    [assetprofiler.assetprofiler] [AssetCleanupThread]    at
    org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQ
    uery(DelegatingPreparedStatement.java:255)
    [assetprofiler.assetprofiler] [AssetCleanupThread]    at
    com.q1labs.assetprofile.cleanup.AssetCleanupWorker.createCleanup
    Updates(AssetCleanupWorker.java:568)
    [assetprofiler.assetprofiler] [AssetCleanupThread]    ... 4 more
    16 November 2020
    REPORTS IJ25351 ATTACHMENTS IN REPORT MAIL CAN BE CORRUPTED AFTER A QRADAR PATCH HAS BEEN APPLIED CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    Use a short report name. As an example, for Japanese locale, using a report name of less than 10 characters fixed the issue. This issue may also occur when using languages with UTF-8 multibyte characters.

    Issue
    Mail attachments from QRadar Reports can be corrupted after smtp jar files have been upgraded within a QRadar patch (7.3.3 Fix Pack 2 or later).

    For example: The Mail attachment is split into filename*0= and filename*1=.
    16 November 2020
    QRADAR NETWORK INSIGHTS IJ22720 QRADAR NETWORK INSIGHTS (QNI) PERFORMANCE DEGRADATION CAUSED BY YAHOO MAIL INSPECTOR COMPONENT CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    If experiencing QNI performance degradation, contact Support for assistance with a system thread dump examination to determine if this issue is the cause.

    Issue
    When using the Yahoo Mail inspector component (libymailinsp.so), QNI decapper processes can be working as expected and then begin to drop packets leading to flows stopping.

    QNI cannot process flow traffic as expected while the decapper service is in this thread bound condition.
    16 November 2020
    OFFENSE MANAGER IJ24634 QRADAR VERSIONS 7.3.2 OR LATER DO NOT INCLUDE THE "REPLY-TO:" FIELD WITHIN GENERATED NOTIFICATION EMAILS CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    No workaround available. Administrators can complete a software upgrade to QRadar 7.4.1 Fix Pack 2 to resolve this issue.

    Issue
    Notification emails no longer include the "Reply-To:" field in email headers. QRadar versions pre-7.3.2 are not affected. Example of pre-7.3.2 QRadar:
    From: "QRADAR@localhost.localdomain"
    {QRADAR@localhost.localdomain}
    Reply-To: "root@localhost" {root@localhost.test.com}
    To: "root@localhost" {root@localhost.test.com}
    Subject: Offense #1
    MIME-Version: 1.0
    Content-Type: text/plain; charset=UTF-8
    Content-Transfer-Encoding: 7bit
    16 November 2020
    ROUTING RULES IJ27022 LARGE AMOUNTS OF REVERSE DNS LOOKUPS CAN BE GENERATED WHEN OFFLINE ROUTING RULES ARE CONFIGURED IN QRADAR CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    No workaround available. Administrators can complete a software upgrade to QRadar 7.4.1 Fix Pack 2 or 7.3.3 Fix Pack 6 to resolve this issue.

    Issue
    When offline routing rules have been configured within QRadar (Admin -> System Configuration -> Routing Rules), a large number of reverse DNS lookups can be generated. This can cause issues in some customer environments with their DNS server load.

    The issue described only occurs when forwarding "normalized" data, not raw payloads.
    16 November 2020
    FLOWS IJ28601 DEFAULT NETFLOW FLOW SOURCE DOES NOT WORK ON NEWLY ADDED FLOW PROC AND GENERATES 'NO FLOW SOURCE DEFINED' ERROR IN LOGGING CLOSED Resolved in
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)

    Workaround
    Performing a remove and re-add of the flow processor appliance from the QRadar Deployment corrects this issue. For more information, see steps 3 and 5 from the documentation.

    Issue
    The default NetFlow flow source does not work as expected on a newly added Flow Processor. During the initial add process, the FLOWSOURCE_LIST under nva.qflow.qflow*.conf is not populated, so qflow does not work as expected and no flows are received. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [hostcontext.hostcontext] [Thread-1803]
    com.q1labs.hostcontext.processmonitor.ProcessManager: [INFO]
    [NOT:0000006000][172.18.142.131/- -] [-/- -]Starting process
    qflow.qflow102
    [QRADAR] [23524] qflow: [INFO] Reading in application
    signatures from file: /opt/qradar/conf/signatures.xml
    [QRADAR] [23524] qflow: [INFO] Application Signatures
    successfully read in from file: /opt/qradar/conf/signatures.xml
    [QRADAR] [23524] qflow: [INFO] Application mapper loading
    /opt/qradar/conf/user_application_mapping.conf
    [QRADAR] [23524] qflow: [INFO] Flow Buffer Size = 100000
    [QRADAR] [23524] qflow: [INFO] Connecting to
    172.18.142.131:32010
    [QRADAR] [23524] qflow: [INFO] Initializing qflow: 23524
    [QRADAR] [23524] qflow: [INFO] Packet Source Multi threading:
    disabled
    [QRADAR] [23524] qflow: [INFO] The Flow Governor flow limit is
    set to: 176508 based on DEPLOYMENT_FLOW_LIMIT: 1500000,
    HARDWARE_FLOW_LIMIT: 176508 and QF_GOVERNOR (user flow limit): 0
    [QRADAR] [23524] qflow: [INFO] Flow De-Duplication: enabled
    [QRADAR] [23524] qflow: [INFO] TLVFlowFields: parse and
    processing of /opt/qradar/conf/flowFieldsDataType-conf.xml
    completed successfully
    [QRADAR] [23524] qflow: [INFO] Initializing Flow Aggregator
    [QRADAR] [23524] qflow: [INFO] The host.token file is encrypted
    on disk, decrypting for use.
    [QRADAR] [23524] qflow: [INFO] Initializing Packet Aggregator
    [QRADAR] [23524] qflow: [INFO] Flow debug log level set to 0
    [QRADAR] [23524] qflow: [ERROR] No flow sources defined -
    sleeping until signal
    16 November 2020
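The IJ28223, IJ24031 and IJ28601 entries above each quote a distinctive log message. The following script is an added example, not part of this APAR table or of IBM's own tooling: it scans journalctl or /var/log/qradar.log output for those exact messages and reports which APAR each hit corresponds to, so an administrator can cross-reference the fix pack or workaround listed in the table. The regular expressions and the constructed sample lines are this example's own.

```python
"""Match known-APAR log signatures quoted in the QRadar APAR table.

Added example, not IBM tooling. Signatures are the messages quoted above for
IJ28223 (ecs-ec-ingress), IJ24031 (asset cleanup) and IJ28601 (qflow).
"""
import re
from collections import Counter

# APAR numbers and the action text come from the table entries above;
# the regular expressions are this example's own construction.
SIGNATURES = [
    ("IJ28223",
     re.compile(r"ecs-ec-ingress\[\d+\]: .*Too many open files \(Accept failed\)"),
     "restart ecs-ec-ingress; resolved in 7.4.1 Fix Pack 2 / 7.3.3 Fix Pack 6"),
    ("IJ24031",
     re.compile(r"AssetCleanupWorker\.run\(\): Unable to cleanup asset"),
     "no workaround; resolved in 7.4.1 Fix Pack 2 / 7.3.3 Fix Pack 7"),
    ("IJ28601",
     re.compile(r"qflow: \[ERROR\] No flow sources defined"),
     "remove and re-add the flow processor; resolved in 7.4.1 Fix Pack 2"),
]


def match_line(line):
    """Return (apar, action) for the first signature the line matches, else None."""
    for apar, pattern, action in SIGNATURES:
        if pattern.search(line):
            return apar, action
    return None


def scan(lines):
    """Count matching lines per APAR number over an iterable of log lines."""
    counts = Counter()
    for line in lines:
        hit = match_line(line)
        if hit:
            counts[hit[0]] += 1
    return dict(counts)


# Constructed sample lines modelled on the messages quoted in the table.
SAMPLE_LOG = [
    "ecs-ec-ingress[21929]: WARNING: RMI TCP Accept-7787: accept loop for "
    "ServerSocket[addr=0.0.0.0/0.0.0.0,localport=7787] throws",
    "ecs-ec-ingress[21929]: java.net.SocketException: Too many open files (Accept failed)",
    "[assetprofiler.assetprofiler] [AssetCleanupThread] "
    "com.q1labs.assetprofile.cleanup.AssetCleanupWorker: [ERROR] "
    "[NOT:0000003000][127.0.0.1/- -] [-/- -]AssetCleanupWorker.run(): "
    "Unable to cleanup asset. Skipping to next...",
    "[QRADAR] [23524] qflow: [INFO] Flow De-Duplication: enabled",
    "[QRADAR] [23524] qflow: [ERROR] No flow sources defined - sleeping until signal",
    "ecs-ec-ingress[21929]: java.net.SocketException: Too many open files (Accept failed)",
]

if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/qradar.log") on a real console.
    for apar, count in sorted(scan(SAMPLE_LOG).items()):
        action = next(a for number, _, a in SIGNATURES if number == apar)
        print(f"{apar}: {count} matching line(s) -> {action}")
```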
    LOG SOURCES IJ29030 LOG SOURCES DELETED FROM WITHIN LOG SOURCE GROUPS CAN STILL APPEAR IN THE QRADAR USER INTERFACE OPEN Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    When a Log Source (that is assigned to a Log Source group) is deleted, that Log Source can sometimes continue to be displayed in the Log Source group. For example:
    1. Admin > Log Source groups > Have a Log Source group (Test LSG).
    2. Create a Log Source using the Log Source Management app (Test1) assign (Test1 to TEST LSG).
    3. Create a Log Source using the QRadar legacy User Interface (Test2) assign (Test2 to TEST LSG).
    4. Deploy Changes.
    5. Delete the Log Sources (Test1 and Test2) from Log Source Management app.
    6. Open Log Source groups and check "Test LSG".

      Result
      Test1 and Test2 are still displayed in the group.
    03 November 2020
    MANAGED HOST IJ29041 REMAP (COMPONENT ID) OPTION CAN FAIL TO BE DISPLAYED DURING ADD HOST FUNCTION OPEN Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    When adding a Managed Host to a QRadar Deployment, if the deployment model contains a connection where the target/source ID is invalid (a component with that ID does not exist in deployment.xml), the remap host dialog does not pop up in the User Interface.

    When this issue occurs, it prevents the ability to perform the remap of component IDs on the Managed Host being added. The Managed Host add function completes, but an error is written to /var/log/qradar.error stating 'unable to add managed host' similar to the following:
    [tomcat.tomcat] [Thread-140205]
    com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI:
    [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -] unable to add
    managed host: Unable to marshal deployment to staging while
    adding conection: Connection source contains an invalid
    component id 102
    03 November 2020
    CUSTOM EVENT PROPERTIES IJ29043 LARGE AMOUNT OF COLON " : " SYMBOLS GENERATED DURING JSON PARSING FOR WINDOWS EVENT LOG IN CUSTOM EVENT PROPERTIES CLOSED Resolved in
    QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)

    Workaround
    No workaround available.

    APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums: https://ibm.biz/qradarforums

    Issue
    When attempting to use the JSON parser in Custom Event Properties to parse Windows Event Logs, a large amount of colon " : " symbols are generated and incorrect parser results are output. For example:
    1. Navigate to Admin tab, and open Custom Event Properties.
    2. Click Add in title bar.
    3. Have a test payload, enter it into Test Field.
    4. In the Property Expression Definition section, select Extraction using JSON key path.
    5. In JSON keypath field, enter /"event_data"
    6. In test field, large amounts of colon " : " symbols are generated and highlighted, and not ALL event_data elements are parsed
    7. Continue updating JSON keypath field, enter /"event_data"/"CommandLine"
    8. Cannot obtain the CommandLine output.
    12 July 2021
    SECURITY PROFILES IJ29042 USERS CREATED USING LDAP USER ATTRIBUTES CAN HAVE NON-ADMIN SECURITY PROFILES FOR ADMIN ROLES CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)

    Workaround
    Configure the LDAP server so that users that have an Admin role get an Admin Security Profile.

    Issue
    Users created via LDAP User Attributes can have non-Admin security profiles for Admin Roles.

    If accounts are configured via the User Interface and a user has an Admin Role, they must have an Admin Security Profile. For example:
    1. Have two Admin Roles and two security profiles.
    2. Have an LDAP server and setup LDAP User Attributes making the User Role Attribute return Admin.
    3. Have the Security Profile Attribute return a Security Profile that is not Admin.
    4. Log in and have a User created with a User Role of Admin but not a Security Profile of Admin.

      Result
      When attempting to change that User in the QRadar User Interface, you can only select Admin for the security profile; likewise, if a new user is created with an Admin role, they can only have Admin as the Security Profile.
    24 May 2021
    SECURITY BULLETIN CVE-2019-13232 UNZIP AS USED BY IBM QRADAR SIEM IS VULNERABLE TO DENIAL OF SERVICE CLOSED Resolved in
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Affected versions
    • IBM QRadar SIEM 7.4.0 to 7.4.1 GA
    • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 4

    Issue
    Info-ZIP UnZip is vulnerable to a denial of service, caused by mishandling the overlapping of files inside a ZIP container. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause resource consumption. CVSS Base score: 3.3
    13 October 2020
    SECURITY BULLETIN CVE-2018-1313 APACHE DERBY AS USED BY IBM QRADAR SIEM IS VULNERABLE TO IMPROPER INPUT VALIDATION CLOSED Resolved in
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Affected versions
    • IBM QRadar SIEM 7.4.0 to 7.4.1 GA
    • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 4

    Issue
    Apache Derby could allow a remote attacker to bypass security restrictions, caused by improper validation of network packets received. By sending a specially-crafted network packet, an attacker could exploit this vulnerability to boot a database whose location and contents are under the user's control. CVSS Base score: 7.5
    13 October 2020
    RULES IJ28759 RULE RESPONSE EMAILS CONTAINING CUSTOM EVENT PROPERTIES DISPLAY THOSE PROPERTIES AS "N/A" IN THE RULE RESPONSE CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 Interim Fix 1 (7.4.1.20201018191117)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround
    No workaround available. Administrators who experience this issue must upgrade to a software version where this issue is resolved.

    Issue
    Rule responses that use email templates containing Custom Event Properties do not populate the properties correctly in the response.

    When this issue occurs, those properties display as "N/A" in the response.
    26 November 2020
    SERVICES / ADD HOST IJ25854 "SOFTWARE INSTALL" QRADAR EVENT COLLECTOR OR DATANODE CAN FAIL TO START REQUIRED SERVICES AFTER ADDED TO DEPLOYMENT OPEN Workaround
    Perform a full replication on the affected Managed Host from a command line prompt:
    1. Log in to the QRadar Console as the root user.
    2. Open an SSH session to the Event Collector or Data Node appliance.
    3. Type the following command to force a full replication:
      /opt/qradar/bin/replication.pl -full

      Results
      Wait for the replication to complete. If you experience errors when this command is run or want assistance verifying this issue, contact QRadar Support.

    Issue
    Required services on a "software install" Event Collector or DataNode fail to start after they are added to the QRadar deployment.
    27 June 2020
    OFFENSES IJ25797 NULLPOINTEREXCEPTION WRITTEN TO QRADAR LOGGING WHEN VIEWING EVENTS ASSOCIATED TO AN OFFENSE CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    No workaround available; this issue requires a software release to resolve.

    Issue
    A NullPointerException is written to QRadar logging when attempting to view the events associated with an offense. To replicate this issue:
    1. Log in to QRadar.
    2. Click the Offenses tab.
    3. Select All Offenses.
    4. Double click on an offense to view the offense details.
    5. From the Last 10 offenses section, click the Events button.

      Results
      A NullPointerException error is displayed in the QRadar logs.

    Messages similar to the following might then be visible in /var/log/qradar.log:
    [tomcat.tomcat] [ArielQueryManager]
    com.q1labs.ariel.ui.bean.EventSearchDelegate: [ERROR] [127.0.0.1/- -] 
    [-/- -]Error processingoffenseId parameter for offense EQ 1
    [tomcat.tomcat] [ArielQueryManager]
    java.lang.NullPointerException
    [tomcat.tomcat] [ArielQueryManager]    at
    com.q1labs.ariel.ui.bean.IUIArielSearchDelegate$OffenseProcessor
    .addOffenseSearchCriteria(IUIArielSearchDelegate.java:106)
    [tomcat.tomcat] [ArielQueryManager]    at
    com.q1labs.ariel.ui.bean.EventSearchDelegate.prepareQuery(EventS
    earchDelegate.java:265)
    [tomcat.tomcat] [ArielQueryManager]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.
    java:965)
    [tomcat.tomcat] [ArielQueryManager]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.
    java:790)
    [tomcat.tomcat] [ArielQueryManager]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.
    java:746)
    [tomcat.tomcat] [ArielQueryManager]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.
    java:740)
    [tomcat.tomcat] [ArielQueryManager]    at
    com.q1labs.ariel.ui.bean.QueryHandleSerializer.deserialize(Query
    HandleSerializer.java:191)
    [tomcat.tomcat] [ArielQueryManager]    at
    com.q1labs.ariel.ui.bean.QueryHandleSerializer.deserialize(Query
    HandleSerializer.java:34)
    [tomcat.tomcat] [ArielQueryManager]    at
    com.google.gson.internal.bind.TreeTypeAdapter.read(TreeTypeAdapter.java:69)
    [tomcat.tomcat] [ArielQueryManager]    at
    com.google.gson.Gson.fromJson(Gson.java:887)
    [tomcat.tomcat] [ArielQueryManager]    at
    com.google.gson.Gson.fromJson(Gson.java:852)
    [tomcat.tomcat] [ArielQueryManager]    at
    com.google.gson.Gson.fromJson(Gson.java:801)
    [tomcat.tomcat] [ArielQueryManager]    at
    com.q1labs.ariel.ui.bean.EventSearchDelegate.deserialize(EventSe
    archDelegate.java:433)
    [tomcat.tomcat] [ArielQueryManager]    at
    com.q1labs.core.dao.ariel.ArielQueryHandle.getQueryHandle(ArielQ
    ueryHandle.java:158)
    [tomcat.tomcat] [ArielQueryManager]    at
    com.q1labs.ariel.ui.ArielQueryManager.run(ArielQueryManager.java:594)
    27 June 2020
    SECURITY BULLETIN CVE-2020-13934
    CVE-2019-17566
    CVE-2019-4378
    CVE-2020-1945
    CVE-2020-0543
    CVE-2020-0548
    CVE-2020-0549
    CVE-2010-4710
    CVE-2020-5408
    CVE-2019-13990
    CVE-2020-13935
    CVE-2019-10241
    CVE-2019-10247
    CVE-2020-11022
    CVE-2020-11023
    CVE-2018-15494
    CVE-2020-5398
    180875
    IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES CLOSED Resolved in
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Affected versions
    • IBM QRadar SIEM 7.4.0 to 7.4.1 GA
    • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 4
    Issue
    The product includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools.
    07 October 2020
    SECURITY BULLETIN CVE-2020-4280 IBM QRADAR SIEM IS VULNERABLE TO DESERIALIZATION OF UNTRUSTED DATA CLOSED Resolved in
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Affected versions
    • IBM QRadar SIEM 7.4.0 to 7.4.1 GA
    • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 4
    Issue
    IBM QRadar could allow a remote attacker to execute arbitrary commands on the system, caused by insecure deserialization of user-supplied content by the Java deserialization function. By sending a malicious serialized Java object, an attacker could exploit this vulnerability to execute arbitrary commands on the system. CVSS Base Score: 6.3
    07 October 2020
    SECURITY BULLETIN CVE-2018-12545
    CVE-2017-9735
    CVE-2017-7658
    CVE-2017-7656
    CVE-2017-7657
    CVE-2019-10241
    CVE-2019-10247
    CVE-2018-12536
    CVE-2019-0222
    CVE-2020-1941
    CVE-2018-8006
    CVE-2018-11775
    CVE-2017-15709
    CVE-2015-7559
    CVE-2019-12423
    CVE-2019-17573
    CVE-2019-12419
    CVE-2020-1954
    CVE-2019-12406
    IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES CLOSED Resolved in
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Affected versions
    • IBM QRadar SIEM 7.4.0 to 7.4.1 GA
    • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 4
    Issue
    The product includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools.
    07 October 2020
    SECURITY BULLETIN CVE-2019-4545 IBM QRADAR SIEM IS VULNERABLE TO KDC SPOOFING CLOSED Resolved in
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Affected versions
    • IBM QRadar SIEM 7.4.0 to 7.4.1 GA
    • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 4
    Issue
    IBM QRadar SIEM when configured to use Active Directory Authentication may be susceptible to spoofing attacks. CVSS Base Score: 7.5
    07 October 2020
    SECURITY BULLETIN CVE-2018-8009
    CVE-2018-15494
    CVE-2020-9489
    CVE-2020-11023
    CVE-2020-11022
    IBM QRADAR INCIDENT FORENSICS IS VULNERABLE TO USING COMPONENT WITH KNOWN VULNERABILITIES CLOSED Resolved in
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Affected versions
    • IBM QRadar Incident Forensics 7.4.0 to 7.4.1 GA
    • IBM QRadar Incident Forensics 7.3.0 to 7.3.3 Patch 4
    Issue
    The product includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools.
    07 October 2020
    DATA OBFUSCATION IJ26220 DATA DEOBFUSCATION KEYS CAN FAIL TO WORK AS EXPECTED IN SOME QRADAR DOMAIN ENVIRONMENTS CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 4 (7.3.3.20200629201233)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Workaround
    No workaround available.

    Issue
    Data deobfuscation fails when using the correct deobfuscation key for events that are tagged to an Event Collector domain where the Event Collector is connected to an Event Processor. The data deobfuscation keys created can sometimes fail with a message similar to "Deobfuscation fail". Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [admin@127.0.0.1 (2367)
    /console/do/obfuscation/obfuscationdecryption]
    com.q1labs.obfuscation.ui.action.ObfuscationDecryptionAction:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/-
    -]qradar.obfuscation.ui.obfuscationdecryption.error.CORRESPONDIN
    G_DECRYPTION_KEY_FOUND_IN_SESSION_BUT_DECRYPTION_FAIL,
    javax.crypto.BadPaddingException: decryption fail.
    javax.crypto.BadPaddingException: Given final block not
    properly padded
    17 July 2020
    SEARCH IJ25350 SAVED SEARCHES CAN GENERATE AN APPLICATION ERROR WHEN A CUSTOM EVENT PROPERTY USES A RESERVED AQL KEY NAME CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Workaround
    Delete the Custom Event Property; disabling the property does not resolve the search errors.

    Issue
    When a custom event property is named using a reserved AQL name in QRadar, such as 'searchName', the user interface can generate an Application Error when the search is run.

    Note: This issue can be reproduced with the following steps, but doing so is not recommended, as creating the custom property as described can prevent searches from running, as documented in the error logs.
    1. Log in to the Console as an administrator.
    2. Click the Admin tab.
    3. Click the Custom Event Properties icon.
    4. Click Add.
    5. In the New Property field, type searchName
    6. Click the Log Activity tab.
    7. From the Quick Search menu, select any saved search.

      Results
      Expected result: Load saved search successfully.
      Actual result: "Application Error" is displayed.
    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch] Caused by:
    [tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch] java.lang.RuntimeException: Error processing criteria searchName
    [tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch]    at com.q1labs.cve.utils.CriteriaBuilder.getCriteria(CriteriaBuilder.java:1517)
    [tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch]    at com.q1labs.cve.utils.CriteriaBuilder.getQueryParams(CriteriaBuilder.java:386)
    [tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch]    at com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:927)
    [tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch]    ... 81 more
    [tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch] Caused by:
    [tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch] java.lang.IllegalArgumentException: Operation Event is not valid. Should be one of [EQ, LT, LE, GT, GE, NEQ]
    [tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch]    at com.q1labs.cve.utils.CriteriaBuilder.updateCriteria_Expression(CriteriaBuilder.java:1047)
    [tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch]    at com.q1labs.cve.utils.CriteriaBuilder.updateCriteria(CriteriaBuilder.java:1316)
    [tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch]    at com.q1labs.cve.utils.CriteriaBuilder.getCriteria(CriteriaBuilder.java:1424)
    [tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch]    ... 83 more
    [tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch] org.apache.jsp.qradar.jsp.ArielSearch_jsp: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Could not forward to exception page, possibly an included JSP?
    [tomcat.tomcat] [admin@127.0.0.1(8964) /console/JSON-RPC/QRadar.getGlobalViewDetails QRadar.getGlobalViewDetails] com.q1labs.core.ui.servlet.RemoteJavaScript: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]An exception occurred while executing the remote method 'getGlobalViewDetails'
    [tomcat.tomcat] [admin@127.0.0.1(8964) /console/JSON-RPC/QRadar.getGlobalViewDetails QRadar.getGlobalViewDetails] java.lang.RuntimeException: java.lang.RuntimeException: Error processing criteria searchName
    [tomcat.tomcat] [admin@127.0.0.1(8964) /console/JSON-RPC/QRadar.getGlobalViewDetails QRadar.getGlobalViewDetails]    at com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:1007)
    [tomcat.tomcat] [admin@127.0.0.1(8964) /console/JSON-RPC/QRadar.getGlobalViewDetails QRadar.getGlobalViewDetails]    at com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:790)
    [tomcat.tomcat] [admin@127.0.0.1(8964) /console/JSON-RPC/QRadar.getGlobalViewDetails QRadar.getGlobalViewDetails]    at com.q1labs.ariel.ui.UIArielServices.getGlobalViewID(UIArielServices.java:12530)
    [tomcat.tomcat] [admin@127.0.0.1(8964) /console/JSON-RPC/QRadar.getGlobalViewDetails QRadar.getGlobalViewDetails]    at com.q1labs.ariel.ui.UIArielServices.getGlobalViewDetails(UIArielServices.java:12253)
    [tomcat.tomcat] [admin@127.0.0.1(8964) /console/JSON-RPC/QRadar.getGlobalViewDetails QRadar.getGlobalViewDetails]    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    [tomcat.tomcat] [admin@127.0.0.1(8964) /console/JSON-RPC/QRadar.getGlobalViewDetails QRadar.getGlobalViewDetails]    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
    [tomcat.tomcat] [admin@127.0.0.1(8964) /console/JSON-RPC/QRadar.getGlobalViewDetails QRadar.getGlobalViewDetails]    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
    12 June 2020
    UPGRADE IJ22566 QRADAR PATCHING CAN FAIL AND ROLLBACK ON BLANK TABLES IN A QVM FUSION DATABASE CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Workaround
    If you are unable to upgrade, contact Support for a possible workaround that might address this issue in some instances.

    Issue
    The QRadar patching process can fail and roll back when there are unexpected blank tables within the QRadar Vulnerability Manager (QVM) fusion database. Messages similar to the following might be visible during the patch process and also within the most recent /var/log/setup-7.3.3.xxxxxxxxx/patches.log:
    Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] ip={host_ipaddress}
    Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] starting
    Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] Found 0 patch report files.
    Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG]
    Patch Report for 172.16.77.26, appliance type: 1202
    {hostname}: patch test succeeded.
    1 SQL script errors were detected; Error applying script [3/3] '/media/updates/opt/qvm/db/sql/functions/all_functions.sql' for Test_fusionvm database.; details:
    WARNING: SET TRANSACTION can only be used in transaction blocks
    ERROR: insert or update on table "toolsuitecomponents" violates foreign key constraint "fk_toolsuitecomponents_toolsuite_l7protocolcodes"
    DETAIL: Key (l7protocolcode)=(18) is not present in table "toolsuite_l7protocolcodes".
    CONTEXT: SQL statement "INSERT INTO ToolSuiteComponents VALUES (10001,5,'netbios - ports','/bin/netbios/netbios_ports.pl','1.0',TRUE,TRUE,18,'','',1,5,10000,2,10,2)"
    PL/pgSQL function enable_netbios_ports() line 4 at SQL statement
    {hostname} : patch rolled back.
    Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] pr=
    Patch Report for , appliance type: 1202
    {hostname} : patch test succeeded.
    1 SQL script errors were detected; Error applying script [3/3] '/media/updates/opt/qvm/db/sql/functions/all_functions.sql' for Test_fusionvm database.; details:
    WARNING: SET TRANSACTION can only be used in transaction blocks
    ERROR: insert or update on table "toolsuitecomponents" violates foreign key constraint "fk_toolsuitecomponents_toolsuite_l7protocolcodes"
    DETAIL: Key (l7protocolcode)=(18) is not present in table "toolsuite_l7protocolcodes".
    CONTEXT: SQL statement "INSERT INTO ToolSuiteComponents VALUES (10001,5,'netbios - ports','/bin/netbios/netbios_ports.pl','1.0',TRUE,TRUE,18,'','',1,5,10000,2,10,2)"
    PL/pgSQL function enable_netbios_ports() line 4 at SQL statement
    {hostname} : patch rolled back.
    Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] non console; interactive end.
    Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] complete
    Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] finishing up and restarting services.
    Mon Dec 2 11:57:21 AST 2019: ./patchInstaller.pl -patchfile /storetmp/2019140_QRadar_patchupdate-2019.14.0.20191031163225.sfs -p ./superpatches.manifest.xml completed with result 1
    05 February 2020
    SECURITY BULLETIN CVE-2019-0201 APACHE ZOOKEEPER AS USED BY IBM QRADAR SIEM IS VULNERABLE TO INFORMATION DISCLOSURE CLOSED Resolved in
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)

    Affected versions
    • IBM QRadar SIEM 7.4.1 General Availability (GA)
    • IBM QRadar Risk Manager 7.4.1 General Availability (GA)
    • IBM QRadar Vulnerability Manager 7.4.1 General Availability (GA)
    • IBM QRadar Incident Forensics 7.4.1 General Availability (GA)
    • IBM QRadar Network Insights 7.4.1 General Availability (GA)

    Issue
    Apache ZooKeeper could allow a remote attacker to obtain sensitive information, caused by the failure to check permissions by the getACL() command. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 7.5
    21 September 2020
    OFFENSES IJ27346 OFFENSE API CALLS CAN CAUSE A HOSTCONTEXT TXSENTRY TO OCCUR AS NO LIMIT IS APPLIED TO THE NUMBER OF FIELDS TO BE RETURNED CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)

    Workaround
    Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve this issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. This issue was reported by users with QRadar 7.4.1 (GA) General Availability installed.

    Issue
    The hostcontext process can experience a TxSentry (the process is killed when a transaction takes too long to complete) caused by the Offense API not having limits set on the number of fields that it can return.

    This behavior can be observed during the use of some QRadar apps that make Offense API calls (e.g., the Incident Overview app). Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [hostcontext.hostcontext] [baa9069a-d7b2-48bf-ab9b-32962f1f8055/SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][X.X.X.X/- -] [-/- -] Lock acquired on host X.X.X.X: rel=offense_device_link_pkey age=638 granted=t mode=AccessShareLock query='SELECT DISTINCT (CASE WHEN offense_properties.user'
    [hostcontext.hostcontext] [baa9069a-d7b2-48bf-ab9b-32962f1f8055/SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][X.X.X.X/- -] [-/- -] Lock acquired on host X.X.X.X: rel=sensordevicetype age=638 granted=t mode=AccessShareLock query='SELECT DISTINCT (CASE WHEN offense_properties.user'
    [hostcontext.hostcontext] [baa9069a-d7b2-48bf-ab9b-32962f1f8055/SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][X.X.X.X/- -] [-/- -] Lock acquired on host X.X.X.X: rel=sensordevice_eccomponentid_idx age=638 granted=t mode=AccessShareLock query='SELECT DISTINCT (CASE WHEN offense_properties.user'
    31 August 2020
    QRADAR NETWORK INSIGHTS IJ26718 QRADAR NETWORK INSIGHTS (QNI) CAN INTERMITTENTLY SLOW OR STOP SENDING FLOWS WHEN QNI IS CONFIGURED TO USE DTLS FOR ITS COMMUNICATION PROTOCOL CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Workaround
    Restarting the qflow process or QNI corrects this behavior.

    Issue
    In QRadar 7.4.1 GA, QRadar Network Insights (QNI) flow sources that are configured to use DTLS for their communication protocol can slow to a rate of only a few flows per minute (FPM), or stop entirely, when sending flows into QRadar qflow. This behavior has been observed after a few minutes, or sometimes after several hours, of proper function.
    21 May 2021
    HIGH AVAILABILITY (HA) IJ18179 LOG COLLECTION ON A HIGH AVAILABILITY SECONDARY CAN FAIL TO OCCUR AFTER INITIAL FAILOVER DUE TO MISSING JAR FILES CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Workaround
    1. Click the Admin tab.
    2. From the Advanced menu, select Deploy Full Configuration.
    3. Wait for the full deploy to complete.
    4. Select Advanced, and click Restart Event Collection Services.
    Issue
    It has been identified that some required jar files are not copied to opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs on a High Availability (HA) secondary appliance until a Deploy Full Configuration is performed after the HA secondary becomes active.
    18 October 2019
    HISTORICAL CORRELATION IJ26306 EVENT/FLOW WINDOW IS BLANK FOR HISTORICAL CORRELATION OFFENSES AND VIEWING 'LAST 10 EVENTS/FLOWS' GENERATES ERROR CLOSED Resolved in
    QRadar 7.4.3 (7.4.3.20210517144015)
    QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)

    Workaround
    No workaround available. This issue was reopened after the error was reported again by users at QRadar 7.4.2 and 7.4.1 Fix Pack 2, and closed with the release of QRadar 7.4.2 Fix Pack 3.

    Issue
    While attempting to view Events or Flows associated with a Historical Correlation Offense, the Event/Flow List window displays a blank page.

    When attempting to view the "Last 10 Events/Flows" for a Historical Correlation Offense, a message similar to the following is generated:
    An error occurred while fetching the Events for this offense
    or
    An Error occurred while fetching the Flows for this offense

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    tomcat[44128]: Caused by:
    tomcat[44128]: java.lang.NoSuchMethodError: com/ibm/si/core/offensemapper/OffenseMapperFactory.getOffenseMapperType(ILjava/lang/String;Ljava/lang/String;)Lcom/ibm/si/core/offensemapper/OffenseMapperType; (loaded from file:/opt/qradar/webapps/console/WEB-INF/lib/q1labs_core.jar by PluginClassLoader
    tomcat[44128]: context: console
    tomcat[44128]: delegate: false
    tomcat[44128]: ---------- Parent Classloader:
    tomcat[44128]: java.net.URLClassLoader@17b2c16d
    tomcat[44128]: ) called from class com.ibm.si.hc.HistoricalCorrelationProcessor (loaded from file:/opt/qradar/webapps/console/WEB-INF/lib/q1labs_hc.jar by PluginClassLoader
    tomcat[44128]: context: console
    tomcat[44128]: delegate: false
    tomcat[44128]: ---------- Parent Classloader:
    tomcat[44128]: java.net.URLClassLoader@17b2c16d
    tomcat[44128]: ).
    tomcat[44128]: at com.ibm.si.hc.HistoricalCorrelationProcessor.transformQueryParams(HistoricalCorrelationProcessor.java:2538)
    12 April 2021
    REPORTS IJ26071 CSV REPORTS CAN FAIL TO GENERATE WHEN THERE IS NO ACCUMULATED DATA CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Workaround
    Use the .pdf report output for reports. The PDF option allows the report to be created and no error to be generated in the QRadar logs. Administrators who require CSV reports can install QRadar 7.4.1 Fix Pack 1. This issue was reported by users at QRadar 7.3.2 Patch 6.

    Issue
    When a report is configured for .csv output and that report has no accumulated data, the report fails to generate and an error is logged to QRadar logging.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [report_runner] [main] com.q1labs.reporting.ReportRunner: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error initializing ReportRunner
    [report_runner] [main] java.lang.Throwable: java.lang.RuntimeException: REPORT [MONTHLY#^#e028752#$#c64ac148-b504-4918-9fe3-76a4fba6c7f6#^#1583161424583]: Failed to run using template [e028752#$#c64ac148-b504-4918-9fe3-76a4fba6c7f6.xml]
    [report_runner] [main]    at com.q1labs.reporting.ReportRunner.main(ReportRunner.java:300)
    [report_runner] [main] Caused by:
    [report_runner] [main] java.lang.RuntimeException: REPORT [MONTHLY#^#e028752#$#c64ac148-b504-4918-9fe3-76a4fba6c7f6#^#1583161424583]: Failed to run using template [e028752#$#c64ac148-b504-4918-9fe3-76a4fba6c7f6.xml]
    [report_runner] [main]    at com.q1labs.reporting.Report.process(Report.java:623)
    [report_runner] [main]    at com.q1labs.reporting.ReportRunner.main(ReportRunner.java:246)
    [report_runner] [main] Caused by:
    [report_runner] [main] java.lang.RuntimeException: REPORTING CSV builder: More than on table header found. This is invalid for single table report
    [report_runner] [main]    at com.q1labs.reporting.csv.ReportCSVBuilder.buildColumnRecord(ReportCSVBuilder.java:100)
    [report_runner] [main]    at com.q1labs.reporting.csv.ReportCSVBuilder.buildCsvFile(ReportCSVBuilder.java:177)
    [report_runner] [main]    at com.q1labs.reporting.Report.process(Report.java:520)
    [report_runner] [main]    ... 1 more
    14 July 2020
    SYSTEM NOTIFICATIONS IJ22900 NOTIFICATION TABLE CONTAINS DUPLICATE ROWS FOR THE SAME EVENT CAUSING DISCREPANCY IN NOTIFICATION DATA DISPLAYED CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Workaround
    Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve this issue.

    Issue
    When opening the Notification “An invalid protocol source configuration may be stopping event collection.”, the number of events displayed does not match the number of notifications.

    For example, the Notification displays (6 events), but when clicking on “view all” there are only 3 events.
    09 October 2020
    QRADAR VULNERABILITY MANAGER / EXPORT IJ25880 AN EXCEPTION IS THROWN WHEN ATTEMPTING AN EXPORT FROM THE SCAN RESULTS VULNERABILITIES LIST CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)

    Workaround
    Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve issues when exporting scan results from the Vulnerabilities tab. This issue was reported by users at QRadar Vulnerability Manager 7.4.0 (GA) General Availability and later.

    Issue
    An Export error exception pop-up is generated when attempting to export the list of vulnerabilities from the Scan Results user interface. For example:
    1. Log in to the QRadar user interface.
    2. Click the Vulnerabilities tab.
    3. Select Scan Results and highlight the vulnerabilities to export.
    4. Select one of the following options:
      • Actions > Export to CSV
      • Actions > Export to XML

      Results
      The error exception popup is generated in the user interface:
      There was a problem completing your export. Please try again later.

      Optionally, administrators can review the logs to determine if a NoSuchMethodException is generated in the logs:
      java.lang.NoSuchMethodException: com.sun.proxy.$Proxy182.getVulnerabilities(java.lang.String, java.lang.String, int, int, java.lang.String, java.lang.String, int, int, java.lang.String)
        at java.lang.Class.newNoSuchMethodException(Class.java:562)
        at java.lang.Class.throwExceptionOrReturnNull(Class.java:1195)
        at java.lang.Class.getMethodHelper(Class.java:1259)
        at java.lang.Class.getMethod(Class.java:1187)
        at com.q1labs.core.ui.coreservices.export.ExportJobProcessor.exportVulnerabilityTabJDBCSearchFusionVMQuery(ExportJobProcessor.java:703)
        at com.q1labs.core.ui.coreservices.export.ExportJobProcessor.run(ExportJobProcessor.java:196)
    27 June 2020
    LOG ACTIVITY IJ26129 EVENTS COPIED FROM ONE QRADAR DEPLOYMENT TO ANOTHER CANNOT BE OPENED IF THE COMPONENT ID DOES NOT EXIST IN THE NEW ONE CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Workaround
    Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve issues when copying event data between appliances. This issue was reported by users at QRadar 7.4.0 Fix Pack 1 and later.

    Issue
    When events are copied from one QRadar deployment to another and the component id associated with those events does not exist within the data on the new QRadar deployment, those events cannot be opened.

    An "Application Error" is generated in the QRadar User Interface when a user attempts to open these affected events.

    Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
    {timestamp}18:14:55.738727 ::ffff:127.0.0.1 [tomcat.tomcat] [user@host (8302) /console/do/ariel/arielDetails] com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]An exception occurred while processing the request:
    {timestamp}18:14:55.739787 ::ffff:127.0.0.1 [tomcat.tomcat] [user@host (8302) /console/do/ariel/arielDetails] java.lang.NullPointerException
    18:14:55.739968 ::ffff:127.0.0.1 [tomcat.tomcat] [user@host (8302) /console/do/ariel/arielDetails]    at com.q1labs.events.ui.bean.EventForm.copyFromDAO(EventForm.java:919)
    {timestamp}18:14:55.739968 ::ffff:127.0.0.1 [tomcat.tomcat] [user@host (8302) /console/do/ariel/arielDetails]    at com.q1labs.ariel.ui.UIArielServices.getRecordBean(UIArielServices.java:5873)
    {timestamp}18:14:55.739968 ::ffff:127.0.0.1 [tomcat.tomcat] [user@host (8302) /console/do/ariel/arielDetails]    at com.q1labs.ariel.ui.action.ArielDetails.viewDetails(ArielDetails.java:36)
    {timestamp}18:14:55.739968 ::ffff:127.0.0.1 [tomcat.tomcat] [user@host (8302) /console/do/ariel/arielDetails]    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    {timestamp}18:14:55.739968 ::ffff:127.0.0.1 [tomcat.tomcat] [user@host (8302) /console/do/ariel/arielDetails]    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
    {timestamp}18:14:55.740992 ::ffff:127.0.0.1 [tomcat.tomcat] [user@host (8302) /console/do/ariel/arielDetails]    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
    {timestamp}18:14:55.740992 ::ffff:127.0.0.1 [tomcat.tomcat] [user@host (8302) /console/do/ariel/arielDetails]    at java.lang.reflect.Method.invoke(Method.java:508)
    15 July 2020
    QRADAR NETWORK INSIGHTS / UPGRADE IJ22448 PATCH OF A QNI APPLIANCE CAN FAIL WHEN THE NAPATECH SERVICE FAILS TO START CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Workaround
    Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve Napatech service issues related to software upgrades. This issue might be experienced by users at QRadar Network Insights 7.3.2 (GA) General Availability or later.

    Issue
    QRadar patching fails on a QNI appliance that has a failed Napatech card and/or whose required napatech3 service cannot be started.
    09 October 2020
    QFLOW IJ25317 QFLOW MEMORY USAGE CAN CONTINUALLY GROW AS ADDITIONAL UNIQUE TEMPLATES ARE USED CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)

    Workaround
    Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve this issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. This issue might be experienced by users with memory issues related to QFlow with QRadar 7.3.2 Fix Pack 7 or later installed.

    Issue
    The QRadar qflow process currently does not flush any of its templates from memory when they have been inactive for a period of time.

    As more unique templates are used by the qflow process (e.g., QNI or third-party exporter restarts cause a "new" template to be stored in qflow memory), the memory used by qflow continually grows.
    12 June 2020
    LICENSING IJ23772 AVERAGE EPS REPORTED FOR A MANAGED HOST CAN REPORT ZERO (0) DUE TO NULL VALUES LISTED IN A GLOBAL VIEW (GV) CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)

    Workaround
    Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve this issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. This issue might be experienced by users with memory issues related to QFlow with QRadar 7.3.2 Fix Pack 7 or later installed.

    Issue
    The Average EPS in the table License_pool_allocation for some Managed Hosts is not updated due to a NullPointerException that occurs in a Global View (GV).

    When this occurs, the Average EPS for affected Managed Hosts can display as zero (0) EPS.
    19 September 2020
    REPORTS IJ10609 "NO DATA FOR CHART" IN TIMESERIES REPORT WHEN 'TIME' VARIABLE IS THE HORIZONTAL AXIS CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Workaround
    No workaround available.

    Issue
    It has been identified that timeseries reports with the Time variable configured for the X-Axis display "No data for Chart". For example, to replicate this issue:
    1. Click the Reports tab and create a weekly report.
    2. In the Chart Type, select Events/Logs.
    3. In the Container Details, select a pre-configured aggregated search (timeseries).
    4. Under Additional Details, select:
      • Graph Type: Bar
      • Limit Events/Logs to Top: 5
      • Horizontal (X) Axis: Time
      • Vertical (Y) Axis: Count
      • Timeline Interval: 1 day
    5. Save the report.
    6. Verify the data is being accumulated for the search.

      Results
      When the report runs as scheduled, it is generated with the message "No Data for Chart" in the container. The report is generated successfully when the user specifies any other variable on the Horizontal (X) axis instead of the "Time" variable.
    09 October 2020
    TELNET FLOW INSPECTOR IJ18004 QRADAR NETWORK INSIGHTS (QNI) TELNET INSPECTOR CAN INCORRECTLY CLASSIFY SOME LDAP FLOW TRAFFIC AS TELNET TRAFFIC CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Workaround
    Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve this issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. This issue was reported by users with QRadar 7.4.1 (GA) General Availability installed.

    Issue
    It has been identified that in some instances, the QRadar Network Insights (QNI) Telnet Inspector can incorrectly classify LDAP flow traffic as Telnet traffic. When this occurs, false positives can sometimes occur within rule functionality.
    09 October 2020
    DEPLOY CHANGES IJ25798 DEPLOY FUNCTION CAN FAIL DUE TO AN INCONSISTENT INDEX FROM THE CONSOLE VS MANAGED HOSTS CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)

    Workaround
    Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve this issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. This issue was reported by users with QRadar 7.4.1 (GA) General Availability installed.

    Issue
    A QRadar deploy function can fail when an index (reference_data_element_data1) is inconsistent between what is on the Console and what is on a Managed Host.

    Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
    [hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: psql:/store/replication/tx0000000000000302764.sql:220939: ERROR:  index row size 2928 exceeds maximum 2712 for index "reference_data_element_data1"
    [hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: HINT:  Values larger than 1/3 of a buffer page cannot be indexed.
    [hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: Consider a function index of an MD5 hash of the value, or use full text indexing.
    [hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: CONTEXT:  SQL statement "INSERT INTO public.reference_data_element SELECT * FROM rep.public_reference_data_element"
    [hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: PL/pgSQL function replicate_restore_dump(text,text) line 24 at EXECUTE
    {hostname}-primary replication[197954]: Could not apply /store/replication/tx0000000000000302764.sql.
    27 June 2020
    LICENSE IJ13317