
QRADAR APARS 101

QRadar information related to known issues, important alerts and problem resolutions.

What are APARs?

QRadar uses Authorized Program Analysis Reports (APARs) to track issues reported by users. Each problem report carries a status for the end user, either ONGOING or CLOSED. This page is intended to help users who have not yet subscribed to IBM My Notifications locate known issues, and to view alerts on APARs that QRadar Support considers important.

Searching the APAR table

The QRadar Support team created this QRadar APARs 101 page to make APARs more searchable for users and administrators. The search field in the table below allows you to search for specific versions or keywords. Administrators who want to filter by a specific version can combine keywords, or use the version buttons and then narrow the results by keyword with the Search bar.


Last update: 13 May 2021: Added Rules and dual stack networks IJ32591, Log Source Management App 7.0 IJ32519, HA iSCSI IJ32089, Custom Properties IJ32104, Microsoft Windows IJ32103, Index Management IJ32111.
Each entry below lists the Component, APAR Number, Description, Status, More information (workaround, resolution and issue details) and Date.

Component: ROUTING RULES / FORWARDED EVENTS
Number: IJ29718
Description: EVENTS CAN BE DROPPED WHEN A DROPPED CONNECTION FAILED TO RECONNECT USING ONLINE FORWARDING WITH 'TCP' OR 'TCP OVER SSL'
Status: CLOSED

Resolution
The development team is unable to reproduce this issue. If you continue to experience errors with forwarded events or routing rules, contact QRadar Support.

Workaround
No workaround available. APARs identified with no workaround require a software update to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
When using online forwarding with TCP or TCP over SSL, if a connection issue occurs, it can result in online forwarding not reconnecting to the configured Destination successfully. Events are not forwarded to the Destination until the forwarding rule is disabled and re-enabled to establish a proper connection.
Date: 02 February 2021

Component: RULES
Number: IJ32591
Description: RULES CAN BE INCORRECTLY GENERATED IN DEPLOYMENTS WHERE DUAL STACK IS CONFIGURED AND A QRADAR PATCH HAS BEEN APPLIED
Status: OPEN

Workaround
Contact QRadar Support for a possible workaround that might address this issue.

Issue
iptables and ip6tables rules can be incorrectly generated in QRadar deployments where dual stack is configured. Appliances with dual stack (IPv4 and IPv6) are configured so that iptables and ip6tables are disabled and the iptables_update.pl script is symlinked to /bin/true.

When patching to a QRadar version where the hostcontext rpm is updated, this configuration is reverted and iptables is unexpectedly re-enabled.
Date: 10 May 2021

Component: QRADAR NETWORK INSIGHTS
Number: IJ32209
Description: RULES CAN BE INCORRECTLY GENERATED IN DEPLOYMENTS WHERE DUAL STACK IS CONFIGURED AND A QRADAR PATCH HAS BEEN APPLIED
Status: OPEN

Workaround
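Because the hostcontext rpm update reverts the dual-stack configuration silently, it is worth verifying after every patch that the symlink and the service states are still what the appliance was built with. The following post-patch check is an added example, not code from this page or from IBM: the path of iptables_update.pl is not given on this page, so it is passed in as a parameter, and the systemctl call is injectable so the check can be exercised against a scratch directory without touching the real system.

```python
import os
import subprocess
import tempfile


def symlink_target(path):
    """Return the symlink target of path, or None if path is not a symlink."""
    try:
        return os.readlink(path)
    except OSError:
        return None


def unit_enabled_state(unit, runner=None):
    """Return the stripped output of `systemctl is-enabled <unit>`.

    runner is injectable (a callable taking the argv list and returning stdout)
    so the check can be tested without systemd.
    """
    if runner is None:
        def runner(cmd):
            return subprocess.run(cmd, capture_output=True, text=True).stdout
    return runner(["systemctl", "is-enabled", unit]).strip()


def check_dual_stack_config(script_path, runner=None, expected_target="/bin/true"):
    """Return a list of findings; empty means the dual-stack configuration is intact.

    script_path: location of iptables_update.pl (placeholder, not given on this page).
    """
    findings = []
    target = symlink_target(script_path)
    if target != expected_target:
        findings.append(f"{script_path} is not a symlink to {expected_target} (found: {target})")
    for unit in ("iptables", "ip6tables"):
        state = unit_enabled_state(unit, runner)
        if state == "":
            findings.append(f"{unit}: could not determine unit state")
        elif state not in ("disabled", "masked"):
            findings.append(f"{unit} service state is '{state}', expected disabled")
    return findings


def self_check():
    """Exercise the check against a scratch directory with fake systemctl output.

    Returns (findings_intact, findings_drifted): the first for a correct symlink with
    both services disabled, the second for a regular file (as left behind when the
    hostcontext rpm replaces the symlink) with both services enabled.
    """
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "iptables_update.pl")
        os.symlink("/bin/true", good)
        bad = os.path.join(tmp, "iptables_update.pl.regular")
        with open(bad, "w") as fh:
            fh.write("#!/usr/bin/perl\n")  # constructed stand-in for the real script
        disabled = lambda cmd: "disabled\n"
        enabled = lambda cmd: "enabled\n"
        return (check_dual_stack_config(good, runner=disabled),
                check_dual_stack_config(bad, runner=enabled))


if __name__ == "__main__":
    intact, drifted = self_check()
    print("intact:", intact)
    print("drifted:", *drifted, sep="\n  ")
```

On a real appliance, call check_dual_stack_config with the actual script path and no runner, and run it once before and once after the patch; a non-empty result after the patch is the moment to apply the Support-provided workaround before rules are regenerated.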
Contact QRadar Support for a possible workaround that might address this issue.

Issue
The Incident Results window populates from a forensics database table that is not purged even when cases are deleted through Case Management.

All entries on all pages require a Solr request to determine the document count for the page, which can sometimes cause the Incident Results window to take longer than expected to load.
Date: 29 April 2021

Component: QRADAR NETWORK INSIGHTS
Number: IJ32062
Description: QRADAR NETWORK INSIGHTS CANNOT ADD HOST TO THE DEPLOYMENT WHEN THE CONSOLE FAILS TO OPEN AN SFTP CHANNEL
Status: OPEN

Workaround
  1. Using an SSH session to the QNI host, edit /etc/ssh/sshd_config with a tool such as vi and un-comment the following line:
    Subsystem sftp /usr/libexec/openssh/sftp-server
  2. On the QNI host, restart the sshd service using the command:
    systemctl restart sshd
  3. Add the QNI host to the deployment again.

Issue
QRadar Network Insights (QNI) hosts can fail to be added to a QRadar deployment due to the console failing to open an SFTP channel.

These instances have been identified as being caused by changes made in sshd_config during previous QRadar upgrades of the QNI host.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[hostcontext.hostcontext] [a393ce8b-13c3-4a89-a9af-45b902ce90f4/SequentialEventDispatcher] com.q1labs.core.shared.cli.ssh.SshException: Failed to open an sftp channel
Date: 29 April 2021

Component: LOG SOURCE MANAGEMENT APP
Number: IJ32519
Description: ALERT BOX 'ERRORFETCHINGCERTIFICATEDATATITLE' POPS UP WHEN USING LOG SOURCE MANAGEMENT APP (LSM) V7.0.0
Status: OPEN

Workaround
Close the alert if it appears. The error message is benign, and the Log Source Management app continues to function as expected after the message is closed.

Issue
The Log Source Management app (LSM) v7.0.0 can display an alert box similar to the following:
ERRORFETCHINGCERTIFICATEDATATITLE is an API error that can be closed if displayed and does not impact LSM app functionality.
This message is generated when an API call returns null and is not handled properly by the Log Source Management app.
Date: 12 May 2021

Component: UPGRADE
Number: IJ32160
Description: PATCH PRE-TEST CAN FAIL WITH '[ERROR] THERE ARE X BACKUPS IN PROGRESS. PLEASE WAIT FOR THEM TO COMPLETE...'
Status: OPEN

Workaround
Follow these steps from an SSH session to the QRadar Console to update all backups marked 'DELETING' to 'FAILED':
  1. Stop hostcontext and tomcat:
    systemctl stop hostcontext
    systemctl stop tomcat
  2. Run the following SQL:
    psql -U qradar -c "update backup set status = 'FAILED' where status = 'DELETING';"
  3. Restart tomcat and hostcontext:
    systemctl start tomcat
    systemctl start hostcontext
  4. Retry the patch pre-test process.

Issue
The QRadar patch pre-test can fail with a message similar to the following when the QRadar database has many backup records in status 'DELETING':
[ERROR] There are X backups in progress. Please wait for them to complete or cancel via UI before restarting patch
Date: 16 April 2021

Component: LOG ACTIVITY
Number: IJ32112
Description: "Q1CERTIFICATEEXCEPTION: CHECKCERTIFICATEPINNING FAILED" ERROR MESSAGES IN LOG ACTIVITY AS SIM GENERIC EVENTS
Status: OPEN

Workaround
Contact QRadar Support for a possible workaround that might address this issue.

Issue
"Q1CertificateException: checkCertificatePinning failed" error messages can sometimes be observed in Log Activity as SIM Generic events.

Individual lines of the stack trace can be sent into the QRadar pipeline, and when this occurs they are parsed as Unknown SIM Generic events or, in some instances, as Stored events under a newly created Log Source.

This error message is caused by the certificate retrieved from the Log Source location not matching any of the certificates stored on the QRadar system.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
Caused by: com.q1labs.frameworks.crypto.trustmanager.exceptions.Q1CertificateException: checkCertificatePinning failed.
at com.q1labs.frameworks.crypto.trustmanager.Q1X509TrustManager.checkCertificatesTrusted(Q1X509TrustManager.java:411)
at com.q1labs.frameworks.crypto.trustmanager.CertificateValidator.validate(CertificateValidator.java:110)
at com.ibm.jsse2.D.s(D.java:286)
at com.q1labs.frameworks.crypto.trustmanager.CertificateValidator.checkCertificatePinning(CertificateValidator.java:547)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
... 25 more
at com.ibm.jsse2.av.a(av.java:788)
at com.q1labs.frameworks.crypto.trustmanager.Q1X509TrustManager.checkServerTrusted(Q1X509TrustManager.java:307)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1352)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1327)
at com.ibm.jsse2.av.a(av.java:637)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at com.ibm.jsse2.E.a(E.java:145)
at java.lang.Thread.run(Thread.java:822)
at com.ibm.jsse2.E.a(E.java:479)
at com.q1labs.core.shared.jsonrpc.RPC.executeMethodWithTimeout(RPC.java:215)
at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:319)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:191)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
at com.q1labs.hostcontext.configuration.ConfigChangeObserver$ConfigChangeObserverTask.run(ConfigChangeObserver.java:662)
at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:72)
at com.ibm.jsse2.E.a(E.java:585)
at com.ibm.jsse2.D.a(D.java:251)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522)
at com.q1labs.hostcontext.configuration.ConfigChangeObserver$CheckDeployRequestTimer.timeExpired(ConfigChangeObserver.java:401)
at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:1)
at com.q1labs.hostcontext.configuration.ConfigChangeObserver$CheckDeployRequestTimer.getActionRequest(ConfigChangeObserver.java:426)
at com.ibm.jsse2.av.startHandshake(av.java:1020)
at com.ibm.jsse2.D.a(D.java:121)
at com.ibm.jsse2.k.a(k.java:43)
at com.q1labs.core.shared.jsonrpc.RPC.executeMethod(RPC.java:359)
at com.ibm.net.ssl.www2.protocol.https.b.getOutputStream(b.java:70)
at com.ibm.jsse2.av.a(av.java:722)
at com.q1labs.core.shared.jsonrpc.RPC.executeMethod(RPC.java:544)
at com.ibm.jsse2.D.a(D.java:572)
at com.ibm.jsse2.av.i(av.java:45)
at com.q1labs.frameworks.crypto.trustmanager.Q1X509TrustManager.checkCertificatesTrusted(Q1X509TrustManager.java:411)
at com.q1labs.frameworks.crypto.trustmanager.CertificateValidator.checkCertificatePinning(CertificateValidator.java:547)
at com.q1labs.frameworks.crypto.trustmanager.CertificateValidator.validate(CertificateValidator.java:110)
Caused by: com.q1labs.frameworks.crypto.trustmanager.exceptions.Q1CertificateException: checkCertificatePinning failed.
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:191)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522)
at com.ibm.jsse2.E.a(E.java:145)
... 25 more
Date: 14 April 2021

Component: HIGH AVAILABILITY (HA)
Number: IJ32089
Description: HIGH AVAILABILITY FAILOVER DOES NOT WORK AS EXPECTED WHEN ISCSI AND MULTIPATH ARE CONFIGURED
Status: OPEN

Workaround
Refer to the IBM Security QRadar Offboard Storage Guide for supported offboard storage configurations.

Issue
High Availability (HA) failovers do not work as expected when iSCSI is configured with multipath. The ha_setup.sh script allows the multipath configuration to succeed, but HA failovers do not work because a bad symlink is created.
Date: 29 April 2021

Component: QRADAR NETWORK INSIGHTS
Number: IJ32165
Description: MISCELLANEOUS FLOWS CAN BE GENERATED BY QRADAR NETWORK INSIGHTS WITH PAYLOADS SIMILAR TO "IBM(158)=HTTP;IBM(159)=1.0"
Status: OPEN

Workaround
  1. If there is no custom NetFlow v9 or IPFIX integration with third-party sources, and no custom flow properties that extract fields from the payload, then it is recommended to disable Payload mode altogether. This is done in the System Settings dialog by selecting only "TLV" mode.
  2. If Payload mode is required, edit /opt/qradar/conf/IPFIXFields.conf to add the fields shown in the payload that are to be hidden.
    Note: The 0 must be present in the payload column of that file so the field is not included in the payload. For example, the protocol name field can be hidden with the following line:
    "2,158,PROTOCOL_NAME,0"

Issue
QRadar Network Insights can generate miscellaneous flows that include payloads that display similar to:
"Apr 5, 2021, 4:04:54PM","false","Web.Web.Misc","Best Effort","6","false","0:0:0:0:0:0:0:0",
"0","4","IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;
IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;
IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;
IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;","Web","18448","IBM(158)=HTTP;
IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;
IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;
IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;
IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;","Apr 5,2021, 4:02:50 PM","Best Effort","L2L",
"Web.HTTPWeb","61176","S,P,A","9999"
Date: 30 April 2021

Component: CUSTOM PROPERTIES
Number: IJ32104
Description: AN EXCEPTION GENERATED BY THE AUTOMATIC PROPERTY DISCOVERY ENGINE CAN CAUSE EVENTS TO BE DROPPED FOR LOG SOURCES
Status: OPEN

Workaround
Contact QRadar Support for a possible workaround that might address this issue.

Issue
Property Autodetection can stop working when the threshold for bad properties is reached on a Managed Host, because disablePropertyDiscoveryProfile tries to update the database and fails, as the update runs inside a read-only transaction. When this issue occurs, events can fail to be received into QRadar Log Sources.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [NOT:0000003000][X.X.X.X/- -] [-/- -] Exception was uncaught in thread: Property Discovery Engine Thread
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] com.q1labs.frameworks.exceptions.FrameworksRuntimeException: Problem occurred committing transaction
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at com.q1labs.frameworks.session.SessionContext.commitTransaction(SessionContext.java:1079)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at com.q1labs.frameworks.session.SessionContext.commitTransaction(SessionContext.java:1005)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at com.ibm.si.ec.filters.property.cache.PropertyDiscoveryThreshold.disablePropertyDiscoveryProfile(PropertyDiscoveryThreshold.java:159)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at com.ibm.si.ec.filters.property.cache.PropertyDiscoveryThreshold.incrementThreshold(PropertyDiscoveryThreshold.java:92)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at com.ibm.si.ec.filters.property.parser.PropertyParser.handleResults(PropertyParser.java:56)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at com.ibm.si.ec.filters.property.parser.PropertyParserJSON.processEvent(PropertyParserJSON.java:54)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at com.ibm.si.ec.filters.property.PropertyDiscoveryEngine$PropertyDiscoveryEngineThread.run(PropertyDiscoveryEngine.java:222)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] Caused by: <openjpa-2.4.3-r422266:1833086 fatal store error> org.apache.openjpa.persistence.RollbackException: The transaction has been rolled back. See the nested exceptions for details on the errors that occurred.
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] FailedObject: com.q1labs.core.dao.qidmap.PropertyDiscoveryProfile-51
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.persistence.EntityManagerImpl.commit(EntityManagerImpl.java:595)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at com.q1labs.frameworks.session.SessionContext.commitTransaction(SessionContext.java:1039)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] ... 6 more
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] Caused by: <openjpa-2.4.3-r422266:1833086 fatal general error> org.apache.openjpa.persistence.PersistenceException: The transaction has been rolled back. See the nested exceptions for details on the errors that occurred.
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] FailedObject: com.q1labs.core.dao.qidmap.PropertyDiscoveryProfile-51
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.kernel.BrokerImpl.newFlushException(BrokerImpl.java:2374)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.kernel.BrokerImpl.flush(BrokerImpl.java:2211)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.kernel.BrokerImpl.flushSafe(BrokerImpl.java:2103)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.kernel.BrokerImpl.beforeCompletion(BrokerImpl.java:2021)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.kernel.LocalManagedRuntime.commit(LocalManagedRuntime.java:81)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.kernel.BrokerImpl.commit(BrokerImpl.java:1526)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.kernel.DelegatingBroker.commit(DelegatingBroker.java:932)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.persistence.EntityManagerImpl.commit(EntityManagerImpl.java:571)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] ... 7 more
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] Caused by: <openjpa-2.4.3-r422266:1833086 fatal general error> org.apache.openjpa.persistence.PersistenceException: ERROR: cannot execute UPDATE in a read-only transaction {prepstmnt -722393899 UPDATE property_discovery_profile SET active = ? WHERE id = ?}
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] FailedObject: com.q1labs.core.dao.qidmap.PropertyDiscoveryProfile-51
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.sql.DBDictionary.narrow(DBDictionary.java:5003)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.sql.DBDictionary.newStoreException(DBDictionary.java:4963)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.sql.SQLExceptions.getStore(SQLExceptions.java:133)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.sql.SQLExceptions.getStore(SQLExceptions.java:75)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.kernel.PreparedStatementManagerImpl.flushAndUpdate(PreparedStatementManagerImpl.java:144)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.kernel.BatchingPreparedStatementManagerImpl.flushAndUpdate(BatchingPreparedStatementManagerImpl.java:79)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.kernel.PreparedStatementManagerImpl.flushInternal(PreparedStatementManagerImpl.java:100)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.kernel.PreparedStatementManagerImpl.flush(PreparedStatementManagerImpl.java:88)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.kernel.ConstraintUpdateManager.flush(ConstraintUpdateManager.java:550)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.kernel.ConstraintUpdateManager.flush(ConstraintUpdateManager.java:107)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.kernel.BatchingConstraintUpdateManager.flush(BatchingConstraintUpdateManager.java:59)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.kernel.AbstractUpdateManager.flush(AbstractUpdateManager.java:104)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.kernel.AbstractUpdateManager.flush(AbstractUpdateManager.java:77)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.kernel.JDBCStoreManager.flush(JDBCStoreManager.java:731)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.kernel.DelegatingStoreManager.flush(DelegatingStoreManager.java:131)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] ... 14 more
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] Caused by: org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR: cannot execute UPDATE in a read-only transaction {prepstmnt -722393899 UPDATE property_discovery_profile SET active = ? WHERE id = ?}
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(LoggingConnectionDecorator.java:218)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(LoggingConnectionDecorator.java:194)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.access$1000(LoggingConnectionDecorator.java:58)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator$LoggingConnection$LoggingPreparedStatement.executeUpdate(LoggingConnectionDecorator.java:1133)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeUpdate(DelegatingPreparedStatement.java:275)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeUpdate(DelegatingPreparedStatement.java:275)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.kernel.JDBCStoreManager$CancelPreparedStatement.executeUpdate(JDBCStoreManager.java:1791)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.kernel.PreparedStatementManagerImpl.executeUpdate(PreparedStatementManagerImpl.java:268)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.kernel.PreparedStatementManagerImpl.flushAndUpdate(PreparedStatementManagerImpl.java:119)
[ecs-ec.ecs-ec] [Property Discovery Engine Thread] ... 24 more
Date: 29 April 2021

Component: SEARCH
Number: IJ32428
Description: UNABLE TO DELETE SAVED SEARCHES
Status: OPEN

Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
When attempting to delete a saved search, the search loads as expected but there is no option to delete it, because the window with the "confirm deletion" button does not appear.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] java.lang.ArrayIndexOutOfBoundsException
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at com.q1labs.cve.utils.CustomColumnDefinition.fromString(CustomColumnDefinition.java:386)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchForm.java:1391)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchForm.java:1296)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at com.q1labs.ariel.ui.bean.ArielSearchForm.getOrderBy(ArielSearchForm.java:246)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.jsp.qradar.jsp.ArielSearch_jsp._jspService(ArielSearch_jsp.java:415)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at com.q1labs.uiframeworks.jsp.HttpJspBase.service(HttpJspBase.java:148)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:476)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:713)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:462)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:387)
[tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:315)
Date: 01 May 2021

Component: AUTHENTICATION
Number: IJ32108
Description: THE USER INTERFACE ADMIN PASSWORD CAN FAIL TO BE SET CORRECTLY WHEN A REBOOT OCCURS DURING SYSTEM BUILD
Status: OPEN

Workaround
Set the User Interface admin password using the command line interface (CLI) script, following these instructions:
QRadar: Changing the admin account password from the UI or CLI

Issue
When a QRadar system is being built and a reboot occurs during the install configuration, the User Interface admin password can sometimes fail to be set correctly.
Date: 01 May 2021

Component: LOG SOURCE MANAGEMENT APP
Number: IJ32240
Description: LOG SOURCE MANAGEMENT APP DOES NOT ALLOW THE PORT FIELD TO BE LEFT BLANK WHEN USING SOME JDBC PROTOCOL CONFIGURATIONS
Status: OPEN

Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
The DSM Guide documentation on configuring parameters for the JDBC protocol states that "if a database instance is used with the MSDE database type, you must leave the Port field blank". The same text is displayed in the LSM app under a "show more" button.

However, the LSM app does not allow you to leave the Port field blank and treats it as a "required field".
Date: 01 May 2021

Component: DSM EDITOR
Number: IJ32103
Description: WINDOWS SECURITY LOG EVENTS CAN FAIL TO BE PARSED COMPLETELY BY THE DSM EDITOR WHILE WORKING AS EXPECTED IN LOG ACTIVITY
Status: OPEN

Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
Microsoft Windows Security Events Logs (with AWS Kinesis) can fail to be parsed correctly in the DSM Editor while being parsed correctly in the Log Activity tab of the QRadar User Interface.

For example, EventID does not display as expected in the DSM Editor but parses correctly in the Log Activity tab.
Date: 01 May 2021

Component: INDEX MANAGEMENT
Number: IJ32111
Description: QUICK FILTER PROPERTY IN ADMIN > INDEX MANAGEMENT DISPLAYS AS "% OF SERACHES USING PROPERTY" AND HITS/MISSES STAY AT 0
Status: OPEN

Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
When looking at the 'Quick Filter' property under Admin > Index Management, '% of Searches Using Property' is sometimes displayed with hits/misses always shown as "0", even after many searches have been run during the selected timeframe.
Date: 01 May 2021

Component: PROTOCOLS
Number: IJ27028
Description: LOG SOURCES CONFIGURED TO USE THE GOOGLE G SUITE ACTIVITY REPORTS REST API PROTOCOL CAN BE MISSING SOME EVENTS
Status: OPEN

Workaround
No workaround available. APARs identified with no workaround might require a protocol update to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
Log Sources that are configured to use the Google G Suite Activity Reports REST API protocol can be missing events. Multiple causes have been identified for this issue:

  1. When multiple pages are returned in the response, the oldest time is set as the event marker, whereas it should be the latest time.
  2. When delays occur at the vendor, a query based on real time can miss events.
Date: 15 August 2020

Component: LOG SOURCE MANAGEMENT APP
Number: IJ32222
Description: REPETITIVE /VAR/LOG/AUDIT.LOG MESSAGES BEING WRITTEN AFTER A FAILED PROTOCOL TEST USING LOG SOURCE MANAGEMENT (LSM) APP
Status: OPEN

Workaround
Restarting the ecs-ec-ingress service corrects this issue until another protocol test fails as described below.
  1. Log in to QRadar as an Administrator.
  2. Click the Admin tab.
  3. On the Advanced menu, click Restart Event Collection Services.
    Note: Restarting the Event Collection Service interrupts event collection momentarily on all appliances while the service restarts.

    Results
    After the Event Collection Service (ecs-ec-ingress) restarts, the repetitive log messages are no longer written to /var/log/audit.log.

Issue
A protocol test run from the Log Source Management app can fail, and sometimes causes repeating API messages similar to the following to be written every 5 seconds to /var/log/audit.log:
Apr 12 17:31:52 ::ffff:127.0.0.1 configservices@ipaddress (6604) /console/restapi/api/system/task_management/tasks | [Action] [RestAPI] [APISuccess] [configservices] [1b76e3ae-d28f-4c1e-9b47-86940f613bea] [SECURE] | ContextPath=/console | Headers=[Version: 6.0][host: ipaddress][accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2][user-agent: Java/1.8.0_261] | Method=POST | PathInfo=/system/task_management/tasks | Protocol=HTTP/1.1 | QueryString=message_local_info=%7B%7D&created=1618245112104&task_class=com.q1labs.semsources.sources.base.testing.ProtocolTestTask&task_state=INITIALIZING&status_uuid=d6fe4a4d-6ed7-4deb-8533-66de50bb2ede&created_by=admin&host_id=53&task_name_local_info=%7B%7D&delete_task_id=0&progress=0&maximum=0&modified=1618245112105&task_type=ProtocolTestTask&app_id=ecs-ec-ingress&minimum=0&retention=2_HOURS | RemoteAddr=ipaddress | RemotePort=47952
Apr 12 17:31:52 ::ffff:127.0.0.1 configservices@ipaddress (6604) /console/restapi/api/system/task_management/tasks | [Action] [TaskManagement] [TaskAdded] StatusId=158 HostId=53 ApplicationId=ecs-ec-ingress CreatedBy=admin TaskType=ProtocolTestTask
Apr 12 17:31:52 ::ffff:127.0.0.1 configservices@ipaddress (6606) /console/restapi/api/system/task_management/internal_tasks/158 | [Action] [RestAPI] [APISuccess] [configservices] [94ab9727-29f1-48d8-92e3-5e505ca3938e] [SECURE] | ContextPath=/console | Headers=[Version: 6.0][host: ipaddress][accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2][user-agent: Java/1.8.0_261] | Method=POST | PathInfo=/system/task_management/internal_tasks/158 | Protocol=HTTP/1.1 | QueryString=message_local_info=%7B%7D&created=1618245112104&task_class=com.q1labs.semsources.sources.base.testing.ProtocolTestTask&status_uuid=d6fe4a4d-6ed7-4deb-8533-66de50bb2ede&created_by=admin&host_id=53&task_name_local_info=%7B%7D&delete_task_id=0&progress=0&maximum=0&modified=1618245112622&is_cancel_requested=false&task_type=ProtocolTestTask&app_id=ecs-ec-ingress&minimum=0&retention=2_HOURS | RemoteAddr=ipaddress | RemotePort=47956
29 April 2021
DATA NODE IJ32123 SEARCHES ON INDEXED FIELDS CAN BE SLOWER THAN EXPECTED AFTER ADDING A DATA NODE INTO THE QRADAR DEPLOYMENT OPEN Workaround
Contact QRadar Support for a possible workaround that might address this issue in some instances.

Issue
Searches that are performed on indexed fields can be slower than expected to complete after a Data Node is added to a QRadar deployment. This issue can be caused by a race condition during multi-source re-balancing that results in hourly folders being merged from different sources.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ariel.ariel_query_server] [ariel_client/127.0.0.1:45750] com.ibm.si.ariel.dcs.databalancing.DestinationTransaction: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Checking destination folder /store/ariel/events/records/2021/1/18/17 from source 104
[ariel.ariel_query_server] [ariel_client/127.0.0.1:45750] com.ibm.si.ariel.dcs.databalancing.DestinationTransaction: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Data folder /store/ariel/events/records/2021/1/18/17 does not exist. Requested from source 104
[ariel.ariel_query_server] [ariel_client/127.0.0.1:45750] com.ibm.si.ariel.dcs.databalancing.DestinationData: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -] Path:/store/ariel/events/records/ibmTemp~events104/store/ariel/events/records/store/ariel/events/records/2021/1/18/17 does not exist
[ariel.ariel_query_server] [ariel_client/127.0.0.1:45750] com.ibm.si.ariel.dcs.databalancing.DestinationData: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -] Path:/store/ariel/events/records/ibmTemp~events8/store/ariel/events/records/store/ariel/events/records/2021/1/18/17 does not exist
[ariel.ariel_query_server] [ariel_client/127.0.0.1:45750] com.ibm.si.ariel.dcs.databalancing.DestinationTransaction: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Destination data accepted from source 104
[ariel.ariel_query_server] [ariel_client/127.0.0.1:35228] com.ibm.si.ariel.dcs.databalancing.DestinationTransaction: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Checking destination folder /store/ariel/events/records/2021/1/18/17 from source 8
[ariel.ariel_query_server] [ariel_client/127.0.0.1:35228] com.ibm.si.ariel.dcs.databalancing.DestinationTransaction: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Data folder /store/ariel/events/records/2021/1/18/17 does not exist. Requested from source 8
[ariel.ariel_query_server] [ariel_client/127.0.0.1:35228] com.ibm.si.ariel.dcs.databalancing.DestinationData: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -] Path:/store/ariel/events/records/ibmTemp~events104/store/ariel/events/records/store/ariel/events/records/2021/1/18/17 does not exist
[ariel.ariel_query_server] [ariel_client/127.0.0.1:35228] com.ibm.si.ariel.dcs.databalancing.DestinationData: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -] Path:/store/ariel/events/records/ibmTemp~events8/store/ariel/events/records/store/ariel/events/records/2021/1/18/17 does not exist
[ariel.ariel_query_server] [ariel_client/127.0.0.1:35228] com.ibm.si.ariel.dcs.databalancing.DestinationTransaction: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Destination data accepted from source 8
29 April 2021
SECURITY BULLETIN CVE-2020-4993 IBM QRADAR SIEM IS VULNERABLE TO PATH TRAVERSAL CLOSED Resolved in
QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

Affected versions
  • IBM QRadar 7.3.0 GA to 7.3.3 Patch 7
  • IBM QRadar 7.4.0 GA to 7.4.2 Patch 2
Issue
IBM QRadar SIEM, when decompressing or verifying the signature of zip files, processes data in a way that may be vulnerable to path traversal attacks. CVSS Base score: 4.9
04 May 2021
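The bulletin above describes path traversal during zip decompression and signature verification. The following Python is an added example, not IBM's code and not the fix shipped in the listed fix packs: it shows the containment check a decompressor needs, resolving every member name against the extraction directory before anything is written and rejecting the whole archive if any entry escapes. `UnsafeZipEntry`, `resolved_member_path`, `unsafe_entries`, `safe_extract`, `build_archive` and `run_demo` are this example's own names, and the archives it processes are constructed inline.

```python
"""Added example (not IBM/QRadar code): validate zip member paths against the
extraction directory before writing, so a crafted entry cannot escape it."""
import io
import tempfile
import zipfile
from pathlib import Path


class UnsafeZipEntry(ValueError):
    """An archive member would resolve outside the extraction directory."""


def resolved_member_path(dest_dir, member_name: str) -> Path:
    """Return the absolute path a member would be written to, or raise.

    Joining an absolute member name onto dest_root discards dest_root, and
    '..' segments climb out of it; resolve() normalises both (and symlinks in
    dest_root itself) so one containment check covers every spelling.
    """
    dest_root = Path(dest_dir).resolve()
    candidate = (dest_root / member_name).resolve()
    if candidate != dest_root and dest_root not in candidate.parents:
        raise UnsafeZipEntry(f"entry {member_name!r} escapes {dest_root}")
    return candidate


def unsafe_entries(zip_bytes: bytes, dest_dir) -> list:
    """Names of all members that would escape dest_dir (no disk writes)."""
    names = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                resolved_member_path(dest_dir, info.filename)
            except UnsafeZipEntry:
                names.append(info.filename)
    return names


def safe_extract(zip_bytes: bytes, dest_dir) -> list:
    """Check every member first, then extract; returns written paths relative
    to dest_dir. Checking before writing means a bad entry late in the archive
    cannot leave a half-extracted tree behind."""
    dest_root = Path(dest_dir).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        plan = [(info, resolved_member_path(dest_root, info.filename))
                for info in zf.infolist()]
        for info, target in plan:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target.relative_to(dest_root).as_posix())
    return written


def build_archive(entries: dict) -> bytes:
    """Constructed sample archive from {member_name: text}; zipfile stores the
    member names exactly as given, including '..' and a leading '/'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()


def run_demo() -> dict:
    """Extract a benign constructed archive, then reject one that carries a
    traversal entry, and report what actually reached the disk."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "extract"
        dest.mkdir()
        benign = build_archive({"content/app.xml": "<app/>", "content/lib/x.jar": "jar"})
        hostile = build_archive({"content/app.xml": "<app/>", "../outside.txt": "escaped"})
        extracted = safe_extract(benign, dest)
        try:
            safe_extract(hostile, dest)
            rejected = None
        except UnsafeZipEntry as exc:
            rejected = str(exc)
        on_disk = sorted(p.relative_to(dest).as_posix()
                         for p in dest.rglob("*") if p.is_file())
        outside = (Path(tmp) / "outside.txt").exists()
    return {"extracted": extracted, "rejected": rejected,
            "on_disk": on_disk, "outside_written": outside}


if __name__ == "__main__":
    print(run_demo())
```

The example writes every member as a regular file and ignores the Unix mode bits stored in the entry; an extractor that honours them must also refuse symlink members, since a symlink that points outside the directory followed by an entry written through it is the other common way out of the extraction root.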
SECURITY BULLETIN CVE-2015-5237
CVE-2019-17195
CVE-2012-6708
CVE-2015-9251
CVE-2020-11022
CVE-2020-11023
CVE-2011-4969
CVE-2017-18640
CVE-2020-15250
IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES CLOSED Resolved in
QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

Affected versions
  • IBM QRadar 7.3.0 GA to 7.3.3 Patch 7
  • IBM QRadar 7.4.0 GA to 7.4.2 Patch 2
Issue
  • CVE-2015-5237: Google Protocol Buffers could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in MessageLite::SerializeToString. A remote attacker could exploit this vulnerability to execute arbitrary code on the vulnerable system or cause a denial of service. CVSS Base score: 6.3
  • CVE-2019-17195: Connect2id Nimbus JOSE+JWT is vulnerable to a denial of service, caused by the throwing of various uncaught exceptions while parsing a JWT. An attacker could exploit this vulnerability to crash the application or obtain sensitive information. CVSS Base score: 6.5
  • CVE-2012-6708: jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery(strInput) function. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials. CVSS Base score: 6.1
  • CVE-2015-9251: jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials. CVSS Base score: 6.1
  • CVE-2020-11022: jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery.htmlPrefilter method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials. CVSS Base score: 6.1
  • CVE-2020-11023: jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the option elements. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials. CVSS Base score: 6.1
  • CVE-2011-4969: jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input when handling the “location.hash” property. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials. CVSS Base score: 4.3
  • CVE-2017-18640: SnakeYAML is vulnerable to a denial of service, caused by entity expansion in the Alias feature during a load operation. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.3
  • CVE-2020-15250: JUnit4 could allow a local attacker to obtain sensitive information, caused by a flaw in test rule TemporaryFolder. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 4
04 May 2021
SECURITY BULLETIN CVE-2020-4929 IBM QRADAR SIEM IS VULNERABLE TO CROSS SITE SCRIPTING (XSS) CLOSED Resolved in
QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

Affected versions
  • IBM QRadar 7.3.0 GA to 7.3.3 Patch 7
  • IBM QRadar 7.4.0 GA to 7.4.2 Patch 2
Issue
IBM QRadar SIEM is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosure within a trusted session. CVSS Base score: 5.4
04 May 2021
SECURITY BULLETIN CVE-2020-4979 IBM QRADAR SIEM IS VULNERABLE TO INSECURE INTER-DEPLOYMENT COMMUNICATION CLOSED Resolved in
QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

Affected versions
  • IBM QRadar 7.3.0 GA to 7.3.3 Patch 7
  • IBM QRadar 7.4.0 GA to 7.4.2 Patch 2
Issue
IBM QRadar SIEM is vulnerable to insecure inter-deployment communication. An attacker who is able to compromise or spoof traffic between hosts may be able to execute arbitrary commands. CVSS Base score: 7.5
04 May 2021
SECURITY BULLETIN CVE-2020-4883 IBM QRADAR SIEM IS VULNERABLE TO CROSS DOMAIN INFORMATION DISCLOSURE CLOSED Resolved in
QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

Affected versions
  • IBM QRadar 7.3.0 GA to 7.3.3 Patch 7
  • IBM QRadar 7.4.0 GA to 7.4.2 Patch 2
Issue
IBM QRadar SIEM could disclose sensitive information about other domains which could be used in further attacks against the system. CVSS Base score: 4.3
04 May 2021
SECURITY BULLETIN CVE-2020-13943 APACHE TOMCAT AS USED BY IBM QRADAR SIEM IS VULNERABLE TO INFORMATION DISCLOSURE CLOSED Resolved in
QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

Affected versions
  • IBM QRadar 7.3.0 GA to 7.3.3 Patch 7
  • IBM QRadar 7.4.0 GA to 7.4.2 Patch 2
Issue
Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by a flaw in its handling of an HTTP/2 client that exceeds the agreed maximum number of concurrent streams for a connection. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to see the responses for unexpected resources, and use this information to launch further attacks against the affected system. CVSS Base score: 5.3
04 May 2021
SECURITY BULLETIN CVE-2021-20397 IBM QRADAR SIEM IS VULNERABLE TO CROSS SITE SCRIPTING (XSS) CLOSED Resolved in
QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

Affected versions
  • IBM QRadar 7.3.0 GA to 7.3.3 Patch 7
  • IBM QRadar 7.4.0 GA to 7.4.2 Patch 2
Issue
IBM QRadar is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosure within a trusted session. CVSS Base score: 6.1
04 May 2021
SECURITY BULLETIN CVE-2021-20401
CVE-2020-4932
IBM QRADAR SIEM CONTAINS HARD-CODED CREDENTIALS CLOSED Resolved in
QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

Affected versions
  • IBM QRadar 7.3.0 GA to 7.3.3 Patch 7
  • IBM QRadar 7.4.0 GA to 7.4.2 Patch 2
Issue
  • CVE-2020-4932: IBM QRadar contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. CVSS Base score: 6.2
  • CVE-2021-20401: IBM QRadar contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. CVSS Base score: 5.9
04 May 2021
SECURITY BULLETIN CVE-2020-5013 IBM QRADAR SIEM MAY BE VULNERABLE TO A XML EXTERNAL ENTITY INJECTION ATTACK (XXE) CLOSED Resolved in
QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

Affected versions
  • IBM QRadar 7.3.0 GA to 7.3.3 Patch 7
  • IBM QRadar 7.4.0 GA to 7.4.2 Patch 2
Issue
IBM QRadar SIEM may be vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. CVSS Base score: 7.1
04 May 2021
WINCOLLECT IJ29851 WINCOLLECT 7.3.0 P1 AGENTS FAIL TO UPDATE OR GET CONFIGURATION UPDATES IN NAT’D ENVIRONMENTS CLOSED Resolved in
WinCollect 7.3.1 (Build 16) (7.3.1.16)

Workaround
If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue in some instances.

Issue
WinCollect 7.3.0 P1 agents can fail to receive configuration updates or cannot be updated because of connection timeouts occurring in NAT’d environments.

Messages similar to the following might be visible when this issue occurs:
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] com.q1labs.sem.semsources.wincollectconfigserver.requestprocessors.ConnectionEstablishmentVersion2Processor: [ERROR] [NOT:0000003000][<IP Address >/- -] [-/- -]Agent XXXXXXX2069(127.0.0.1) caught exception
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] java.net.ConnectException: Connection timed out (Connection timed out)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:236)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:218)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:374)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at java.net.Socket.connect(Socket.java:682)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.ibm.jsse2.av.connect(av.java:453)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.ibm.jsse2.au.connect(au.java:98)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at sun.net.NetworkClient.doConnect(NetworkClient.java:192)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at sun.net.www.http.HttpClient.openServer(HttpClient.java:494)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at sun.net.www.http.HttpClient.openServer(HttpClient.java:589)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.ibm.net.ssl.www2.protocol.https.c.<init>(c.java:56)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.ibm.net.ssl.www2.protocol.https.c.a(c.java:222)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.ibm.net.ssl.www2.protocol.https.d.getNewHttpClient(d.java:25)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1206)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1068)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:78)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1582)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1510)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:491)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.ibm.net.ssl.www2.protocol.https.b.getResponseCode(b.java:40)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.q1labs.sem.semsources.wincollectconfigserver.requestprocessors.ConnectionEstablishmentVersion2Processor.onReceiveConnectionEstablishmentRequest(ConnectionEstablishmentVersion2Processor.java:235)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.q1labs.sem.semsources.wincollectconfigserver.WinCollectConfigHandler.run(WinCollectConfigHandler.java:121)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at java.lang.Thread.run(Thread.java:818)
14 December 2020
WINCOLLECT IJ27033 WINCOLLECT CAN ASSIGN INCORRECT IP ADDRESSES FOR WINDOWS COMPUTERS DUE TO DNS LOOKUP REFRESH CLOSED Resolved in
WinCollect 7.3.1 (Build 16) (7.3.1.16)

Workaround
No workaround available. Administrators must upgrade to a version where this issue is resolved.

Issue
WinCollect can assign incorrect IP addresses for Windows Computers due to issues with DNS Lookup refreshing. The ‘OriginatingComputer=ipaddress’ being written into the event by WinCollect can be incorrect.
18 August 2020
WINCOLLECT IJ26354 WINCOLLECT AGENT ‘STATUS’ CONTINUES TO DISPLAY ‘RUNNING’ AFTER NOT RECEIVING HEARTBEAT FOR AN EXTENDED PERIOD OF TIME CLOSED Resolved in
WinCollect 7.3.1 (Build 16) (7.3.1.16)

Workaround
No workaround available. Administrators must upgrade to a version where this issue is resolved.

Issue
The WinCollect agent “Status” displayed in the QRadar User Interface can continue to display “Running” and fail to update appropriately when QRadar has not received a heartbeat message for an extended period of time from the agent.
31 July 2020
WINCOLLECT IJ27800 WINCOLLECT INSTALLER CANNOT PROPERLY USE A CERTIFICATE THAT IS GREATER THAN 2000 CHARACTERS IN LENGTH CLOSED Resolved in
WinCollect 7.3.0 Fix Pack 1 (Build 41) (7.3.0.41)

Workaround
If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue in some instances.

Issue
When a certificate greater than 2000 characters in length is pasted into the certificate field of the destination configuration page of the WinCollect installer, the certificate is cut to 2000 characters and successfully installs, but TLS communication fails.
28 October 2020
WINCOLLECT IJ26949 WHEN WINCOLLECT 7.3.0 IS INSTALLED AND CONFIGURED FOR USE ON AN ENCRYPTED MANAGED HOST, AGENT/LOG SOURCE COMMUNICATION FAILS CLOSED Resolved in
WinCollect 7.3.0 Fix Pack 1 (Build 41) (7.3.0.41)

Workaround
If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue in some instances.

Issue
When WinCollect is configured for use on an encrypted Managed Host in a QRadar environment, the installation of WinCollect version 7.3.0 introduces communication problems between QRadar and the WinCollect Agents. Adding new WinCollect Agent/Log Sources into QRadar fails due to the failure in communication preventing Agent registration.

Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] com.q1labs.frameworks.crypto.trustmanager.extended.Q1X509FullTrustManager: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Server Not Trusted No subject alternative names matching IP address 127.0.0.1 found
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] com.q1labs.sem.semsources.wincollectconfigserver.requestprocessors.ConnectionEstablishmentVersion2Processor: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Agent Agent-name(127.0.0.1) caught exception --
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.k.a(k.java:37)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.av.a(av.java:422)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.D.a(D.java:70)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.D.a(D.java:164)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.E.a(E.java:249)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.E.a(E.java:731)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.D.r(D.java:486)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.D.a(D.java:244)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.av.a(av.java:608)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.av.i(av.java:282)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.av.a(av.java:1009)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.av.startHandshake(av.java:778)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:239)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:60)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1582)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1510)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:491)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.net.ssl.www2.protocol.https.b.getResponseCode(b.java:40)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.q1labs.sem.semsources.wincollectconfigserver.requestprocessors.ConnectionEstablishmentVersion2Processor.onReceiveConnectionEstablishmentRequest(ConnectionEstablishmentVersion2Processor.java:234)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.q1labs.sem.semsources.wincollectconfigserver.WinCollectConfigHandler.run(WinCollectConfigHandler.java:153)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at java.lang.Thread.run(Thread.java:818)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] Caused by: java.security.cert.CertificateException: java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.q1labs.frameworks.crypto.trustmanager.extended.Q1X509FullTrustManager.checkServerTrusted(Q1X509FullTrustManager.java:382)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.E.a(E.java:438)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] ... 18 more
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.util.b.b(b.java:42)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.util.b.a(b.java:96)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.aD.a(aD.java:183)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.aD.a(aD.java:49)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.aD.a(aD.java:191)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.aD.checkServerTrusted(aD.java:34)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.q1labs.frameworks.crypto.trustmanager.extended.Q1X509FullTrustManager.checkServerTrusted(Q1X509FullTrustManager.java:377)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] ... 19 more
24 April 2021
WINCOLLECT IJ27857 WINDOWS 10 HOSTS UPDATED TO BUILD 2004 CAN RESET EVENTRECORDID VALUES TO 1 CAUSING WINCOLLECT ISSUES CLOSED Resolved in
WinCollect 7.3.0 Fix Pack 1 (Build 41) (7.3.0.41)

Workaround
If you are unable to upgrade to a version where this issue is resolved, administrators can apply the following workaround:
  1. Log in to the Windows host with the WinCollect agent.
  2. Stop the WinCollect service.
  3. Navigate to C:\ProgramData\WinCollect\Data\PersistenceManager.
  4. Delete all files in the PersistenceManager directory.
  5. Start the WinCollect service.

Issue
WinCollect agents installed on Microsoft Windows 10 hosts upgraded to build 2004 can experience an issue where the WinCollect agent stops sending events to QRadar. The issue was reported after administrators completed updates of Windows 10 from build 1909 to 2004.

WinCollect agents track event collection with the EventRecordID value in the Event Viewer for each event type in C:\ProgramData\WinCollect\Data\PersistenceManager. The PersistenceManager directory includes a file for each event log type with a cursor entry, which indicates the next event in the Event Viewer that WinCollect needs to parse and send. When Windows updates to Windows 10 build 2004, the operating system resets the EventRecordID values to 1 in the Event Viewer for all event log types. A reset of the EventRecordID results in WinCollect agents not sending events until the EventRecordID in the Event Viewer matches the last polled cursor value in the WinCollect agent.

This APAR is intended to alert administrators to this operating system change in Windows 10 Feature Build 2004. All WinCollect agents at all versions are affected by the EventRecordID reset issue in Windows 10 build 2004. Administrators who plan to update Windows 10 systems to feature build 2004 ought to alert their teams to this EventRecordID reset issue.
28 October 2020
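The cursor behaviour described in the APAR above, as an added example that is not WinCollect code: a minimal per-channel cursor in Python, with a naive poll that reproduces the silent stall after an EventRecordID reset beside a poll that detects the reset (the channel's newest record ID is lower than the last one already forwarded) and restarts from the first live record. `LogCursor`, `poll_naive` and `poll` are this example's own names, the cursor value stands in for a PersistenceManager file entry, and the record ID lists are constructed.

```python
"""Added example (not WinCollect code): a per-channel collection cursor that
notices an EventRecordID reset instead of stalling until the counter catches up."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class LogCursor:
    """Persisted state for one event log channel; a hypothetical stand-in for
    the cursor entry WinCollect keeps per channel under PersistenceManager."""
    channel: str
    next_record_id: int = 1  # EventRecordID the collector expects to read next


def poll_naive(cursor: LogCursor, live_record_ids: List[int]) -> List[int]:
    """Forward only records at or beyond the cursor.

    After the operating system resets EventRecordID to 1, every live record
    sits below the cursor and nothing is forwarded until the channel grows past
    the old value: the stall the APAR describes.
    """
    new = [rid for rid in live_record_ids if rid >= cursor.next_record_id]
    if new:
        cursor.next_record_id = new[-1] + 1
    return new


def poll(cursor: LogCursor, live_record_ids: List[int]) -> Tuple[List[int], bool]:
    """Forward new records and report whether a counter reset was detected.

    live_record_ids is the ascending list of EventRecordID values currently in
    the channel (older entries may already have rotated out). In a healthy
    channel record IDs only move forward, so a newest ID that is lower than the
    last one already forwarded can only mean the counter was reset; in that
    case restart from the first live record rather than waiting. A reset that
    has already grown back past the old cursor is indistinguishable from normal
    growth by ID alone; a production collector would also compare timestamps.
    """
    if not live_record_ids:
        return [], False
    last_forwarded = cursor.next_record_id - 1
    reset = live_record_ids[-1] < last_forwarded
    if reset:
        new = list(live_record_ids)
    else:
        new = [rid for rid in live_record_ids if rid > last_forwarded]
    if new:
        cursor.next_record_id = new[-1] + 1
    return new, reset


if __name__ == "__main__":
    # Constructed scenario: the Security channel had reached record 120500 on
    # build 1909; after the 2004 upgrade the channel holds records 1..40.
    after_upgrade = list(range(1, 41))
    stalled = LogCursor("Security", next_record_id=120501)
    print("naive poll forwards:", poll_naive(stalled, after_upgrade))
    aware = LogCursor("Security", next_record_id=120501)
    print("reset-aware poll forwards:", poll(aware, after_upgrade))
```

Deleting the PersistenceManager files, as the workaround above does, is the manual equivalent of the reset branch in `poll`: it drops the stale cursor so collection restarts from the first live record.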
WINCOLLECT IJ32255 WINCOLLECT 7.3.0 P1 (7.3.0-41) AGENTS THAT ARE NOT INSTALLED ON DRIVE C:\ OF THE WINDOWS COMPUTER CAN STOP SENDING EVENTS OPEN Workaround
On the affected Microsoft Windows computer:
  1. Copy \IBM\WinCollect\config\AgentConfig.xml to \IBM\WinCollect.
  2. Install WinCollect 7.3.0 P1 (7.3.0-41).
  3. After the install has successfully completed, copy AgentConfig.xml from \IBM\WinCollect\ to \IBM\WinCollect\config.
  4. Restart the WinCollect service.

Issue
On Microsoft Windows computers where the WinCollect agents are installed to a drive other than C:\, an upgrade to WinCollect 7.3.0 P1 (7.3.0-41) can cause the destination and log source information to be removed from the AgentConfig.xml file and the WinCollect agent stops sending events.

Microsoft Windows computers where the WinCollect agent was installed to the C:\ drive are not affected.
03 May 2021
ADAPTER / QRADAR RISK MANAGER IJ28428 “SHOW VLANS” CISCO IOS ADAPTER COMMAND DOES NOT RETURN RESULTS DUE TO THE EXPECTED COMMAND “SHOW VLAN” OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
The “show vlans” command for the Cisco IOS adapter fails to return output because the command on that appliance (C2900 series) is “show vlan” (no ‘s’ on the end).

The adapter is expected to work for both command variations. Example of output with “show vlans”:
2020-05-06 20:55:50 [ZipTie::SSH] [SENDING]
2020-05-06 20:55:50 [ZipTie::SSH] show vlans
2020-05-06 20:55:50 [ZipTie::SSH]
----------------------------------------------------------------
2020-05-06 20:55:50 [ZipTie::SSH]
----------------------------------------------------------------
2020-05-06 20:55:50 [ZipTie::SSH] [WAITING 300 SECOND(S) FOR]
2020-05-06 20:55:50 [ZipTie::SSH] hostname[#>]\s*$|--More--\s*$
2020-05-06 20:55:50 [ZipTie::SSH]
----------------------------------------------------------------
2020-05-06 20:55:50 [ZipTie::SSH]
----------------------------------------------------------------
2020-05-06 20:55:50 [ZipTie::SSH] [RESPONSE]
2020-05-06 20:55:50 [ZipTie::SSH]show vlans
2020-05-06 20:55:50 [ZipTie::SSH] Command authorization failed.
2020-05-06 20:55:50 [ZipTie::SSH]
2020-05-06 20:55:50 [ZipTie::SSH] hostname#
14 December 2020
ADAPTER / QRADAR RISK MANAGER IJ28512 JUNIPER JUNOS DEVICE BACKUP FAILURE WHEN ACL REFERENCES A PREFIXLIST WHICH DOES NOT CONTAIN A LIST OF IP ADDRESSES OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
Administrators might notice that a Juniper JunOS device fails to back up when an access control list references a prefix list which does not contain a list of IP addresses or CIDRs.

Look for similar messages in /var/log/qradar.log:
[tomcat-rm.tomcat-rm] [Adapter Backup Job] com.q1labs.simulator.jobs.DeviceAdapterBackupJob: [ERROR] [NOT:0000003000][9.175.220.190/- -] [-/- -]java.lang.Exception: Don't know how to nbits yet at /usr/share/ziptie-server/adapters/ziptie.adapters.juniper.junos_2020.04.08143009/scripts/ZipTie/Adapters/Juniper/JUNOS/Parsers.pm line 1637.
 at org.ziptie.server.job.AbstractAdapterTask.execute(AbstractAdapterTask.java:157)
 at org.ziptie.server.dispatcher.Operation.execute(Operation.java:100)
 at org.ziptie.server.dispatcher.OperationExecutor$JobThread.runJob(OperationExecutor.java:686)
 at org.ziptie.server.dispatcher.OperationExecutor$JobThread.run(OperationExecutor.java:563)
Caused by: javax.xml.ws.soap.SOAPFaultException: Don't know how to nbits yet at /usr/share/ziptie-server/adapters/ziptie.adapters.juniper.junos_2020.04.08143009/scripts/ZipTie/Adapters/Juniper/JUNOS/Parsers.pm line 1637.
 at com.sun.xml.ws.fault.SOAPFault.getProtocolException(SOAP11Fault.java:188)
 at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:116)
 at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:119)
 at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
 at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118)
 at com.sun.proxy.$Proxy95.backup(Unknown Source)
 at org.ziptie.server.job.backup.BackupTask.performTask(BackupTask.java:74)
 at org.ziptie.server.job.AbstractAdapterTask.execute(AbstractAdapterTask.java:142)
05 October 2020
ADAPTER / QRADAR RISK MANAGER IJ28901 INCORRECT DISPLAY OF ‘ANY’ IN DESTINATION SERVICE COLUMN FOR ACCESS CONTROL LIST RULE AFTER CISCO IOS DEVICE BACKUP OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
The Configuration Monitor -> Rules screen can incorrectly display a value of “any” in the Destination Service(s) column instead of the actual destination port for an extended access control list rule after Cisco IOS device backup is performed.
27 October 2020
ADAPTER / QRADAR RISK MANAGER IJ29954 PERFORMING A DISCOVERY FROM A CISCO FIREPOWER MANAGEMENT CENTER CAN FAIL OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
Discovery from Cisco Firepower Management Center (FMC) fails when the user is not automatically placed in expert mode when logging in to retrieve the list of network devices.

The adapter currently ensures that expert mode is entered when backing up a discovered device, but not when discovering devices from the FMC.
12 January 2021
ADAPTER / QRADAR RISK MANAGER IJ30906 CHECK POINT HTTPS DEVICE ADAPTER FAILS TO BACKUP DUE TO INCORRECT IP ADDRESS OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
A Check Point HTTPS device adapter backup fails when the IP address of the device’s interface is the same as the IP address of the Check Point security management server from which it was discovered and not the main IP address of the device.

When this issue occurs, the adapter backup log contains a message similar to the following:
Check this device was not discovered from the multi-domain server IP.
12 January 2021
ADAPTER / QRADAR RISK MANAGER IJ31098 A PAN-OS DEVICE BACKUP FAILS WHEN A STATIC ROUTE REFERENCES A NETWORK GROUP INSTEAD OF AN IP ADDRESS OPEN Workaround
Configure the static route on the device to use an IP address instead of a network group.

Issue
A PAN-OS device backup will fail when a static route references a network group rather than an IP address.

When this issue occurs, the logs contain a message similar to the following:
ERROR: Backup failed for device (device name) at IP (IP address) with adapter type ZipTie::Adapters::PaloAlto::PANOS.
[Failed to process device routing]
27 February 2021
BOX RESTAPI PROTOCOL IJ28431 LOG SOURCES USING THE BOX RESTAPI PROTOCOL CAN STOP RECEIVING EVENTS WHEN THE EVENT QUEUE FILLS OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
Log Sources configured to use the Box RestAPI can stop receiving events when the event queue fills.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread]
com.q1labs.semsources.sources.boxrestapi.api.BoxRESTAPIInstance:
[ERROR] [NOT:0000003000][EP IP] [-/- -]Unable to query for content. Terminating query thread for for Box API
[ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread]
java.util.IllegalFormatConversionException: d != java.lang.Double
[ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread]
at java.util.Formatter$FormatSpecifier.failConversion(Formatter.java:4313)
[ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread]
at java.util.Formatter$FormatSpecifier.printInteger(Formatter.java:2804)
[ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread]
at java.util.Formatter$FormatSpecifier.print(Formatter.java:2758)
[ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread]
at java.util.Formatter.format(Formatter.java:2531)
[ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread]
at java.util.Formatter.format(Formatter.java:2466)
[ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread]
at java.lang.String.format(String.java:4174)
[ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread]
at com.q1labs.frameworks.logging.Logger.warn(Logger.java:805)
[ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread]
at com.q1labs.semsources.sources.boxrestapi.BoxRESTAPIProvider.onReceiveMessage(BoxRESTAPIProvider.java:235)
[ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread]
at com.q1labs.semsources.sources.boxrestapi.api.BoxAPIQuery.queryContent(BoxAPIQuery.java:237)
12 October 2020
HIGH AVAILABILITY (HA) IJ30674 A HIGH AVAILABILITY (HA) FAILOVER CAN OCCUR DUE TO A FAILURE WITH THE MOUNT MONITOR CLOSED Resolved in
QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
In instances where the QRadar mount monitor fails, an unexpected High Availability (HA) failover can occur.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
hostname-primary HA System Monitor: [ERROR]
/store/docker-data/engine/VMware-42-26-70-33-66-fb-61-4c-f2-27-de-b4-88-91-98-b9/devicemapper/mnt/88bbfc361142fe836845842fca3082f18c8962501a795252de51d81d224a8f48-init is not mounted properly with read write permition
127.0.0.1 [ha_manager.ha_manager] [IPCWorkerThread]
com.q1labs.ha.manager.ipc.IPCWorkerThread: [INFO]
[NOT:0000006000][127.0.0.1/- -] [-/- -]IPC service "sensor" = "1.0"
hostname-primary HA System Monitor: Mount point check failed
127.0.0.1 [ha_manager.ha_manager] [HAManager]
com.q1labs.ha.manager.StateMachine: [WARN][NOT:0000004000][127.0.0.1/- -] [-/- -]
The "mount_status" sensor key is down, and is in position to cause failover. 
It is both enabled for failover, and has  satisfied any time restrictions. 
Requesting switch to OFFLINE/MOUNT_MONITOR state (SMD001061/59903)
127.0.0.1 [ha_manager.ha_manager] [HAManager]com.q1labs.ha.manager.HAManager: [INFO]
[NOT:0000006000][127.0.0.1/- -] [-/- -]Starting OFFLINE/MOUNT_MONITOR state
26 February 2021
QRADAR VULNERABILITY MANAGER IJ31842 RUNNING API QUERIES AGAINST QVM SCANNERS CAN TIMEOUT AND FAIL WITH A RESPONSE CODE 500 CLOSED Resolved in
QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

Workaround
Performing a hostcontext restart on the QRadar console can temporarily (for approximately 30 minutes) correct this issue.

Note: Restarting hostcontext causes an interruption to some QRadar functionality. For more information, see: Hostcontext service and the impact of a service restart.

Issue
API queries against QRadar Vulnerability Manager (QVM) scanners can become unresponsive, time out, and fail with a response code of 500.

For example:
curl -S -X GET -u -H 'Version: 12.1' -H 'Accept: application/json' 'https:///api/scanner/profiles'
{
"http_response": {
"code": 500,
"message": "Unexpected internal server error"
},
"code": 12,
"description": "",
"details": {},
"message": "Endpoint invocation returned an unexpected error"
05 June 2020
SERVICES IJ32110 THE QRADAR PIPELINE CAN STOP RECEIVING ALL EVENTS DUE TO A STRINGOUTOFBOUNDSEXCEPTION OCCURRING OPEN Workaround
Perform a restart of the ecs-ingress service:
  1. Log in to the QRadar Console as an administrator.
  2. Click the Admin tab > Advanced > Restart Event Collection Services.

    Results
    Restarting ecs-ec-ingress interrupts event collection in QRadar. If another similar payload that causes this issue is processed by QRadar, the issue can occur again.

Issue
In some instances, the QRadar pipeline can stop receiving all events when a StringIndexOutOfBoundsException occurs.

Changes made in fix releases for APAR IJ28752 corrected the issue when the payload is cut off before the end of the forwarded-message header (“Message forwarded from”), but those releases do not fix the issue when the payload is cut off immediately after that header.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread]
java.lang.StringIndexOutOfBoundsException: String index out of range: 43
[ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at 
java.lang.String.substring(String.java:2682)
[ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at 
com.q1labs.sem.types.SyslogSourcePayload.parseLine(SyslogSourcePayload.java:196)
[ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at 
com.q1labs.sem.types.SyslogSourcePayload.getSourceName(SyslogSourcePayload.java:159)
[ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at 
com.q1labs.sem.types.SourcePayloadBase.put(SourcePayloadBase.java:331)
[ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at 
com.q1labs.sem.types.SyslogSourcePayload.put(SyslogSourcePayload.java:412)
22 April 2021
SALESFORCE REST API PROTOCOL IJ32090 LOG SOURCES CONFIGURED TO USE THE SALESFORCE PROTOCOL CAN GO INTO ERROR STATE DUE TO PROTOCOL PARSING ISSUE OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
Log Sources configured to use the Salesforce Protocol can go into Error status with the error message “Event size is different from the schema size” because of a parsing issue with received events whose “URL” field contains a JSON object.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
com.q1labs.semsources.sources.salesforcerestapi.eventformatter.EventFormatterException: Event size is different from the schema size, schema '....' payload '...'
at com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAPIProvider.processEventLogFile(SalesforceRESTAPIProvider.java:550)
at com.q1labs.semsources.sources.salesforcerestapi.eventformatter.EventLogFileFormatter.formatEventLogFile(EventLogFileFormatter.java:181)
at com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAPIProvider.processEventLogFileAPIResults(SalesforceRESTAPIProvider.java:509)
at com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAPIProvider.getEvents(SalesforceRESTAPIProvider.java:407)
at com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAPIProvider.execute(SalesforceRESTAPIProvider.java:357)
at com.q1labs.semsources.sources.base.SourceProvider.run(SourceProvider.java:195)
22 April 2021
DATA GATEWAY APPLIANCE IJ32138 RESPONSIVENESS OF DATA GATEWAYS CAN BE SLOWER THAN EXPECTED WHEN /STORE IS LOW ON FREE SPACE OPEN Workaround
No workaround available. IBM DevOps support for QRadar On Cloud is working on implementing an automated solution to address this issue.

APARs identified with no workaround typically require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
Data Gateway responsiveness can be slower than expected when the /store partition on the Data Gateway is low on available free space.

This can cause various QRadar performance related issues with the processes that require communication between the QRadar on Cloud Console and Data Gateways.
22 April 2021
CENTRIFY REDROCK RESTAPI PROTOCOL IJ30101 LOG SOURCES USING CENTRIFYREDROCKRESTAPI PROTOCOL CAN STOP RECEIVING EVENTS WHEN UNABLE TO OBTAIN A THREAD CONNECTION OPEN Workaround
Performing a manual stop/start of the affected log source should allow the connection to occur correctly.

APARs identified with no workaround typically require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
Log Sources configured to use the CentrifyRedrockRESTAPI protocol can stop collecting logs, and do not automatically recover a proper connection on their own, when the protocol cannot obtain an active thread connection.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[Centrify Redrock REST API Provider Protocol Provider Thread: class com.q1labs.semsources.sources.centrifyredrockrestapi.CentrifyRedRockRESTAPIProvider54] com.q1labs.semsources.sources.centrifyredrockrestapi.CentrifyRedRockRESTAPIProvider: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -] Unable to find any active query threads.
06 January 2021
QRADAR PULSE APP IJ26452 ORDER OF RETURNED AQL RESULTS DISPLAYED CAN VARY WHEN USING THE QRADAR PULSE APP CLOSED Resolved in
QRadar Pulse App v2.2.6.

Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
When using an AQL query within the Pulse App, and a parameter is changed, both searches (refresh time and parameter update) run at the same time.

Both results are displayed one after the other, so the result that finishes running last is the one shown. This only occurs for AQL queries, as these are the only data sources that support parameters.
26 April 2021
LOG SOURCE MANAGEMENT APP IJ20697 UNABLE TO SAVE CHANGES TO WINCOLLECT LOG SOURCES WHEN USING THE LOG SOURCE MANAGEMENT APP CLOSED Resolved in
QRadar Log Source Management app v7.0.0.

Workaround
Edit the WinCollect Log Source(s) using the legacy log source user interface. From the Admin tab, click the Log Sources icon.

Issue
In some instances, when editing a WinCollect log source using the Log Source Management (LSM) app, clicking the Save button does nothing and no error is displayed.
27 April 2021
QRADAR NETWORK INSIGHTS (QNI) IJ29129 RULE ‘QNI: FILE EXTENSION/CONTENT TYPE VERIFICATION’ FROM QNI CONTENT PACK V1.5.1 PARSES FILE EXTENSION INCORRECTLY CLOSED Resolved in
QRadar Network Insights Content pack V1.5.2.

Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

Issue
The rule “QNI: File Extension/Content Type Verification” from QNI Content Pack v1.5.1 can produce false positive rule results.

File names that contain more than one dot (.) are handled incorrectly by the rule.

For example:
  1. Have a flow with filename “jquery-1.8.3.js” and content type = “application/javascript”.
  2. The rule uses an AQL filter test:
    when the flow matches
    strpos("file name",'.') >= 0 
    and not REFERENCESETCONTAINS('QNI : File Extension / Content Type Verification Exclusions', LOWER(SUBSTRING("file
    name",STRPOS("file name",'.'),STRLEN("file name")))) 
    and not REFERENCEMAPSETCONTAINS('QNI-Extension-ContentType-Pairs',LOWER(
    SUBSTRING("file name",STRPOS("file name",'.'),STRLEN("file
    name"))),"content type")

    Results
    STRPOS(“file name”,’.’) returns the position of the first dot, so the extracted extension is .8.3.js instead of .js in the example above, and that extension/content type combination cannot be found in the reference map.
27 April 2021
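The following Python is an added example, not code from the APAR, from IBM or from the QNI content pack: it mirrors the extension extraction that the rule's AQL filter in the IJ29129 entry above performs (suffix from the first dot) beside the corrected form (suffix from the last dot), and evaluates the rule's three tests against both. The reference map and exclusion set contents are constructed for the example, and the AQL string functions are approximated with Python string operations.

```python
"""Extension/content-type verification: first-dot versus last-dot extraction.

Added example; not QRadar, IBM or QNI content pack code. The reference
data below is constructed for illustration only.
"""
from typing import Callable, Dict, Optional, Set

# Constructed stand-in for the 'QNI-Extension-ContentType-Pairs' reference map:
# extension -> content types considered consistent with it.
EXTENSION_CONTENT_TYPE_PAIRS: Dict[str, Set[str]] = {
    ".js": {"application/javascript", "text/javascript"},
    ".pdf": {"application/pdf"},
    ".exe": {"application/x-dosexec", "application/x-msdownload"},
}

# Constructed stand-in for the exclusions reference set.
EXCLUSIONS: Set[str] = {".tmp"}


def extension_first_dot(file_name: str) -> Optional[str]:
    """Approximates SUBSTRING("file name", STRPOS("file name", '.'), STRLEN("file name")):
    the suffix starting at the FIRST dot, lower-cased. None when there is no dot."""
    pos = file_name.find(".")
    return None if pos < 0 else file_name[pos:].lower()


def extension_last_dot(file_name: str) -> Optional[str]:
    """Corrected extraction: the suffix starting at the LAST dot, so
    'jquery-1.8.3.js' yields '.js' rather than '.8.3.js'."""
    pos = file_name.rfind(".")
    return None if pos < 0 else file_name[pos:].lower()


def rule_fires(file_name: str, content_type: str,
               extract: Callable[[str], Optional[str]] = extension_last_dot) -> bool:
    """Evaluate the rule's three AND-ed tests with the given extractor.
    Returns True when the rule would match the flow."""
    ext = extract(file_name)
    if ext is None:
        # strpos("file name", '.') >= 0 fails: no dot, rule does not match
        return False
    if ext in EXCLUSIONS:
        # REFERENCESETCONTAINS(exclusions, ext) is true, so "and not ..." fails
        return False
    # not REFERENCEMAPSETCONTAINS(pairs, ext, content type): the rule fires when
    # the pair is absent, which includes extensions the map does not know at all
    return content_type not in EXTENSION_CONTENT_TYPE_PAIRS.get(ext, set())


if __name__ == "__main__":
    # Constructed flow from the APAR's example: a JavaScript file with a versioned name.
    name, ctype = "jquery-1.8.3.js", "application/javascript"
    print("first-dot extension:", extension_first_dot(name), "-> fires:",
          rule_fires(name, ctype, extension_first_dot))   # false positive
    print("last-dot extension: ", extension_last_dot(name), "-> fires:",
          rule_fires(name, ctype, extension_last_dot))    # no match, as intended
    # A genuine mismatch is still caught by the corrected extraction.
    print("invoice.pdf served as x-dosexec fires:",
          rule_fires("invoice.pdf", "application/x-dosexec"))
```

The same last-dot logic is what a corrected AQL test needs; the point of the example is that the extraction must be anchored at the final dot, or every versioned or multi-dot file name falls outside the reference map and matches the rule.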
DOCUMENTATION IJ29297 INSTALL OF QRADAR MARKETPLACE IMAGES FAIL WITH ‘PANIC:RUNTIME ERROR: INDEX OUT OF RANGE’ WHEN MORE THAN TWO DNS ENTRIES EXIST CLOSED Resolved in
QRadar documentation was updated in the following chapters:

Workaround
Ensure that a maximum of two DNS entries exist in /etc/resolv.conf before setting up a QRadar marketplace image installation.

Issue
The installation of QRadar marketplace images fails when more than two DNS entries are present in /etc/resolv.conf. The error message generated at the time of the installation failure is similar to:
panic: runtime error: index out of range.
27 April 2021
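As an added example, not code from IBM or from the QRadar documentation, the following Python is a pre-installation check for the condition in the IJ29297 entry above: it parses resolv.conf contents and reports whether more than the two supported nameserver entries are present, ignoring comments and other directives. The sample file contents are constructed for the example, and the two-entry limit is the one stated in the workaround.

```python
"""Pre-installation check for the resolv.conf nameserver limit (APAR IJ29297).

Added example; not IBM or QRadar code. The sample resolv.conf is constructed.
"""
from typing import List, Tuple

MAX_DNS_ENTRIES = 2  # limit stated in the APAR workaround


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return nameserver addresses in file order.
    Comment lines ('#' or ';'), blank lines and other directives
    (search, domain, options) are ignored, as the resolver does."""
    servers: List[str] = []
    for raw in resolv_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            servers.append(fields[1])
    return servers


def check_dns_entry_limit(resolv_conf: str,
                          limit: int = MAX_DNS_ENTRIES) -> Tuple[bool, List[str]]:
    """Return (ok, nameservers). ok is False when the file lists more
    nameservers than the limit, the condition behind the installer panic."""
    servers = parse_nameservers(resolv_conf)
    return len(servers) <= limit, servers


# Constructed sample: a host with three DNS entries plus comments and options.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.internal
nameserver 192.0.2.10
nameserver 192.0.2.11
; tertiary resolver
nameserver 192.0.2.12
options timeout:2
"""

if __name__ == "__main__":
    # On a real host read the file instead: open("/etc/resolv.conf").read()
    ok, servers = check_dns_entry_limit(SAMPLE_RESOLV_CONF)
    print("nameservers:", servers)
    if ok:
        print("OK: within the supported limit")
    else:
        print(f"Too many DNS entries ({len(servers)} > {MAX_DNS_ENTRIES}); "
              "reduce to two before installing the marketplace image")
```

Run it against the real file before starting the installation; it only reads and reports, so trimming the extra entries remains a deliberate administrator step.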
MANAGED HOSTS IJ26182 QRADAR DATABASE REPLICATION REBUILD FUNCTION CAN SOMETIMES FAIL DUE TO A MISSING SQL FILE REFERENCE CLOSED Resolved in
QRadar 7.4.1 (7.4.1.20200716115107)

Workaround
If you are unable to upgrade to resolve this issue, contact QRadar Support for a possible workaround.

Issue
The QRadar database replication rebuild function to Managed Hosts can fail due to the sql script db_update_235970.add_backup_build_version.sql being omitted from the /opt/qradar/conf/templates/installation_ordering.txt file.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[hostcontext.hostcontext] [Thread-70] ComponentOutput: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication:
psql:/store/replication/tx0000000000000241053.sql:14325693:
ERROR: extra data after last expected column
[hostcontext.hostcontext] [Thread-70] ComponentOutput: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication:
CONTEXT:  COPY backup, line 1
27 April 2021
ADVANCED SEARCH (AQL) IJ27235 THE ‘REFERENCESETCONTAINS’ AQL FUNCTION DOES NOT SEARCH INDEX FILES FOR QRADAR ON CLOUD CLOSED Resolved in
QRadar on Cloud 7.4.1 Fix Pack 2 Interim Fix 1.

Workaround
Where possible, use the search functionality in the QRadar User Interface to perform the required searches.

Issue
AQL queries using referencesetcontains() lookups fail to search index files when the searched property is indexed; only data files are searched.

Performing the same searches using the QRadar User Interface works as expected.

Messages similar to the following might be observed in /var/log/qradar.log when this issue occurs while performing related searches:
ariel_client /127.0.0.1:47392 | [Action] [Search] [SearchExecuted] query starts,
description="User:admin,Source:UI,Params:Id:ab137002-2aed-4433-95d4-baaf53d399f2, DB:, Time:<20-08-07,08:00:00 to 20-08-07,12:00:00>, progress details 100, data snapshot size 40, Criteria=, MappingFactory=com.q1labs.core.types.event.mapping.NormalizedEventMappingFactory@4ee, retentionTime=86400000, prio=NORMAL,AQL:select 1 from events where REFERENCESETCONTAINS('HM_TestSet',"File Hash") start '2020-08-07 08:00' stop '2020-08-07 12:00'"
ariel_query_1:ab137002-2aed-4433-95d4-baaf53d399f2 | [Action] [Search] [SearchCompleted] query finished, status=COMPLETED, stat details="Id:ab137002-2aed-4433-95d4-baaf53d399f2, FileStats [dataFileCount=480, compressedDataFileCount=0, indexFileCount=0, dataTotalSize=34790213, compressedDataTotalSize=0, indexTotalSize=0, progress=100.0%, totalResult=0, totalResultDataSize=24, searchTime=2476ms]", concurrent queries="1"

Administrators should note that this issue does not generate an error; instead, the search does not hit the indexes as expected, as the query statistics show: indexFileCount=0
27 April 2021
QRADAR WORKFLOW ANALYST APP IJ22582 CHANGING THE DISPLAY (GROUP BY) OF AN EXISTING SEARCH CAN RETURN INACCURATE RESULTS UNTIL ‘UPDATE’ BUTTON SELECTED CLOSED Resolved in
QRadar Analyst Workflow App v1.9.16.

Workaround
Click the Update button to see the correct search results after grouping by a specific category.

Issue
After executing a Search using filters and a “Results Limit”, if the “Display” field is changed to a “group by” (“Low Level Category” for example), some search results are not returned until the Update button is selected/clicked.
27 April 2021
QRADAR WORKFLOW ANALYST APP IJ17196 ADVANCED SEARCH (AQL) RETURNS ERROR ‘REQUEST-URL TOO LARGE’ CLOSED Resolved in
QRadar Analyst Workflow App v1.9.16.

Workaround
Click the Update button to see the correct search results after grouping by a specific category.

Issue
It has been identified that executing an Advanced Search (AQL) can return a message similar to:
Request-URI Too Large

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856]
org.antlr.v4.runtime.Parser: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]Parse error:  and
(INCIDR('127.0.0.1/23', IP_source_...
[ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856]
com.q1labs.ariel.ql.parser.AQLParserException: Unrecognized
context (Line: 1, Position: 130): " and (INCIDR('127.0.0.1/23',
IP_source_..."
[ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] at
com.q1labs.ariel.ql.parser.ParserBase.parseStatement(ParserBase.java:488)
[ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] at
com.q1labs.ariel.ql.parser.Parser.processRequest(Parser.java:102)
[ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] at
com.q1labs.ariel.ql.parser.Parser.executeStatement(Parser.java:93)
[ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] at
com.q1labs.ariel.ConnectedClient.processStatement(ConnectedClient.java:361)
[ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] at
com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java:306)
[ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] at
com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java:134)
[ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1157)
[ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:627)
[ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856]
at java.lang.Thread.run(Thread.java:798)
27 April 2021
QRADAR WORKFLOW ANALYST APP IJ28494 QRADAR USERS WITHOUT “VIEW CUSTOM RULES” AND “MAINTAIN CUSTOM RULES” ACCESS CAN STILL SEE FULL LIST OF CUSTOM RULES UNDER LOG CLOSED Resolved in
QRadar Analyst Workflow App v1.9.16.

Workaround
No workaround available. Administrators must upgrade the application to resolve this issue.

Issue
QRadar users can access custom rules while searching in Log Activity even when they have not been granted the ‘View Custom Rules’ and ‘Maintain Custom Rules’ permissions.

To recreate this issue:
  1. Log in to QRadar as an administrator.
  2. Click the Admin tab.
  3. Click User Roles.
  4. Create a new user role without the View Custom Rules and Maintain Custom Rules permission.
  5. Click the Users icon.
  6. Assign the user role to the new user.
  7. Log in to QRadar as the new user.
  8. Click the Log Activity tab.
  9. Click Search > New Search.
  10. Click Search parameters > Parameter Custom rule [Indexed].

    Results
    Both Rule Group and Rules are visible to the user, who should not have access to them.
27 April 2021
QRADAR WORKFLOW ANALYST APP IJ24469 ADVANCED SEARCH (AQL) RESULT ‘CLIENT EXCEPTION OCCURRED WHILE HANDLING THE SERVER RESPONSE’ WHEN USING \U CLOSED Resolved in
QRadar Analyst Workflow App v1.9.16.

Workaround
Where possible, use the wildcard character ‘_’ (which matches any single character) in the AQL query to avoid Unicode escapes: it matches any single character, including the backslash, followed by u.

Issue
When the AQL search contains backslash u (\u) character, the Log Activity Advanced Search (AQL) user interface returns the error:
client exception occurred while handling the server response

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [Token: ArcherBridge@127.0.0.1 (8425)
/console/do/core/;jsessionid=99572ED7939336B1E986C7D45BE43B70]
org.apache.struts.action.RequestProcessor: [ERROR] Invalid path
/core/ was requested
27 April 2021
DEPLOYMENT IJ26156 DUPLICATE DEPLOYMENT ARROWS CAN BE VISIBLE IN THE ‘VIEW DEPLOYMENT’ WINDOW WHEN A MANAGED HOST ID IS 128 OR HIGHER CLOSED Reason
Closed as Permanent restriction. This issue is only graphical and doesn’t affect event collection. Closing as won’t fix.

Workaround
No workaround available.

Issue
A Managed Host id of 128 or greater can cause duplicate deployment arrows to be visible in the “View Deployment” window of the QRadar User Interface.

Note: This issue is only graphical and does not affect event collection.
27 April 2021
NETWORK IJ04296 CONFIGURING THE 169.154 CIDR FOR QRADAR APPLIANCE INTERFACES CAN CAUSE QRADAR APPS (DOCKER) TO FAIL CLOSED Reason
Closed as Permanent restriction. This issue will not be fixed.

Workaround
Contact QRadar Support for a possible workaround that might address this issue in some instances.

Issue
Configuring QRadar Appliance interfaces to use IPs within the 169.154 CIDR causes QRadar Apps to fail when there is a conflict with the Docker IPs that are used from within that CIDR.
27 April 2021
UPGRADE IJ28895 HOSTCONTEXT SERVICE FAILS TO START AFTER PATCHING OR UPGRADE FROM 7.3.X TO 7.4.X CLOSED Resolved in
This fix is available in the weekly auto update starting on 09 March 2021. Administrators who manually update RPM can download and install the following file from IBM Fix Central: DSM-RadwareDefensePro-7.3-20210218181623.noarch.rpm

Workaround
  1. Contact QRadar Support before patching or upgrading from 7.3.x to 7.4.x to apply a workaround in advance that prevents this issue from occurring.
  2. If you have already patched or upgraded from 7.3.x to 7.4.x, and are experiencing this issue, contact QRadar Support for a possible workaround that might address this issue in some instances.

A technical note is available with more information for administrators on APAR IJ28895.

Issue
After patching or upgrading from QRadar 7.3.x to 7.4.x, the hostcontext service can fail to start on the QRadar Console. This issue has been determined to be caused by a QRadar Autoupdate bundle installation, specifically with the guava-28.0-jre.jar file that is installed as part of the QRadar patch/upgrade process.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[main] java.lang.NoClassDefFoundError: com.google.common.cache.CacheBuilder
[main] at com.q1labs.core.dao.qidmap.SensorProtocolConfigParameters.<clinit>(SensorProtocolConfigParameters.java:37)
[main] at sun.misc.Unsafe.ensureClassInitialized(Native Method)
[main] at sun.reflect.UnsafeFieldAccessorFactory.newFieldAccessor(UnsafeFieldAccessorFactory.java:55)
[main] at sun.reflect.ReflectionFactory.newFieldAccessor(ReflectionFactory.java:154)
[main] at java.lang.reflect.Field.acquireFieldAccessor(Field.java:1103)
[main] at java.lang.reflect.Field.getFieldAccessor(Field.java:1079)
[main] at java.lang.reflect.Field.set(Field.java:774)
[main] at com.q1labs.frameworks.naming.FrameworksNaming.checkNameConstant(FrameworksNaming.java:412)
[main] at com.q1labs.frameworks.naming.FrameworksNaming.loadClasses(FrameworksNaming.java:323)
[main] at com.q1labs.frameworks.naming.FrameworksNaming.loadNaming(FrameworksNaming.java:171)
[main] at com.q1labs.frameworks.naming.FrameworksNaming.loadClasses(FrameworksNaming.java:270)
[main] at com.q1labs.frameworks.naming.FrameworksNaming.loadNaming(FrameworksNaming.java:171)
[main] at com.q1labs.frameworks.naming.FrameworksNaming.loadNaming(FrameworksNaming.java:105)
[main] at com.q1labs.frameworks.naming.FrameworksNaming.(FrameworksNaming.java:86)
[main] at com.q1labs.frameworks.core.FrameworksContext.initServices(FrameworksContext.java:620)
[main] at com.q1labs.frameworks.core.FrameworksContext.initFrameworks(FrameworksContext.java:257)
[main] at com.q1labs.qvm.workflow.FrameworksJsvcBootstrapper.init(FrameworksJsvcBootstrapper.java:135)
[main] at com.q1labs.qvm.workflow.FrameworksJsvcBootstrapper.main(FrameworksJsvcBootstrapper.java:243)
[main] Caused by:
[main] java.lang.ClassNotFoundException:
com.google.common.cache.CacheBuilder
[main] at java.net.URLClassLoader.findClass(URLClassLoader.java:610)
[main] at java.lang.ClassLoader.loadClassHelper(ClassLoader.java:943)
[main] at java.lang.ClassLoader.loadClass(ClassLoader.java:888)
[main] at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:349)
[main] at java.lang.ClassLoader.loadClass(ClassLoader.java:871)
[main] ... 18 more
28 April 2021
VULNERABILITY SCANNER IJ31088 QRADAR CAN SOMETIMES CONTINUE TO ATTEMPT TO DOWNLOAD A CERT FOR A SCANNER THAT HAS BEEN REMOVED CLOSED Reason
Closed as Permanent restriction. We have identified this issue as a permanent restriction for this integration. A fix for this issue will not be provided.

Workaround
  1. Open an SSH session to the QRadar Console.
  2. Optional. Open an SSH session to the Managed Host that runs the scan.
  3. Navigate to the directory that contains the certificate_catalogue.txt.
  4. Remove the bad scanner record, then save the file.
  5. From the Admin tab, click Deploy Changes.

    Results
    After the deploy completes, the QRadar Managed Host should no longer attempt to download the certificate for the removed scanner.

Issue
QRadar can sometimes try to download a VA Scanner certificate even after the scanner configuration has been removed from QRadar. This is due to a cached value written in a temporary file.

System Notifications similar to the following might be visible in /var/log/qradar.log when this issue occurs:
generateNotification: An attempt to download the server
certificate for [IP ADDRESS:443] to
[/opt/qradar/conf/trusted_certificates/IP_443.crt] has failed
28 April 2021
TLS SYSLOG PROTOCOL IJ25789 TLS SYSLOG LOG SOURCE CAN FAIL TO WORK AFTER USING INCORRECT PRIVATE KEY AT SETUP EVEN AFTER IT HAS BEEN CORRECTED CLOSED Reason
Closed as Permanent restriction. We have identified this issue as a permanent restriction for this integration. A fix for this issue will not be provided.

Workaround
  1. Rename the certificate to any new name.
  2. Disable/enable the log source.

    Results
    The log source should then work and retrieve events as expected.

Issue
A TLS Syslog Log Source can fail to ingest events when initially configured with an incorrect private key even after the private key has been corrected.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ec-ingress.ecs-ec-ingress] [Thread-26717]
com.q1labs.semsources.sources.tlssyslog.TLSSecurityManager:
[ERROR] Error adding key to TLS keystore.
[ecs-ec-ingress.ecs-ec-ingress] [Thread-26717]
java.security.spec.InvalidKeySpecException: Inappropriate key
specification: PrivateKeyInfo parsing error.
[ecs-ec-ingress.ecs-ec-ingress] [Thread-26717]    at
com.ibm.crypto.provider.RSAKeyFactory.engineGeneratePrivate(Unknown Source)
[ecs-ec-ingress.ecs-ec-ingress] [Thread-26717]    at
java.security.KeyFactory.generatePrivate(KeyFactory.java:383)
[ecs-ec-ingress.ecs-ec-ingress] [Thread-26717]    at
com.q1labs.semsources.sources.tlssyslog.TLSSecurityManager.addKeyToKeyStore(TLSSecurityManager.java:408)
[ecs-ec-ingress.ecs-ec-ingress] [Thread-26717]    at
com.q1labs.semsources.sources.tlssyslog.TLSSyslogProvider.setupServerKeyStore(TLSSyslogProvider.java:487)
[ecs-ec-ingress.ecs-ec-ingress] [Thread-26717]    at
com.q1labs.semsources.sources.tlssyslog.TLSSyslogProvider.preExecuteConfigure(TLSSyslogProvider.java:94)
[ecs-ec-ingress.ecs-ec-ingress] [Thread-26717]    at
com.q1labs.semsources.sources.base.SourceProvider.run(SourceProvider.java:181)
28 April 2021
PROTOCOL IJ29518 SMBTAILPROTOCOL LOG SOURCES CAN FUNCTION NORMALLY BUT DISPLAY IN ‘ERROR’ STATE WHEN A JNQEXCEPTION OCCURS CLOSED Resolved in
This fix is dependent upon the QRadar version and is available in the following RPMs on IBM Fix Central:

Version 7.3.x:
  • PROTOCOL-SmbTailProtocol-7.3-20210329122540.noarch.rpm
  • PROTOCOL-WindowsDHCPProtocol-7.3-20210315133009.noarch.rpm
  • PROTOCOL-WindowsExchangeProtocol-7.3-20210315133009.noarch.rpm
  • PROTOCOL-WindowsIISProtocol-7.3-20210315133009.noarch.rpm
  • PROTOCOL-OracleDatabaseListener-7.3-20210315133009.noarch.rpm
  • PROTOCOL-WindowsEventRPC-7.3-20210315133009.noarch.rpm

Version 7.4.x:
  • PROTOCOL-SmbTailProtocol-7.4-20210329122529.noarch.rpm

Workaround
    No workaround available. Administrators must install the RPM files where this issue is resolved from IBM Fix Central. These files are NOT included through QRadar Auto Updates.

    Issue
    Log Sources using the SMBTail Protocol display in an error state when a jNQ exception is thrown, but the Log Source continues to function as expected. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ec-ingress.ecs-ec-ingress] [Folder Monitor
    [127.0.0.1][smb://127.0.0.1/dhcplog/]]
    com.q1labs.semsources.sources.smbtail.io.jnq.JNQException:
    Unable to create/open - j50.log status = -1073741757
    (0xc0000043) (0xC0000043)
    [ecs-ec-ingress.ecs-ec-ingress] [Folder Monitor
    [127.0.0.1][smb://127.0.0.1/dhcplog/]]
    com.q1labs.semsources.sources.windowsdhcp.WindowsDHCPTailProvide
    r: [ERROR] [NOT:0000003000][IP ADDRESS/- -] [-/-
    -]TailingException: Unable to create/open - examplename.log status =
    -1073741757 (0xc0000043) (0xC0000043)
    28 April 2021
    PROTOCOL IJ26183 ECS-EC-INGRESS PROCESS CAN SOMETIMES GO OUT OF MEMORY WHEN LOG SOURCES ARE USING THE WINDOWS IIS PROTOCOL CLOSED Resolved in
    This fix is available in the following RPMs on IBM Fix Central:
  • PROTOCOL-SmbTailProtocol-7.3-20201007124637.noarch.rpm
  • PROTOCOL-SmbTailProtocol-7.4-20201007123631.noarch.rpm
  • PROTOCOL-WindowsEventRPC-7.3-20210315133009.noarch.rpm
  • PROTOCOL-WindowsEventRPC-7.4-20210113131122.noarch.rpm

    The PROTOCOL-SmbTailProtocol release is also available in the weekly auto update for 25 April 2021 (Build 1619381033). The PROTOCOL-WindowsEventRPC RPM release is not included in automatic updates. Administrators must download and install the latest version of the Microsoft Windows Security Event Log over MSRPC RPM file on the Console using the YUM command.

    Workaround
    Contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    In some instances, the ecs-ec-ingress process (required for event collection) can experience out of memory occurrences that are caused by Log Sources using the Windows IIS Protocol when an incorrect .jar file is referenced for use. Messages similar to the following, referencing a Log Source connecting to an SMB host, might be visible in /var/log/qradar.log when this issue is occurring:
    [ecs-ec-ingress.ecs-ec-ingress] [Folder Monitor
    [x.x.x.x][smb://x.x.x.x/LogFiles/]]
    com.q1labs.semsources.sources.smbtail.io.SmbFileWithRetries:
    [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/-
    -][smb://x.x.x.x/LogFiles/W3SVC13] exists(): Failed: Access
    error for file W3SVC13 status = -1073741790 (0xc0000022)
    (0xC0000022)
    28 April 2021
    PROTOCOL IJ28166 LOG SOURCES CONFIGURED TO USE THE WINDOWS EVENT LOG RPC PROTOCOL CAN GO INTO ERROR STATE DISPLAYING ‘INTERNAL ERROR’ CLOSED Resolved in
    This fix is available in the following RPMs on IBM Fix Central:
  • PROTOCOL-SmbTailProtocol-7.3-20201007124637.noarch.rpm
  • PROTOCOL-SmbTailProtocol-7.4-20201007123631.noarch.rpm
  • PROTOCOL-WindowsEventRPC-7.3-20210315133009.noarch.rpm
  • PROTOCOL-WindowsEventRPC-7.4-20210113131122.noarch.rpm

    The PROTOCOL-SmbTailProtocol release is also available in the weekly auto update for 25 April 2021 (Build 1619381033). The PROTOCOL-WindowsEventRPC RPM release is not included in automatic updates. Administrators must download and install the latest version of the Microsoft Windows Security Event Log over MSRPC RPM file on the Console using the YUM command.

    Workaround
    No workaround available as this issue is closed as a vendor solution. Administrators must install the RPMs listed to resolve this issue, or update to the latest version of the SMB Tail Protocol and Microsoft Windows Security Event Log over MSRPC protocol if a newer version exists.

    Issue
    Some log sources that are configured to use the Windows Event Log RPC Protocol can go into “Error” state with an “Internal Error”.

    These instances have been identified as being caused when the jNQ jar file is required for use by the Protocol.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
    host [127.0.0.1]] java.lang.ArrayIndexOutOfBoundsException
    [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
    host [127.0.0.1]]    at
    jcifs.util.Encdec.dec_uint32le(Encdec.java:90)
    [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
    host [127.0.0.1]]    at
    ndr.NdrBuffer.dec_ndr_long(NdrBuffer.java:135)
    [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
    host [127.0.0.1]]    at
    ndr.NetworkDataRepresentation.readUnsignedLong(NetworkDataRepres
    entation.java:64)
    [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
    host [127.0.0.1]]    at
    com.q1labs.semsources.sources.windowseventrpc.ndr.util.NetworkDa
    taRepresentationAdapter.readUnsignedLong(NetworkDataRepresentationAdapter.java:34)
    [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
    host [127.0.0.1]] java.lang.NullPointerException
    [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
    host [127.0.0.1]]    at
    com.visuality.nq.client.rpc.Dcerpc.close(Dcerpc.java:901)
    [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
    host [127.0.0.1]]    at
    com.q1labs.semsources.sources.windowseventrpc.eventsource.common
    .EventLogWinRegistry.disconnectRemoteRegistry(EventLogWinRegistry.java:245)
    27 April 2021
    QRADAR NETWORK INSIGHTS IJ30955 PERFORMING A FORENSICS RECOVERY CAN APPEAR TO SUCCEED WHEN THE TASK FAILED SILENTLY AND NEVER STARTED OPEN Workaround
    No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

    Issue
    Attempting to perform a Forensics Recovery can appear to succeed, but the job never starts and there are no results in the Incident Recovery Grid when the username is longer than 25 characters. In these instances, messages in the logs indicate a postgres error if either the username or the submitter field is longer than 25 characters.

    Example of error log written in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [HttpServletRequest-3016-Idle]
    com.ibm.qradar.wfObjects.wfDBConnect: [ERROR] Database error:
         SQLException: ERROR: value too long for type character
    varying(25)
     SQLState: 22001
     VendorError: 0
    06 March 2021
    REPORTS IJ30954 AFTER REFRESHING PAGE AFTER CHANGES ARE MADE FOR SHARING REPORTING GROUPS THE CHANGES DO NOT APPEAR TO HAVE BEEN SAVED OPEN Workaround
    No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

    Issue
    An issue has been identified in the Reports > Managed Groups > ‘Share with Users Matching the following criteria’ interface where sharing a report does not appear to save as expected.

    If a user shares a report group with a specific user role and security profile, then clicks the refresh option, the change does not appear to save. This is misleading to users, as the report is saved successfully and shared with the selected user, but does not display as shared correctly. If a recipient of the shared report logs in, they can see the shared reports as (Shared)Report name.
    05 March 2021
    HIGH AVAILABILITY (HA) IJ30664 HIGH AVAILABILITY (HA) JOIN FAILS DUE TO INCORRECT SIZE OF /STORE AND /TRANSIENT PARTITION IN NON-CONSOLE BUILD OPEN Workaround
    Contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    In some instances, the /store partition on a High Availability (HA) Primary appliance can be larger, and the /transient partition smaller, than expected on a software installation of a non-Console QRadar appliance.

    When this occurs, the HA join process fails due to the incorrect and mismatched partition sizing between the Primary and Secondary appliances.

    The /var/log/setup-xxx/qradar_partsetup.log file displays similar messages as the following when this issue occurs:
    Wed Jul 31 03:31:24 +03 2019 [lvm_resize.sh] [InitLog] Log file
    set to /var/log/setup-7.3.2.20190410024210/qradar_partsetup.log
    Wed Jul 31 03:31:24 +03 2019 [lvm_resize.sh] [getopts]
    Pre-check argument passed
    Wed Jul 31 03:31:29 +03 2019 [lvm_resize.sh] [InitLog] Log file
    set to /var/log/setup-7.3.2.20190410024210/qradar_partsetup.log
    Wed Jul 31 03:31:29 +03 2019 [lvm_resize.sh] ERROR: Failed to
    unmount /store 
    06 March 2021
    DATA DEOBFUSCATION IJ30950 DATA DEOBFUSCATION DOES NOT WORK AS EXPECTED AFTER REASSIGNING A LOG SOURCE TO A DIFFERENT DOMAIN UNTIL PERFORMING FULL DEPLOY OPEN Workaround
    Perform a Deploy Full Configuration from the User Interface after moving a Log Source to a Log Source Group that is part of a different domain:
    1. Log in to the Console as an administrator.
    2. Click the Admin tab.
    3. Select Advanced > Deploy Full Configuration.
      For more information, see QRadar: What is the difference between ‘Deploy Changes’ and a ‘Deploy Full Configuration’?

      Issue
      When a Log Source is reassigned to a different Log Source group and that Log Source group is part of a different domain, data deobfuscation doesn’t work as expected with the new domain’s data obfuscation profile key.

      Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
      [tomcat.tomcat] [admin@127.0.0.1 (3282)
      /console/do/obfuscation/obfuscationdecryption]
      com.q1labs.obfuscation.ui.action.ObfuscationDecryptionAction:
      [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/-
      -]qradar.obfuscation.ui.obfuscationdecryption.error.CORRESPONDIN
      G_DECRYPTION_KEY_FOUND_IN_SESSION_BUT_DECRYPTION_FAIL,
      javax.crypto.BadPaddingException: decryption fail.
      javax.crypto.BadPaddingException: Given final block not
      properly padded
      [tomcat.tomcat] [admin@127.0.0.1 (3282)
      /console/do/obfuscation/obfuscationdecryption]
      com.q1labs.obfuscation.ui.action.ObfuscationDecryptionAction:
      [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]decryption fail
    06 March 2021
    ACCUMULATOR IJ31082 ‘ACCUMULATOR FALLING BEHIND’ NOTIFICATIONS AFTER DEFAULT GLOBAL VIEWS FOR EVENT RATE AND FLOW RATE HAVE BEEN RECREATED OPEN Workaround
    Contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    QRadar environments where the default Global Views for Event Rate (EPS) and Flow Rate (FPS) have been deleted and then recreated can experience Accumulator Falling Behind notifications during search processes.

    This is due to the addition, in these instances, of a locale that uses “contains” as its matching algorithm, which is considerably slower for searches.
    05 March 2021
    VULNERABILITY SCANNER IJ31109 TENABLE SCAN TASK CAN HANG AND NOT COMPLETE SUCCESSFULLY DUE TO A NULL KEY OPEN Workaround
    No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

    Issue
    Tenable IO is inserting a null key/element into spillOverCache, which causes the scan task to hang until it fails to complete successfully. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [vis] [Tenable.io-454-worker]
    com.q1labs.vis.exceptions.ScannerTaskException: This cache
    cannot accept null elements or null keys
    [vis] [Tenable.io-454-worker] at
    com.q1labs.vis.scanners.tenable.io.IOModule.scan(IOModule.java:187)
    [vis] [Tenable.io-454-worker] at
    com.q1labs.vis.scanners.base.ScannerModule.run(ScannerModule.jav
    a:221)
    05 March 2021
    DOMAINS AND TENANTS IJ31107 TENANTQUEUEDEVENTTHROTTLEFILTER DOES NOT PERFORM AS EXPECTED WITH A LOW EPS LIMIT AND CAN CAUSE DROPPED EVENTS OPEN Workaround
    Contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    The TenantQueuedEventThrottleFilter does not perform as expected with a low EPS limit and can cause dropped events. As a result, with a low tenant EPS limit configured, the limit cannot be reached without events being dropped.

    For example:
    1. Have a tenant and assign them a tenant EPS limit of 100.
    2. Have a low EPS of traffic for that tenant (example ~100EPS)

      Results
      Log Activity displays only “Receiving an average of 63 results per second” or something similar.
    06 March 2021
    PROTOCOLS IJ31086 LOG SOURCES USING RABBITMQ CAN SOMETIMES FAIL TO CONNECT AS EXPECTED DUE TO ROGUE CONNECTIONS CREATED OPEN Workaround
    No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

    Issue
    RabbitMQ can sometimes create new connections before the old one is removed. When this occurs, it can leave multiple rogue connections open on the Cisco AMP side, causing events not to be received by QRadar.
    06 March 2021
    UPGRADE IJ31095 QRADAR PATCHING TO VERSION 7.4.1 OR NEWER CAN FAIL ON MANAGED HOSTS WITH ”ERROR: COULD NOT CREATE UNIQUE INDEX…” OPEN Workaround
    No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

    Issue
    Patching to QRadar 7.4.1 or newer can fail on Managed Hosts because the creation of a unique index fails on duplicate reference data. Messages similar to the following might be visible during patching when this issue occurs:
    2 SQL script errors were detected; Error applying script [26/32]
    '/media/updates/opt/qradar/conf/templates/db_update_250323.ref_s
    et_import1.sql' for Test_qradar database.; details:
    WARNING:  SET TRANSACTION can only be used in transaction blocks
    NOTICE:  index "reference_data_element_unique_rdata1" does not
    exist, skipping
    ERROR:  could not create unique index
    "reference_data_element_unique_rdata1"
    DETAIL:  Key (md5((rdk_id::text || '_'::text) ||
    data))=(af781b7cdfc258bf8698f03aa207f885) is duplicated.Error
    applying script [29/32]
    '/media/updates/opt/qradar/conf/templates/db_update_248240.ref_s
    et_import1.sql' for Test_qradar database.; details:
    WARNING:  SET TRANSACTION can only be used in transaction blocks
    NOTICE:  index "reference_data_element_unique_rdata1" does not
    exist, skipping
    ERROR:  could not create unique index
    "reference_data_element_unique_rdata1"
    DETAIL:  Key (md5((rdk_id::text || '_'::text) ||
    data))=(af781b7cdfc258bf8698f03aa207f885) is duplicated.
    <hostname> :  patch rolled back.
    05 March 2021
    UPGRADE IJ31096 QRADAR MANAGED HOST PATCH COMPLETES SUCCESSFULLY BUT WITH ERRORS RUNNING “/MEDIA/UPDATES/SCRIPTS/QRADAR-2072.INSTALL” OPEN Workaround
    No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

    Issue
    QRadar Managed Hosts (MH) can patch successfully but with errors when the tomcat process on the Console appliance is unavailable during MH patching. Messages similar to the following can be displayed when this occurs:
    (hostname)-primary : patch test succeeded.
    (hostname)-secondary : patch test succeeded.
    Error running 143: /media/updates/scripts/QRADAR-2072.install
    --mode mainpatch


    In /var/log/setup-xxxxx/patches.log messages similar to the following can also be observed when this issue occurs:
    Feb 22 04:31:18 2021: Feb 22 04:31:18
    2021:[DEBUG](-ni-patchmode) Running script
    /media/updates/scripts/QRADAR-2072.install --mode mainpatch
    Feb 22 04:31:18 2021: [QRADAR-2072] [mainpatch:Run]
    /opt/qradar/bin/generate_cert_from_csr.sh
    parse error: Invalid numeric literal at line 1, column 8
    Feb 22 04:33:22 2021: Feb 22 04:33:22
    2021:[DEBUG](-ni-patchmode) Error running 73:
    /media/updates/scripts/QRADAR-2072.install --mode mainpatch;
    Got error code of 1.
    Feb 22 04:33:22 2021: Feb 22 04:33:22
    2021:[ERROR](-ni-patchmode) Error running 73:
    /media/updates/scripts/QRADAR-2072.install --mode mainpatch
    05 March 2021
    PROTOCOLS IJ31102 LOG SOURCES CONFIGURED TO USE THE IBMSIMJDBC PROTOCOL CAN FAIL TO WORK AS EXPECTED DUE TO A JAR DEPENDENCY OPEN Workaround
    In the following path: /opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs/IBMSIMJDBC/
    1. Make a copy of mssql-jdbc-7.2.0.jar.
    2. Name it mssql-IBMSIMJDBC-7.2.0.jar.

    Issue
    Log Sources configured to use the IBM Security Identity Manager Protocol can stop working with a ‘NoClassDefFoundError’ due to a jar dependency.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-25]
    com.eventgnosis.ecs: [ERROR] [NOT:0000003000][127.0.0.1/- -]
    [-/- -]Error attempting to load
    (device):ecs-ec-ingress/EC_Ingress/Q1_IBMSIMJDBCEventSource
    Error : java.lang.NoClassDefFoundError:
    com.microsoft.sqlserver.jdbc.SQLServerException
    05 March 2021
    LICENSE IJ07953 ‘FAILED TO GET EPS FPM ALLOCATION VALUES’ IN LOG ACTIVITY TAB OR ‘FAILED TO LOAD DATA’ IN LICENSE POOL MANAGEMENT CLOSED Resolved in
    QRadar 7.3.2 (7.3.2.20190201201121)
    QRadar 7.3.1 Fix Pack 7 (7.3.1.20181123182336)

    Workaround
    Administrators can upgrade to a release where this issue is resolved. For more information, review the following resources:
    Issue
    It has been identified in instances where manual database changes have been made to license_key and serverhosts table that the license pool management page sometimes does not load and displays error “Failed to load data”. The message “Failed to Get EPS FPM allocation values” can also be observed in the Log Activity tab when this issue is occurring.

    Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
    [tomcat.tomcat] [admin@127.0.0.1 (2795)
    /console/restapi/api/config/deployment/license_pool] Caused by:
    [tomcat.tomcat] [admin@127.0.0.1 (2795)
    /console/restapi/api/config/deployment/license_pool]
    com.q1labs.restapi_annotations.content.exceptions.endpointExcept
    ions.ServerProcessingException: Failed to retrieve the deployed
    license pool
    [tomcat.tomcat] [admin@127.0.0.1 (2795)
    /console/restapi/api/config/deployment/license_pool]    at
    com.ibm.si.configservices.api.impl.license_pool.LicensePoolGetIm
    pl.buildPool(LicensePoolGetImpl.java:42)
    [tomcat.tomcat] [admin@127.0.0.1 (2795)
    /console/restapi/api/config/deployment/license_pool]    at
    com.ibm.si.configservices.api.impl.license_pool.LicensePoolGetIm
    pl.getLicensePool(LicensePoolGetImpl.java:18)
    [tomcat.tomcat] [admin@127.0.0.1 (2795)
    /console/restapi/api/config/deployment/license_pool]    at
    com.q1labs.configservices.api.v8_0.license_pool.LicensePoolAPI.g
    etDeployedLicensePool(LicensePoolAPI.java:70)
    [tomcat.tomcat] [admin@127.0.0.1 (2795)
    /console/restapi/api/config/deployment/license_pool]    at
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    [tomcat.tomcat] [admin@127.0.0.1 (2795)
    /console/restapi/api/config/deployment/license_pool]    at
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessor
    Impl.java:90)
    [tomcat.tomcat] [admin@127.0.0.1 (2795)
    /console/restapi/api/config/deployment/license_pool]    at
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
    AccessorImpl.java:55)
    [tomcat.tomcat] [admin@127.0.0.1 (2795)
    /console/restapi/api/config/deployment/license_pool]    at
    java.lang.reflect.Method.invoke(Method.java:508)
    [tomcat.tomcat] [admin@127.0.0.1 (2795)
    /console/restapi/api/config/deployment/license_pool]    at
    com.q1labs.restapi.servlet.utilities.APIRequestHandler.invokeMet
    hod(APIRequestHandler.java:1031)
    [tomcat.tomcat] [admin@127.0.0.1 (2795)
    /console/restapi/api/config/deployment/license_pool]    at
    com.q1labs.restapi.servlet.utilities.APIRequestHandler.redirectR
    equest(APIRequestHandler.java:399)
    [tomcat.tomcat] [admin@127.0.0.1 (2795)
    /console/restapi/api/config/deployment/license_pool] ... 46 more
    [tomcat.tomcat] [admin@127.0.0.1 (2795)
    /console/restapi/api/config/deployment/license_pool] Caused by:
    [tomcat.tomcat] [admin@127.0.0.1 (2795)
    /console/restapi/api/config/deployment/license_pool]
    java.lang.NullPointerException
    [tomcat.tomcat] [admin@127.0.0.1 (2795)
    /console/restapi/api/config/deployment/license_pool]    at
    com.q1labs.core.shared.license.LicenseKeyManager.getHostType(Lic
    enseKeyManager.java:4305)
    [tomcat.tomcat] [admin@127.0.0.1 (2795)
    /console/restapi/api/config/deployment/license_pool]    at
    com.q1labs.core.shared.license.LicensePoolAllocationManager.getT
    otalCapacities(LicensePoolAllocationManager.java:652)
    [tomcat.tomcat] [admin@127.0.0.1 (2795)
    /console/restapi/api/config/deployment/license_pool]    at
    com.q1labs.core.shared.license.LicensePoolAllocationManager.getT
    otalCapacities(LicensePoolAllocationManager.java:629)
    [tomcat.tomcat] [admin@127.0.0.1 (2795)
    /console/restapi/api/config/deployment/license_pool]    at
    com.ibm.si.configservices.api.impl.license_pool.LicensePoolGetIm
    pl.buildPool(LicensePoolGetImpl.java:33)
    26 February 2019
    QRADAR ON CLOUD IJ32040 QRADAR ON CLOUD USER INTERFACE CAN EXPERIENCE UNPOPULATED LIST BOXES OR ONES ONLY DISPLAYING AN “X” OPEN Workaround
    Contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    Some QRadar On Cloud instances on Akamai can experience User Interface (UI) display issues such as unpopulated list boxes or list boxes with only “X” being displayed. This UI display behavior can be intermittent.

    This behavior has been identified as being caused by downloads of CSS resources, such as dojo.css, failing authentication and getting redirected to login.ibm.com. As these static resource downloads do not handle the HTTP 302 redirection, the CSS is not downloaded and the UI is incomplete.
    16 April 2021
    PROTOCOL IJ32029 LOG SOURCES CONFIGURED TO USE THE VMWARE PROTOCOL CAN STOP WORKING AFTER INSTALLING UPDATED PROTOCOL VERSION OPEN Workaround
    The workaround is QRadar version dependent. Note: Restarting the ecs-ec-ingress service stops event collection. For more information, see: Impact of restarting QRadar services.

    For QRadar 7.4.x:
    1. Remove the file /opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs/dom4j.jar.
    2. To restart the ecs-ec-ingress service, select Admin > Advanced > Restart Event Collection Service.

    For QRadar 7.3.x:
    1. Remove the file /opt/ibm/si/services/ecs-ec-ingress/current/bin/dom4j-1.3.jar.
    2. To restart the ecs-ec-ingress service, select Admin > Advanced > Restart Event Collection Service.

    Issue
    Log Sources configured to use the VMware protocol can stop working and display “Invalid Credentials when initializing EMCVmWareProtocol” after installing a new EMCVmware protocol rpm manually or via the AutoUpdate feature in QRadar.

    Affected RPM versions:
    • PROTOCOL-EMCVMWareProtocol-7.3-20200916171440.noarch.rpm
    • PROTOCOL-EMCVMWareProtocol-7.4-20200916171516.noarch.rpm

    To verify whether an affected version is installed, run the following command from an SSH session to the QRadar Console:
    rpm -qa | grep -i emcvmwareprotocol

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] 
    Caused by: 
    java.rmi.RemoteException: VI SDK invoke
    exception:java.rmi.RemoteException: VI SDK invoke
    exception:org.dom4j.DocumentException:
    org.dom4j.DocumentFactory incompatible with
    org.dom4j.DocumentFactory
    [ecs-ec-ingress.ecs-ec-ingress]
    [Thread-246] at com.vmware.vim25.ws.WSClient.invoke(Unknown
    Source)
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] at
    com.vmware.vim25.ws.VimStub.retrieveServiceContent(Unknown
    Source)
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] at
    com.vmware.vim25.mo.ServiceInstance.<init>(Unknown
    Source)
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] at
    com.vmware.vim25.mo.ServiceInstance.<init>(Unknown
    Source)
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] at com.q1la
    bs.semsources.sources.vmware.api.VmApi.init(VmApi.java:90)
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] ... 4
    more
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-246]
    com.q1labs.semsources.sources.vmware.EMCVmWareProtocol: [DEBUG]
    EMC Vm Ware Protocol Provider 'class
    com.q1labs.semsources.sources.vmware.VmWareAPIProvider6'
    changed state from STARTING to STOPPED.
    16 April 2021
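The affected-version check and the version-dependent workaround above are easy to get wrong by hand, because the dom4j jar lives at a different path on 7.3.x and 7.4.x. The following POSIX shell script is an added example, not IBM's or QRadar's code: it reads `rpm -qa` output, flags the two affected EMCVMWare protocol builds listed in IJ32029, and prints the jar the workaround removes for that QRadar line, together with whether the file is still present. It deletes nothing; the removal and the event collection restart remain manual steps. The `ROOT` prefix is an assumption added so the check can be exercised against a scratch directory instead of the real filesystem; on a Console it is left empty. The package names fed in under "Stand-alone" are whatever `rpm -qa` prints (no `.rpm` suffix).

```shell
#!/bin/sh
# Added example, not IBM's code: pre-flight check for the IJ32029 workaround.
# Reads `rpm -qa` output, reports whether an affected EMCVMWare protocol
# build is installed, and names the dom4j jar the workaround removes for that
# QRadar line. Nothing is deleted; the administrator runs the removal.

# Affected builds as listed in IJ32029 (rpm -qa prints them without ".rpm").
AFFECTED_BUILDS='PROTOCOL-EMCVMWareProtocol-7.3-20200916171440.noarch
PROTOCOL-EMCVMWareProtocol-7.4-20200916171516.noarch'

# ROOT is an assumption for this example: a prefix for the jar paths so the
# check can be run against a scratch directory. Empty on a real Console.
ROOT="${ROOT:-}"

# $1: one package name as printed by `rpm -qa`.
# Prints the jar the workaround removes for that line; returns 1 if the
# package is not one of the affected builds.
dom4j_jar_for() {
    printf '%s\n' "$AFFECTED_BUILDS" | grep -qxF -- "$1" || return 1
    case "$1" in
        *-7.3-*) printf '%s\n' "$ROOT/opt/ibm/si/services/ecs-ec-ingress/current/bin/dom4j-1.3.jar" ;;
        *-7.4-*) printf '%s\n' "$ROOT/opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs/dom4j.jar" ;;
        *) return 1 ;;
    esac
}

# Reads `rpm -qa` output on stdin. One status line per EMCVMWare package:
#   OK <pkg>                          build not in the affected list
#   AFFECTED <pkg> <jar> PRESENT      affected build and the jar is still there
#   AFFECTED <pkg> <jar> ABSENT       affected build, jar already removed
check_emcvmware() {
    grep -i -- emcvmwareprotocol | while read -r pkg; do
        if jar=$(dom4j_jar_for "$pkg"); then
            if [ -e "$jar" ]; then
                printf 'AFFECTED %s %s PRESENT\n' "$pkg" "$jar"
            else
                printf 'AFFECTED %s %s ABSENT\n' "$pkg" "$jar"
            fi
        else
            printf 'OK %s\n' "$pkg"
        fi
    done
}

# Stand-alone on a Console: feed the live package list through the check.
# Skipped silently where rpm is not installed.
if command -v rpm >/dev/null 2>&1; then
    rpm -qa | check_emcvmware
fi
```

A line ending in PRESENT means the affected build is installed and the jar has not yet been removed, so the workaround for that QRadar line still has to be applied, followed by Admin > Advanced > Restart Event Collection Service.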
    UPGRADE IJ31972 RESIDUAL JDBC PROTOCOL JAR FILES ARE LEFT BEHIND WHEN UPGRADING FROM QRADAR 7.3.X TO 7.4.X OPEN Workaround
    The residual .jar files from the 7.3.x JDBC protocol can be ignored.

    Issue
    When patching from QRadar 7.3.x to QRadar 7.4.x there are residual JDBC Protocol .jar files that are left behind from the older protocol version. These residual .jar files are benign and can be safely ignored.
    16 April 2021
    ADVANCED SEARCH (AQL) IJ31912 DATA CONTAINED WITHIN “< >” FROM PAYLOADS IS MISSING IN CSV EXPORT FROM AN AQL ADVANCED SEARCH CONTAINING A GROUP BY OPEN Workaround
    Where possible, perform the AQL search without the GROUP BY condition.

    Issue
    When performing an AQL search with a GROUP BY condition, and exporting the visible columns to a CSV file, any priority headers contained in the event payloads (e.g. “<13>”) are missing in the .csv export file. For example:
    1. QRadar user interface, select Log Activity > Quick Filter > Advanced Search.
    2. Search for events with GROUP BY condition where the results contains the “< >” symbols.
    3. Select Actions > Export to CSV > Visible Columns.
    4. Save and open the file.

      Result
      From the output csv columns, the strings contained by the “< >” symbols are missing.
    16 April 2021
    PROTOCOL IJ31913 JDBC TIMEOUT VALUE CONFIGURED FOR ORACLE LOG SOURCES IS SET AT 1 MINUTE VS 5 MINUTES FOR MSDB LOG SOURCES OPEN Workaround
    No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

    Issue
    The JDBC timeout value used for Oracle Log Sources is set at 1 minute, but when JDBC is used for MSDB Log Sources it is set at 5 minutes. This can cause Oracle Log Sources to go into a failed state earlier than expected.

    Messages similar to the following might be visible in /var/log/qradar.log when the timeout occurs:
    [ecs-ec-ingress.ecs-ec-ingress] [*Oracle*//LxxxxxA@ipaddress
    Protocol Provider Thread: class
    com.q1labs.semsources.sources.jdbc.JdbcEventConnector5530]
    com.q1labs.semsources.sources.jdbc.JdbcEventConnector: [WARN]
    [NOT:0000004000][ipaddress/- -] [-/- -]IO Error: Socket read
    timed out on Oracle//LxxxxxA@ipaddress
    16 April 2021
    MANAGED HOST / ADD HOST IJ32092 ADMIN USER WITH NO LOCALE CONFIGURED IS UNABLE TO ADD A MANAGED HOST TO THE QRADAR DEPLOYMENT OPEN Workaround
    1. Set the locale to English using the following command from an SSH session to the QRadar Console:
      psql -U qradar -c "update
      user_settings set locale='en',use_browser_locale = 'f' where
      security_id = (select security_id from security_descriptors
      where label = 'admin');"
    2. To restart hostcontext, type:
      systemctl restart hostcontext
    3. Restart tomcat, type:
      systemctl restart tomcat
    4. Attempt to add the managed host to the deployment again.

    Issue
      The Add Host process fails with a message similar to “Cannot connect to the host. Check password and IP” for an admin user with no QRadar locale configured.

      Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
      [tomcat.tomcat] [Thread-503]
      com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI:
      [ERROR] [NOT:0000003000][xx.xx.xx.xx/- -] [-/- -]unable to add
      managed host: null
      [tomcat.tomcat] [Thread-503] com.q1labs.resta
      pi_annotations.content.exceptions.endpointExceptions.ServerProcessingException
      [tomcat.tomcat] [Thread-503] at com.ibm.si.config
      services.api.impl.DeploymentAPIImpl.addManagedHost(DeploymentAPIImpl.java:924)
      [tomcat.tomcat] [Thread-503] at com.ibm.si.config
      services.api.v3_0.deployment.DeploymentAPI$AddHostThread.run(Dep
      loymentAPI.java:1003)
      [tomcat.tomcat] [Thread-503] at
      java.lang.Thread.run(Thread.java:822)
      [tomcat.tomcat]
      [Thread-503] Caused by:
      [tomcat.tomcat] [Thread-503]
      com.q1labs.configservices.common.ConfigServicesException:
      Unable to add managed host.
      [tomcat.tomcat] [Thread-503] at com.
      q1labs.configservices.capabilities.CapabilitiesHandler.addManage
      dHost(CapabilitiesHandler.java:2025)
      [tomcat.tomcat]
      [Thread-503] at com.ibm.si.configservices.api.impl.DeploymentAPI
      Impl.addManagedHost(DeploymentAPIImpl.java:893)
      [tomcat.tomcat]
      [Thread-503] ... 2 more
    16 April 2021
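Most entries on this page identify the problem by a message in /var/log/qradar.log, and the practical first step when a log source or process misbehaves is to check the log for those strings. The following POSIX shell script is an added example, not IBM's or QRadar's code: it takes one short fixed substring from the excerpt quoted in each of IJ29518, IJ26183, IJ28166, IJ30955, IJ30950, IJ31109, IJ31102, IJ32029, IJ32092, IJ31537 and IJ07953 above and reports which APAR a hit points to. The signature strings are taken from this page; the sample log the script builds when run without an argument is constructed for the example, with three lines reassembled from the wrapped IJ29518, IJ31537 and IJ32092 excerpts and the rest filler. A hit is a pointer to the entry to read, not proof of the APAR, since the substrings are deliberately short. Note that the IJ07953 message is written to /var/log/qradar.error rather than qradar.log, so point the script at that file to look for it.

```shell
#!/bin/sh
# Added example, not IBM's code: scan a QRadar log for the error strings
# quoted in the APAR entries on this page and report which APAR each hit
# points to. Signatures are fixed substrings (grep -F) of a single log line.

# "<fixed substring>|<APAR>", one per line. Strings come from the entries above.
APAR_SIGNATURES='smbtail.io.jnq.JNQException|IJ29518
SmbFileWithRetries|IJ26183
jcifs.util.Encdec.dec_uint32le|IJ28166
value too long for type character|IJ30955
FOUND_IN_SESSION_BUT_DECRYPTION_FAIL|IJ30950
cannot accept null elements or null keys|IJ31109
com.microsoft.sqlserver.jdbc.SQLServerException|IJ31102
org.dom4j.DocumentFactory incompatible with|IJ32029
unable to add managed host|IJ32092
Message size exceeds communication buffer capacity|IJ31537
Failed to retrieve the deployed|IJ07953'

# $1: log file to scan (normally /var/log/qradar.log).
# Output: one line per APAR with at least one hit: "<APAR> <hits> <signature>".
# Returns 2 if the file cannot be read.
scan_qradar_log() {
    log="$1"
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    printf '%s\n' "$APAR_SIGNATURES" | while IFS='|' read -r sig apar; do
        # grep -c prints 0 and exits 1 on no match; keep the count either way.
        hits=$(grep -c -F -- "$sig" "$log" || true)
        [ "$hits" -gt 0 ] || continue
        printf '%s %s %s\n' "$apar" "$hits" "$sig"
    done
}

# Writes a constructed sample log (not a real qradar.log) and prints its path.
# The three error lines are the wrapped excerpts from IJ29518, IJ31537 and
# IJ32092 above re-joined onto single lines; the other lines are filler.
make_sample_log() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
[ecs-ec-ingress.ecs-ec-ingress] [Thread-25] com.eventgnosis.ecs: [INFO] constructed filler line
[ecs-ec-ingress.ecs-ec-ingress] [Folder Monitor [127.0.0.1][smb://127.0.0.1/dhcplog/]] com.q1labs.semsources.sources.smbtail.io.jnq.JNQException: Unable to create/open - j50.log status = -1073741757 (0xc0000043) (0xC0000043)
[ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] com.q1labs.frameworks.nio.exceptions.MessageSizeException: Message size exceeds communication buffer capacity 131062
[tomcat.tomcat] [Thread-503] com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI: [ERROR] [NOT:0000003000][xx.xx.xx.xx/- -] [-/- -]unable to add managed host: null
[tomcat.tomcat] [Thread-9] constructed filler line
EOF
    printf '%s\n' "$f"
}

# Stand-alone: scan the file named on the command line, or the constructed
# sample when no file is given.
if [ $# -gt 0 ]; then
    scan_qradar_log "$1"
else
    sample=$(make_sample_log) && scan_qradar_log "$sample"
    rm -f "$sample"
fi
```

On a Console, run it as `sh scan_apar_signatures.sh /var/log/qradar.log` from an SSH session; with no argument it scans the built-in sample and reports IJ29518, IJ31537 and IJ32092 with one hit each.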
    ROUTING RULES IJ31911 ROUTING RULES WITH A FILTER CONTAINING A TRAILING BACKSLASH ARE NOT EDITABLE ONCE SAVED OPEN Workaround
    No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

    Issue
    Routing Rules with a filter containing a trailing backslash are not editable once saved. For example:
    1. Log in to the QRadar Console as an administrator.
    2. Click the Admin tab.
    3. Click the Routing Rules icon.
    4. Create a new rule.
    5. Add a filter to the rule that uses a trailing backslash. For example:
      Filename is equal to any of C:\Users\Test\
    6. Click Save.
    7. Attempt to edit the rule.

      Results
      The edit interface does not open. Users are unable to use the Edit button in the user interface.
    16 April 2021
    EVENT DATA IJ31537 MESSAGESIZEEXCEPTION CAN CAUSE THE QRADAR EVENT PIPELINE TO STOP FUNCTIONING AS EXPECTED OPEN Workaround
    No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

    Issue
    The QRadar event pipeline can stop working as expected when a message size exception is encountered, causing events to fail processing.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] com.q1labs.sem.nio.network.StreamProcessor: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]Cannot get the event from SpilloverQueue
    [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] com.q1labs.frameworks.nio.exceptions.MessageSizeException: Message size exceeds communication buffer capacity 131062
    [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread]    at com.q1labs.frameworks.nio.network.protocol.CollectionHandler.put(CollectionHandler.java:66)
    [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread]    at com.ibm.si.ecingress.destinations.SECStoreForwardDestination.sendEventFromQ(SECStoreForwardDestination.java:471)
    [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread]    at com.q1labs.sem.nio.network.StreamProcessor.sendMessage(StreamProcessor.java:96)
    [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread]    at com.q1labs.sem.nio.network.StreamProcessor.run(StreamProcessor.java:55)
    [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread]    at java.lang.Thread.run(Thread.java:818)
    16 April 2021
    LOG SOURCES IJ31917 LOG SOURCE IDENTIFIER COLUMN DISPLAYS “N/A” WHEN SELECTED IN A LOG ACTIVITY PAGE SEARCH OPEN Workaround
    This issue only affects users in the legacy user interface; it does not affect the Log Source Management app. The Log Source Management App displays the correct Log Source Identifier value.

    Where possible, use the Log Source Management app to view Log Source Identifier data.

    Issue
    The Log Source Identifier column displays N/A when it is selected in a search in the Log Activity page of the QRadar User Interface. This prevents grouping by Log Source Identifier.

    When opening a received event, the Log Source Identifier column displays the expected data within that view.
    16 April 2021
    PROTOCOL IJ32031 LOG SOURCES CONFIGURED TO USE THE GOOGLE CLOUD PUB SUB PROTOCOL CAN INCORRECTLY DISPLAY ERROR STATUS OPEN Workaround
    1. Confirm events are being received by the Log Source by performing an event search.
    2. Toggling affected Log Sources to disabled and then back to enabled can temporarily correct the error status for the Google Pub/Sub log source.


    Issue
    Log Sources that are configured to use the Google Cloud Pub Sub Protocol can sometimes incorrectly display a status of “Error” when they are working correctly.
    16 April 2021
    UPGRADE IJ32030 QRADAR PATCH PRETEST FAILS TO RUN ON MANAGED HOSTS UNTIL CONSOLE IS PATCHED OPEN Workaround
    Perform the QRadar pretest and complete the Console software update. After the Console patching is successfully completed, the pretest can be run on the remaining Managed Hosts in the deployment.

    Issue
    The QRadar patch pretest function cannot be run on a Managed Host when the QRadar Console has not yet been patched. This issue prevents a pretest of a complete QRadar deployment prior to performing the patching process until after the Console is patched.

    A message similar to the following might be visible when attempting to run the pretest function:
    [ERROR] Failed to determine the patch level of the Console.
    16 April 2021
    UPGRADE IJ32036 LOG SOURCES CONFIGURED TO USE THE MQJMS PROTOCOL CAN STOP WORKING UNEXPECTEDLY OPEN Workaround
    Toggle the affected MQ JMS log source to disabled and then enable it again to correct the issue.

    Issue
    Log Sources that are configured to use the MQJMS Protocol stop working when a JMSWMQ1107 error occurs. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] com.q1labs.semsources.sources.mqjms.MQJMSErrorHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error Message: JMSWMQ1107: A problem with this connection has occurred.
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] com.ibm.msg.client.jms.DetailedIllegalStateException: JMSWMQ1107: A problem with this connection has occurred.
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] An error has occurred with the IBM MQ JMS connection.
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] Use the linked exception to determine the cause of this error.
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.wmq.common.internal.Reason.reasonToException(Reason.java:489)
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:215)
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.wmq.internal.WMQMessageConsumer.checkJmqiCallSuccess(WMQMessageConsumer.java:217)
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.wmq.internal.WMQMessageConsumer.checkJmqiCallSuccess(WMQMessageConsumer.java:273)
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.wmq.internal.WMQAsyncConsumerShadow.consumer(WMQAsyncConsumerShadow.java:615)
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.mq.jmqi.remote.impl.RemoteProxyQueue.callConsumer(RemoteProxyQueue.java:3616)
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.mq.jmqi.remote.impl.RemoteDispatchThread.run(RemoteDispatchThread.java:269)
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.commonservices.workqueue.WorkQueueItem.runTask(WorkQueueItem.java:319)
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.commonservices.workqueue.SimpleWorkQueueItem.runItem(SimpleWorkQueueItem.java:99)
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.commonservices.workqueue.WorkQueueItem.run(WorkQueueItem.java:343)
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.commonservices.workqueue.WorkQueueManager.runWorkQueueItem(WorkQueueManager.java:312)
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.commonservices.j2se.workqueue.WorkQueueManagerImplementation$ThreadPoolWorker.run(WorkQueueManagerImplementation.java:1227)
    [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] Caused by: com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2202' ('MQRC_CONNECTION_QUIESCING').
    16 April 2021
    SECURITY BULLETIN CVE-2020-7692 GOOGLE-API-CLIENT AS USED BY IBM QRADAR SIEM IS VULNERABLE TO AUTHORIZATION BYPASS CLOSED Resolved in
    7.3.0-QRADAR-PROTOCOL-GoogleCommon-7.3-20210126200436
    7.4.0-QRADAR-PROTOCOL-GoogleCommon-7.4-20210126200430

    Affected versions
    • All GoogleCommon versions before 7.3.0-QRADAR-PROTOCOL-GoogleCommon-7.3-20210126200436
    • All GoogleCommon versions before 7.4.0-QRADAR-PROTOCOL-GoogleCommon-7.4-20210126200430
    Issue
    CVE-2020-7692: Google APIs google-oauth-java-client could allow a remote attacker to bypass security restrictions, caused by no PKCE support implemented. By executing a specially-crafted application, an attacker could exploit this vulnerability to obtain the authorization code, and gain authorization to the protected resource. CVSS Base score: 7.4
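The bulletin above describes the missing protection in one sentence: without PKCE, whoever obtains the authorization code can redeem it. The following is an added example, not code from QRadar or from google-oauth-java-client, that models both sides of the PKCE exchange from RFC 7636 in one process: the client derives a code_challenge from a secret code_verifier, the authorization server stores the challenge with the issued code, and redemption succeeds only for the party holding the verifier. The client id and issued codes are constructed values; the S256 test vector in the test is the one from RFC 7636 Appendix B.

```python
"""Added illustration of PKCE (RFC 7636) for the CVE-2020-7692 entry.

Not QRadar's or google-oauth-java-client's code. The client_id value and the
issued codes are constructed for this example.
"""
import base64
import hashlib
import hmac
import secrets

CLIENT_ID = "qradar-protocol-client"   # constructed value


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 section 4.1: 43..128 unreserved chars; 32 random bytes -> 43 chars."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """RFC 7636 section 4.2: BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Minimal server side: remembers the challenge with each issued code and
    checks the verifier when the code is redeemed at the token endpoint."""

    def __init__(self):
        self._codes = {}

    def authorize(self, client_id: str, code_challenge: str) -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, code_challenge)
        return code

    def redeem(self, code: str, client_id: str, code_verifier: str) -> bool:
        entry = self._codes.pop(code, None)      # authorization codes are single use
        if entry is None or entry[0] != client_id:
            return False
        # Constant-time comparison of the recomputed challenge with the stored one.
        return hmac.compare_digest(code_challenge_s256(code_verifier), entry[1])


def pkce_flow(code_intercepted: bool) -> dict:
    """Run one authorization: the legitimate client redeems with its verifier;
    when only the code was intercepted, the redeeming party lacks the verifier."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize(CLIENT_ID, code_challenge_s256(verifier))
    if code_intercepted:
        # The verifier never leaves the client, so the interceptor can only guess one.
        return {"redeemed": server.redeem(code, CLIENT_ID, make_code_verifier())}
    return {"redeemed": server.redeem(code, CLIENT_ID, verifier)}


if __name__ == "__main__":
    print("legitimate client:", pkce_flow(False))
    print("code-only holder: ", pkce_flow(True))
```

Without the challenge stored at authorization time there is nothing for the token endpoint to bind the code to, which is exactly the gap the bulletin describes for clients that do not implement PKCE.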
    04 March 2021
    SERVICES IJ31105 POSTFIX SERVICE IN A BAD STATE CAN CAUSE HOSTCONTEXT TO HANG OPEN Workaround
    Contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    QRadar’s hostcontext (responsible for multiple QRadar functions) can go into a hung state when the postfix service is not working correctly.

    Checking the status of postfix can help to identify that it might be in a bad state. This can be performed from an SSH session to the QRadar Console:
    # systemctl status postfix
    postfix.service - Postfix Mail Transport Agent
       Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled)
      Drop-In: /etc/systemd/system/postfix.service.d
               80-si-postfix.conf
       Active: active (running) since Tue 2021-02-23 14:14:49 EST; 1h 15min ago
     Main PID: 22618 (master)
        Tasks: 3
       Memory: 3.1M
       CGroup: /system.slice/postfix.service
               22618 /usr/libexec/postfix/master -w
               22619 pickup -l -t unix -u
               22620 qmgr -l -t unix -u

    Feb 23 15:26:02 (console) postfix/master[22618]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
    (console) postfix/smtpd[69654]: fatal: bad numerical configuration: unknown_local_recipient_reject_code = 550 relayhost =
    (console) postfix/master[22618]: warning: process /usr/libexec/postfix/smtpd pid 69654 exit status 1
    (console) postfix/master[22618]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
    Feb 23 15:28:03 (console) postfix/smtpd[85954]: fatal: bad numerical configuration: unknown_local_recipient_reject_code = 550 relayhost =
    (console) postfix/master[22618]: warning: process /usr/libexec/postfix/smtpd pid 85954 exit status 1
    (console) postfix/master[22618]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
    (console) postfix/smtpd[96641]: fatal: bad numerical configuration: unknown_local_recipient_reject_code = 550 relayhost =
    (console) postfix/master[22618]: warning: process /usr/libexec/postfix/smtpd pid 96641 exit status 1
    (console) postfix/master[22618]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling

    For more information on hostcontext in QRadar, see: QRadar: Hostcontext service and the impact of a service restart
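The smtpd failure quoted above rejects a numeric parameter whose value reads “550 relayhost =”. Postfix's main.cf grammar (postconf(5)) treats a line that begins with whitespace as a continuation of the preceding parameter's value, so an indented “relayhost =” line is folded into unknown_local_recipient_reject_code and produces a value of exactly that shape. The page does not state the cause on any particular appliance; the following is an added example, not QRadar's or Postfix's code, that applies the continuation rule to a constructed main.cf and flags numeric parameters Postfix would refuse, so the condition can be caught before smtpd starts throttling. The parameter set and the sample file are constructed for the example.

```python
"""Added illustration for IJ31105: minimal main.cf reader with Postfix's
whitespace-continuation rule plus a numeric-parameter validator.

Not QRadar's or Postfix's code. NUMERIC_PARAMS and the sample main.cf text
are constructed for this example.
"""
import re

# Parameters Postfix parses as integers; only the one from the log is listed here.
NUMERIC_PARAMS = {"unknown_local_recipient_reject_code"}
_ASSIGN = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")


def parse_main_cf(text: str) -> dict:
    """Return {parameter: value}, folding indented lines into the previous value.

    Continuation text is joined with a single space here; the exact join
    character Postfix uses does not matter for the numeric check below.
    """
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                  # blank line or comment
        if raw[0] in " \t":                           # continuation of the previous logical line
            if current is not None:
                params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        m = _ASSIGN.match(raw)
        if not m:
            continue                                  # not a parameter assignment
        current = m.group(1)
        params[current] = m.group(2).strip()
    return params


def bad_numeric_params(params: dict) -> list:
    """(name, value) pairs that would trigger 'bad numerical configuration'."""
    return [(k, params[k]) for k in sorted(NUMERIC_PARAMS)
            if k in params and not re.fullmatch(r"-?\d+", params[k])]


# Constructed sample: the relayhost line was accidentally indented.
BROKEN_MAIN_CF = """\
myhostname = console.example.com
unknown_local_recipient_reject_code = 550
  relayhost =
inet_interfaces = loopback-only
"""

# Same file with relayhost starting in column one.
FIXED_MAIN_CF = BROKEN_MAIN_CF.replace("\n  relayhost =", "\nrelayhost =")


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_MAIN_CF), ("fixed", FIXED_MAIN_CF)):
        print(label, bad_numeric_params(parse_main_cf(text)))
```

On a live system the same check can be made against the output of postconf -n, which prints each logical line already folded.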
    31 March 2021
    LOG SOURCES IJ31534 AUTODISCOVERED LOG SOURCES WITH A 127.0.0.1 IP ADDRESS CAN CAUSE SYSTEM EVENTS TO BE CATEGORIZED INCORRECT OPEN Workaround
    Update your parsing order for log sources to move the autodiscovered log sources below the QRadar system log sources. For more information, see: Adding a log source parsing order.

    Issue
    Autodiscovered log sources with an IP Address of 127.0.0.1 can have a higher value in the parsing order than the system based log sources. This can cause internal events (for example, SIM Audit) to be associated with the incorrect log source.

    To identify whether this is the cause of incorrect Log Source association for internal events, check the parsing order:
    1. Open the Log Source parsing order User Interface in the Admin tab.
    2. Filter by identifier = 127.0.0.1.

      Results
      When this issue occurs, there will be log sources above internal log sources in the parsing order list. Updating the parsing order can resolve this issue. For more information about QRadar system (internal) log sources, see: Creating an Offense for Monitoring an Internal Log Source.
    31 March 2021
    LOG SOURCES IJ31840 LOG SOURCES CONFIGURED FOR IBM SECURITY IDENTITY MANAGER JDBC CAN FAIL TO PARSE AS EXPECTED OPEN Workaround
    1. Open the affected Log Source.
    2. Save the log source.
    3. Verify that the Log Source is parsing the expected data from new events after re-saving it.
    4. Note: In some instances, a change to the Log Source might be needed; then save the Log Source and check for proper event parsing.

      Issue
      Log Sources configured for use with IBM Security Identity Manager JDBC can fail to work as expected.

      Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
      [ecs-ec-ingress.ecs-ec-ingress] [DB2//ITIMDB@dbHost Protocol Provider Thread: class com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector2018] com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector: [INFO] [NOT:0000006000][epIp/- -] [-/- -]disconnected
      [ecs-ec-ingress.ecs-ec-ingress] [DB2//ITIMDB@dbHost Protocol Provider Thread: class com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector2018] com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventSource: [INFO] [NOT:0000006000][epIp/- -] [-/- -]Provider 'class com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector2018' stopped.
      [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021] com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector: [INFO] [NOT:0000006000][epIp/- -] [-/- -]Polling interval in milliseconds = 30000
      [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021] com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector: [INFO] [NOT:0000006000][epIp/- -] [-/- -]jdbc session properties file already exists, loading its values
      [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021] com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector: [WARN] [NOT:0000004000][epIp/- -] [-/- -]null on DB2//ITIMDB@dbHost
      [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021] java.lang.NullPointerException
      [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]   at com.q1labs.semsources.sources.jdbc.SourceDatabaseType$2.composeUrl(SourceDatabaseType.java:90)
      [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]   at com.q1labs.semsources.sources.jdbc.JdbcEventConnector.connect(JdbcEventConnector.java:482)
      [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]   at com.q1labs.semsources.sources.jdbc.JdbcEventConnector.preExecuteConfigure(JdbcEventConnector.java:1060)
      [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]   at com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector.preExecuteConfigure(IBMSIMJDBCEventConnector.java:483)
      [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]   at com.q1labs.semsources.sources.base.SourceProvider.run(SourceProvider.java:179)
      [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021] com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector: [ERROR] [NOT:0000003000][epIp/- -] [-/- -]Unable to obtain a comparable value for the RECERTIFICATIONLOG table!
      [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021] java.lang.NullPointerException
      [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]   at com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector.preExecuteConfigure(IBMSIMJDBCEventConnector.java:500)
      [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]   at com.q1labs.semsources.sources.base.SourceProvider.run(SourceProvider.java:179)
      [ecs-ec-ingress.ecs-ec-ingress] [DB2//ITIMDB@dbHost Protocol Provider Thread: class com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector2018] com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventSource: [INFO] [NOT:0000006000][epIp/- -] [-/- -]IBMSIMJDBC provider 'class com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector2018' config ok; now trying to run...
      [ecs-ec-ingress.ecs-ec-ingress] [a5a99e1b-3d31-4659-8586-b5dcbbe148c6/SequentialEventDispatcher] com.q1labs.semsources.sources.base.SourceConfigDB: [INFO] [NOT:0000006000][epIp/- -] [-/- -]Updating provider (id = 2018) because its parameters have changed.
      [ecs-ec-ingress.ecs-ec-ingress] [a5a99e1b-3d31-4659-8586-b5dcbbe148c6/SequentialEventDispatcher] com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventSource: [INFO] [NOT:0000006000][epIp/- -] [-/- -]Stopping provider 'class com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector2018'.
      [ecs-ec-ingress.ecs-ec-ingress] [DB2//ITIMDB@dbHost Protocol Provider Thread: class com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector2018] com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector: [INFO] [NOT:0000006000][epIp/- -] [-/- -]disconnected
    31 March 2021
    VULNERABILITY SCANNER IJ30930 QRADAR SCANS ARE CALLING DEPRECATED TENABLE ENDPOINTS OPEN Workaround
    No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

    Issue
    QRadar scans continue to call deprecated Tenable endpoints after updates have been made within the Tenable API. Changes within QRadar scanning are needed so that only the appropriate endpoint fields are being parsed.
    05 March 2021
    APPLICATION FRAMEWORK IJ30953 DRQ DIAGNOSTIC TEST RUNS ON ANY HOST CAPABLE OF RUNNING APPS (CONSOLE OR APPHOST) AND FAILS ON STANDBY HOSTS OPEN Workaround
    No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

    Issue
    The drq diagnostic test for docker runs on any QRadar app capable host (console or App Host). When it runs on a Standby host (High Availability), the drq test fails as docker is inactive on Standby hosts.

    This drq diagnostic test failure on Standby hosts is benign and can be safely ignored.

    Messages similar to the following might be visible when drq is run on Standby hosts:
    [root@hostname-secondary ~]# drq
    DrQ version 1.4.1 (mode(s): checkup, tag(s): , verbosity: summary)
    ------
    Docker Running Check
    Check if Docker is installed and running [FAILURE]
    'docker.service' is not active.
    05 March 2021
    UPGRADE IJ31087 PATCHING FROM A MOUNTED .SFS IN /STORE IS ALLOWED BY QRADAR BUT CAN CAUSE HIGH AVAILABILITY PATCHING TO FAIL OPEN Workaround
    Prior to a patch being run, ensure it is run from a mount of /tmp or /root (or another non High Availability filesystem). If the patching is in progress on an HA configured system from an .sfs mount point of /store and fails, please Contact QRadar Support.

    Issue
    QRadar allows a patch .sfs to be run when it is mounted in the /store partition. If it is run from this location, the patch can fail on High Availability (HA) appliances.
    05 March 2021
    UPGRADE IJ31084 PATCHING TO QRADAR 7.3.3 FP7 CAN FAIL WITH DRACUT RPM DEPENDENCIES OPEN Workaround
    If patches.log contains the messages shown under Issue, remove the required file(s) using the following command from an SSH session to the QRadar Console:
    1. Type the following command:
      yum remove dracut-config-generic
    2. If that states it has no dependencies, then proceed to remove the dracut RPM.
    3. Re-run the patch Installer.

    Issue
    Patching to QRadar 7.3.3 FP7 can fail due to RPM dependencies. Messages similar to the following might be visible in /var/log/setup-#####/patches.log:
    Feb  5 08:22:07 2021: Feb  5 08:22:07 2021:[ERROR](testmode) sql pretest errored, halting.[6/9] Install & Upgrade Packages failed to complete successfully.
    Errors:
    [6/9] Install & Upgrade Packages  upgrading produced:
    Error: Package: dracut-config-generic-033-535.el7.x86_64 (installed)
               Requires: dracut = 033-535.el7
               Removing: dracut-033-535.el7.x86_64 (installed)
                   dracut = 033-535.el7
               Updated By: dracut-033-564.el7.x86_64 (local)
                   dracut = 033-564.el7
    05 March 2021
    UPGRADE IJ31085 GLUSTERFS TO DRBD MIGRATION FAILS WHEN HOSTNAME IS LONGER THAN 54 CHARACTERS OPEN Workaround
    Contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    The glusterfs to DRBD migration fails when the hostname it is being run on is longer than 54 characters.
    05 March 2021
    UPGRADE IJ31074 QRADAR PATCHING PROCESS CAN HANG AT MESSAGE “UPDATING : SYSTEMD-219-78.EL7.X86_64” OPEN Workaround
    Old heap dumps might need to be removed from /store/jheap/<dir> prior to patching.

    If you require any assistance to identify and remove these old heap dumps, Contact QRadar Support.

    Issue
    The QRadar patching process can hang with a message similar to the following being displayed on screen:
    Feb 21 11:53:44 2021: Feb 21 11:53:44 2021: [INFO](patchmode)
    Updating : systemd-219-78.el7.x86_64
    This issue can occur when there are dump files located in
    /store/jheap/ on a QRadar appliance being patched.
    27 March 2021
    UPGRADE IJ31079 ‘[WARNING] ALL APPLICABLE HOSTS HAVE MIGRATED FROM GLUSTERFS TO DRBD. EXITING’ WHEN RUNNING GLUSTERFS TO DRBD MIGRATION TOOL OPEN Workaround
    If you experience issues with the glusterfs_migration_manager, move the report on the Console to another directory location, such as /store/ibm_support. For example:
    1. Log in to the QRadar Console as the root user.
    2. To create a directory, type: mkdir /store/ibm_support
    3. To move the report, type: mv /etc/qradar/ha/glusterfs_migration_report.json /store/ibm_support
    4. Run the glusterfs_migration_manager.py tool again.

      Results
      If you are still facing issues, or require assistance with the workaround, Contact QRadar Support.

    Issue
    Running the glusterfs to DRBD migration in a QRadar Deployment with multiple affected hosts can fail to start again if one appliance fails the migration process.

    A message similar to the following might be visible when this issue occurs:
    [WARNING] All applicable hosts have migrated from GlusterFS to
    DRBD. Exiting.

    This is caused by the logic in glusterfs_migration_manager.py that checks whether all hosts are migrated. The check misfires when the report contains more than one host and the first host in the list has already completed migration.

    The script then calls sys.exit(1), closing out with a message that all migration has completed.
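The failure mode described for IJ31079 is a completeness check that looks at the first host only. The following added example, not QRadar's glusterfs_migration_manager.py, models that check beside a correct one over a constructed migration report. The report layout (a "hosts" list with "hostname" and "migrated" fields) is an assumption for the example; the real glusterfs_migration_report.json schema is not shown on this page.

```python
"""Added illustration for IJ31079: first-host-only completeness check versus
a check over every host in the migration report.

Not QRadar's code. The report schema ("hosts", "hostname", "migrated") and
the host names are constructed for this example.
"""
import json


def all_hosts_migrated_buggy(report: dict) -> bool:
    """Reproduces the described failure mode: only the first entry is inspected,
    so a report whose first host is done looks fully migrated."""
    hosts = report["hosts"]
    return bool(hosts) and bool(hosts[0]["migrated"])


def all_hosts_migrated(report: dict) -> bool:
    """Correct check: every host in the report must be migrated."""
    return all(h["migrated"] for h in report["hosts"])


def pending_hosts(report: dict) -> list:
    """Hosts that still need the GlusterFS to DRBD migration, in report order."""
    return [h["hostname"] for h in report["hosts"] if not h["migrated"]]


def run_check(report_json: str) -> dict:
    """Evaluate both checks on a JSON report and return what each would decide."""
    report = json.loads(report_json)
    return {
        "buggy_says_done": all_hosts_migrated_buggy(report),
        "correct_says_done": all_hosts_migrated(report),
        "pending": pending_hosts(report),
    }


# Constructed sample report: the first host finished, the second failed mid-migration.
SAMPLE_REPORT_JSON = json.dumps({
    "hosts": [
        {"hostname": "ep-primary-01", "migrated": True},
        {"hostname": "ep-primary-02", "migrated": False},
    ]
})


if __name__ == "__main__":
    result = run_check(SAMPLE_REPORT_JSON)
    if result["buggy_says_done"] and not result["correct_says_done"]:
        # This is the state in which the described exit message would be printed
        # even though work remains.
        print("first-host-only check would exit early; still pending:", result["pending"])
```

Moving the report aside, as the workaround above does, removes the already-completed first entry from what the tool reads, which is why the rerun proceeds.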
    27 March 2021
    VULNERABILITY SCANNER IJ31088 QRADAR CAN SOMETIMES CONTINUE TO ATTEMPT TO DOWNLOAD A CERT FOR A SCANNER THAT HAS BEEN REMOVED OPEN Workaround
    From an SSH session to the QRadar Console:
    1. Log in to the QRadar Console as the root user.
    2. Find and modify the file “certificate_catalogue.txt”, remove the bad scanner record, then save the file.

    Issue
    QRadar can sometimes try to download a VA Scanner certificate even if scanner configuration was removed from QRadar. This is due to a cached value written in a temporary file. System Notifications similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    generateNotification: An attempt to download the server
    certificate for [IP:443] to
    [/opt/qradar/conf/trusted_certificates/IP_443.crt] has failed
    05 March 2021
    INDEX MANAGEMENT IJ31090 INDEX MANAGEMENT CAN DISPLAY ZEROS (0) ACROSS ALL COLUMNS WHEN A LARGE TIME RANGE IS CHOSEN OPEN Workaround
    Contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    Index management can show zeros (0) for every column of each index if a large time range is chosen. This occurs when a backend timeout happens due to the large amount of data processed.
    05 March 2021
    SYSTEM SETTINGS IJ31083 GEOGRAPHIC SETTINGS CAN FAIL TO WORK AS EXPECTED WHEN AN INCORRECT USERID AS BEEN INPUT OPEN Workaround
    Verify that the correct UserId data is entered into the field.

    Issue
    Geographic updates can fail in QRadar if incorrect values are input for the UserId text box in the Geographic Settings section of the System Settings page. UserIds provided are only numbers, but a lack of data validation in the UserId field allows users to input any characters.

    When incorrect information for UserId is entered, this can cause the GeoIP.conf file to have bad values in it.
    05 March 2021
    PROTOCOLS IJ31080 EVENTS COMING FROM THE SAME SOURCE CAN SOMETIMES BE PLACED WITH DIFFERENT GOOGLE PUB/SUB LOG SOURCES OPEN Workaround
    No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

    Issue
    An issue with Google Pub/Sub log source auto-detection can occur when it sometimes randomly selects the last character of the regex, “}, and appends it to the Log Source Identifier. When this occurs, events coming from the same source can be placed within different Log Sources.
    05 March 2021
    DEPLOY CHANGES IJ31081 DEPLOY FUNCTION CAN FAIL ON SOME MANAGED HOSTS IF A LEGACY DEPLOYMENT.XML FILE REMAINS IN /STORE/CONFIGSERVICES/DEPLOYED/ OPEN Workaround
    Contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    The QRadar deploy function can fail on some Managed Hosts when there is a legacy deployment.xml file located in /store/configservices/deployed/.

    This deploy failure occurs when ECIngressConfigBuilder verifies if a file exists in the deployed folder, and only if not, then reads the staging folder. On a Managed Host that usually does not have a file in the deployed folder, this can result in deploy issues if a legacy file has been left there. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] com.q1labs.configservices.common.ConfigServicesException: Failed to create EC_Ingress.xml for component eventcollectoringress102.
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at com.q1labs.configservices.config.localset.sem.ECIngressConfigBuilder.buildConfig(ECIngressConfigBuilder.java:130)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at com.q1labs.configservices.config.AbstractComponentConfigBuilder.buildComponentConfig(AbstractComponentConfigBuilder.java:54)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at com.q1labs.configservices.config.localset.component.ComponentTransformerManager.processComponent(ComponentTransformerManager.java:206)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at com.q1labs.configservices.config.localset.component.ComponentTransformerManager.buildConfiguration(ComponentTransformerManager.java:117)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] ...22 more
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] Caused by:
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] java.lang.RuntimeException: Error merging velocity template and context
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at com.q1labs.configservices.config.VelocityFileProducer.createConfigFile(VelocityFileProducer.java:56)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at com.q1labs.configservices.config.localset.sem.ECIngressConfigBuilder.buildConfig(ECIngressConfigBuilder.java:126)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] ...25 more
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] Caused by:
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] org.apache.velocity.exception.MethodInvocationException: Invocation of method 'getEventThreshold' in class com.q1labs.configservices.config.localset.sem.ECIngressConfigBuilder threw exception java.lang.NumberFormatException: null at EC_Ingress.vm[line 498, column 79]
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.runtime.parser.node.ASTMethod.handleInvocationException(ASTMethod.java:243)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMethod.java:187)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:280)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.runtime.parser.node.ASTReference.render(ASTReference.java:369)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.runtime.parser.node.ASTBlock.render(ASTBlock.java:72)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.runtime.parser.node.ASTIfStatement.render(ASTIfStatement.java:87)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:342)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.Template.merge(Template.java:356)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.Template.merge(Template.java:260)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at com.q1labs.configservices.config.VelocityFileProducer.createConfigFile(VelocityFileProducer.java:50)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] ...26 more
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] Caused by:
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] java.lang.NumberFormatException: null
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at java.lang.Long.parseLong(Long.java:564)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at java.lang.Long.parseLong(Long.java:643)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at com.q1labs.configservices.config.localset.sem.ECIngressConfigBuilder.getEPSThreshold(ECIngressConfigBuilder.java:315)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at com.q1labs.configservices.config.localset.sem.ECIngressConfigBuilder.getEventThreshold(ECIngressConfigBuilder.java:307)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at java.lang.reflect.Method.invoke(Method.java:508)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl.doInvoke(UberspectImpl.java:395)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl.invoke(UberspectImpl.java:384)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMethod.java:173)
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] ...34 more
    05 March 2021
    UPGRADE IJ31092 QRADAR PATCHING CAN FAIL DUE TO A FREE SPACE CHECK THAT FAILS OPEN Workaround
    Contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    QRadar patching can fail because of an invalid drq check. This check of /var/log/lastlog is not required and should not cause QRadar patching to fail. Messages similar to the following might be visible when this issue occurs:
    Available Space Checks
      Checks if /var/log has enough space
    
       [FAILURE]
        Not enough space in /var/log: Available Space: 14108 MB - File:
        /var/log/lastlog 99520 MB. This will cause logrotate to fail.
    
       [REMEDIATION]
        Free up space in /var/log. You need at least 99720 MB free.
    05 March 2021
    CONTENT MANAGEMENT TOOL (CMT) IJ30916 HIDDEN CONTROL CHARACTERS CAN CAUSE A CONTENT MANAGEMENT TOOL (CMT) IMPORT TO FAIL OPEN Workaround
    Contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    Performing a Content Management Tool import can fail when there are hidden control characters in the import. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ContentManager.cmt] [root@127.0.0.1:60778
    (ContentManagementCLI)] javax.xml.bind.UnmarshalException
    [ContentManager.cmt] [root@127.0.0.1:60778
    (ContentManagementCLI)] - with linked exception:
    [ContentManager.cmt] [root@127.0.0.1:60778
    (ContentManagementCLI)] [org.xml.sax.SAXParseException: An
    invalid XML character (Unicode: 0x3) was found in the element
    content of the document.]
    05 March 2021
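To find the hidden control characters behind the IJ30916 import failure before running the Content Management Tool import, the following added Python example (not QRadar or CMT code) reports every character that the XML 1.0 specification forbids, with its line and column, and produces a cleaned copy; the export fragment it scans is constructed, and the function names are the example's own.

```python
import re
import xml.etree.ElementTree as ET

# XML 1.0 'Char' production: TAB, LF, CR and the printable ranges. Anything
# outside it (for example 0x3, the END OF TEXT control) is rejected by the
# SAX parser behind the CMT import with "An invalid XML character ... was found".
_INVALID_XML_CHAR = re.compile(
    "[^\x09\x0A\x0D\x20-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]"
)

# Constructed sample in the shape of an export fragment (not a real CMT
# export): a hidden 0x3 control character sits inside an element's text.
SAMPLE_EXPORT = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    "<content>\n"
    "  <rule><name>Suspicious login\x03</name></rule>\n"
    "</content>\n"
)


def find_invalid_xml_chars(text):
    """Return (line, column, codepoint) for every character XML 1.0 forbids.

    Line and column are 1-based so they can be compared with the location
    that a SAXParseException reports.
    """
    hits = []
    for match in _INVALID_XML_CHAR.finditer(text):
        start = match.start()
        line = text.count("\n", 0, start) + 1
        column = start - (text.rfind("\n", 0, start) + 1) + 1
        hits.append((line, column, ord(match.group())))
    return hits


def strip_invalid_xml_chars(text):
    """Return a copy of the export with the forbidden characters removed."""
    return _INVALID_XML_CHAR.sub("", text)


def parses_as_xml(text):
    """True when a standard XML parser (expat) accepts the document."""
    try:
        ET.fromstring(text.encode("utf-8"))
        return True
    except ET.ParseError:
        return False


def check_export_file(path):
    """Scan an export file on disk; same result shape as find_invalid_xml_chars."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_invalid_xml_chars(fh.read())


if __name__ == "__main__":
    for line, column, codepoint in find_invalid_xml_chars(SAMPLE_EXPORT):
        print(f"line {line}, column {column}: invalid XML character 0x{codepoint:X}")
    cleaned = strip_invalid_xml_chars(SAMPLE_EXPORT)
    print("cleaned copy parses:", parses_as_xml(cleaned))
```

Run check_export_file against the extracted export XML before importing; a non-empty result names the exact positions to clean.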
    LOG SOURCES IJ31577 LOG FILE PROTOCOL STOPS PROCESSING ANY FURTHER FILES WHEN AN EMPTY FILE IS READ IN A ZIPPED FILE OPEN Workaround
    • Manually unzip the files, remove the empty files and zip them again.
    • OR
    • If download size is not important (storage free space), there is the option to directly process text files instead of zipped files.

    Issue
    When an empty file is encountered in a zipped file, Log File Protocol stops processing any further files and repeatedly processes the last file that was not empty.

    For example:
    3 files are in a .zip file as file1, file2, and file3, and in this instance file2 is empty. The protocol stops at file2, posts the events from file1 repeatedly, and never reaches file3.
    31 March 2021
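The IJ31577 workaround above (unzip, remove the empty files, zip again) as an added Python example that is not QRadar's own code: it reports which archive members are zero bytes and rebuilds the archive without them, so the check can run before the Log File Protocol picks the file up. The three-file archive is constructed in memory to match the file1/file2/file3 scenario, and the function names are the example's own.

```python
import io
import zipfile


def build_sample_zip():
    """Constructed sample matching the APAR scenario: file2 is empty."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("file1", "event one\nevent two\n")
        zf.writestr("file2", "")
        zf.writestr("file3", "event three\n")
    return buf.getvalue()


def list_members(zip_bytes):
    """Names of the file entries in the archive, in archive order."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist() if not info.is_dir()]


def member_contents(zip_bytes):
    """Mapping of file entry name to its bytes."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {
            info.filename: zf.read(info)
            for info in zf.infolist()
            if not info.is_dir()
        }


def find_empty_members(zip_bytes):
    """Names of zero-byte file entries, i.e. the ones that trigger IJ31577."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [
            info.filename
            for info in zf.infolist()
            if not info.is_dir() and info.file_size == 0
        ]


def rebuild_without_empty(zip_bytes):
    """Return a new archive holding only the non-empty file entries.

    Name, timestamp and compression method are carried over from the source
    entry; directory entries and zero-byte entries are dropped.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.is_dir() or info.file_size == 0:
                continue
            fresh = zipfile.ZipInfo(info.filename, date_time=info.date_time)
            fresh.compress_type = info.compress_type
            dst.writestr(fresh, src.read(info))
    return out.getvalue()


def sanitize_zip_file(src_path, dst_path):
    """Write a cleaned copy of src_path to dst_path; returns the dropped names."""
    with open(src_path, "rb") as fh:
        data = fh.read()
    dropped = find_empty_members(data)
    with open(dst_path, "wb") as fh:
        fh.write(rebuild_without_empty(data))
    return dropped


if __name__ == "__main__":
    sample = build_sample_zip()
    print("empty members:", find_empty_members(sample))
    print("after rebuild:", list_members(rebuild_without_empty(sample)))
```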
    LOG SOURCES IJ31868 “THE FIELD MUST NOT EXCEED 2047 CHARACTERS” MESSAGE CAN BE GENERATED WHEN CONFIGURING A TLS SYSLOG PROTOCOL CERTIFICATE OPEN Workaround
    Close out of the Log Source interface if editing, and then change the allowable character limit using the following command from an SSH session to the QRadar Console:
    psql -U qradar -c "UPDATE sensorprotocolparameter SET maxlength = 4096 WHERE id = 22022 AND name = 'issuerPk';"

    Issue
    The TLS syslog protocol character limit for entering a Root/Intermediate Issuer’s Certificate is set at 2047 and attempting to enter anything longer fails with a message similar to:
    The field must not exceed 2047 characters
    31 March 2021
    DEPLOYMENT IJ31762 RE-ADD OF A MANAGED HOST CAN FAIL DUE TO INCORRECT STATUS OF THE MANAGED HOST IN THE QRADAR DATABASE OPEN Workaround
    From an SSH session to the QRadar console, identify the id number and set the affected Managed Host to “Deleted” in the managedhost database table:
    1. To locate the id of the managed host that failed to add, type:
      psql -U qradar -c "select * from managedhost where hostname like '%hostname%'"

      Note the id value from the query as it is required for the next step.
    2. To set the managed host to deleted by id, type the following command and use the id from the query in step 1:
      psql -U qradar -c "update managedhost set status ='Deleted' where id=xxx"
    3. Attempt the re-add process for the affected Managed Host.

    Issue
    Re-adding a Managed Host can fail when the status of the Managed Host is not correct in the QRadar database. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [hostcontext.hostcontext]
    [8cba150a-4bc7-4405-b12f-03184d6332cf/SequentialEventDispatcher]
    com.q1labs.configservices.capabilities.AddHost: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]host already exists with
    that ip: (ipaddress) with status: ADD_FAILED_CHECK_LOGS
    [hostcontext.hostcontext]
    [8cba150a-4bc7-4405-b12f-03184d6332cf/SequentialEventDispatcher]
    com.q1labs.configservices.capabilities.AddHost: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]Precheck: unable to mark
    host as being added
    [hostcontext.hostcontext]
    [8cba150a-4bc7-4405-b12f-03184d6332cf/SequentialEventDispatcher]
    com.q1labs.configservices.common.ConfigServicesException:
    Precheck: unable to mark host as being added
    [hostcontext.hostcontext]
    [8cba150a-4bc7-4405-b12f-03184d6332cf/SequentialEventDispatcher]
       at
    com.q1labs.configservices.capabilities.AddHost.add(AddHost.java:
    1241)
    [hostcontext.hostcontext]
    [8cba150a-4bc7-4405-b12f-03184d6332cf/SequentialEventDispatcher]
       at
    com.q1labs.configservices.capabilities.AddHost.addManagedHost(Ad
    dHost.java:324)
    [hostcontext.hostcontext]
    [8cba150a-4bc7-4405-b12f-03184d6332cf/SequentialEventDispatcher]
       at
    com.q1labs.hostcontext.core.executor.AddHostExecutor.addManagedH
    ost(AddHostExecutor.java:74)
    31 March 2021
    EMC VMWARE PROTOCOL IJ31531 VCENTER LOG SOURCES USING THE EMCVMWARE PROTOCOL CAN FAIL TO CONNECT DUE TO IPADDRESS IN CONFIGURATION VERSUS A FQDN OPEN Workaround
    No workaround available.

    APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums.

    Issue
    vCenter Log Sources can fail to connect because the single sign-on (SSO) mechanism for vCenter 7.0 accepts only a server's fully qualified domain name (FQDN) in HTTPS requests. As the vCenter Log Source address can only be an IP address, the connection from QRadar to the vCenter server cannot be established.
    31 March 2021
    BACKUP AND RESTORE IJ31100 QRADAR 7.4.X CONFIGURATION RESTORE FAILS DUE TO DUPLICATE ENTRIES IN THE ATTACKER_HISTORY DATABASE TABLE OPEN Workaround
    Contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    Restoring a config backup from QRadar 7.4.x fails due to duplicate entries in attacker_history database table. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [hostcontext.hostcontext] [Thread-355377] ComponentOutput:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
    pg_restore: pg_restore: [archiver (db)] COPY failed for table
    "attacker_history": ERROR: duplicate key value violates unique
    constraint "attacker_history_ipaddress_key"
    [hostcontext.hostcontext] [Thread-355377] ComponentOutput:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
    pg_restore: DETAIL: Key (ipaddress, domain_id)=(ip_address, 1)
    already exists.
    31 March 2021
    AUTHENTICATION IJ31665 ATTEMPTING TO REMOVE A GROUP MAPPING FROM LDAP GROUP BASED AUTHENTICATION CAN FAIL TO WORK AS EXPECTED OPEN Workaround

    Option 1
    When removing a group, and then adding a group, and then clicking save, the process works as expected.

    Option 2
    Disable group based authentication, click save. Then before performing a deploy function, re-enable group mapping and configure it from the beginning.

    If this still does not correct the issue, contact Support for an additional workaround that might address this issue in some instances.

    Issue
    While attempting to remove a group mapping in LDAP group based authentication from a Security role, the group can fail to be removed and is still displayed when navigating back to the configuration settings. For example:
    1. Configure group-based LDAP authentication.
    2. Add a group to the group mapping.
    3. Deploy changes.
    4. Remove a group.

      Result
      No deploy is needed, and if you go back in the configuration settings, the group is again displayed.
    31 March 2021
    ASSETS IJ31924 THE CLEAN VULNERABILITIES FUNCTION DOES NOT WORK AS EXPECTED FOR ASSETS THAT DO NOT HAVE AN IP ADDRESS CONFIGURED OPEN Workaround
    Where possible, use one of the following methods to work around the issue described above:
    • Assign the asset an IP address.
    • OR
    • Delete the vulnerability from the asset UI.
    • OR
    • Delete the asset.
      • For more information, see: working with assets.

    Issue
    When an asset has no IP address assigned to it, the clean vulnerabilities option does not remove the vulnerabilities from the asset. For example:
    1. Have an asset with vulnerabilities and no IP address assigned to it in the Asset tab.
    2. For that asset, select Actions > Clean Vulnerabilities.
    3. Select today's date for remove vulnerabilities and select the scanner.

      Result
      When clean vulnerabilities runs, the vulnerabilities remain listed in the User Interface (UI) and under the asset.
    16 April 2021
    QRADAR NETWORK INSIGHTS (QNI) IJ30903 SOME QRADAR NETWORK INSIGHTS (QNI) APPLIANCES CANNOT BE SET UP TO CONNECT TO QRADAR ON CLOUD (QRoC) ENVIRONMENTS OPEN Workaround
    Contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    Virtual QRadar Network Insights QNI (6500) and 1940/6600 40Gbps appliance types cannot be set up to connect to QRadar On Cloud (QRoC) due to variables within the setup_qradar_host.py script. Messages similar to the following might be visible when this issue occurs:
    Skipping apply VPN action: This host does not support VPN
    actions.
    05 March 2021
    QRADAR PACKET CAPTURE IJ32043 NAPATECH CARD FIRMWARE INSTALLED IN PACKET CAPTURE APPLIANCES CAN BE AT AN OLDER VERSION THAN EXPECTED OPEN Workaround
    Contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    Some Napatech cards that were installed in QRadar Packet Capture appliances have a down-level firmware version (9232-52-13). The Packet Capture software installation does not attempt to detect and upgrade the firmware to the expected version.

    To verify the Napatech firmware version, type the following command from an SSH session to the appliance:
    /opt/napatech3/bin/adapterinfo

    Result
    • FPGA ID: 200-9232-52-13-0000 (down-level firmware version)
    • FPGA ID: 200-9232-53-01-0000 (expected firmware version)
    15 April 2021
    VULNERABILITY SCANNER IJ26097 MAXPATROL VULNERABILITY SCANNER CAN FAIL TO CONNECT TO QRADAR AS IT USES THE DEPRECATED MICROSOFT WINDOWS SMBV1 OPEN Workaround
    No workaround available.

    Issue
    The Positive Technologies MaxPatrol vulnerability scanner can fail to connect to QRadar as expected because it is configured to use the now deprecated Microsoft Windows SMBv1 network protocol.

    This protocol version is no longer installed by default on computer systems running Microsoft Windows.
    15 July 2020
    USER INTERFACE IJ31931 QRADAR RISK MANAGER: AN ‘APPLICATION ERROR’ CAN OCCUR WHEN OPENING THE RISKS TAB IN THE USER INTERFACE DUE TO IPV6 SETTINGS IN A CONFIGURATION FILE OPEN Workaround
    1. Edit the following file using the vi command on the QRadar Risk Manager server appliance:
      /opt/tomcat-rm/conf/server.xml
    2. Remove address="::" from this section of the file:
      <Connector port="18009" address="::"
      enableLookups="false" redirectPort="18443" protocol="AJP/1.3"
      URIEncoding="UTF-8" maxPostSize="67108864"
      secretRequired="false"/> <!-- 67 108 864 = 64 MB -->
    3. Save your changes and exit vi.
    4. Type the following command:
      systemctl restart tomcat-rm

    Issue
    An “Application Error” can be displayed on the Risks tab of the QRadar User Interface if Internet Protocol version 6 is disabled on the QRadar Risk Manager (QRM) server appliance.

    Messages similar to the following might be visible in /var/log/qradar.log on the QRadar Console when this issue occurs:
    [tomcat.tomcat] [admin@127.0.0.1 (6623)
    /console/do/120/networkTopology]
    com.q1labs.srmconsole.util.WSUtil$WebClientProxy: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]Error invoking method
    isTopologyReloading on the appliance; full error details in
    appliance log
    [tomcat.tomcat] [admin@127.0.0.1 (6623)
    /console/do/120/networkTopology]
    com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]An exception occurred
    while processing the request:
    [tomcat.tomcat] [admin@127.0.0.1 (6623)
    /console/do/120/networkTopology]
    com.sun.xml.ws.client.ClientTransportException: The server sent
    HTTP status code 503: Service Unavailable
    Messages similar to the following might be visible in
    logging on the QRM server appliance when this issue
    occurs:
    Mar 26 13:33:28 hostname tomcat-rm[17470]: SEVERE: Failed to
    initialize connector [Connector[AJP/1.3-18009]]
    Mar 26 13:33:28 hostname tomcat-rm[17470]:
    org.apache.catalina.LifecycleException: Protocol handler
    initialization failed
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    org.apache.catalina.connector.Connector.initInternal(Connector.java:1077)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    org.apache.catalina.core.StandardService.initInternal(StandardSe
    rvice.java:552)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    org.apache.catalina.core.StandardServer.initInternal(StandardSer
    ver.java:848)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    org.apache.catalina.startup.Catalina.load(Catalina.java:639)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    org.apache.catalina.startup.Catalina.load(Catalina.java:662)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessor
    Impl.java:90)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
    AccessorImpl.java:55)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    java.lang.reflect.Method.invoke(Method.java:508)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:472)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: Caused by:
    java.net.SocketException: Protocol family unavailable
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    sun.nio.ch.Net.bind0(Native Method)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    sun.nio.ch.Net.bind(Net.java:460)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    sun.nio.ch.Net.bind(Net.java:452)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.
    java:253)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:86)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:221)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoin
    t.java:1118)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJss
    eEndpoint.java:222)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:587)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: at
    org.apache.catalina.connector.Connector.initInternal(Connector.java:1075)
    Mar 26 13:33:28 hostname tomcat-rm[17470]: ... 13 more
    07 April 2021
    WINCOLLECT IJ31843 WINCOLLECT 7.3.0 P1 AGENTS CAN STOP SENDING LOGS WHEN INFORMATION AND WARN EVENT TYPES ARE NOT SELECTED OPEN Workaround
    • Ensure that Information and Warning event types are selected to be sent to QRadar from the WinCollect agent.
      OR
    • Configure Xpath for required Critical and Error logs to be retrieved: https://www.ibm.com/support/pages/how-use-xpath-queries-wincollect-suppress-specific-events

      For example:
      <QueryList>
      <Query Id="0" Path="System">
      <Select Path="System">*[System[(Level=1 or Level=2)]]</Select>
      </Query>
      </QueryList>

    Issue
    WinCollect 7.3.0 P1 agents can stop sending logs to QRadar when Information and Warning event types are not selected. When this issue occurs, affected WinCollect agent hosts can be checked for messages that include “Error code 15001: The specified query is invalid.” after the host agent logs are placed into debug.

    To place a WinCollect agent host into debug, see: https://www.ibm.com/support/pages/node/6404330#localsrv
    Note: Disable debug as soon as possible to prevent log bloat.
    13 April 2021
    WINCOLLECT IJ32028 WINCOLLECT LOG SOURCE MANAGEMENT DISPLAYS MULTIPLE INCORRECT ENTRIES WHEN A MANAGED HOST IS REMOVED AND ADDED BACK OPEN Workaround
    Create a WinCollect destination in the WinCollect UI and configure the WinCollect log sources to use this destination instead: https://www.ibm.com/community/qradar/2019/06/11/wincollect-configure-local-collection-when-installing-agent/

    Issue
    When a Managed Host is removed from a QRadar deployment and then added back with either the same or a new hostname and/or same or different IP address, the database does not get updated correctly.

    When this occurs it creates additional duplicate Target Internal Destination options in the Log Source Management App for WinCollect log sources that can be invalid.
    12 April 2021
    WINCOLLECT IJ31923 STANDALONE WINCOLLECT CAN FAIL TO WORK WHEN USING TCP TLS CONFIGURATION AND A CERTIFICATE SIZE OVER 8000 CHARACTERS OPEN Workaround
    No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums: https://ibm.biz/wincollectforums

    Issue
    Standalone WinCollect fails to receive logs and work as expected when using a TCP TLS configuration and a certificate longer than 8000 characters. When the certificate is too large, Deploy Changes fails to push out the required deploy configuration changes.
    12 April 2021
    SCAN RESULTS IJ32044 QRADAR VULNERABILITY MANAGER (QVM) SCAN STATUS REMAINS AT ‘OUTSIDE OPERATIONAL WINDOW’ AFTER SCAN COMPLETES OPEN Workaround
    Contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    When a scan uses operational windows, the scan status remains at “Outside Operational Window” after the scan completes.

    The asset model is updated, but the user is unable to open the scan results.
    12 April 2021
    SECURITY BULLETIN CVE-2020-2773
    CVE-2020-14797
    CVE-2020-14779
    CVE-2020-14796
    CVE-2020-14803
    CVE-2020-27221
    CVE-2020-14782
    CVE-2020-14781
    MULTIPLE VULNERABILITIES IN IBM JAVA SDK AND IBM JAVA RUNTIME AFFECT IBM QRADAR SIEM CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
    QRadar 7.3.3 Fix Pack 7 Interim Fix 2 (7.3.3.20210330030509)

    Affected versions
    • IBM QRadar 7.3.0 GA to 7.3.3 Patch 7
    • IBM QRadar 7.4.0 GA to 7.4.2 Patch 2
    Issue
    • CVE-2020-2773: An unspecified vulnerability in Java SE related to the Java SE Security component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7
    • CVE-2020-14797: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. CVSS Base score: 3.7
    • CVE-2020-14779: An unspecified vulnerability in Java SE related to the Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7
    • CVE-2020-14796: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. CVSS Base score: 3.1
    • CVE-2020-14803: An unspecified vulnerability in Java SE could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. CVSS Base score: 5.3
    • CVE-2020-27221: Eclipse OpenJ9 is vulnerable to a stack-based buffer overflow when the virtual machine or JNI natives are converting from UTF-8 characters to platform encoding. By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. CVSS Base score: 9.8
    • CVE-2020-14782: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. CVSS Base score: 3.7
    • CVE-2020-14781: An unspecified vulnerability in Java SE related to the JNDI component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. CVSS Base score: 3.7
    12 April 2021
    SECURITY BULLETIN CVE-2021-3156 SUDO AS USED BY IBM QRADAR SIEM IS VULNERABLE TO ARBITRARY CODE EXECUTION CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
    QRadar 7.3.3 Fix Pack 7 Interim Fix 2 (7.3.3.20210330030509)

    Affected versions
    • IBM QRadar 7.3.0 GA to 7.3.3 Patch 7
    • IBM QRadar 7.4.0 GA to 7.4.2 Patch 2
    Issue
    CVE-2021-3156: Sudo is vulnerable to a heap-based buffer overflow, caused by improper bounds checking when parsing command line arguments. By sending an “sudoedit -s” and a command-line argument that ends with a single backslash character, a local attacker could overflow a buffer and execute arbitrary code on the system with root privileges. This vulnerability is also known as Baron Samedit. CVSS Base score: 8.4
    12 April 2021
    DEPLOYMENT IJ32056 RE-ADD OF MANAGED HOST ON QRADAR 7.4.2 FIX PACK 3 HANGS AT “HOST IS BEING ADDED TO THE DEPLOYMENT” AFTER A QCHANGE_NETSETUP COMMAND IS PERFORMED OPEN Workaround
    1. After you have confirmed that the issue described here occurred during the re-add (unable to add managed host: SSH connection or SSH command execution failed), close the QRadar user interface window for the re-add.
    2. Verify in Admin tab > System and License Management that the Managed Host has not been re-added.
    3. After verifying that the Managed Host has not been re-added, attempt the Add Host steps again.

      Results
      A second attempt to add the managed host should complete successfully and Managed Host should be correctly added to the deployment.

    Issue
    When re-adding a Managed Host to a QRadar deployment running 7.4.2 Fix Pack 3 after it has been removed, and qchange_netsetup has been run prior to the re-add attempt, the Managed Host can fail to add and the Add Host process appears in a hung state with a message similar to:
    Host is being added to the deployment.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [hostcontext.hostcontext] [a65729b7-ff60-47c7-bdef-33c4b20063e8/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to add host. Output: 'Done Presence Script', data:'hostcontext is already stopped, no need to stop the service.
    [hostcontext.hostcontext] [a65729b7-ff60-47c7-bdef-33c4b20063e8/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to read output from ssh connection on host 127.0.0.1
    [hostcontext.hostcontext] [a65729b7-ff60-47c7-bdef-33c4b20063e8/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]SSH connection or SSH command execution failed. The ip of the host is: 127.0.0.1
    [hostcontext.hostcontext] [a65729b7-ff60-47c7-bdef-33c4b20063e8/SequentialEventDispatcher] com.q1labs.configservices.hostcontext.core.HostContextServices: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error retrieving message
    [tomcat.tomcat] [Thread-644] com.q1labs.configservices.capabilities.CapabilitiesHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Removing host 127.0.0.1 from the deployment model, if present, due to add_host failure.
    [tomcat.tomcat] [Thread-644] com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]unable to add managed host: SSH connection or SSH command execution failed.
    12 April 2021
    NETWORK CONFIGURATION IJ31239 A CRITICAL ISSUE HAS BEEN IDENTIFIED IN /OPT/QRADAR/BIN/QCHANGE_NETSETUP CLOSED Resolved in
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround
    A flash notice is available for administrators that describes how to confirm information in qradar_netsetup.log before you complete any network changes using the /opt/qradar/bin/qchange_netsetup utility. For more information, see: Important: A critical issue has been identified in /opt/qradar/bin/qchange_netsetup (IJ31239).

    Issue
    QRadar development has identified a defect in the network component /opt/qradar/bin/qchange_netsetup where a hostname issue can cause a critical error, impacting the appliance configuration.
    31 March 2021
    APPLICATION FRAMEWORK IJ25911 QRADAR APPS CAN FAIL TO INSTALL AFTER TOMCAT CLIENT CERTIFICATE(S) ARE RENEWED UNTIL SERVICE RESTARTS OCCUR CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Note: This issue was resolved for QRadar on Cloud administrators in 7.4.1 Fix Pack 2 QRoC Interim Fix 1, which is not available to on-premise users.

    Workaround
    If you are unable to upgrade, administrators can restart the Tomcat and Hostcontext services. Before you complete this procedure, administrators can alert their users that the user interface is unavailable and all users will be required to log back in when Tomcat is restarted. The user interface is unavailable until all required services are running as expected.
    1. Use SSH to log in to the Console as the root user.
    2. Type the following command:
      systemctl restart tomcat
    3. Wait until the service successfully restarts.
    4. Type the following command:
      systemctl restart hostcontext

    For more details on the effects of QRadar service restarts, see:
    • QRadar: Hostcontext service and the impact of a service restart
    • QRadar Core Services and the Impact when Restarted

    Issue
    QRadar Apps can fail to install after Tomcat client certificate(s) are renewed (e.g. tomcat-client-conman or tomcat-client-traefik) until the tomcat and hostcontext services have been successfully restarted.

    Messages similar to the following might be visible in journalctl -u conman when this issue is occurring:
      {host}.com conman-server[23711]: 2020/06/28 21:23:32 http: TLS
      handshake error from 127.0.0.1:47032: tls: failed to verify
      client's certificate: x509: certificate has expired or is not
      yet valid
      {host}.com conman-server[23711]: 2020/06/28 21:23:36 http: TLS
      handshake error from 127.0.0.1:47602: tls: failed to verify
      client's certificate: x509: certificate has expired or is not
      yet valid
    24 March 2021
    UPGRADE IJ30763 QRADAR APPLICATION FRAMEWORK CAN FAIL AFTER PATCHING DUE TO INCORRECT HANDLING OF CASE SENSITIVITY OF HOSTNAMES CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    Contact QRadar Support for a possible workaround that might address this issue in some instances. More information is available for administrators in this technical note: Upgrades can fail for hosts that contain case sensitivity of hostnames (APAR IJ30763).

    Issue
    After performing the QRadar patching process, the QRadar Application Framework can fail due to incorrect handling of the case sensitivity of hostnames.

    When this occurs, QRadar apps fail to load.
    09 February 2021
    SEARCH IJ26117 PERFORMING A FREE TEXT SEARCH IN THE LAST FEW SECONDS OF AN HOUR CAN RETURN PARTIAL RESULTS AND CAUSE INDEX CORRUPTION CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround
    Where possible, do not perform a free text Quick Filter search in the last 5-10 seconds of the hour.

    Issue
    Due to a timing issue (race condition), performing a free text Quick Filter search in the last 5-10 seconds of an hour can sometimes return only partial results and cause corrupted indexes. A message generated in the QRadar User Interface can be similar to:
    Partial results may be returned due to incomplete payload indexes for the specified time range.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    /events/records/aux/1/2020/5/4/13/lucene
    lockFactory=org.apache.lucene.store.NativeFSLockFactory@87bbef33: 
    org.apache.lucene.store.LockObtainFailedException: Lock held
    by this virtual machine:
    /store/ariel/events/records/aux/1/2020/5/4/13/lucene/write.lock
    [ariel.ariel_query_server] [odi_31]    at
    org.apache.lucene.store.SleepingLockWrapper.obtainLock(SleepingL
    ockWrapper.java:102)
    [ariel.ariel_query_server] [odi_31]    at
    org.apache.lucene.index.IndexWriter.(IndexWriter.java:800)
    [ariel.ariel_query_server] [odi_31]    at
    com.q1labs.ariel.liquery.FTSIndexWriter.(FTSIndexWriter.java:34)
    [ariel.ariel_query_server] [odi_31]    at
    com.q1labs.ariel.liquery.FTSIndexWriter_MT.(FTSIndexWriter_MT.java:106)
    [ariel.ariel_query_server] [odi_31]    at
    com.q1labs.ariel.liquery.LuManager.createIndexWriter(LuManager.java:308)
    [ariel.ariel_query_server] [odi_31]    at
    com.q1labs.ariel.liquery.LuIndexer.getODIWriter(LuIndexer.java:412)
    [ariel.ariel_query_server] [odi_31]    at
    com.q1labs.ariel.liquery.LuIndexer.indexDirectory(LuIndexer.java:466)
    [ariel.ariel_query_server] [odi_31]    at
    com.q1labs.ariel.liquery.LuIndexer.indexDirectory(LuIndexer.java:429)
    [ariel.ariel_query_server] [odi_31]    at
    com.q1labs.ariel.liquery.ReaderCache$IndexReaderInfo.reIndexDire
    ctory(ReaderCache.java:156)
    [ariel.ariel_query_server] [odi_31]    at
    com.q1labs.ariel.liquery.ReaderCache$IndexReaderInfo.openDirecto
    ryReader(ReaderCache.java:139)
    [ariel.ariel_query_server] [odi_31]    at
    com.q1labs.ariel.liquery.ReaderCache$IndexReaderInfo.call(ReaderCache.java:187)
    [ariel.ariel_query_server] [odi_31]    at
    com.q1labs.ariel.liquery.ReaderCache$IndexReaderInfo.call(ReaderCache.java:59)
    [ariel.ariel_query_server] [odi_31]    at
    java.util.concurrent.FutureTask.run(FutureTask.java:277)
    [ariel.ariel_query_server] [odi_31]    at
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExec
    utor.java:1160)
    [ariel.ariel_query_server] [odi_31]    at
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    [ariel.ariel_query_server] [odi_31]    at
    java.lang.Thread.run(Thread.java:818)
    [ariel.ariel_query_server] [odi_31] Caused by:
    [ariel.ariel_query_server] [odi_31]
    org.apache.lucene.store.LockObtainFailedException: Lock held by
    this virtual machine:
    /store/ariel/events/records/aux/1/2020/5/4/13/lucene/write.lock
    [ariel.ariel_query_server] [odi_31]    at
    org.apache.lucene.store.NativeFSLockFactory.obtainFSLock(NativeF
    SLockFactory.java:127)
    [ariel.ariel_query_server] [odi_31]    at
    org.apache.lucene.store.FSLockFactory.obtainLock(FSLockFactory.java:41)
    [ariel.ariel_query_server] [odi_31]    at
    org.apache.lucene.store.BaseDirectory.obtainLock(BaseDirectory.java:45)
    [ariel.ariel_query_server] [odi_31]    at
    org.apache.lucene.store.SleepingLockWrapper.obtainLock(SleepingLockWrapper.java:84)
    [ariel.ariel_query_server] [odi_31]    ... 15 more
    12 April 2021
    DASHBOARD IJ24804 ‘AVAILABLE DASHBOARDS’ AND ‘SELECTED DASHBOARDS’ TABLES CAN SOMETIMES BE BLANK WHEN ATTEMPTING TO SHARE DASHBOARDS CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround
    No workaround available.

    Issue
    QRadar users are sometimes unable to share dashboards with other users. When navigating to Admin > User Roles, the two tables “Available Dashboards” and “Selected Dashboards” can be blank.
    12 April 2021
    AMAZON AWS PROTOCOL IJ28708 ALL QRADAR EVENT COLLECTION CAN UNEXPECTEDLY STOP WHEN USING A LOG SOURCE WITH THE AMAZON AWS S3 REST API PROTOCOL CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround
    If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue.

    Issue
    QRadar administrators can sometimes observe that no events are being received or processed by QRadar when a Log Source configured with the Amazon AWS S3 REST API protocol is in use.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ec-ingress.ecs-ec-ingress] [ECS Runtime Thread]
    java.lang.RuntimeException: Error attempting to load
    host.q1labs.lab:ecs-ec-ingress/EC_Ingress/Q1Labs_AmazonAWSREST
    Error : java.lang.NoClassDefFoundError:
    com.amazonaws.auth.AWSCredentialsProvider
    [ecs-ec-ingress.ecs-ec-ingress] [ECS Runtime Thread] Since
    there isn't a configuration error handler defined, the original
    error is wrapped in a new RuntimeException
    [ecs-ec-ingress.ecs-ec-ingress] [ECS Runtime Thread] at
    com.eventgnosis.system.SystemObject.installChildByName(SystemObj
    ect.java:317)
    [ecs-ec-ingress.ecs-ec-ingress] [ECS Runtime Thread] at
    com.eventgnosis.sources.EventSourceListenerManager.doWork(EventS
    ourceListenerManager.java:88)
    [ecs-ec-ingress.ecs-ec-ingress] [ECS Runtime Thread] at
    com.eventgnosis.system.SystemObject$DoWork.doIt(SystemObject.java:876)
    [ecs-ec-ingress.ecs-ec-ingress] [ECS Runtime Thread] at
    com.eventgnosis.system.SystemObject.doForAllMembers(SystemObject
    .java:854)
    12 April 2021
    HIGH AVAILABILITY (HA) IJ26435 HIGH AVAILABILITY APPLIANCE JOIN CAN FAIL WHEN THE /STORE PARTITION ON THE SECONDARY APPLIANCE IS BUSY CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround
    If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue.

    Issue
    When attempting to create a High Availability (HA) pair, the process can fail when the /store partition on the Secondary appliance is unexpectedly in a busy state and unable to be accessed.

    A message similar to the following might be visible in the logs when this issue occurs.

    In qradar_hasetup.log:
    [HA Setup (S-M----)] [ERROR] Failed to start repartitioning on
    the slave host

    In the ha_part_setup.log file:
    mkfs.xfs: cannot open /dev/mapper/storerhel-store: Device or resource busy
    12 April 2021
    BACKUP AND RESTORE IJ30677 DISCREPANCIES IN ARCHIVE DB TABLES CAN CAUSE ISSUES WITH BACKUP AND RESTORE FUNCTION ON FRESH INSTALL VS PATCHED APPLIANCE CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)

    Workaround
    If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue.

    Issue
    Discrepancies in archive database tables can cause issues in the backup and restore function on fresh install versus patched QRadar appliances.

    Messages similar to the following might be visible in qradar logging when this issue occurs:
    ErrorStream pg_restore: pg_restore: [archiver (db)] could not
    execute query: ERROR: column "column name x" of relation
    "column name y" does not exist
    12 April 2021
    PROTOCOLS IJ28166 LOG SOURCES CONFIGURED TO USE THE WINDOWS EVENT LOG RPC PROTOCOL CAN GO INTO ERROR STATE DISPLAYING ‘INTERNAL ERROR’ OPEN Workaround
    No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number. If you have questions about this issue, ask in our Support Forums.

    Issue
    Some log sources that are configured to use the Windows Event Log RPC Protocol can go into “Error” state with an “Internal Error”.

    These instances have been identified as occurring when the protocol requires the jNQ jar file.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
    host [127.0.0.1]] java.lang.ArrayIndexOutOfBoundsException
    [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
    host [127.0.0.1]]   at
    jcifs.util.Encdec.dec_uint32le(Encdec.java:90)
    [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
    host [127.0.0.1]]    at
    ndr.NdrBuffer.dec_ndr_long(NdrBuffer.java:135)
    [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
    host [127.0.0.1]]    at
    ndr.NetworkDataRepresentation.readUnsignedLong(NetworkDataRepres
    entation.java:64)
    [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
    host [127.0.0.1]]    at
    com.q1labs.semsources.sources.windowseventrpc.ndr.util.NetworkDa
    taRepresentationAdapter.readUnsignedLong(NetworkDataRepresentati
    onAdapter.java:34)
    [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
    host [127.0.0.1]] java.lang.NullPointerException
    [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
    host [127.0.0.1]]    at
    com.visuality.nq.client.rpc.Dcerpc.close(Dcerpc.java:901)
    [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
    host [127.0.0.1]]    at
    com.q1labs.semsources.sources.windowseventrpc.eventsource.common
    .EventLogWinRegistry.disconnectRemoteRegistry(EventLogWinRegistr
    y.java:245)
    23 September 2020
    DEPLOYMENT IJ26729 USING QCHANGE_NETSETUP IN NAT’D QRADAR ENVIRONMENTS CAN CAUSE EVENT COLLECTION TO FAIL AFTER A MANAGED HOST IS RE-ADDED OPEN Workaround
    Contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    When re-adding a Managed Host to a deployment after performing a qchange_netsetup to add a public IP (NAT’d), some QRadar components can fail to be remapped or created correctly on the Managed Host. In these instances, the affected QRadar component services have been identified as hostcontext, ecs-ec and ecs-ep. When this issue occurs, event collection can stop working for the affected Managed Hosts, and hosts cannot be connected together in a QRadar deployment successfully (e.g. connecting an Event Collector to an Event Processor, or a Data Node to an Event Processor) due to the missing component services.

    Messages similar to the following might be visible in /var/log/qradar.log on an affected Managed Host when this issue occurs:
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
    com.q1labs.hostcontext.configuration.ConfigChangeObserver:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to
    download and apply new configuration
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
    com.q1labs.hostcontext.exception.HostContextConfigException:
    Unable to properly download and apply new configuration
    ...
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
    Caused by:
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
    com.q1labs.hostcontext.exception.HostContextConfigException:
    Failed to download and process global set
    ..
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
    Caused by:
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
    com.q1labs.hostcontext.exception.HostContextConfigException:
    Failed to build local configuration set
    ...
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
    Caused by:
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
    com.q1labs.hostcontext.exception.HostContextConfigException:
    Failed to build local configuration set
    ...
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
    Caused by:
    ...
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
    Caused by:
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
    com.q1labs.configservices.common.ConfigServicesException:
    unable to transform components
    ...
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
    Caused by:
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
    com.q1labs.configservices.common.ConfigServicesException:
    Failed to create EC_Ingress.xml for component
    eventcollectoringress103.
    ...
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
    Caused by:
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
    java.lang.RuntimeException: Error merging velocity template and
    context
    ...
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
    org.apache.velocity.exception.MethodInvocationException:
    Invocation of method 'getEventThreshold' in  class
    com.q1labs.configservices.config.l
    ocalset.sem.ECIngressConfigBuilder threw exception
    java.lang.NumberFormatException: null at EC_Ingress.vm[line
    498, column 79]
    ...
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
    Caused by:
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
    java.lang.NumberFormatException: null
    ...
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
    com.q1labs.hostcontext.configuration.ConfigChangeObserver:
    [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Setting
    deployment status to Error
    14 December 2020
    PROTOCOL IJ31104 LOG SOURCES CAN FAIL (IBMSIMJDBC, ORACLE, MCAFEE EPO) AFTER INSTALLATION OF PROTOCOL-JDBC-20201123202423.NOARCH.RPM OPEN Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    Some Log Sources (IBMSIMJDBC, Oracle, McAfee EPO) can stop working as expected due to an SQLException that occurs after the Autoupdate installation of the following protocol RPM: PROTOCOL-JDBC-7.4-20201123202423.noarch.rpm

    If these types of Log Sources have stopped working, verify if the Protocol version named above is installed: https://www.ibm.com/support/pages/qradar-using-yum-manually-install-reinstall-or-search-rpm-packages.
    06 March 2021
    WINCOLLECT IJ30911 MICROSOFT EXCHANGE LOG SOURCES CONFIGURED TO USE WINCOLLECT MICROSOFT EXCHANGE PROTOCOL MISS MSGTRKMD(DATE)-*.LOG FILES OPEN Workaround
    No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

    Issue
    Microsoft Exchange Log Sources that are configured using the WinCollect Microsoft Exchange protocol fail to read MSGTRKMD(date)-*.log files (containing DELIVER logs), resulting in those logs not being processed by QRadar. This affects WinCollect v7.3.0 p1.
    10 March 2021
    UPGRADE IJ31253 PATCHING A DETACHED QRADAR APP HOST CAN HANG AT ‘APPLYING PRESQL SCRIPT’ COMMAND DUE TO IMQ CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround
    Administrators who experience an issue where the App Host appliance appears to be hung on ‘Running presqlscripts’ can locate the IMQ PID and force it to exit to complete the App Host appliance upgrade. A support technical note is also available for this issue.

    If you believe you are encountering this issue and would like assistance completing the workaround, contact support.
    1. From an SSH session run the following to find any IMQ PID still running:
      systemctl status imq | grep -i PID
    2. Use GDB to stop IMQ processes still running:
      gdb --batch --eval-command 'call exit(0)' --pid {IMQPID}
    3. The App Host appliance upgrade should now proceed.
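The three steps above, wrapped in a small Python helper so the PID lookup and the gdb call are not retyped by hand during an outage. This is an added example and not IBM-supplied tooling: it assumes the systemd unit is named imq, that `systemctl status imq` prints the usual "Main PID:" line and CGroup tree, and that gdb is installed on the App Host. The sample status text is constructed for illustration.

```python
"""Locate a lingering IMQ process during a hung App Host upgrade (IJ31253)
and force it to exit with gdb. Added example, not IBM code."""
import re
import subprocess
from typing import List

MAIN_PID_RE = re.compile(r"Main PID:\s*(\d+)")
# PIDs listed in the CGroup tree, e.g. "           └─4321 /usr/bin/java ..."
CGROUP_PID_RE = re.compile(r"[├└]─(\d+)\s")

# Constructed sample of `systemctl status imq` for a unit stuck while stopping;
# illustrative only, not captured from a real appliance.
SAMPLE_STATUS = """\
● imq.service - IMQ
   Loaded: loaded (/usr/lib/systemd/system/imq.service; enabled)
   Active: deactivating (stop-sigterm) since Mon 2021-03-01 10:00:00 UTC; 5min ago
 Main PID: 4321 (java)
   CGroup: /system.slice/imq.service
           └─4321 /usr/bin/java -jar imq.jar
"""


def imq_pids_from_status(status_text: str) -> List[int]:
    """Return every PID still attributed to the unit, deduplicated and sorted.
    A 'Main PID' line that reports code=exited/killed describes a process
    that is already gone, so it is ignored rather than attached to."""
    pids = set()
    for line in status_text.splitlines():
        m = MAIN_PID_RE.search(line)
        if m and "code=exited" not in line and "code=killed" not in line:
            pids.add(int(m.group(1)))
        pids.update(int(p) for p in CGROUP_PID_RE.findall(line))
    return sorted(p for p in pids if p > 0)


def gdb_exit_command(pid: int) -> List[str]:
    """Build the gdb invocation from step 2: attach to the PID and call
    exit(0) inside the process so it terminates without a SIGKILL."""
    if pid <= 1:
        raise ValueError("refusing to attach to pid %d" % pid)
    return ["gdb", "--batch", "--eval-command", "call exit(0)", "--pid", str(pid)]


def stop_lingering_imq(run=subprocess.run) -> List[int]:
    """Steps 1 and 2 end to end. Returns the PIDs acted on; an empty list
    means no IMQ process is left and the upgrade should already be moving."""
    # systemctl status exits non-zero for a non-active unit; only stdout matters.
    status = run(["systemctl", "status", "imq"], capture_output=True, text=True).stdout
    pids = imq_pids_from_status(status)
    for pid in pids:
        run(gdb_exit_command(pid), check=True)
    return pids


if __name__ == "__main__":
    print("would act on:", imq_pids_from_status(SAMPLE_STATUS))
```

Run `stop_lingering_imq()` as root only after confirming the upgrade is genuinely stuck at ‘Applying presql script’; the parser returns nothing when the unit shows no live PID, so the gdb step is skipped in that case.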

    Issue
    Applying a patch on a detached QRadar App Host can sometimes hang at applying presql scripts. When the App Host is stuck upgrading, ‘Applying presql script’ is displayed on the command line without progressing and the upgrade cannot continue.

    Administrators can confirm that the App Host upgrade is hung when the command line shows output similar to the following and does not advance:
    [INFO] (-i-patchmode) Runing presql scripts
    Applying presql script (57/57)
    12 April 2021
    REPORTS IJ31245 REPORTS BASED ON AQL CAN RETURN INCORRECT RESULTS COMPARED TO RUNNING THE REPORT ON RAW DATA OPEN Workaround
    Run a daily report on raw data to provide the correct results.

    Issue
    Reports generate properly when run on raw data (the values returned match a Log Activity search), but when the report uses AQL and is run on a daily schedule or manually, the values do not represent a full 24 hours.

    For Example:
    1. Have a simple AQL, such as:
      SELECT UNIQUECOUNT("userName") as 'Unique Usernames Count'
      from events
      GROUP BY 'userName'
      LAST 1 DAYS
    2. Create a daily report by checking all days.

      Results
      Differences are observed in the scheduled report and the raw data or log activity results.
    18 March 2021
    PROTOCOLS IJ30702 UNKNOWN EVENT TYPE FOR LOG SOURCES USING SALESFORCE PROTOCOL CAN CAUSE ‘UNABLE TO RETRIEVE SOME EVENT LOG FILE EVENTS’ OPEN Workaround
    No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

    Issue
    QRadar can experience a Null Pointer Exception when some unknown events are processed by Log Sources using the Salesforce protocol.

    A message similar to the following can be observed in the User Interface when this issue occurs:
    "Unable to retrieve some
    event log file events."
    Also, messages similar to the following might be visible in /var/log/qradar.log:
    [ecs-ec-ingress.ecs-ec-ingress] [Salesforce REST API Provider
    Protocol Provider Thread: class
    com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAP
    IProvider5405]
    com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAP
    IProvider: [WARN] [NOT:0000004000][ipaddress/- -] [-/- -]Null
    Pointer Exception while procesing Event Log File API result
    [ecs-ec-ingress.ecs-ec-ingress] [Salesforce REST API Provider
    Protocol Provider Thread: class
    com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAP
    IProvider5405] java.lang.NullPointerException
    [ecs-ec-ingress.ecs-ec-ingress] [Salesforce REST API Provider
    Protocol Provider Thread: class
    com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAP
    IProvider5405] at java.lang.String.compareTo(String.java:1405)
    [ecs-ec-ingress.ecs-ec-ingress] [Salesforce REST API Provider
    Protocol Provider Thread: class
    com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAP
    IProvider5405] at
    com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAP
    IProvider.processEventLogFileAPIResults(SalesforceRESTAPIProvide
    r.java:464)
    26 February 2021
    QRADAR VULNERABILITY MANAGER IJ28786 RESULTS DISPLAYED ON ‘SCAN RESULTS’ SCREEN DO NOT ACCOUNT FOR ‘PURGE SCAN RESULTS AFTER PERIOD (IN EXECUTION CYCLES)’ SETTING CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)

    Workaround
    No workaround available. APARs identified with no workaround require administrators to upgrade their software version to resolve this issue.

    Issue
    The results displayed on the Scan Results screen do not take into account the value of “Purge Scan Results After Period (In Execution Cycles)”.

    Results of scans that ran before the period set in “Purge Scan Results After Period (In Days)” are not displayed.
    29 January 2021
    LOG ACTIVITY / SEARCH IJ29703 REAL TIME EVENT STREAMING CAN SOMETIMES FAIL TO DISPLAY WHILE EVENTS ARE STILL BEING RECEIVED BY QRADAR CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)

    Workaround

    If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

    Issue
    In some instances, real time streaming can fail to display while events are still being received by QRadar. This can occur when the custom properties exceed the default spillover cache size configured by CustomPropertyCache.spillover.threshold and the cache begins spilling to disk.

    Events remain viewable in QRadar while this is occurring, but other behavior can be observed indicating that this issue is being experienced:
    • Missing properties from the drop down menus.
    • Missing reference data sets.
    • Broken accumulation.
    • Searches fail to work.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [localhost-startStop-1]
    com.q1labs.cve.accumulation.definition.GlobalViewConfiguration:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error reading
    custom properities.
    [tomcat.tomcat] [localhost-startStop-1]
    com.q1labs.frameworks.cache.SpilloverCacheException: Error
    reading object from buffer
    [tomcat.tomcat] [localhost-startStop-1]    at
    com.q1labs.frameworks.cache.GenericSerializer.objectFromByteBuff
    er(GenericSerializer.java:49)
    [tomcat.tomcat] [localhost-startStop-1]    at
    com.q1labs.frameworks.cache.GenericSerializer.get(GenericSeriali
    zer.java:83)
    [tomcat.tomcat] [localhost-startStop-1]    at
    com.q1labs.frameworks.cache.GenericSerializer.get(GenericSeriali
    zer.java:17)
    [tomcat.tomcat] [localhost-startStop-1]    at
    com.q1labs.frameworks.cache.chainentry.InsertionChainEntry.deser
    ialize(InsertionChainEntry.java:69)
    [tomcat.tomcat] [localhost-startStop-1]    at
    com.q1labs.frameworks.cache.chainentry.ChainEntry.read(ChainEntr
    y.java:60)
    [tomcat.tomcat] [localhost-startStop-1]    at
    com.q1labs.frameworks.cache.ChainAppendCache.readChainEntry(Chai
    nAppendCache.java:1362)
    [tomcat.tomcat] [localhost-startStop-1]    at
    com.q1labs.frameworks.cache.ChainAppendCache.findOnDisk(ChainApp
    endCache.java:1213)
    [tomcat.tomcat] [localhost-startStop-1]    at
    com.q1labs.frameworks.cache.ChainAppendCache.needsDiskUpdate(Cha
    inAppendCache.java:407)
    [tomcat.tomcat] [localhost-startStop-1]    at
    com.q1labs.frameworks.cache.ChainAppendCache.access$100(ChainApp
    endCache.java:55)
    [tomcat.tomcat] [localhost-startStop-1]    at
    com.q1labs.frameworks.cache.ChainAppendCache$ChainAppendCacheMem
    oryMap.removeEldestEntry(ChainAppendCache.java:298)
    [tomcat.tomcat] [localhost-startStop-1]    at
    java.util.LinkedHashMap.afterNodeInsertion(LinkedHashMap.java:310)
    [tomcat.tomcat] [localhost-startStop-1]    at
    java.util.HashMap.putVal(HashMap.java:675)
    [tomcat.tomcat] [localhost-startStop-1]    at
    java.util.HashMap.put(HashMap.java:623)
    [tomcat.tomcat] [localhost-startStop-1]    at
    com.q1labs.frameworks.cache.ChainAppendCache.put(ChainAppendCach
    e.java:1128)
    [tomcat.tomcat] [localhost-startStop-1]    at
    com.q1labs.core.shared.ariel.CustomPropertyServices.constructAnd
    CacheProperty(CustomPropertyServices.java:410)
    [tomcat.tomcat] [localhost-startStop-1]    at
    com.q1labs.core.shared.ariel.CustomPropertyServices.loadCustomPr
    operty(CustomPropertyServices.java:539)
    [tomcat.tomcat] [localhost-startStop-1]    at
    com.q1labs.core.shared.ariel.CustomPropertyServices.getCustomPro
    pertyNoCache(CustomPropertyServices.java:77)
    [tomcat.tomcat] [localhost-startStop-1]    at
    com.q1labs.cve.accumulation.definition.GlobalViewConfiguration.t
    estCustomEventProperties(GlobalViewConfiguration.java:559)
    [tomcat.tomcat] [localhost-startStop-1]    at
    com.q1labs.cve.accumulation.definition.GlobalViewConfiguration.r
    ead(GlobalViewConfiguration.java:513)
    [tomcat.tomcat] [localhost-startStop-1]    at
    com.q1labs.cve.accumulation.definition.GlobalViewConfiguration.l
    oad(GlobalViewConfiguration.java:593)
    [tomcat.tomcat] [localhost-startStop-1]    at
    com.q1labs.cve.accumulation.definition.GlobalViewConfiguration.l
    oad(GlobalViewConfiguration.java:210)
    [tomcat.tomcat] [localhost-startStop-1]    at
    com.q1labs.cve.accumulation.definition.GlobalViewsManager.{init}
    (GlobalViewsManager.java:102)
    [tomcat.tomcat] [localhost-startStop-1]    at
    com.q1labs.cve.accumulation.definition.GlobalViewsManager.getIns
    tance(GlobalViewsManager.java:141)
    [tomcat.tomcat] [localhost-startStop-1]    at
    com.q1labs.reporting.ReportServices.loadTemplates(ReportServices
    .java:683)
    [tomcat.tomcat] [localhost-startStop-1]    at
    com.q1labs.reporting.ReportServices.onInit(ReportServices.java:279)
    [tomcat.tomcat] [localhost-startStop-1]    at
    com.q1labs.frameworks.naming.FrameworksNaming.initializeNewCompo
    nent(FrameworksNaming.java:916)
    [tomcat.tomcat] [localhost-startStop-1]    at
    com.q1labs.frameworks.naming.FrameworksNaming.getApplicationScop
    edComponent(FrameworksNaming.java:897)
    [tomcat.tomcat] [localhost-startStop-1]    at
    com.q1labs.frameworks.core.FrameworksContext.getSingletonInstanc
    e(FrameworksContext.java:1369)
    [tomcat.tomcat] [localhost-startStop-1]    at
    com.q1labs.reports.ui.ReportsApplication.{init}(ReportsApplicati
    on.java:47)
    [tomcat.tomcat] [localhost-startStop-1]    at
    sun.reflect.NativeConstructorAccessorImpl.newInstance0(NativeMethod)
    [tomcat.tomcat] [localhost-startStop-1]    at
    sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeCons
    tructorAccessorImpl.java:83)
    [tomcat.tomcat] [localhost-startStop-1]    at
    sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Delega
    tingConstructorAccessorImpl.java:57)
    [tomcat.tomcat] [localhost-startStop-1]    at
    java.lang.reflect.Constructor.newInstance(Constructor.java:437)
    [tomcat.tomcat] [localhost-startStop-1]    at
    com.q1labs.uiframeworks.listener.FrameworksLifeCycle.contextInit
    ialized(FrameworksLifeCycle.java:364)
    [tomcat.tomcat] [localhost-startStop-1]    at
    org.apache.catalina.core.StandardContext.listenerStart(StandardC
    ontext.java:4689)
    [tomcat.tomcat] [localhost-startStop-1]    at
    org.apache.catalina.core.StandardContext.startInternal(StandardC
    ontext.java:5155)
    [tomcat.tomcat] [localhost-startStop-1]    at
    org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    [tomcat.tomcat] [localhost-startStop-1]    at
    org.apache.catalina.core.ContainerBase.addChildInternal(Containe
    rBase.java:743)
    [tomcat.tomcat] [localhost-startStop-1]    at
    org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:719)
    [tomcat.tomcat] [localhost-startStop-1]    at
    org.apache.catalina.core.StandardHost.addChild(StandardHost.java:705)
    [tomcat.tomcat] [localhost-startStop-1]    at
    org.apache.catalina.startup.HostConfig.deployDirectory(HostConfi
    g.java:1125)
    [tomcat.tomcat] [localhost-startStop-1]    at
    org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostC
    onfig.java:1858)
    [tomcat.tomcat] [localhost-startStop-1]    at
    java.util.concurrent.Executors$RunnableAdapter.call(Executors.ja
    va:522)
    [tomcat.tomcat] [localhost-startStop-1]    at
    java.util.concurrent.FutureTask.run(FutureTask.java:277)
    [tomcat.tomcat] [localhost-startStop-1]    at
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExec
    utor.java:1160)
    [tomcat.tomcat] [localhost-startStop-1]    at
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExe
    cutor.java:635)
    [tomcat.tomcat] [localhost-startStop-1]    at
    java.lang.Thread.run(Thread.java:822)
    [tomcat.tomcat] [localhost-startStop-1] Caused by:
    [tomcat.tomcat] [localhost-startStop-1] java.io.IOException:
    Not enough buffer to read object from.
    [tomcat.tomcat] [localhost-startStop-1]    at
    com.q1labs.frameworks.cache.GenericSerializer.objectFromByteBuff
    er(GenericSerializer.java:37)
    [tomcat.tomcat] [localhost-startStop-1]    ... 46 more
    29 January 2021
    UPGRADE IJ29511 QRADAR PATCHING PROCESS FAILS WHEN A DUPLICATE IP '0.0.0.0' EXISTS IN THE ATTACKER DATABASE TABLE CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)

    Workaround

    If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

    Issue
    Patching to QRadar 7.4.x fails when there is a duplicate IP "0.0.0.0" in the attacker database table as the patch process is unable to create a proper index due to the duplication in attacker address.
    29 January 2021
    FORWARDED EVENTS IJ29516 ONLINE FORWARDER CAN STOP SENDING EVENTS DUE TO A NULLPOINTEREXCEPTION WHEN SENDING TOO MANY EVENTS CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround

    • Use the offline forwarder option instead of online as it does not experience this issue.
      OR
    • Decrease the "default inactivity timeout" to be 2000 milliseconds (example below) or 1000 milliseconds instead of the default 3000 value.

      This can be done by modifying the /opt/qradar/conf/frameworks.properties on the QRadar Console to add or update the following property:
      selectiveforwarding.communicator.inactivity=2000
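The workaround is an add-or-update of one key in a Java-style properties file. The helper below does that idempotently with a backup, so a second run does not leave two definitions of selectiveforwarding.communicator.inactivity in the file. It is an added example and not IBM code; it assumes the file is /opt/qradar/conf/frameworks.properties on the Console, that it is edited as root, and that values are plain milliseconds. Which QRadar services must be restarted for the new value to take effect is not stated on this page.

```python
"""Add or update one key in a .properties file, keeping a backup.
Added example for the IJ29516 workaround; not IBM code."""
import re
import shutil
from pathlib import Path
from typing import Optional

PROPERTIES_FILE = "/opt/qradar/conf/frameworks.properties"
KEY = "selectiveforwarding.communicator.inactivity"


def _key_line_re(key: str) -> "re.Pattern[str]":
    # Match "key=value" or "key: value" with optional whitespace. re.escape keeps
    # the dots literal so KEY does not also match "KEY.something".
    return re.compile(r"^\s*" + re.escape(key) + r"\s*[=:]\s*(.*?)\s*$")


def get_property(text: str, key: str) -> Optional[str]:
    """Return the first active (non-commented) value for key, or None."""
    pat = _key_line_re(key)
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            return m.group(1)
    return None


def set_property(text: str, key: str, value: str) -> str:
    """Return text with exactly one active `key=value` line: the first existing
    definition is rewritten in place, later duplicates are dropped, and the line
    is appended when the key is absent. Comments and other keys are untouched."""
    pat = _key_line_re(key)
    out, done = [], False
    for line in text.splitlines():
        if pat.match(line):
            if not done:
                out.append(f"{key}={value}")
                done = True
            continue  # drop a duplicate definition so only one value is active
        out.append(line)
    if not done:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def validate_inactivity_ms(value: str) -> int:
    """The workaround suggests 2000 or 1000 ms instead of the default 3000.
    Reject anything that is not a positive integer before it reaches the file."""
    if not value.isdigit() or int(value) <= 0:
        raise ValueError(f"inactivity timeout must be a positive integer of ms, got {value!r}")
    return int(value)


def update_properties_file(path: str, key: str, value: str) -> str:
    """Rewrite the file with the property set, saving a .bak copy first.
    Returns the backup path, or '' when the file did not exist yet."""
    p = Path(path)
    backup, original = "", ""
    if p.exists():
        backup = str(p) + ".bak"
        shutil.copy2(p, backup)
        original = p.read_text()
    p.write_text(set_property(original, key, value))
    return backup


if __name__ == "__main__":
    validate_inactivity_ms("2000")
    print("backup written to:", update_properties_file(PROPERTIES_FILE, KEY, "2000"))
```

After running it, `grep selectiveforwarding.communicator.inactivity /opt/qradar/conf/frameworks.properties` should show exactly one line; the .bak copy lets you revert if forwarding behaviour changes unexpectedly.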

    Issue
    When using the Online Forwarder in QRadar and configured with UDP protocol, a NullPointerException can occur causing the forwarding to stop when there are too many events being sent. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ec.ecs-ec] [SFCT_67] java.lang.NullPointerException
    [ecs-ec.ecs-ec] [SFCT_67] at
    com.q1labs.sem.forwarding.network.ForwardingUDPConnector.send(Fo
    rwardingUDPConnector.java:93)
    [ecs-ec.ecs-ec] [SFCT_67] at
    com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicat
    orThread.process(SelectiveForwardingCommunicatorThread.java:289)
    [ecs-ec.ecs-ec] [SFCT_67] at
    com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicat
    orThread.run(SelectiveForwardingCommunicatorThread.java:169)
    29 January 2021
    QFLOW IJ29315 QFLOW SERVICE CAN STOP PROCESSING FLOWS AND SWAP MEMORY USAGE CONTINUALLY GROWS UNTIL THE SERVICE IS RESTARTED CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround

    A technical note with a support utility is available for this issue to assist administrators. For more information about the SwapMonitor utility for APAR IJ29315, see: https://www.ibm.com/support/pages/node/6370705.

    Issue
    The QRadar qflow process can stop receiving and processing flows from some flow sources causing the received packet count to drop and the qflow swap memory to start growing continually until the qflow service is restarted.

    Memory fixes were implemented to address this behavior in QRadar QRM QVM release 7.4.1 Fix Pack 1, but the behavior can still occur until an upgrade to QRadar 7.4.2 Fix Pack 2 is completed.
    29 January 2021
    SERVICES IJ28752 THE QRADAR PIPELINE CAN STOP RECEIVING ALL EVENTS DUE TO A STRINGINDEXOUTOFBOUNDSEXCEPTION OCCURRING CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround

    Perform a restart of the ecs-ingress service.
    1. On the navigation menu, click the Admin tab.
    2. On the Advanced menu, click Restart Event Collection Services. Event collection is briefly interrupted on all appliances while the service restarts.

    Issue
    In some instances, the QRadar pipeline can stop receiving all events when a StringIndexOutOfBoundsException occurs. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread]
    java.lang.StringIndexOutOfBoundsException: String index out of
    range: 43
    [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at
    java.lang.String.substring(String.java:2682)
    [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at
    com.q1labs.sem.types.SyslogSourcePayload.parseLine(SyslogSourceP
    ayload.java:196)
    [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at
    com.q1labs.sem.types.SyslogSourcePayload.getSourceName(SyslogSou
    rcePayload.java:159)
    [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at
    com.q1labs.sem.types.SourcePayloadBase.put(SourcePayloadBase.jav
    a:331)
    [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at
    com.q1labs.sem.types.SyslogSourcePayload.put(SyslogSourcePayload
    .java:412)
    29 January 2021
    RULES / AQL IJ28798 'THERE WAS A PROBLEM PARSING THE AQL QUERY. INVALID ESCAPE SEQUENCES DETECTED' WHEN " \ " IS USED IN AQL RULE FILTER CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)

    Workaround

    Use an underscore character instead of a backslash character. For the example in the Issue section, this becomes: "Process Commandline" ILIKE '%C:_Program Files%'

    Issue
    When editing or creating a rule that references a file path or filename that contains a backslash character " \ " in the AQL rule filter, a parsing error similar to the following can be displayed:
    There was a problem parsing the AQL query. Invalid escape sequences detected.

    For example:
    • Edit or create a rule.
    • In the condition for the AQL Filter, click this to add an AQL query.
    • In the text field, type "Process Commandline" ILIKE '%C:\Program Files%'.
    • Attempt to save the rule change.

      Result
      The query fails to save and displays the error: There was a problem parsing the AQL query. Invalid escape sequences detected.
    29 January 2021
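    The workaround above relies on `_` being the LIKE single-character wildcard, so the underscore pattern matches any one character in that position, not only a backslash. The following is an added example, not QRadar code (the AQL engine's own matcher is not shown on this page): it translates a LIKE/ILIKE pattern into a regular expression and runs both the backslash form and the underscore form over constructed command-line values, so a rule author can see exactly which extra strings the workaround pattern accepts.

```python
import re


def like_to_regex(pattern: str) -> "re.Pattern":
    """Translate a SQL LIKE/ILIKE pattern into an anchored, case-insensitive regex.

    '%' matches any run of characters, '_' matches exactly one character and
    everything else is matched literally.  No escape character is handled,
    which mirrors the page's workaround of avoiding backslashes entirely.
    """
    out = []
    for ch in pattern:
        if ch == "%":
            out.append(".*")
        elif ch == "_":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE | re.DOTALL)


def ilike(value: str, pattern: str) -> bool:
    """Case-insensitive LIKE match of `value` against `pattern`."""
    return like_to_regex(pattern).match(value) is not None


# Constructed sample "Process Commandline" values (assumptions, not data from the page).
SAMPLES = [
    r"C:\Program Files\Vendor\agent.exe --quiet",   # the intended match
    r"c:\program files\Vendor\agent.exe",           # same path, different case
    "C:/Program Files/Vendor/agent.exe",            # forward slash instead of backslash
    r"C:\ProgramData\Vendor\agent.exe",             # different directory, must not match
    "C:XProgram Files",                             # any single character after 'C:' satisfies '_'
]


def matches_for(pattern: str) -> list:
    """Return the sample values that the given LIKE pattern accepts, in input order."""
    return [s for s in SAMPLES if ilike(s, pattern)]
```

    The underscore pattern from the workaround accepts the forward-slash and single-character variants as well as the backslash path; whether that widening is acceptable depends on what the rule is meant to catch.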
    RULE RESPONSE IJ25315 EMAILS FROM RULE RESPONSES CAN FAIL AND NOT BE SENT PROPERLY CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround

    As a temporary workaround, you can change the smtp_host_lookup value from "dns" to "dns,native" in the /etc/postfix/main.cf file by running the following command from the CLI on the host(s) where the email server is configured:
    sed -i "s/smtp_host_lookup = dns/smtp_host_lookup = dns,native/g" /etc/postfix/main.cf
    You also need to change the script /opt/ibm/si/si-postfix/bin/configure-postfix.sh so that the postfix service does not reset the configuration, by running this command:
    sed -i "s/'tls|sasl|smtp' |/'tls|sasl|smtp' | grep -v smtp_host_lookup |/g" /opt/ibm/si/si-postfix/bin/configure-postfix.sh


    Issue
    Due to the new SMTP changes in QRadar v7.4.0, where the relay host is changed to localhost, the SMTP host lookup configuration is overwritten, causing emails to not be sent properly. This can prevent emails generated by features such as rule responses from being sent.

    To identify the issue, use the grep command to check whether the error is present in the mail log:
    grep -A1 "relayhost configuration problem" /var/log/maillog

    The following errors can be seen in the /var/log/maillog file when this issue occurs:
    May 29 10:17:37 postfix/smtp[1446]: warning: relayhost configuration problem
    May 29 10:17:37 postfix/smtp[1448]: 31145B59: to=, relay=none, delay=435, delays=395/0.03/40/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=localhost type=AAAA: Host not found)
    29 January 2021
    SERVICES IJ22145 NEWLY CREATED QRADAR OUT OF MEMORY JAVA HEAP DUMPS DO NOT OVERWRITE PREVIOUSLY EXISTING ONES IN /STORE/JHEAP CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    No workaround available. APARs identified with no workaround require administrators to upgrade their software version to resolve this issue.

    Issue
    Newly created QRadar "out of memory" java heap dumps do not overwrite older/existing heap dumps found in /store/jheap. This issue can cause an accumulation of unneeded files and file space consumed in /store/jheap on QRadar appliances.
    29 January 2021
    APPLICATIONS / USER INTERFACE IJ28638 SOME QRADAR APPS CAN DISPLAY AS A PAGE WITH RANDOM TEXT WHEN A HOSTNAME BEGINS WITH 'CONSOLE' CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)

    Workaround
    No workaround available.

    APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums.

    Issue
    Attempting to load some QRadar apps within the user interface can instead display a page of random text. This has been identified as being caused by an error within the QRadar app framework when a hostname in the deployment begins with 'console'.

    Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
    [tomcat.tomcat] (474) /console/plugins/1301/app_proxy/] com.q1labs.uiframeworks.application.servlet.ContainerServlet: [ERROR] Unable to generate xConsoleHostHeader
    [tomcat.tomcat] (474) /console/plugins/1301/app_proxy/] java.lang.StringIndexOutOfBoundsException: String index out of range: 8
    [tomcat.tomcat] (474) /console/plugins/1301/app_proxy/]    at java.lang.String.substring(String.java:2682)
    [tomcat.tomcat] (474) /console/plugins/1301/app_proxy/]    at com.q1labs.uiframeworks.application.servlet.ContainerServlet.createConnection(ContainerServlet.java:382)
    [tomcat.tomcat] (474) /console/plugins/1301/app_proxy/]    at com.q1labs.uiframeworks.application.servlet.ContainerServlet.service(ContainerServlet.java:129)
    29 January 2021
    APPLICATIONS / HIGH AVAILABILITY IJ21232 QRADAR APPS CAN FAIL TO LOAD AFTER A HIGH AVAILABILITY (HA) FAILOVER DUE TO SHARED SERVICE (VAULT) NOT WORKING AS EXPECTED CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround
    No workaround available.

    Issue
    It has been identified that QRadar-defined users can have a different uid (user ID) and gid (group ID) for the same username on different systems, resulting in shared services (vault) on High Availability (HA) failing to start after an HA failover occurs.
    29 January 2021
    DOMAIN MANAGEMENT IJ28496 ATTACKER DATA FROM ANOTHER DOMAIN CAN BE VIEWED BY USERS NOT AUTHORIZED FOR THAT DOMAIN CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround
    If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    Users that are assigned rights to a specific domain can see attacker information from a domain they have not been assigned to in multi-domain QRadar environments.

    For example:
    When viewing the top source dashboard targets, attacker data from a different domain can be observed.
    29 January 2021
    QRADAR VULNERABILITY MANAGER IJ28480 VULNERABILITY DETAILS SCREEN DISPLAYS ASSETS ON WHICH THE VULNERABILITY HAS BEEN REMEDIATED CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround
    No workaround available.

    APARs identified with no workaround require administrators to upgrade their software version to resolve this issue.

    Issue
    When a vulnerability is selected to view the details, the Vulnerability Details screen displays assets on which the vulnerability has been remediated.
    For example:
    1. Run a scan against an asset and make a note of a vulnerability.
    2. Search for the vulnerability on the Research screen, then click on the vulnerability. The asset is displayed on the Vulnerability Details screen.
    3. Remediate the vulnerability on the asset.
    4. Run the scan again.
    5. Search for the vulnerability on the Research screen, then click on the vulnerability.

      Result
      The asset is still displayed on the Vulnerability Details screen.
    29 January 2021
    QRADAR VULNERABILITY MANAGER IJ28757 ASSET VULNERABILITY ASSIGNMENTS CAN FAIL TO WORK AS EXPECTED DUE TO AN INCORRECT JAR REFERENCE CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround

    The classpath in the script needs to reference an updated version of the icu4j jar file.
    1. Use SSH to log in to the QRadar Console as the root user.
    2. Navigate to /opt/qvm/assetupdates/
    3. Update the classpath setting in the following script: run-qvm-assetupdates.sh
    4. Update the line:
      APP_CP=${APP_CP}:${QRADAR_JARS}/icu4j-58.2.jar
      with
      APP_CP=${APP_CP}:${QRADAR_JARS}/icu4j-65.1.jar
    5. Save the changes.
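    As an added example, not a script from this page or from IBM, the Python below applies step 4 as a guarded edit: it refuses unless icu4j-65.1.jar actually exists in the jar directory (otherwise the change only moves the NoClassDefFoundError), changes only the exact APP_CP line, backs up the script first, and is safe to re-run. The function names and the temporary directory with a constructed copy of the script used by demo() are assumptions for illustration; on an appliance you would point update_script at /opt/qvm/assetupdates/run-qvm-assetupdates.sh and the real QRADAR_JARS directory.

```python
import re
import shutil
import tempfile
from pathlib import Path

OLD_JAR = "icu4j-58.2.jar"
NEW_JAR = "icu4j-65.1.jar"

# Matches only the APP_CP line named in step 4, anchored on ${APP_CP} and ${QRADAR_JARS}.
LINE_RE = re.compile(
    r"^([ \t]*APP_CP=\$\{APP_CP\}:\$\{QRADAR_JARS\}/)" + re.escape(OLD_JAR) + r"([ \t]*)$",
    re.MULTILINE,
)


def rewrite_classpath(text: str):
    """Return (new_text, replacements); only the exact APP_CP line is rewritten."""
    return LINE_RE.subn(lambda m: m.group(1) + NEW_JAR + m.group(2), text)


def update_script(script: Path, jars_dir: Path) -> int:
    """Apply the page's step 4 to `script`, with guards and a backup.

    Raises when the replacement jar is absent from jars_dir or when the old
    line is not found exactly once.  Returns the number of lines changed
    (0 when the script already references the new jar).
    """
    if not (jars_dir / NEW_JAR).is_file():
        raise FileNotFoundError(f"{NEW_JAR} not present in {jars_dir}; not editing {script}")
    original = script.read_text()
    new_text, n = rewrite_classpath(original)
    if n == 0:
        if NEW_JAR in original:
            return 0  # already on the fixed jar; nothing to do
        raise ValueError(f"APP_CP line referencing {OLD_JAR} not found in {script}")
    if n > 1:
        raise ValueError(f"{n} matching lines in {script}; refusing ambiguous edit")
    shutil.copy2(script, script.with_suffix(script.suffix + ".bak"))  # keep a restore point
    script.write_text(new_text)
    return n


def demo() -> dict:
    """Run the edit against a constructed copy of the script in a temporary directory."""
    work = Path(tempfile.mkdtemp())
    jars = work / "jars"
    jars.mkdir()
    (jars / NEW_JAR).write_bytes(b"")  # empty stand-in for the real jar (constructed)
    script = work / "run-qvm-assetupdates.sh"
    script.write_text(
        "#!/bin/bash\n"
        "APP_CP=${APP_CP}:${QRADAR_JARS}/other.jar\n"  # unrelated entry, must stay untouched
        "APP_CP=${APP_CP}:${QRADAR_JARS}/icu4j-58.2.jar\n"
    )
    first = update_script(script, jars)
    text = script.read_text()
    second = update_script(script, jars)  # idempotent re-run
    return {
        "first_run": first,
        "second_run": second,
        "other_jar_kept": "other.jar" in text,
        "old_jar_gone": OLD_JAR not in text,
        "new_jar_present": NEW_JAR in text,
        "backup_exists": script.with_suffix(".sh.bak").exists(),
    }
```

    The existence check matters because the page's crontab symptom is a ClassNotFoundException: pointing the classpath at a jar that is not installed would produce the same failure under a different name.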


    Issue
    Asset vulnerability assignment updates can fail to work as expected when an incorrect jar file is used within QRadar (icu4j-58.2.jar instead of icu4j-65.1.jar).

    The crontab entry on the QRadar Console that runs the script /opt/qvm/assetupdates/run-qvm-assetupdates.sh fails with a "class not found" error, but the error is only visible when the command is run on the command line. For example:
    # /opt/qvm/assetupdates/run-qvm-assetupdates.sh
    The following error is displayed:
    09:07:19,962 INFO  [FrameworksContext] [NOT:0000006000][127.0.0.1/- -] [-/- -]Initializing resource loggers: [Lcom.q1labs.frameworks.core.IFrameworksContext$ResourceLogger;@41bb258b
    09:07:19,968 INFO  [FrameworksContext] [NOT:0000006000][127.0.0.1/- -] [-/- -]Frameworks instance name:
    09:07:19,968 INFO  [FrameworksContext] [NOT:0000006000][127.0.0.1/- -] [-/- -]Initializing with URL: file:/opt/qradar/conf/
    09:07:19,968 INFO  [FrameworksContext] [NOT:0000006000][127.0.0.1/- -] [-/- -]Frameworks booting - logging, loader complete
    09:07:19,969 INFO  [FrameworksContext] [NOT:0000006000][127.0.0.1/- -] [-/- -]Loading frameworks.properties
    09:07:20,244 INFO  [NamedThreadFactory] [NOT:0000006000][127.0.0.1/- -] [-/- -]Thread factory created: Spillover Cache Vacuum
    09:07:20,256 INFO  [FrameworksContext] [NOT:0000006000][127.0.0.1/- -] [-/- -]Frameworks global cache manager was initialized using: /opt/qradar/conf/ehcache.xml
    09:07:20,256 INFO  [FrameworksContext] [NOT:0000006000][127.0.0.1/- -] [-/- -]Initializing jpa
    09:07:21,003 INFO  [FrameworksContext] [NOT:0000006000][127.0.0.1/- -] [-/- -]Initializing naming
    09:07:21,005 INFO  [FrameworksNaming] [NOT:0000006000][127.0.0.1/- -] [-/- -]Naming initializing, failFast disabled: false
    09:07:21,441 INFO  [FrameworksNaming] [NOT:0000006000][127.0.0.1/- -] [-/- -]com.q1labs.assetprofile.service.ui.UIByVulnerability.NAME MUST be public, static and not final for naming to help with setting of NAME
    09:07:21,446 INFO  [FrameworksNaming] [NOT:0000006000][127.0.0.1/- -] [-/- -]com.q1labs.assetprofile.service.ui.UIVulnerabilityService.NAME MUST be public, static and not final for naming to help with setting of NAME
    09:07:22,072 INFO  [FrameworksNaming] [NOT:0000006000][127.0.0.1/- -] [-/- -]com.q1labs.core.api.impl.health.HealthMetricAPIImpl.NAME MUST be public, static and not final for naming to help with setting of NAME
    09:07:22,099 INFO  [FrameworksNaming] [NOT:0000006000][127.0.0.1/- -] [-/- -]com.q1labs.core.dao.application.ApplicationUserRoleMapping.ApplicationUserRoleMapping.NAME MUST be public, static and not final for naming to help with setting of NAME
    09:07:22,100 INFO  [FrameworksNaming] [NOT:0000006000][127.0.0.1/- -] [-/- -]com.q1labs.core.dao.application.AugmentedSecurityProfile.NAME MUST be public, static and not final for naming to help with setting of NAME
    09:07:22,495 ERROR [ThreadExceptionHandler] [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception was uncaught in thread: main
    org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'qradarFrameworksContextService' defined in class path resource [appContext.xml]: Invocation of init method failed; nested exception is java.lang.NoClassDefFoundError: com.ibm.icu.text.DateFormat
            at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1745)
            at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:576)
            at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:498)
            at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:320)
            at org.springframework.beans.factory.support.AbstractBeanFactory$$Lambda$7.0000000014E93B30.getObject(Unknown Source)
            at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
            at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:318)
            at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:199)
            at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:846)
            at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:863)
            at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:546)
            at org.springframework.context.support.ClassPathXmlApplicationContext.{init}(ClassPathXmlApplicationContext.java:144)
            at org.springframework.context.support.ClassPathXmlApplicationContext.{init}(ClassPathXmlApplicationContext.java:85)
            at com.q1labs.qvm.assetupdates.Bootstrapper.initialize(Bootstrapper.java:42)
            at com.q1labs.qvm.assetupdates.Bootstrapper.main(Bootstrapper.java:106)
    Caused by: java.lang.NoClassDefFoundError: com.ibm.icu.text.DateFormat
            at java.lang.J9VMInternals.prepareClassImpl(Native Method)
            at java.lang.J9VMInternals.prepare(J9VMInternals.java:304)
            at java.lang.Class.getField(Class.java:1079)
            at com.q1labs.frameworks.naming.FrameworksNaming.checkNameConstant(FrameworksNaming.java:399)
            at com.q1labs.frameworks.naming.FrameworksNaming.loadClasses(FrameworksNaming.java:323)
            at com.q1labs.frameworks.naming.FrameworksNaming.loadNaming(FrameworksNaming.java:171)
            at com.q1labs.frameworks.naming.FrameworksNaming.loadClasses(FrameworksNaming.java:270)
            at com.q1labs.frameworks.naming.FrameworksNaming.loadNaming(FrameworksNaming.java:171)
            at com.q1labs.frameworks.naming.FrameworksNaming.loadNaming(FrameworksNaming.java:105)
            at com.q1labs.frameworks.naming.FrameworksNaming.{init}(FrameworksNaming.java:86)
            at com.q1labs.frameworks.core.FrameworksContext.initServices(FrameworksContext.java:620)
            at com.q1labs.frameworks.core.FrameworksContext.initFrameworks(FrameworksContext.java:257)
            at com.q1labs.qvm.assetupdates.frameworks.FrameworksContextServiceImpl.retrieveFrameworkContext(FrameworksContextServiceImpl.java:31)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
            at java.lang.reflect.Method.invoke(Method.java:508)
            at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeCustomInitMethod(AbstractAutowireCapableBeanFactory.java:1870)
            at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1813)
            at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1741)
            ... 14 more
    Caused by: java.lang.ClassNotFoundException: com.ibm.icu.text.DateFormat
            at java.net.URLClassLoader.findClass(URLClassLoader.java:610)
            at java.lang.ClassLoader.loadClassHelper(ClassLoader.java:943)
            at java.lang.ClassLoader.loadClass(ClassLoader.java:888)
            at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:349)
            at java.lang.ClassLoader.loadClass(ClassLoader.java:871)
            ... 34 more
    29 January 2021
    APPLICATIONS / DEPLOY CHANGES IJ28820 DEPLOY FUNCTION CAN BE SLOW TO COMPLETE AND APPS CAN FAIL TO LOAD AFTER IPTABLES RESTART ON A CONSOLE UNDER HEAVY LOAD CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround
    No workaround available.

    APARs identified with no workaround require administrators to upgrade their software version to resolve this issue.

    Issue
    Docker rules can fail to be restored after a restart of iptables on a Console appliance under heavy load (high event processing, high CPU usage, ariel searches, system activity, etc.). When this occurs, multiple issues within QRadar can be experienced. For example:
    1. Performing a 'Deploy Changes' can take longer than expected to complete.
    2. QRadar apps can fail to load.
    Messages similar to the following might be visible in /var/log/messages when this issue occurs:
    hostname systemd[1]: Stopping IPv4 firewall with iptables...
    hostname preserve-docker-iptables-rules.sh[10574]: iptables: Setting chains to policy ACCEPT: filter nat [  OK  ]
    hostname preserve-docker-iptables-rules.sh[10574]: iptables: Flushing firewall rules: [  OK  ]
    hostname preserve-docker-iptables-rules.sh[10574]: iptables: Unloading modules:  ip_tables[FAILED]
    hostname systemd[1]: iptables.service: control process exited, code=exited status=1
    hostname systemd[1]: Stopped IPv4 firewall with iptables.
    hostname systemd[1]: Unit iptables.service entered failed state.
    hostname systemd[1]: iptables.service failed.
    hostname systemd[1]: Starting IPv4 firewall with iptables...
    hostname iptables.init[11422]: iptables: Applying firewall rules: [  OK  ]
    hostname configure-docker-firewall.sh[12072]: Tue Feb 18 22:18:11 AST 2020 [configure_docker_firewall] Docker and iptables are running: will attempt to restore docker iptables
    hostname configure-docker-firewall.sh[12072]: Tue Feb 18 22:18:11 AST 2020 [configure_docker_firewall] Running 'bash -x /etc/docker/.docker_iptables_rules'
    hostname configure-docker-firewall.sh[12072]: Tue Feb 18 22:18:17 AST 2020 [configure_docker_firewall] Cleaning up stored docker iptables rules
    hostname configure-docker-firewall.sh[12072]: Tue Feb 18 22:18:17 AST 2020 [configure_docker_firewall] Running 'rm -f /etc/docker/.docker_iptables_rules'
    hostname systemd[1]: Started IPv4 firewall with iptables.
    hostname systemd[1]: Stopping IPv4 firewall with iptables...
    hostname preserve-docker-iptables-rules.sh[12930]: iptables: Setting chains to policy ACCEPT: nat filter [  OK  ]
    hostname preserve-docker-iptables-rules.sh[12930]: iptables: Flushing firewall rules: [  OK  ]
    hostname preserve-docker-iptables-rules.sh[12930]: iptables: Unloading modules:  iptable_nat iptable_nat ip_tables[FAILED]
    hostname systemd[1]: iptables.service: control process exited, code=exited status=3
    29 January 2021
    DSM EDITOR IJ25729 EVENTS CONTAINING A CLOSED BRACKET " } " IN THE VALUE FIELD OF A JSON ARE NOT PARSED CORRECTLY BY THE DSM EDITOR CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround
    No workaround available. APARs identified with no workaround require administrators to upgrade their software version to resolve this issue.

    Issue
    Events containing a single '}' in a value field of the JSON are not parsed correctly by the DSM Editor.

    When in the DSM Editor, the preview (highlight) works as expected, but the actual value does not extract when this issue occurs.

    For example:
    Event 1: Has a closing bracket in the value field (ANDROID}).
    Mar 04 09:10:10  LEEF:2.0|YYYYY|XXXXX|1.0|Sandbox Report|^|Report={"Full Details":{"Summary":{"Status":"COMPLETED","Category":"ANDROID}","FileType":"TEST"}}}
    Event 2: Does not have the closing bracket in the value field and parses properly.
    Mar 04 09:10:10  LEEF:2.0|YYYYY|XXXXX|1.0|Sandbox Report|^|Report={"Full Details":{"Summary":{"Status":"COMPLETED","Category":"ANDROID","FileType":"TEST"}}}
    29 January 2021
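    Added example, not from the page and not the DSM Editor's code: a small LEEF 2.0 splitter that hands the Report attribute to a real JSON parser, next to a constructed brace-terminated regex of the kind that reproduces the truncation described above. Both run over copies of Event 1 and Event 2 (with the page's YYYYY/XXXXX placeholders). The regex illustrates the failure class only; it is not QRadar's actual extraction logic.

```python
import json
import re

# Copies of the page's two sample events.
EVENT_1 = (
    "Mar 04 09:10:10  LEEF:2.0|YYYYY|XXXXX|1.0|Sandbox Report|^|"
    'Report={"Full Details":{"Summary":{"Status":"COMPLETED","Category":"ANDROID}","FileType":"TEST"}}}'
)
EVENT_2 = (
    "Mar 04 09:10:10  LEEF:2.0|YYYYY|XXXXX|1.0|Sandbox Report|^|"
    'Report={"Full Details":{"Summary":{"Status":"COMPLETED","Category":"ANDROID","FileType":"TEST"}}}'
)


def parse_leef(line: str) -> dict:
    """Split a LEEF 2.0 event into header fields and a dict of attributes.

    Layout: LEEF:2.0|Vendor|Product|Version|EventID|AttrDelimiter|key=value<delim>key=value...
    The attribute delimiter is the sixth header field ('^' in the page's events).
    Each attribute is split on the first '=' only, so '=' inside a value survives.
    """
    start = line.index("LEEF:")
    parts = line[start:].split("|", 6)
    if len(parts) != 7 or parts[0] != "LEEF:2.0":
        raise ValueError("not a LEEF 2.0 event")
    delim = parts[5] or "\t"  # LEEF falls back to a tab when the delimiter field is empty
    attrs = {}
    for kv in parts[6].split(delim):
        if "=" in kv:
            key, value = kv.split("=", 1)
            attrs[key.strip()] = value
    return {"vendor": parts[1], "product": parts[2], "version": parts[3],
            "event_id": parts[4], "attrs": attrs}


def category_via_json(line: str) -> str:
    """Correct extraction: parse the Report attribute as JSON, then walk the keys."""
    report = json.loads(parse_leef(line)["attrs"]["Report"])
    return report["Full Details"]["Summary"]["Category"]


# Constructed: a value regex that treats '}' (or '"') as the end of the value.  This is the
# kind of shortcut that truncates "ANDROID}" to "ANDROID"; it is not QRadar's implementation.
NAIVE_RE = re.compile(r'"Category":"([^"}]*)')


def category_via_naive_regex(line: str) -> str:
    """Brace-terminated extraction; returns '' when the key is absent."""
    m = NAIVE_RE.search(line)
    return m.group(1) if m else ""
```

    The JSON route returns the literal value "ANDROID}" for Event 1 because a JSON parser tracks string boundaries, while the brace-terminated regex returns "ANDROID" for both events and silently loses the difference. Treating the payload as a structured document rather than text is what makes the extraction robust to brackets, quotes and escapes inside values.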
    MSRPC PROTOCOL IJ29923 THE QRADAR MSRPC PROTOCOL CAN INCREASE CPU UTILIZATION ON MICROSOFT WINDOWS SERVERS OPEN Workaround
    A flash notice is available for administrators that describes how to downgrade the Microsoft Windows Security Event Log over MSRPC version. For more information, see: https://www.ibm.com/support/pages/node/6382106

    Issue
    Administrators with the latest version of the MSRPC protocol from the December 9th, 2020 weekly auto update can experience increased CPU utilization for the EventLog service under svchost.exe on their Windows Servers. Over time, this issue can lead to instability for the remote server. Administrators can downgrade their Microsoft Security Event Log over MSRPC protocol (PROTOCOL-WindowsEventRPC) version to avoid this reported issue.

    The following RPM versions are affected by this issue:
    1. PROTOCOL-WindowsEventRPC-7.3-20201110190432.noarch.rpm
    2. PROTOCOL-WindowsEventRPC-7.4-20201110190414.noarch.rpm
    29 January 2021
    OFFICE 365 PROTOCOL IJ28711 UNABLE TO CAPTURE LOGS FROM AN OFFICE 365 TENANT THAT IS NOT A .COM CLOSED Resolved in
    The following RPMs were delivered during the 2 February 2021 (Build 1612292229) weekly auto update:
    1. PROTOCOL-Office365RESTAPI-7.3-20201207151632.noarch.rpm
    2. PROTOCOL-Office365RESTAPI-7.4-20201207151640.noarch.rpm
    Workaround
    Administrators can verify that the latest RPM is installed for their QRadar version. If you continue to experience issues, or if you experience issues with your weekly auto update, contact support for a possible workaround that might address this issue in some instances.

    Issue
    Attempting to capture logs from an Office 365 tenant can fail to receive any logs when the tenant does not end in ".com". The testing feature on the Log Source can successfully connect and authenticate to the API in these instances, but QRadar fails to receive the expected logs and stays in the state where it displays "Connected. Waiting for logs".
    03 February 2021
    OFFICE 365 PROTOCOL IJ28829 'WARNING: EXPECTED ROLE [ROLE] WAS NOT IN THE OBTAINED ACCESS TOKEN' MESSAGE DURING OFFICE 365 LOG SOURCE PROTOCOL TESTS CLOSED Resolved in
    The following RPMs were delivered during the 2 February 2021 (Build 1612292229) weekly auto update:
    1. PROTOCOL-Office365RESTAPI-7.3-20201207151632.noarch.rpm
    2. PROTOCOL-Office365RESTAPI-7.4-20201207151640.noarch.rpm
    Workaround
    Administrators can verify that the latest RPM is installed for their QRadar version. If you continue to experience issues, or if you experience issues with your weekly auto update, contact support for a possible workaround that might address this issue in some instances.

    Issue
    A warning similar to the following can be observed when testing protocol parameters in Log Source Management for an Office 365 log source. This is because the roles ThreatIntelligence.Read and ActivityReports.Read are now deprecated. Administrators who attempt to test their configuration might see the following messages:
    Testing ClientID [ID] :: TenantID [ID]
    Successfully obtained Azure AD Access Token with supplied credentials
    Access Token Roles: [ActivityFeed.ReadDlp, ServiceHealth.Read, ActivityFeed.Read]
    Warning: Expected role [ThreatIntelligence.Read] was not in the obtained Access Token - this may cause issues with data collection
    Warning: Expected role [ActivityReports.Read] was not in the obtained Access Token - this may cause issues with data collection
    Access Token contained expected role [ActivityFeed.ReadDlp]
    Access Token contained expected role [ServiceHealth.Read]
    Access Token contained expected role [ActivityFeed.Read]
    03 February 2021
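    Added example, not IBM's protocol test code: it decodes the claims of an Azure AD access token and sorts the expected roles into present, missing-but-deprecated and missing-and-required, which is how to read the test output above (the two warnings are for deprecated roles, so the token is still usable). make_demo_token builds a constructed, unsigned token so the block runs offline; token_roles only inspects claims and does not validate the token, so this is a diagnostic for configuration, never an authorization decision. The role names are the ones listed on the page; the audience value and token contents are placeholders.

```python
import base64
import json

# Roles the page says the protocol test still expects but Microsoft has deprecated.
DEPRECATED_ROLES = {"ThreatIntelligence.Read", "ActivityReports.Read"}
# The full expected set: the three roles present in the page's output plus the deprecated two.
EXPECTED_ROLES = {"ActivityFeed.Read", "ActivityFeed.ReadDlp", "ServiceHealth.Read"} | DEPRECATED_ROLES


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    segment = segment.strip()
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_roles(token: str) -> set:
    """Return the `roles` claim of a compact JWS access token.

    Claims inspection only: the signature is NOT verified here, so the result
    describes what the token says, not whether it should be trusted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    claims = json.loads(b64url_decode(parts[1]))
    return set(claims.get("roles", []))


def check_roles(token: str) -> dict:
    """Classify the expected roles against what the token actually carries."""
    present = token_roles(token)
    missing = EXPECTED_ROLES - present
    return {
        "present": sorted(present & EXPECTED_ROLES),
        "deprecated_missing": sorted(missing & DEPRECATED_ROLES),  # warnings, harmless
        "required_missing": sorted(missing - DEPRECATED_ROLES),    # these break collection
        "healthy": not (missing - DEPRECATED_ROLES),
    }


def make_demo_token(roles: list) -> str:
    """Constructed unsigned token for the demo; a real token carries a signature to validate."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}                 # demo only
    payload = {"aud": "placeholder-resource", "roles": roles}
    return f"{enc(header)}.{enc(payload)}."
```

    With the three roles from the page's output, check_roles reports the two deprecated roles as missing and the token as healthy; drop one of the ActivityFeed roles and required_missing becomes non-empty, which is the case that actually needs an app-registration fix.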
    JDBC PROTOCOL IJ26314 LOG SOURCE MANAGEMENT APP JDBC TESTS CAN FAIL WITH 'LOGIN FAILED FOR USER {USERNAME}' ON LOG SOURCES USING DOMAIN AUTHENTICATION CLOSED Resolved in
    The following RPMs were delivered during the 2 February 2021 (Build 1612292229) weekly auto update:
    1. PROTOCOL-JDBC-7.3-20201123202429.noarch.rpm
    2. PROTOCOL-JDBC-7.4-20201123202423.noarch.rpm
    Workaround
    Administrators can verify that the latest RPM is installed for their QRadar version. If you continue to experience issues, or if you experience issues with your weekly auto update, contact support for a possible workaround that might address this issue in some instances.

    Issue
    When using Domain Authentication for a JDBC log source configuration, the log source can be in the Success state and working as expected, but the Log Source Management App tests for those log sources can fail with a message similar to the following: "Login failed for user '{username}'"
    03 February 2021
    JDBC PROTOCOL IJ29049 LOG SOURCES CONFIGURED TO USE JDBC CAN FAIL TO COLLECT LOGS AFTER AN ECS-EC-INGRESS SERVICE RESTART HAS OCCURRED CLOSED Resolved in
    The following RPMs were delivered during the 2 February 2021 (Build 1612292229) weekly auto update:
    1. PROTOCOL-JDBC-7.3-20201123202429.noarch.rpm
    2. PROTOCOL-JDBC-7.4-20201123202423.noarch.rpm
    Workaround
    Administrators can verify that the latest RPM is installed for their QRadar version. If you continue to experience issues, or if you experience issues with your weekly auto update, contact support for a possible workaround that might address this issue in some instances.

    Issue
    JDBC log sources can fail to collect events after an ecs-ec-ingress service restart has occurred. In these instances, the log sources continue to display the "Success" state with a last status update dated days or weeks before the ecs-ec-ingress restart.
    03 February 2021
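    Added example, not QRadar's own health check: a check that flags log sources reporting Success whose last status update is older than a threshold, which is the silent symptom described above (an Error state is already visible in the UI; a stale Success is not). The records are constructed and their field names are assumptions, not the QRadar REST API schema, so adapt the keys to whatever your export of log source status looks like.

```python
from datetime import datetime, timedelta, timezone

# Constructed reference time so the example is deterministic.
NOW = datetime(2021, 2, 3, 12, 0, tzinfo=timezone.utc)

# Constructed status records; field names are assumptions, not the QRadar API schema.
SAMPLE_STATUS = [
    {"name": "db-prod-01", "protocol": "JDBC",   "status": "Success", "last_updated": "2021-02-03T11:58:00Z"},
    {"name": "db-hr-02",   "protocol": "JDBC",   "status": "Success", "last_updated": "2021-01-10T03:14:00Z"},
    {"name": "fw-edge",    "protocol": "Syslog", "status": "Success", "last_updated": "2021-02-03T11:59:30Z"},
    {"name": "db-test-03", "protocol": "JDBC",   "status": "Error",   "last_updated": "2021-01-20T09:00:00Z"},
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_success_sources(records, now=NOW, max_age=timedelta(days=1), protocol="JDBC"):
    """Return (name, age_in_days) for sources that report Success but have not updated within max_age.

    Error states are deliberately skipped: they are already surfaced by the UI.
    The target is the quiet failure where status stays green while collection has stopped.
    Pass protocol=None to check every protocol rather than only JDBC.
    """
    stale = []
    for rec in records:
        if protocol and rec["protocol"] != protocol:
            continue
        if rec["status"] != "Success":
            continue
        age = now - parse_ts(rec["last_updated"])
        if age > max_age:
            stale.append((rec["name"], age.days))
    return stale


def stale_after_restart(records, restart_time: datetime, protocol="JDBC"):
    """Narrower variant matching the page's description: Success sources whose last update
    predates a known ecs-ec-ingress restart, i.e. nothing has been collected since it."""
    return [rec["name"] for rec in records
            if (not protocol or rec["protocol"] == protocol)
            and rec["status"] == "Success"
            and parse_ts(rec["last_updated"]) < restart_time]
```

    Run it on a schedule against the exported status and alert on a non-empty result; the threshold should be a little longer than the polling interval of the slowest JDBC source so that a normal gap between polls is not reported.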
    OFFENSES IJ15472 EVENT COUNT NUMBERS DOESN'T MATCH IN THE OFFENSE DETAILS SCREEN ON CLICKING THE EVENT/FLOW COUNT CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)

    Workaround
    No workaround available. APARs identified with no workaround require administrators to upgrade their software version to resolve this issue.

    Issue
    It has been identified that the event count in the Offense details screen does not match the event count displayed when clicking the event/flow count. Rules using the "when at least this many events are seen with the same event properties in this many minutes" condition produce an Event/Flow count in an Offense that does not match the Ariel search list of Events/Flows.
    03 February 2021
    SEARCH / LOG ACTIVITY IJ25367 UNABLE TO DELETE AN EMPTY LOG SOURCE GROUP DUE TO DEPENDENCY CHECK FAIL OPEN Workaround
    Contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    Attempting to delete an empty Log Source Group can fail with an error similar to "Error while getting Saved Search dependents for this Log Source Group: {xxxxxx}".

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [pool-1-thread-4] com.q1labs.core.shared.datadeletion.LogSourceGroupDeletion: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error while getting Saved Search dependents for this Log Source Group: 103540
    [tomcat.tomcat] [pool-1-thread-4] java.lang.ArrayIndexOutOfBoundsException
    [tomcat.tomcat] [pool-1-thread-4]    at com.q1labs.cve.utils.CustomColumnDefinition.fromString(CustomColumnDefinition.java:386)
    [tomcat.tomcat] [pool-1-thread-4]    at com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchForm.java:1396)
    [tomcat.tomcat] [pool-1-thread-4]    at com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchForm.java:1301)
    [tomcat.tomcat] [pool-1-thread-4]    at com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchForm.java:1290)
    [tomcat.tomcat] [pool-1-thread-4]    at com.q1labs.ariel.ui.bean.ArielSearchForm.requiresPayload(ArielSearchForm.java:1171)
    [tomcat.tomcat] [pool-1-thread-4]    at com.q1labs.ariel.ui.bean.ArielSearchForm.getMappingFactory(ArielSearchForm.java:1099)
    [tomcat.tomcat] [pool-1-thread-4]    at com.q1labs.ariel.ui.bean.ArielSearchForm.getMappingFactory(ArielSearchForm.java:1094)
    [tomcat.tomcat] [pool-1-thread-4]    at com.q1labs.cve.utils.CriteriaParser.processPredicates(CriteriaParser.java:177)
    [tomcat.tomcat] [pool-1-thread-4]    at com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:833)
    [tomcat.tomcat] [pool-1-thread-4]    at com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:790)
    [tomcat.tomcat] [pool-1-thread-4]    at com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:746)
    [tomcat.tomcat] [pool-1-thread-4]    at com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:740)
    [tomcat.tomcat] [pool-1-thread-4]    at com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:731)
    [tomcat.tomcat] [pool-1-thread-4]    at com.q1labs.core.shared.datadeletion.LogSourceGroupDeletion.getArielSavedSearchDependentsByGroupId(LogSourceGroupDeletion.java:131)
    [tomcat.tomcat] [pool-1-thread-4]    at com.q1labs.core.shared.datadeletion.LogSourceGroupDeletion.getUsage(LogSourceGroupDeletion.java:58)
    [tomcat.tomcat] [pool-1-thread-4]    at com.q1labs.core.shared.datadeletion.task.FindDependentsTask.getActualUsage(FindDependentsTask.java:291)
    [tomcat.tomcat] [pool-1-thread-4]    at com.q1labs.core.shared.datadeletion.task.FindDependentsTask.getChildUsage(FindDependentsTask.java:212)
    [tomcat.tomcat] [pool-1-thread-4]    at com.q1labs.core.shared.datadeletion.task.FindDependentsTask.getDefaultUsage(FindDependentsTask.java:169)
    [tomcat.tomcat] [pool-1-thread-4]    at com.q1labs.core.shared.datadeletion.task.FindDependentsTask.runTask(FindDependentsTask.java:122)
    [tomcat.tomcat] [pool-1-thread-4]    at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108)
    [tomcat.tomcat] [pool-1-thread-4]    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522)
    [tomcat.tomcat] [pool-1-thread-4]    at java.util.concurrent.FutureTask.run(FutureTask.java:277)
    [tomcat.tomcat] [pool-1-thread-4]    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
    [tomcat.tomcat] [pool-1-thread-4]    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    [tomcat.tomcat] [pool-1-thread-4]    at java.lang.Thread.run(Thread.java:812)
    [tomcat.tomcat] [pool-1-thread-4] com.q1labs.core.shared.datadeletion.task.FindDependentsTask: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error trying to find Dependents for id: [103540], and type: LOG_SOURCE_GROUP
    [tomcat.tomcat] [pool-1-thread-4] java.lang.ArrayIndexOutOfBoundsException
    [tomcat.tomcat] [pool-1-thread-4]    at com.q1labs.cve.utils.CustomColumnDefinition.fromString(CustomColumnDefinition.java:386)
    [tomcat.tomcat] [pool-1-thread-4]    at com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchForm.java:1396)
    [tomcat.tomcat] [pool-1-thread-4]    at com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchForm.java:1301)
    [tomcat.tomcat] [pool-1-thread-4]    at com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchForm.java:1290)
    [tomcat.tomcat] [pool-1-thread-4]    at com.q1labs.ariel.ui.bean.ArielSearchForm.requiresPayload(ArielSearchForm.java:1171)
    [tomcat.tomcat] [pool-1-thread-4]    at com.q1labs.ariel.ui.bean.ArielSearchForm.getMappingFactory(ArielSearchForm.java:1099)
    [tomcat.tomcat] [pool-1-thread-4]    at com.q1labs.ariel.ui.bean.ArielSearchForm.getMappingFactory(ArielSearchForm.java:1094)
    [tomcat.tomcat] [pool-1-thread-4]    at com.q1labs.cve.utils.CriteriaParser.processPredicates(CriteriaParser.java:177)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSear
    chForm.java:833)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSear
    chForm.java:790)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSear
    chForm.java:746)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSear
    chForm.java:740)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSear
    chForm.java:731)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.core.shared.datadeletion.LogSourceGroupDeletion.getAr
    ielSavedSearchDependentsByGroupId(LogSourceGroupDeletion.java:131)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.core.shared.datadeletion.LogSourceGroupDeletion.getUs
    age(LogSourceGroupDeletion.java:58)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.core.shared.datadeletion.task.FindDependentsTask.getA
    ctualUsage(FindDependentsTask.java:291)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.core.shared.datadeletion.task.FindDependentsTask.getC
    hildUsage(FindDependentsTask.java:212)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.core.shared.datadeletion.task.FindDependentsTask.getD
    efaultUsage(FindDependentsTask.java:169)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.q1labs.core.shared.datadeletion.task.FindDependentsTask.runT
    ask(FindDependentsTask.java:122)
    [tomcat.tomcat] [pool-1-thread-4]    at
    com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108)
    [tomcat.tomcat] [pool-1-thread-4]    at
    java.util.concurrent.Executors$RunnableAdapter.call(Executors.ja
    va:522)
    [tomcat.tomcat] [pool-1-thread-4]    at
    java.util.concurrent.FutureTask.run(FutureTask.java:277)
    [tomcat.tomcat] [pool-1-thread-4]    at
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExec
    utor.java:1160)
    [tomcat.tomcat] [pool-1-thread-4]    at
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExe
    cutor.java:635)
    [tomcat.tomcat] [pool-1-thread-4]    at
    java.lang.Thread.run(Thread.java:812)
    12 June 2020
    SECURITY BULLETIN CVE-2020-4888
    IBM QRADAR SIEM IS VULNERABLE TO DESERIALIZATION OF UNTRUSTED DATA CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.3.3 Fix Pack 7 IF1 (7.3.3.20210120163940)

    Affected versions
    • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
    • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 7
    Issue
    CVE-2020-4888: IBM QRadar SIEM could allow a remote attacker to execute arbitrary commands on the system, caused by insecure deserialization of user-supplied content by the Java deserialization function. By sending a malicious serialized Java object, an attacker could exploit this vulnerability to execute arbitrary commands on the system. CVSS Base score: 6.3
    28 January 2021
    SECURITY BULLETIN CVE-2019-19126
    CVE-2020-10754
    CVE-2019-19956
    CVE-2019-20388
    CVE-2020-7595
    CVE-2019-5482
    CVE-2018-20843
    CVE-2019-15903
    CVE-2019-20386
    CVE-2019-16935
    CVE-2020-8492
    CVE-2019-17498
    CVE-2019-2974
    CVE-2020-2574
    CVE-2020-2752
    CVE-2020-2780
    CVE-2020-2812
    CVE-2019-14907
    CVE-2019-14866
    IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

    Affected versions
    • IBM QRadar SIEM 7.4.2 GA to 7.4.2 Patch 1
    • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
    • IBM QRadar SIEM 7.3.0 to 7.3.0 Patch 5
    Issue
    • CVE-2019-19126: GNU C Library could allow a local attacker to bypass security restrictions, caused by failing to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution. An attacker could exploit this vulnerability to bypass ASLR for a setuid program. CVSS Base score: 4
    • CVE-2020-10754: NetworkManager could allow a remote authenticated attacker to bypass security restrictions, caused by improper configuration in the nmcli. By connecting to a network, an attacker could exploit this vulnerability to bypass authentication. CVSS Base score: 4.3
    • CVE-2019-19956: libxml2 is vulnerable to a denial of service, caused by a memory leak in xmlParseBalancedChunkMemoryRecover in parser.c. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 3.3
    • CVE-2019-20388: GNOME libxml2 could allow a remote attacker to obtain sensitive information, caused by a xmlSchemaValidateStream memory leak in xmlSchemaPreRun in xmlschemas.c. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to obtain sensitive information.
    • CVE-2020-7595: The Gnome Project Libxml2 is vulnerable to a denial of service, caused by an error in xmlStringLenDecodeEntities in parser.c. An attacker could exploit this vulnerability to cause the application to enter into an infinite loop. CVSS Base score: 7.5
    • CVE-2019-5482: cURL libcurl is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the tftp_receive_packet function. By sending a specially-crafted request containing an OACK without the BLKSIZE option, a remote attacker could overflow a buffer and execute arbitrary code on the system. CVSS Base score: 6.3
    • CVE-2018-20843: libexpat is vulnerable to a denial of service, caused by an error in the XML parser. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to consume all available CPU resources. CVSS Base score: 3.3
    • CVE-2019-15903: libexpat is vulnerable to a denial of service, caused by a heap-based buffer over-read in XML_GetCurrentLineNumber. By using a specially-crafted XML input, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.3
    • CVE-2019-20386: systemd is vulnerable to a denial of service, caused by a memory leak in the button_open function in login/logind-button.c. By executing the udevadm trigger command, a local attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 6.2
    • CVE-2019-16935: Python is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the python/Lib/DocXMLRPCServer.py. A remote attacker could exploit this vulnerability using the server_title field to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1
    • CVE-2020-8492: Python is vulnerable to a denial of service, caused by a flaw in the urllib.request.AbstractBasicAuthHandler. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a Regular Expression Denial of Service (ReDoS). CVSS Base score: 5.3
    • CVE-2019-17498: libssh2 is vulnerable to a denial of service, caused by an out-of-bounds read when connecting to a malicious SSH server that sends a disconnect message. A remote attacker could exploit this vulnerability to cause a denial of service or obtain sensitive information. CVSS Base score: 6.5
    • CVE-2019-2974: An unspecified vulnerability in Oracle MySQL related to the Server component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. CVSS Base score: 6.5
    • CVE-2020-2574: An unspecified vulnerability in Oracle MySQL related to the Client C API component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. CVSS Base score: 5.9
    • CVE-2020-2752: An unspecified vulnerability in Oracle MySQL related to the Client C API component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. CVSS Base score: 5.3
    • CVE-2020-2780: An unspecified vulnerability in Oracle MySQL related to the Server: DML component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. CVSS Base score: 6.5
    • CVE-2020-2812: An unspecified vulnerability in Oracle MySQL related to the Server: Stored Procedure component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. CVSS Base score: 4.9
    • CVE-2019-14907: Samba is vulnerable to a denial of service, caused by an error after a failed character conversion at log level 3 or above. By sending a specially crafted string during the NTLMSSP authentication exchange, an attacker could exploit this vulnerability to cause a long-lived process to terminate. CVSS Base score: 6.5
    • CVE-2019-14866: GNU cpio could allow a local authenticated attacker to gain elevated privileges on the system, caused by the failure to properly validate input files when generating TAR archives. An attacker could exploit this vulnerability to inject any tar content and compromise the system. CVSS Base score: 6.7
    26 January 2021
    SECURITY BULLETIN CVE-2018-18074
    CVE-2018-20060
    CVE-2019-11236
    CVE-2019-11324
    CVE-2019-5094
    CVE-2019-5188
    CVE-2020-11008
    CVE-2019-12450
    CVE-2019-14822
    CVE-2019-14973
    CVE-2019-17546
    CVE-2017-15715
    CVE-2018-1283
    CVE-2018-1303
    CVE-2019-10098
    CVE-2020-1927
    CVE-2020-1934
    CVE-2017-18551
    CVE-2018-20836
    CVE-2019-15217
    CVE-2019-15807
    CVE-2019-15917
    CVE-2019-16231
    CVE-2019-16233
    CVE-2019-16994
    CVE-2019-17053
    CVE-2019-17055
    CVE-2019-19046
    CVE-2019-19062
    CVE-2019-19063
    CVE-2019-19332
    CVE-2019-19447
    CVE-2019-19524
    CVE-2019-19530
    CVE-2019-19534
    CVE-2019-19537
    CVE-2019-19767
    CVE-2019-19807
    CVE-2019-20054
    CVE-2019-20636
    CVE-2019-9454
    CVE-2019-9458
    CVE-2020-10690
    CVE-2020-10732
    CVE-2020-10742
    CVE-2020-10751
    CVE-2020-10942
    IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

    Affected versions
    • IBM QRadar SIEM 7.4.2 GA to 7.4.2 Patch 1
    • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
    • IBM QRadar SIEM 7.3.0 to 7.3.0 Patch 5
    Issue
    • CVE-2018-18074: The Requests package for Python could allow a remote attacker to obtain sensitive information, caused by sending information in an insecure manner. By sniffing the network, a remote attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 5.3
    • CVE-2018-20060: urllib3 could allow a remote attacker to obtain sensitive information, caused by the failure to remove the Authorization HTTP header when following a cross-origin redirect. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to obtain credentials in the Authorization header. CVSS Base score: 7.5
    • CVE-2019-11236: Python urllib3 is vulnerable to CRLF injection, caused by improper validation of user-supplied input by the request parameter. By sending a specially-crafted HTTP response containing CRLF character sequences, a remote attacker could exploit this vulnerability to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. CVSS Base score: 5.3
    • CVE-2019-11324: urllib3 could allow a remote attacker to bypass security restrictions, caused by mishandling of certificates. By sending a specially-crafted certificate, an attacker could exploit this vulnerability to allow SSL connections. CVSS Base score: 5.3
    • CVE-2019-5094: E2fsprogs could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an out-of-bounds write in the quota file functionality. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 7.5
    • CVE-2019-5188: E2fsprogs could allow a local authenticated attacker to execute arbitrary code on the system, caused by an out-of-bounds write in the directory rehashing function. By using a specially-crafted ext4 directory, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 7.5
    • CVE-2020-11008: Git could allow a remote attacker to obtain sensitive information, caused by a flaw in the external "credential helper" programs. By feeding a specially-crafted URL to git clone, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. CVSS Base score: 7.5
    • CVE-2019-12450: GNOME GLib could allow a remote attacker to bypass security restrictions, caused by improper permission control in the file_copy_fallback in gio/gfile.c. An attacker could exploit this vulnerability to bypass access restrictions. CVSS Base score: 5.3
    • CVE-2019-14822: IBus could allow a local authenticated attacker to bypass security restrictions, caused by improper authorization validation. By sending a specially-crafted request, an attacker could exploit this vulnerability to monitor and send method calls to the ibus bus of another user. CVSS Base score: 5.5
    • CVE-2019-14973: LibTIFF is vulnerable to a denial of service, caused by an integer overflow in _TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 3.3
    • CVE-2019-17546: libtiff is vulnerable to a heap-based buffer overflow, caused by an integer overflow in the tif_getimage.c. By persuading a victim to open a specially-crafted file, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. CVSS Base score: 7.8
    • CVE-2017-15715: Apache HTTPD could allow a remote attacker to bypass security restrictions, caused by the FilesMatch expression matching '$' to a newline character in a malicious filename instead of the end of the filename. By matching the trailing portion of the filename, an attacker could exploit this vulnerability to bypass security controls that use the FilesMatch directive. CVSS Base score: 3.7
    • CVE-2018-1283: Apache HTTPD could allow a remote attacker to bypass security restrictions, caused by an error when mod_session is configured with SessionEnv on to forward session data to CGI applications. By using a specially crafted "Session" header, an attacker could exploit this vulnerability to modify mod_session data on the system. CVSS Base score: 5.3
    • CVE-2018-1303: Apache HTTPD is vulnerable to a denial of service, caused by an out-of-bounds memory read error in mod_cache_socache. By sending a specially crafted HTTP request header, an attacker could exploit this vulnerability to cause the service to crash. CVSS Base score: 5.3
    • CVE-2019-10098: Apache HTTP Server could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the mod_rewrite module. An attacker could exploit this vulnerability using a specially-crafted URL to redirect a victim to arbitrary Web sites. CVSS Base score: 3.7
    • CVE-2020-1927: Apache HTTP Server could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the mod_rewrite module. An attacker could exploit this vulnerability using a specially-crafted URL to redirect a victim to arbitrary Web sites. CVSS Base score: 7.4
    • CVE-2020-1934: Apache HTTP Server could allow a remote attacker to execute arbitrary code on the system, caused by the use of uninitialized value in mod_proxy_ftp. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system. CVSS Base score: 8.1
    • CVE-2017-18551: Linux kernel is vulnerable to a buffer overflow, caused by a missing bounds check in drivers/i2c/i2c-core-smbus.c. An attacker could overflow an array and perform unspecified actions. CVSS Base score: 7.8
    • CVE-2018-20836: Linux Kernel is vulnerable to a denial of service, caused by a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c. A local attacker could exploit this vulnerability to cause the system to crash. CVSS Base score: 4
    • CVE-2019-15217: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in the yurex.c driver. By using a specially-crafted USB device, a physical attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 4.6
    • CVE-2019-15807: Linux Kernel is vulnerable to a denial of service, caused by a memory leak in sas_expander.c when SAS expander discovery fails. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 7.5
    • CVE-2019-15917: Linux Kernel could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free when hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c. A remote attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service. CVSS Base score: 7.3
    • CVE-2019-16231: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in drivers/net/fjes/fjes_main.c. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 7.5
    • CVE-2019-16233: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in drivers/scsi/qla2xxx/qla_os.c. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 7.5
    • CVE-2019-16994: Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the sit_init_net function in net/ipv6/sit.c. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 6.2
    • CVE-2019-17053: Linux Kernel could allow a local authenticated attacker to bypass security restrictions, caused by not enforcing CAP_NET_RAW in the ieee802154_create function in net/ieee802154/socket.c in the AF_IEEE802154 network module. By sending a specially-crafted request, an attacker could exploit this vulnerability to create a raw socket. CVSS Base score: 5.5
    • CVE-2019-17055: Linux Kernel could allow a local authenticated attacker to bypass security restrictions, caused by not enforcing CAP_NET_RAW in the base_sock_create function in drivers/isdn/mISDN/socket.c in the AF_ISDN network module. By sending a specially-crafted request, an attacker could exploit this vulnerability to create a raw socket. CVSS Base score: 5.5
    • CVE-2019-19046: Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c. A remote attacker could exploit this vulnerability to consume all available memory resources. CVSS Base score: 7.5
    • CVE-2019-19062: Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the crypto_report() function in crypto/crypto_user_base.c. A remote attacker could exploit this vulnerability to consume all available memory resources. CVSS Base score: 7.5
    • CVE-2019-19063: Linux Kernel is vulnerable to a denial of service, caused by multiple memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c. A remote attacker could exploit this vulnerability to consume all available memory resources. CVSS Base score: 7.5
    • CVE-2019-19332: Linux Kernel is vulnerable to a denial of service, caused by an out-of-bounds memory write in KVM hypervisor. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.5
    • CVE-2019-19447: Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a use-after-free flaw in the ext4_put_super function in fs/ext4/super.c. By using a specially-crafted image file, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system. CVSS Base score: 8.4
    • CVE-2019-19524: Linux Kernel is vulnerable to a denial of service, caused by a use-after-free condition in drivers/input/ff-memless.c. By connecting a specially-crafted USB device, an attacker could exploit this vulnerability to cause a kernel panic. CVSS Base score: 4.2
    • CVE-2019-19530: Linux Kernel is vulnerable to a denial of service, caused by a use-after-free condition in drivers/usb/class/cdc-acm.c. By connecting a specially-crafted USB device, an attacker could exploit this vulnerability to cause a kernel panic. CVSS Base score: 4.2
    • CVE-2019-19534: Linux Kernel could allow a local attacker to obtain sensitive information, caused by missing memory initialization in drivers/net/can/usb/peak_usb/pcan_usb_core.c. By connecting a specially-crafted USB device, an attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 2.4
    • CVE-2019-19537: Linux Kernel is vulnerable to a denial of service, caused by a race condition in drivers/usb/core/file.c. By connecting a specially-crafted USB device, an attacker could exploit this vulnerability to cause the system to stop responding. CVSS Base score: 4.2
    • CVE-2019-19767: Linux Kernel is vulnerable to a denial of service, caused by a use-after-free in the __ext4_expand_extra_isize and ext4_xattr_set_entry functions in fs/ext4/inode.c and fs/ext4/super.c. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 6.2
    • CVE-2019-19807: Linux Kernel is vulnerable to a denial of service, caused by a use-after-free in sound/core/timer.c. By sending a specially crafted request, a local attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 4
    • CVE-2019-20054: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c. By sending a specially crafted request, a local attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 4
    • CVE-2019-20636: Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by an out-of-bounds write flaw in the input_set_keycode function. By using a specially-crafted keycode table, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system. CVSS Base score: 8.4
    • CVE-2019-9454: Google Android could allow a local authenticated attacker to gain elevated privileges on the system, caused by a memory corruption in the i2c driver. An attacker could exploit this vulnerability to escalate privileges. CVSS Base score: 7.8
    • CVE-2019-9458: Google Android could allow a local attacker to gain elevated privileges on the system, caused by a race condition in the video driver. An attacker could exploit this vulnerability to escalate privileges. CVSS Base score: 8.4
    • CVE-2020-10690: Linux Kernel is vulnerable to a denial of service, caused by a use-after-free in the cdev_put function in the Precision Time Protocol (PTP). By removing a PTP device while chardev is open, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 4.4
    • CVE-2020-10732: Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by a flaw in the implementation of Userspace core dumps. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information or cause a program to crash. CVSS Base score: 3.3
    • CVE-2020-10742: Linux Kernel is vulnerable to a denial of service, caused by a stack-based buffer overflow during Direct IO write. A local authenticated attacker could exploit this vulnerability by going out of the index bounds after one memory allocation by kmalloc to cause the NFS client to crash. CVSS Base score: 6
    • CVE-2020-10751: Linux Kernel could allow a local authenticated attacker to bypass security restrictions, caused by improper validation of the first netlink message by the SELinux LSM hook implementation. By sending a specially-crafted request, an attacker could exploit this vulnerability to allow or deny the rest of the netlink messages within the skb with the granted permission without further processing. CVSS Base score: 6.1
    • CVE-2020-10942: Linux Kernel is vulnerable to a denial of service, caused by improper validation of an sk_family field by the get_raw_socket function in drivers/vhost/net.c. By sending specially-crafted system calls, a local attacker could exploit this vulnerability to cause a kernel stack corruption resulting in a denial of service condition. CVSS Base score: 6.2
    26 January 2021
    SECURITY BULLETIN CVE-2019-2974
    CVE-2020-2574
    CVE-2020-2752
    CVE-2020-2780
    CVE-2020-2812
    CVE-2019-14973
    CVE-2019-17546
    CVE-2019-17498
    CVE-2017-15715
    CVE-2018-1283
    CVE-2018-1303
    CVE-2019-10098
    CVE-2020-1927
    CVE-2020-1934
    CVE-2017-18551
    CVE-2019-5094
    CVE-2019-5188
    CVE-2020-0034
    IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

    Affected versions
    • IBM QRadar SIEM 7.4.2 GA to 7.4.2 Patch 1
    • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
    • IBM QRadar SIEM 7.3.0 to 7.3.0 Patch 5
    Issue
    • CVE-2019-2974: An unspecified vulnerability in Oracle MySQL related to the Server component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. CVSS Base score: 6.5
    • CVE-2020-2574: An unspecified vulnerability in Oracle MySQL related to the Client C API component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. CVSS Base score: 5.9
    • CVE-2020-2752: An unspecified vulnerability in Oracle MySQL related to the Client C API component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. CVSS Base score: 5.3
    • CVE-2020-2780: An unspecified vulnerability in Oracle MySQL related to the Server: DML component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. CVSS Base score: 6.5
    • CVE-2020-2812: An unspecified vulnerability in Oracle MySQL related to the Server: Stored Procedure component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. CVSS Base score: 4.9
    • CVE-2019-14973: LibTIFF is vulnerable to a denial of service, caused by an integer overflow in _TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 3.3
    • CVE-2019-17546: libtiff is vulnerable to a heap-based buffer overflow, caused by an integer overflow in the tif_getimage.c. By persuading a victim to open a specially-crafted file, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. CVSS Base score: 7.8
    • CVE-2019-17498: libssh2 is vulnerable to a denial of service, caused by an out-of-bounds read when connecting to a malicious SSH server that sends a disconnect message. A remote attacker could exploit this vulnerability to cause a denial of service or obtain sensitive information. CVSS Base score: 6.5
    • CVE-2017-15715: Apache HTTPD could allow a remote attacker to bypass security restrictions, caused by the FilesMatch expression matching '$' to a newline character in a malicious filename instead of the end of the filename. By matching the trailing portion of the filename, an attacker could exploit this vulnerability to bypass security controls that use the FilesMatch directive. CVSS Base score: 3.7
    • CVE-2018-1283: Apache HTTPD could allow a remote attacker to bypass security restrictions, caused by an error when mod_session is configured with SessionEnv on to forward session data to CGI applications. By using a specially crafted "Session" header, an attacker could exploit this vulnerability to modify mod_session data on the system. CVSS Base score: 5.3
    • CVE-2018-1303: Apache HTTPD is vulnerable to a denial of service, caused by an out-of-bounds memory read error in mod_cache_socache. By sending a specially crafted HTTP request header, an attacker could exploit this vulnerability to cause the service to crash. CVSS Base score: 5.3
    • CVE-2019-10098: Apache HTTP Server could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the mod_rewrite module. An attacker could exploit this vulnerability using a specially-crafted URL to redirect a victim to arbitrary Web sites. CVSS Base score: 3.7
    • CVE-2020-1927: Apache HTTP Server could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the mod_rewrite module. An attacker could exploit this vulnerability using a specially-crafted URL to redirect a victim to arbitrary Web sites. CVSS Base score: 7.4
    • CVE-2020-1934: Apache HTTP Server could allow a remote attacker to execute arbitrary code on the system, caused by the use of uninitialized value in mod_proxy_ftp. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system. CVSS Base score: 8.1
    • CVE-2019-5094: E2fsprogs could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an out-of-bounds write in the quota file functionality. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 7.5
    • CVE-2019-5188: E2fsprogs could allow a local authenticated attacker to execute arbitrary code on the system, caused by an out-of-bounds write in the directory rehashing function. By using a specially-crafted ext4 directory, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 7.5
    • CVE-2020-0034: Google Android could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read in the vp8_decode_frame of decodeframe.c. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 7.5
    26 January 2021
    SECURITY BULLETIN CVE-2020-11979 APACHE ANT AS USED BY IBM QRADAR SIEM IS VULNERABLE TO INSECURE TEMPORARY FILES CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

    Affected versions
    • IBM QRadar SIEM 7.4.2 GA to 7.4.2 Patch 1
    • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
    • IBM QRadar SIEM 7.3.0 to 7.3.0 Patch 5
    Issue
    CVE-2020-11979: Apache Ant could allow a remote authenticated attacker to bypass security restrictions, caused by an insecure temporary file flaw. By sending a specially-crafted request, an attacker could exploit this vulnerability to inject modified source files into the build process. CVSS Base score: 6.5
    26 January 2021
    SECURITY BULLETIN CVE-2020-4789 IBM QRADAR SIEM IS VULNERABLE TO ARBITRARY FILE READ CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

    Affected versions
    • IBM QRadar SIEM 7.4.2 GA to 7.4.2 Patch 1
    • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
    • IBM QRadar SIEM 7.3.0 to 7.3.0 Patch 5
    Issue
    CVE-2020-4789: IBM QRadar could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. CVSS Base score: 6.5
    26 January 2021
    SECURITY BULLETIN CVE-2020-4787 IBM QRADAR SIEM IS VULNERABLE TO SERVER SIDE REQUEST FORGERY (SSRF) CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

    Affected versions
    • IBM QRadar SIEM 7.4.2 GA to 7.4.2 Patch 1
    • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
    • IBM QRadar SIEM 7.3.0 to 7.3.0 Patch 5
    Issue
    CVE-2020-4787: IBM QRadar is vulnerable to server side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. CVSS Base score: 4.2
    26 January 2021
    SECURITY BULLETIN CVE-2020-4786 IBM QRADAR SIEM IS VULNERABLE TO SERVER SIDE REQUEST FORGERY (SSRF) CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

    Affected versions
    • IBM QRadar SIEM 7.4.2 GA to 7.4.2 Patch 1
    • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
    • IBM QRadar SIEM 7.3.0 to 7.3.0 Patch 5
    Issue
    CVE-2020-4786: IBM QRadar Network Security is vulnerable to server side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. CVSS Base score: 5.4
    26 January 2021
    SECURITY BULLETIN CVE-2020-5421 SPRING FRAMEWORK AS USED BY IBM QRADAR SIEM IS VULNERABLE TO IMPROPER INPUT VALIDATION CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

    Affected versions
    • IBM QRadar SIEM 7.4.2 GA to 7.4.2 Patch 1
    • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
    • IBM QRadar SIEM 7.3.0 to 7.3.0 Patch 5
    Issue
    CVE-2020-5421: VMware Tanzu Spring Framework could allow a remote attacker to bypass security restrictions, caused by improper input validation. By using a specially-crafted jsessionid path parameter, an attacker could exploit this vulnerability to bypass RFD Protection. CVSS Base score: 5.3
    26 January 2021
    SERVICES IJ30161 A QRADAR "DEPLOY CHANGES" PERFORMED ON DECEMBER 31 2020 CAN CAUSE QRADAR FUNCTIONALITY ISSUES CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 1 (7.4.2.20210105144619)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

    Workaround
    For more detailed information, please see the following Flash Notification: https://ibm.biz/BdfDdV

    An issue report and FAQ are available for IJ30161 from QRadar Support. For more information, see: https://www.ibm.com/support/pages/node/6398674

    Issue
    Performing a "Deploy Changes" function on December 31 2020 can cause a QRadar deployment to stop functioning as expected. This issue is related to the function that validates a license key.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ec-ingress.ecs-ec-ingress] [main] com.eventgnosis.ecs: [INFO] [NOT:6000][X.X.X.X/- -] [-/- -]Waiting for valid license...
    [ecs-ep.ecs-ep] [main] com.eventgnosis.ecs: [INFO] [NOT:6000][X.X.X.X/- -] [-/- -]Waiting for valid license...
    [ecs-ec.ecs-ec] [main] com.eventgnosis.ecs: [INFO] [NOT:6000][X.X.X.X/- -] [-/- -]Waiting for valid license..


    Note: This affects a manual "Deploy Changes" function or any that are performed automatically (example: Auto Update).
    11 January 2021
    RULES IJ29115 PERFORMING AN EXTENSION MANAGEMENT UNINSTALL CAN SOMETIMES CORRUPT RULES WITHIN QRADAR CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

    Workaround
    Upgrade to a QRadar version that resolves this issue, or contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    Performing an Uninstall with the Extension Manager can corrupt rules if QRadar's change-tracker has incorrectly recorded the "new_value" field in content_field_info within the QRadar database.

    When this occurs, attempting to modify a rule response or to edit or delete a rule can generate an error pop-up similar to:
    A server exception occurred: PersistenceException: ERROR: could not parse XML document
    Detail: line 1: Start tag expected, '<' not found
    and messages in /var/log/qradar.log similar to:
    [tomcat.tomcat] [pool-1-thread-3] org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR: could not parse XML document
      Detail: line 1: Start tag expected, '<' not found
    16 November 2020
    FORWARDING DESTINATIONS IJ27364 THE OPTION TO USE IPV6 SOURCE AND DESTINATION FROM AN EVENT WHEN CONFIGURING JSON FORWARDING DESTINATION IS NOT AVAILABLE CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

    Workaround
    A custom property could be added to parse IPv6 from events and used in the JSON format. For more information, see: How to create custom properties in QRadar.

    Issue
    When configuring a Forwarding Destination to forward data to another system over IPv6, the source or destination address from an event is not available as a selectable option when using the JSON format.
    02 September 2020
    FLOW FORWARDING IJ26689 FORWARDING NORMALIZED FLOWS THAT ARE ASSOCIATED TO A DOMAIN FAILS WITH A BUFFERUNDERFLOWEXCEPTION WRITTEN TO QRADAR LOGGING CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

    Workaround
    Potential workaround for this issue. Note: This will impact all event and flow forwarding of normalized data, setting it to the default domain.

    1. On the QRadar Console that is sending, edit nva.conf:
      vi /store/configservices/staging/globalconfig/nva.conf
      Add and save the following line:
      IS_DOMAIN_FORWARDING=0
    2. Log in to QRadar as an administrator.
    3. Click the Admin tab > Deploy Changes.
    4. On the Managed Host that is sending events or flows, type the following command to restart the ecs-ec service:
      systemctl restart ecs-ec
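Step 1 of this workaround is a one-line edit of nva.conf, but on a console that is patched and re-patched the line can already be present, present with the wrong value, or present twice. The helper below (an added example, not IBM's code; the path and the IS_DOMAIN_FORWARDING=0 line are from the steps above, `set_option` and `disable_domain_forwarding` are hypothetical names) makes that edit idempotent and atomic, and keeps a backup; steps 2 to 4 (Deploy Changes and the ecs-ec restart) are still required afterwards.

```python
"""Apply the IJ26689 workaround line to nva.conf idempotently.

Added example, not IBM's code. The file path and the IS_DOMAIN_FORWARDING=0
line come from the workaround steps above; set_option() and
disable_domain_forwarding() are hypothetical helper names. Editing the
staging copy does nothing by itself: Deploy Changes and the ecs-ec restart
from the steps above are still required.
"""
import os
import shutil
import tempfile

NVA_CONF = "/store/configservices/staging/globalconfig/nva.conf"  # path from the workaround


def set_option(path: str, key: str, value: str, backup: bool = True) -> str:
    """Ensure exactly one `key=value` line exists in an nva.conf-style file.

    Returns "unchanged", "replaced", "appended" or "deduplicated" so the
    caller can log what happened. Comments and unrelated keys are kept
    byte for byte; the file is rewritten atomically via rename.
    """
    with open(path, "r", encoding="utf-8") as fh:
        lines = fh.read().splitlines(keepends=True)

    wanted = f"{key}={value}\n"
    out, seen, result = [], False, "appended"
    for line in lines:
        stripped = line.strip()
        is_key = (not stripped.startswith("#")
                  and stripped.split("=", 1)[0].strip() == key)
        if not is_key:
            out.append(line)
        elif seen:
            continue                      # drop a duplicate definition of the key
        elif stripped == f"{key}={value}":
            seen, result = True, "unchanged"
            out.append(line)
        else:
            seen, result = True, "replaced"
            out.append(wanted)
    if not seen:
        if out and not out[-1].endswith("\n"):
            out[-1] += "\n"               # do not glue onto an unterminated last line
        out.append(wanted)
    if out == lines:
        return "unchanged"
    if result == "unchanged":
        result = "deduplicated"           # only extra copies of the key were removed

    if backup:
        shutil.copy2(path, path + ".bak")
    # Write to a temp file in the same directory and rename over the original,
    # so an interrupted write can never leave a half-written nva.conf behind.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".nva.conf.")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.writelines(out)
    os.chmod(tmp, os.stat(path).st_mode & 0o7777)  # keep the original permissions
    os.replace(tmp, path)
    return result


def disable_domain_forwarding(path: str = NVA_CONF) -> str:
    """Step 1 of the workaround: add (or correct) IS_DOMAIN_FORWARDING=0."""
    return set_option(path, "IS_DOMAIN_FORWARDING", "0")


if __name__ == "__main__":
    print(disable_domain_forwarding())
```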


    Issue
    Forwarding normalized flows that are associated to a domain on the sending side to another deployment fails and a BufferUnderflowException is generated in QRadar logging. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] com.q1labs.sem.nio.network.ReceiverServerWithChannelActivity 0.0.0.0:32005: [WARN] [NOT:0000004000][X.X.X.X/- -] [-/- -]Error: /127.0.0.1:41902 : RuntimeException : 0 records read, type: 68, expected buffer size after decompression: 0, expected record size: 195, java.nio.DirectByteBuffer[pos=182 lim=209 cap=13312000], Serializer: com.q1labs.core.types.networkevent.mapping.NetworkEventMappings$ECSMappingAll@1
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] java.lang.RuntimeException: 0 records read, type: 68, expected buffer size after decompression: 0, expected record size: 195, java.nio.DirectByteBuffer[pos=182 lim=209 cap=13312000], Serializer: com.q1labs.core.types.networkevent.mapping.NetworkEventMappings$ECSMappingAll@1
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.ProtocolProcessor.decode(ProtocolProcessor.java:281)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.ProtocolProcessor.decodeCompressedObjectsSync(ProtocolProcessor.java:302)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.Protocol.pollMessage(Protocol.java:1185)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.Protocol$2.readFromChannel(Protocol.java:126)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.Protocol.read(Protocol.java:396)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.ReceiverServerProtocol.readAll(ReceiverServerProtocol.java:85)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.ReceiverServer.read(ReceiverServer.java:229)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.sem.nio.network.ReceiverServerWithChannelActivity.run(ReceiverServerWithChannelActivity.java:140)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at java.lang.Thread.run(Thread.java:818)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] Caused by: java.nio.BufferUnderflowException
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at java.nio.DirectByteBuffer.get(DirectByteBuffer.java:271)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at java.nio.ByteBuffer.get(ByteBuffer.java:715)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.networkevent.CustomPropertyRecord.fromByteBufferForMPC(CustomPropertyRecord.java:164)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingUtils.readCustomPropertiesWithMPCAttributes(NetworkEventMappingUtils.java:435)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.flow.mapping.FlowRecordMappingECS.readCustomProperties(FlowRecordMappingECS.java:139)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.flow.mapping.FlowRecordMapping.getData(FlowRecordMapping.java:393)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.flow.mapping.FlowRecordMapping.get(FlowRecordMapping.java:226)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.flow.mapping.FlowRecordMappingECS.get(FlowRecordMappingECS.java:65)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.flow.mapping.FlowRecordMappingECSAll.get(FlowRecordMappingECSAll.java:30)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.networkevent.mapping.NetworkEventMappings$ECSMappingAll.getFlow(NetworkEventMappings.java:71)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingEx.get(NetworkEventMappingEx.java:86)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingEx.get(NetworkEventMappingEx.java:25)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.ProtocolProcessor.decode(ProtocolProcessor.java:272)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   ... 8 more
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] com.q1labs.sem.nio.network.ReceiverServerWithChannelActivity 0.0.0.0:32005: [WARN] [NOT:0000004000][X.X.X.X/- -] [-/- -]Error: /127.0.0.1:41930 : RuntimeException : 2 records read, type: 68, expected buffer size after decompression: 0, expected record size: 540, java.nio.DirectByteBuffer[pos=1130 lim=1411 cap=65536], Serializer: com.q1labs.core.types.networkevent.mapping.NetworkEventMappings$ECSMappingAll@1
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] java.lang.RuntimeException: 2 records read, type: 68, expected buffer size after decompression: 0, expected record size: 540, java.nio.DirectByteBuffer[pos=1130 lim=1411 cap=65536], Serializer: com.q1labs.core.types.networkevent.mapping.NetworkEventMappings$ECSMappingAll@1
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.ProtocolProcessor.decode(ProtocolProcessor.java:281)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.ProtocolProcessor.decodeCompressedObjectsSync(ProtocolProcessor.java:302)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.Protocol.pollMessage(Protocol.java:1185)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.Protocol$2.readFromChannel(Protocol.java:126)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.Protocol.read(Protocol.java:396)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.ReceiverServerProtocol.readAll(ReceiverServerProtocol.java:85)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.ReceiverServer.read(ReceiverServer.java:229)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.sem.nio.network.ReceiverServerWithChannelActivity.run(ReceiverServerWithChannelActivity.java:140)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at java.lang.Thread.run(Thread.java:818)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] Caused by: java.nio.BufferUnderflowException
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at java.nio.DirectByteBuffer.get(DirectByteBuffer.java:271)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at java.nio.ByteBuffer.get(ByteBuffer.java:715)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.networkevent.CustomPropertyRecord.fromByteBufferForMPC(CustomPropertyRecord.java:164)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingUtils.readCustomPropertiesWithMPCAttributes(NetworkEventMappingUtils.java:435)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.flow.mapping.FlowRecordMappingECS.readCustomProperties(FlowRecordMappingECS.java:139)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.flow.mapping.FlowRecordMapping.getData(FlowRecordMapping.java:393)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.flow.mapping.FlowRecordMapping.get(FlowRecordMapping.java:226)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.flow.mapping.FlowRecordMappingECS.get(FlowRecordMappingECS.java:65)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.flow.mapping.FlowRecordMappingECSAll.get(FlowRecordMappingECSAll.java:30)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.networkevent.mapping.NetworkEventMappings$ECSMappingAll.getFlow(NetworkEventMappings.java:71)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingEx.get(NetworkEventMappingEx.java:86)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingEx.get(NetworkEventMappingEx.java:25)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.ProtocolProcessor.decode(ProtocolProcessor.java:272)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   ... 8 more
    31 July 2020
    RULE RESPONSE IJ28818 ARIEL DATA FILE CORRUPTION CAN OCCUR CAUSING "I/O ERROR" DURING SEARCHES WHEN EMAIL RESPONSE TO A SPECIFIC RULE IS CONFIGURED CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

    Workaround
    Where possible, do not use the email response option when using the rule "log source stopped sending events".

    Issue
    Ariel data corruption can occur when using the rule "log source stopped sending events" with a large number of Custom Event Properties (CEP) and/or log sources in a log source group with an email response configured.

    When this data corruption is experienced, ariel searches can generate an "I/O error" in the QRadar User Interface if these corrupted files are accessed.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    java.lang.IndexOutOfBoundsException
            at java.nio.Buffer.checkBounds(Buffer.java:578)
            at java.nio.ByteBuffer.get(ByteBuffer.java:686)
            at java.nio.DirectByteBuffer.get(DirectByteBuffer.java:285)
            at com.q1labs.core.types.BitMask.getBitMask(BitMask.java:107)
            at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.get(NormalizedEventMappingV2.java:61)
            at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.get(NormalizedEventMappingV2.java:31)
            at com.q1labs.ariel.FileReader.doRead(FileReader.java:192)
            at com.q1labs.ariel.FileReader.read(FileReader.java:184)
            at com.q1labs.ariel.RecordDumper.dumpRecords(RecordDumper.java:66)
            at com.q1labs.cve.utils.CommandLineClient.doDump(CommandLineClient.java:153)
            at com.q1labs.cve.utils.CommandLineClient.run(CommandLineClient.java:188)
            at com.q1labs.cve.utils.CommandLineClient.main(CommandLineClient.java:173)

    ------- or --------
    java.lang.IllegalStateException: Potential mapping error. Array size: -1792 Max is 32767
     at com.q1labs.frameworks.nio.MappingBase.getSizeShort(MappingBase.java:86)
     at com.q1labs.frameworks.nio.MappingBase.getSizeShort(MappingBase.java:80)
     at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingUtils.readCustomRuleResultMap(NetworkEventMappingUtils.java:238)
     at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.readCustomRules(NormalizedEventMappingV2.java:715)
     at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.get(NormalizedEventMappingV2.java:147)
     at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.get(NormalizedEventMappingV2.java:35)
     at com.q1labs.ariel.FileReader.doRead(FileReader.java:192)
     at com.q1labs.ariel.FileReader.read(FileReader.java:184)
     at com.q1labs.ariel.searches.service.ids.ArielFile$Crawler.nextRecord(ArielFile.java:31)
     at com.q1labs.ariel.searches.service.ids.ArielFile.next(ArielFile.java:206)
     at com.q1labs.ariel.searches.service.ids.FilteredSource.next(FilteredSource.java:39)
     at com.q1labs.ariel.searches.tasks.QueryWorker.execute(QueryWorker.java:53)
     at com.q1labs.ariel.searches.tasks.ServiceTaskBase.runTask(ServiceTaskBase.java:89)
     at com.q1labs.ariel.searches.tasks.ServiceTask.runTask(ServiceTask.java:69)
     at com.q1labs.ariel.searches.tasks.ServiceTaskBase$Runner.run(ServiceTaskBase.java:32)
     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
     at java.lang.Thread.run(Thread.java:818)

    -------or-------
    [ecs-ep.ecs-ep] Ariel Writer#events com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [NOT:0000003000][ IP_ADDRESS/- -] [-/- -]Exception was uncaught in thread: Ariel Writer#events
    [ecs-ep.ecs-ep] Ariel Writer#events java.lang.NullPointerException
    [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.networkevent.CustomPropertyRecord.toByteBuffer(CustomPropertyRecord.java:188)
    [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingUtils.writeCustomProperties(NetworkEventMappingUtils.java:326)
    [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.putCustomProperties(NormalizedEventMappingV2.java:701)
    [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.putEvent(NormalizedEventMappingV2.java:541)
    [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.event.mapping.NormalizedEventMappings$ExludeCachedResults.putData(NormalizedEventMappings.java:68)
    [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.put(NormalizedEventMappingV2.java:281)
    [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.put(NormalizedEventMappingV2.java:35)
    [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.io.NIOFileWriter.write(NIOFileWriter.java:110)
    [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.io.SimpleWriter.writeRecord(SimpleWriter.java:47)
    [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.io.BucketWriter.writeRecord(BucketWriter.java:62)
    [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.io.AbstractDatabaseWriter.put(AbstractDatabaseWriter.java:114)
    [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.DatabaseWriterAsync.processRecord(DatabaseWriterAsync.java:131)
    [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.ScatteringDatabaseWriter.access$401(ScatteringDatabaseWriter.java:30
    10 November 2020
    PROTOCOLS IJ29518 SMBTAILPROTOCOL LOG SOURCES CAN FUNCTION NORMALLY BUT DISPLAY IN 'ERROR' STATE WHEN A JNQEXCEPTION OCCURS OPEN Workaround
    No workaround available.

    APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums.

    Issue
    Log Sources using the SMBTail Protocol display in an error state when a jNQ exception is thrown, but the Log Source continues to function as expected. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ec-ingress.ecs-ec-ingress] [Folder Monitor [127.0.0.1][smb://127.0.0.1/dhcplog/]] com.q1labs.semsources.sources.smbtail.io.jnq.JNQException: Unable to create/open - j50.log status = -1073741757 (0xc0000043) (0xC0000043)
    [ecs-ec-ingress.ecs-ec-ingress] [Folder Monitor [127.0.0.1][smb://127.0.0.1/dhcplog/]] com.q1labs.semsources.sources.windowsdhcp.WindowsDHCPTailProvider: [ERROR] [NOT:0000003000][10.42.165.13/- -] [-/- -]TailingException: Unable to create/open - j50.log status = -1073741757 (0xc0000043) (0xC0000043)
    02 December 2020
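Several entries on this page (IJ30161, IJ29115, IJ26689, IJ28818 and IJ29518 above) are recognised by a characteristic line in /var/log/qradar.log. The script below, an added example and not IBM's code, turns those quoted excerpts into regular expressions and counts matches per APAR so an administrator can triage a log in one pass; `classify_line`, `triage` and `summarize` are hypothetical names, and the sample lines are constructed.

```python
"""Triage /var/log/qradar.log lines against the log signatures quoted on this page.

Added example, not IBM's code. Each regular expression is taken from the log
excerpts quoted for APARs IJ30161, IJ29115, IJ26689, IJ28818 and IJ29518 above;
the function names are hypothetical and the sample lines are constructed.
"""
import re
import sys
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# (APAR, one-line description, pattern). The first match wins for a line, so
# the more specific signatures are listed before the coarser ones.
SIGNATURES: List[Tuple[str, str, re.Pattern]] = [
    ("IJ30161", "services waiting for a valid license after a 31 Dec 2020 Deploy Changes",
     re.compile(r"\[ecs-(?:ec-ingress|ec|ep)\.[^\]]*\].*Waiting for valid license")),
    ("IJ29115", "rule XML in content_field_info corrupted by an extension uninstall",
     re.compile(r"ReportingSQLException: ERROR: could not parse XML document")),
    ("IJ29518", "SMBTail log source shown in error state although it keeps collecting",
     re.compile(r"(?:JNQException|TailingException): Unable to create/open")),
    ("IJ28818", "Ariel data corruption from the email response on 'log source stopped sending events'",
     re.compile(r"Potential mapping error\. Array size: -?\d+"
                r"|BitMask\.getBitMask|CustomPropertyRecord\.toByteBuffer")),
    # Coarse on purpose: any BufferUnderflowException on the flow receiver is
    # reported; the fromByteBufferForMPC frame is the stronger indicator.
    ("IJ26689", "BufferUnderflowException receiving domain-associated forwarded flows",
     re.compile(r"java\.nio\.BufferUnderflowException"
                r"|CustomPropertyRecord\.fromByteBufferForMPC")),
]


def classify_line(line: str) -> Optional[str]:
    """Return the APAR number whose signature matches the line, or None."""
    for apar, _desc, pattern in SIGNATURES:
        if pattern.search(line):
            return apar
    return None


def triage(lines: Iterable[str]) -> Dict[str, int]:
    """Count matching lines per APAR; lines that match nothing are ignored."""
    counts: Counter = Counter()
    for line in lines:
        apar = classify_line(line)
        if apar is not None:
            counts[apar] += 1
    return dict(counts)


def summarize(counts: Dict[str, int]) -> List[str]:
    """Human-readable report lines, one per APAR seen, sorted by APAR number."""
    descriptions = {apar: desc for apar, desc, _ in SIGNATURES}
    return [f"{apar}: {n} line(s) - {descriptions[apar]}"
            for apar, n in sorted(counts.items())]


# Constructed sample, not real log content; X.X.X.X mirrors the page's redaction.
SAMPLE_LOG = """\
[ecs-ep.ecs-ep] [main] com.eventgnosis.ecs: [INFO] [NOT:6000][X.X.X.X/- -] [-/- -]Waiting for valid license...
[ecs-ec.ecs-ec] [main] com.eventgnosis.ecs: [INFO] [NOT:6000][X.X.X.X/- -] [-/- -]Waiting for valid license...
[tomcat.tomcat] [pool-1-thread-3] org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR: could not parse XML document
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] Caused by: java.nio.BufferUnderflowException
[ecs-ec-ingress.ecs-ec-ingress] [Folder Monitor [X.X.X.X][smb://X.X.X.X/dhcplog/]] com.q1labs.semsources.sources.smbtail.io.jnq.JNQException: Unable to create/open - j50.log status = -1073741757 (0xc0000043) (0xC0000043)
[ecs-ep.ecs-ep] [main] constructed benign line that should match no signature
"""


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # e.g. /var/log/qradar.log
        with open(sys.argv[1], errors="replace") as fh:
            counts = triage(fh)
    else:
        counts = triage(SAMPLE_LOG.splitlines())
    for report_line in summarize(counts):
        print(report_line)
```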
    PROTOCOLS IJ29923 THE QRADAR MSRPC PROTOCOL CAN INCREASE CPU UTILIZATION ON MICROSOFT WINDOWS SERVERS OPEN Workaround
    A flash notice is available for administrators that describes how to downgrade the Microsoft Windows Security Event Log over MSRPC version. For more information, see: https://www.ibm.com/support/pages/node/6382106.

    Issue
    Administrators with the latest version of the MSRPC protocol from the 9 December 2020 weekly auto update can experience increased CPU utilization for the EventLog service under svchost.exe on their Windows Servers. Over time, this issue can lead to instability for the remote server. Administrators can downgrade their Microsoft Security Event Log over MSRPC protocol (PROTOCOL-WindowsEventRPC) version to avoid this reported issue.

    The following RPM versions are affected by this issue:
    • PROTOCOL-WindowsEventRPC-7.3-20201110190432.noarch.rpm
    • PROTOCOL-WindowsEventRPC-7.4-20201110190414.noarch.rpm
    14 December 2020
    UPGRADE IJ28593 QRADAR PATCHING PROCESS CAN BE SLOWER THAN EXPECTED WHEN MILLIONS OF RECORDS EXIST IN DATABASE TARGET TABLES OPEN Workaround
    Contact support for a possible workaround that might address this issue in some instances.

    Issue
    The QRadar patching process can run slower than expected in instances where there are millions of records in the database target tables.

    To identify why the patching process is experiencing issues, review the patches.log file for database clean-up ID messages. If /var/log/setup-#####/patches.log displays "Removing id" messages for target database tables at a rate of less than 50 lines per second, this can indicate that you need to contact support. For example:
    Removing id = XXXXX from public.target table.
    08 December 2020
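The 50-lines-per-second criterion above is easier to apply with a measurement than by eye. The helper below, an added example and not IBM's code, samples only the bytes appended to patches.log during a short interval and reports the rate against that threshold; the line format and path are quoted from the entry (with ##### standing for the setup run's number), while `count_new_removals`, `lines_per_second`, `is_slow`, `sample_rate` and `latest_patches_log` are hypothetical names.

```python
"""Measure how fast patches.log is removing target-table rows (APAR IJ28593).

Added example, not IBM's code. The "Removing id = ... from public.target table."
line format and the 50 lines-per-second threshold are from the page; the path
/var/log/setup-#####/patches.log is quoted from the page with ##### standing
for the setup run's number. Function names are hypothetical.
"""
import glob
import os
import re
import time
from typing import Optional, Tuple

# Matches the sample line from the page; bytes so a half-written line never
# raises a decode error while the patch is still writing.
REMOVING_LINE = re.compile(rb"^Removing id = \S+ from \S+ table\.")
SLOW_THRESHOLD = 50.0   # lines per second; below this the page says to contact support


def latest_patches_log() -> Optional[str]:
    """Newest /var/log/setup-*/patches.log, or None when no patch run exists."""
    candidates = glob.glob("/var/log/setup-*/patches.log")
    return max(candidates, key=os.path.getmtime) if candidates else None


def count_new_removals(path: str, offset: int = 0) -> Tuple[int, int]:
    """Count 'Removing id' lines that start after byte `offset`.

    Returns (count, new_offset) so repeated calls read only the appended tail
    instead of rescanning a patches.log that may already be very large.
    """
    matched = 0
    with open(path, "rb") as fh:
        fh.seek(offset)
        for raw in fh:
            offset += len(raw)
            if REMOVING_LINE.match(raw):
                matched += 1
    return matched, offset


def lines_per_second(before: int, after: int, seconds: float) -> float:
    """Rate from two cumulative counts taken `seconds` apart."""
    if seconds <= 0:
        raise ValueError("seconds must be positive")
    return (after - before) / seconds


def is_slow(rate: float, threshold: float = SLOW_THRESHOLD) -> bool:
    """True when the observed rate is below the page's 50 lines/s guideline."""
    return rate < threshold


def sample_rate(path: str, seconds: float = 10.0) -> Tuple[float, bool]:
    """Watch the log for `seconds`; return (rate, slow?) for that interval only."""
    start = os.path.getsize(path)                 # ignore everything already logged
    time.sleep(seconds)
    added, _ = count_new_removals(path, start)    # lines appended meanwhile
    rate = lines_per_second(0, added, seconds)
    return rate, is_slow(rate)


if __name__ == "__main__":
    log = latest_patches_log()
    if log is None:
        print("no /var/log/setup-*/patches.log found")
    else:
        rate, slow = sample_rate(log, 10.0)
        verdict = "slow: consider contacting support" if slow else "within expected rate"
        print(f"{log}: {rate:.1f} 'Removing id' lines/s ({verdict})")
```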
    SECURITY BULLETIN CVE-2020-2590, CVE-2020-2601, CVE-2020-14621, CVE-2020-14577, CVE-2020-14578, CVE-2020-14579, CVE-2020-2781, CVE-2020-2583 MULTIPLE VULNERABILITIES IN IBM JAVA SDK AND IBM JAVA RUNTIME AFFECT IBM QRADAR SIEM CLOSED Resolved in
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Affected versions
    • IBM QRadar SIEM 7.3.0 to 7.3.0 Patch 5
    • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
    Issue
    • CVE-2020-2590: An unspecified vulnerability in Java SE related to the Java SE Security component could allow an unauthenticated attacker to cause a low integrity impact, with no confidentiality or availability impact. CVSS Base score: 3.7
    • CVE-2020-2601: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. CVSS Base score: 6.8
    • CVE-2020-14621: An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a low integrity impact, with no confidentiality or availability impact. CVSS Base score: 5.3
    • CVE-2020-14577: An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. CVSS Base score: 3.7
    • CVE-2020-14578: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7
    • CVE-2020-14579: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7
    • CVE-2020-2781: An unspecified vulnerability in Java SE related to the Java SE JSSE component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 5.3
    • CVE-2020-2583: An unspecified vulnerability in Java SE related to the Java SE Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7
    15 December 2020
    SECURITY BULLETIN CVE-2019-12400 APACHE SANTUARIO AS USED IN IBM QRADAR SIEM IS VULNERABLE TO IMPROPER INPUT VALIDATION CLOSED Resolved in
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Affected versions
    • IBM QRadar SIEM 7.3.0 to 7.3.0 Patch 5
    • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
    Issue
    Apache Santuario XML Security for Java could allow a remote attacker to bypass security restrictions, caused by the loading of XML parsing code from an untrusted source. An attacker could exploit this vulnerability to launch further attacks on the system when validating signed documents. CVSS Base score: 5.3
    15 December 2020
    SECURITY BULLETIN CVE-2020-13692 POSTGRESQL JDBC DRIVER AS USED IN IBM QRADAR SIEM IS VULNERABLE TO INFORMATION DISCLOSURE CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Affected versions
    • IBM QRadar SIEM 7.3.0 to 7.3.0 Patch 5
    • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
    Issue
    PostgreSQL JDBC Driver could allow a remote authenticated attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data. By sending specially crafted XML data, a remote attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 6.5
    15 December 2020
    SECURITY BULLETIN CVE-2014-3607 LDAPTIVE AS USED IN IBM QRADAR SIEM IS VULNERABLE TO SPOOFING CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Affected versions
    • IBM QRadar SIEM 7.3.0 to 7.3.0 Patch 5
    • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
    Issue
    Ldaptive could allow a remote attacker to conduct a spoofing attack in DefaultHostnameVerifier, caused by the failure to properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to spoof an SSL server. CVSS Base score: 5.3
    15 December 2020
    LOG SOURCE MANAGEMENT APP IJ29323 EXPORTING LOG SOURCES TO CSV THAT USE AN XPATH WITH LINE BREAKS CAUSES EXTRA LINES TO BE GENERATED WITHIN THE EXPORTED CSV FILE OPEN Workaround
    When exporting Log Sources from the Log Source Management (LSM) app, users can remove the line breaks when entering the data into the LSM app or edit the CSV file to remove them after it is generated by the export.

    Issue
    When exporting Log Sources from the Log Source Management app, if there are Windows Log Sources that use an XPath query containing line breaks, the exported CSV file displays incorrectly because extra lines are added to the CSV file.
    19 November 2020
    User Behavior Analytics (UBA) App IJ29455 USER BEHAVIOR ANALYTICS (UBA) APP VERSIONS PRIOR TO VERSION 3.8 FAIL TO START AFTER AN UPGRADE TO QRADAR 7.4.2 GA CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)

    Workaround
    Administrators can upgrade their UBA app to version 3.8 or later after they complete their QRadar 7.4.2 upgrade.

    Issue
    The User Behavior Analytics for QRadar App (UBA) versions prior to 3.8 fail to load or start after an upgrade to QRadar version 7.4.2 GA.
    12 April 2021
    AUTO UPDATE IJ29298 AUTOUPDATE ERROR IN THE QRADAR USER INTERFACE AFTER CHANGING TO THE NEW CLOUD BASED ADDRESS OPEN Workaround
    The error described is benign and does not cause any problems with the autoupdate download or expected functionality.

    Issue
    After changing the Autoupdate server to the new Cloud based address, the user interface can display a benign error message as described in this technical note.

    Error message:
    Autoupdate settings are updated. However, the system cannot
    connect to the specified web server address, directory. This
    will cause updates to fail. Verify that web server address,
    directory, credentials and the proxy settings are configured
    correctly and the web server is running properly.
    16 November 2020
    ASSETS IJ26166 VULN COUNT IN ASSET LIST VIEW CAN FAIL TO MATCH VULN COUNT IN ASSET DETAILS OR QVM MANAGE VULNS BY ASSET VIEW OPEN Workaround
    No workaround available.

    APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums.

    Issue
    The vulnerability count in the Asset list view can fail to match the vulnerability count in asset details or in the QVM manage vulnerabilities by asset view. This vulnerability count mismatch can also be observed when using the API endpoint /qvm/vuln. The mismatch occurs when vulnerabilities are no longer present on a second scan because they were fixed or a service was disabled. The mismatch can also occur if vulnerability exceptions are configured.
    14 July 2020
    SCAN RESULTS IJ29292 WHEN THE QVM PROCESSOR IS NOT RUNNING ON THE CONSOLE, SCAN START AND STOP EMAILS CONTAIN INCORRECT DATA IN SUBJECT AND BODY OPEN Workaround
    No workaround available.

    APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums.

    Issue
    When the QVM processor is not running on the console, scan start and scan stop emails contain: '$body.scanProfile.name' instead of the name of the scan profile.
    24 November 2020
    USER INTERFACE IJ28347 THE TOMCAT SERVICE CAN HANG ON STARTUP WHEN CUSTOM AQL PROPERTIES EXIST CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

    Issue
    In some instances the QRadar Tomcat service (required for the User Interface) can hang during service startup due to the occurrence of deadlocks when there are custom AQL properties configured in QRadar.
    26 November 2020
    SYSTEM NOTIFICATIONS IJ26223 QRADAR DEPLOY OVERWRITES INDIVIDUALLY CONFIGURED SAR SENTINEL NOTIFICATION TUNING FOR EACH MANAGED HOST WITH CONSOLE'S CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

    Issue
    The QRadar Deploy function overwrites the SAR Sentinel notification configuration tunings for each Managed Host in the deployment with that of the Console. This can cause erroneous SAR Sentinel "system load" notification messages to be generated for some QRadar Managed Hosts.
    26 November 2020
    DSM EDITOR IJ26131 'FAILED TO LOAD DATA' ERROR DISPLAYED IN THE QRADAR DSM EDITOR WINDOW CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Administrators can install a software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

    Issue
    A 'failed to load data' message can be displayed in the QRadar DSM Editor while performing Event mapping.

    Example steps that can generate this error:
    1. Open the Event mapping tab in DSM Editor for LS type Windows Security Event Log.
    2. Filter for event with ID=1 & category="Microsoft-Windows-Sysmon/Operational".
    3. Override that event with any other event (does not matter which one), and save the changes.
    4. Reload DSM editor and the following error is displayed, "failed to load data".
    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat]
    [/console/restapi/api/application/data_ingestion/mappings/12]
    com.q1labs.frameworks.session.SessionContext: [ERROR] 1 leak(s)
    detected in session context: xxxx-xxxx-xxxx-xxxx-xxxx
    [tomcat.tomcat]
    [/console/restapi/api/application/data_ingestion/mappings/12]
    com.q1labs.frameworks.session.SessionContext: [ERROR]
    java.sql.PreparedStatement leak detected. Object created in
    following code path
    [tomcat.tomcat]
    [/console/restapi/api/application/data_ingestion/mappings/12]
    java.lang.Exception
    [tomcat.tomcat]
    [/console/restapi/api/application/data_ingestion/mappings/12] at
    com.q1labs.frameworks.session.BaseWrapper.{init}(BaseWrapper.java)
    [tomcat.tomcat]
    [/console/restapi/api/application/data_ingestion/mappings/12] at
    com.q1labs.frameworks.session.PreparedStatementWrapper.{init}(Pr
    eparedStatementWrapper.java:35)
    [tomcat.tomcat]
    [/console/restapi/api/application/data_ingestion/mappings/12] at
    com.q1labs.frameworks.session.ConnectionWrapper.prepareStatement
    (ConnectionWrapper.java:262)
    [tomcat.tomcat]
    [/console/restapi/api/application/data_ingestion/mappings/12] at
    com.ibm.si.data_ingestion.api.impl.application.ApplicationAPIImp
    l.getMappings(ApplicationAPIImpl.java:262)
    [tomcat.tomcat]
    [/console/restapi/api/application/data_ingestion/mappings/12] at
    com.ibm.si.data_ingestion.api.v7_0.application.ApplicationAPI.ge
    tEventMappings(ApplicationAPI.java:175)
    [tomcat.tomcat] 
    [/console/restapi/api/application/data_ingestion/mappings/12]
    org.postgresql.util.PSQLException: The column name lc_name was
    not found in this ResultSet.
    [tomcat.tomcat]
    [/console/restapi/api/application/data_ingestion/mappings/12] at
    org.postgresql.jdbc.PgResultSet.findColumn(PgResultSet.java)
    [tomcat.tomcat]
    [/console/restapi/api/application/data_ingestion/mappings/12] at
    org.postgresql.jdbc.PgResultSet.getString(PgResultSet.java:2467)
    [tomcat.tomcat]
    [/console/restapi/api/application/data_ingestion/mappings/12] at
    com.mchange.v2.c3p0.impl.NewProxyResultSet.getString(NewProxyRes
    ultSet.java:3342)
    [tomcat.tomcat]
    [/console/restapi/api/application/data_ingestion/mappings/12] at
    org.apache.openjpa.lib.jdbc.DelegatingResultSet.getString(Delega
    tingResultSet.java:187)
    [tomcat.tomcat]
    [/console/restapi/api/application/data_ingestion/mappings/12] at
    com.ibm.si.data_ingestion.api.impl.application.ApplicationAPIImp
    l.getMappings(ApplicationAPIImpl.java:284)
    26 November 2020
    QRADAR NETWORK INSIGHTS IJ26096 WHEN RUNNING QNI IN ADVANCED MODE MESSAGES '...[ERRNO 24] TOO MANY OPEN FILES' ARE WRITTEN TO QRADAR LOGGING CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

    Issue
    When running QRadar Network Insights in Advanced Mode, repeated messages similar to the following can sometimes be observed being written to /var/log/qradar.log:
    TikaServer (6690) - ERROR - Error starting subprocess: [Errno
    24] Too many open files
    TikaServer (6690) - ERROR - Error starting subprocess: [Errno
    24] Too many open files
    26 November 2020
    SEARCH IJ26095 QUICK SEARCH 'TOP IDS/IPS ALERT BY COUNTRY/REGION' GROUPS BY THE NON-EXISTENT COLUMN 'GEOGRAPHIC COUNTRY/REGION' CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

    Issue
    The quick search 'Top IDS/IPS Alert by Country/Region' groups by a non-existent column 'Geographic Country/Region'.

    For example:
    1. Navigate to the Log Activity tab and select Quick Searches.
    2. Load the search "Top IDS/IPS Alert by Country/Region".
      Note that it is grouping by the column "Geographic Country/Region".
    3. Go to Edit Search. Notice that the Group by column is empty.
    4. Search for the column under the "Available Columns".

      Results
      Expected: Column "Geographic Country/Region" is displayed.
      Actual Result: Column "Geographic Country/Region" is not displayed, instead the columns "Source Geographic Country/Region" and "Destination Geographic Country/Region" are displayed.
    26 November 2020
    QRADAR VULNERABILITY MANAGER IJ26089 QVM SCHEDULED SCANS CAN FAIL TO DISPLAY WHEN THERE ARE A LARGE NUMBER OF SCAN PROFILE CRON SCHEDULES CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    No workaround available. Administrators must upgrade to resolve this software issue.

    Issue
    QRadar Vulnerability Manager scheduled scans entries can fail to be displayed in the User Interface calendar view when there are a large number (hundreds) of scan profile cron schedules. When this issue is occurring, clicking in the scheduled scans view in the User Interface can generate an error in the QRadar Console's /var/log/qradar.error log when the qvmprocessor is deployed on a separate QRadar managed host. Note: This issue is less likely to occur on systems where there are only a small number of scan profiles. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]
    com.q1labs.core.ui.servlet.RemoteJavaScript: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]An exception occurred
    while executing the remote method 'getCronScanProfiles'
    {hostname} tomcat[13976]: org.apache.cxf.interceptor.Fault:
    Could not receive Message.
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles] javax.xml.ws.WebServiceException:
    Could not receive Message.
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at
    org.apache.cxf.jaxws.JaxWsClientProxy.mapException(JaxWsClientPr
    oxy.java:183)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at
    org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.ja
    va:145)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at
    org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.j
    ava:56)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at
    org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at
    org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSende
    rEndingInterceptor.handleMessage(MessageSenderInterceptor.java)
    {hostname} tomcat[13976]: at
    org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:355)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at
    org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInte
    rceptorChain.java:308)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at
    org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:531)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at
    org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at
    org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:355)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at
    org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:313)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at
    org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at
    org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.ja
    va:140)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    ... 67 more
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles] Caused by:
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles] java.net.SocketTimeoutException: Read
    timed out
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at
    java.net.SocketInputStream.socketRead0(Native Method)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at
    java.net.SocketInputStream.socketRead(SocketInputStream.java)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at
    java.net.SocketInputStream.read(SocketInputStream.java:182)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at
    java.net.SocketInputStream.read(SocketInputStream.java:152)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at com.ibm.jsse2.b.a(b.java:297)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at com.ibm.jsse2.b.a(b.java:290)
    [tomcat.tomcat] [admin@127.0.0.1(8387)
    /console/JSON-RPC/QVM.getCronScanProfiles
    QVM.getCronScanProfiles]    at com.ibm.jsse2.av.a(av.java:840)
    {hostname} tomcat[13976]: at
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExec
    utor.java:1160)
    {hostname} tomcat[13976]: at
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExe
    cutor.java:635)
    {hostname} tomcat[13976]: at
    org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(T
    askThread.java:61)
    {hostname} tomcat[13976]: at
    java.lang.Thread.run(Thread.java:818)
    {hostname} tomcat[13976]: Caused by:
    {hostname} tomcat[13976]: java.net.SocketTimeoutException:
    SocketTimeoutException invoking
    https://XXXXXXXXXX:9999/scanProfileService: Read timed out
    {hostname} tomcat[13976]: at
    sun.reflect.GeneratedConstructorAccessor697.newInstance(Unknown
    Source)
    {hostname} tomcat[13976]: at
    sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Delega
    tingConstructorAccessorImpl.java:57)
    {hostname} tomcat[13976]: at
    java.lang.reflect.Constructor.newInstance(Constructor.java:437)
    {hostname} tomcat[13976]: at
    org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.ma
    pException(HTTPConduit.java:1402)
    {hostname} tomcat[13976]: at
    org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.cl
    ose(HTTPConduit.java:1386)
    {hostname} tomcat[13976]: at
    org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.j
    ava:56)
    {hostname} tomcat[13976]: at
    org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java)
    {hostname} tomcat[13976]: at
    org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSende
    rEndingInterceptor.handleMessage(MessageSenderInterceptor.java)
    {hostname} tomcat[13976]: ... 74 more
    {hostname} tomcat[13976]: Caused by:
    {hostname} tomcat[13976]: java.net.SocketTimeoutException: Read
    timed out
    {hostname} tomcat[13976]: at
    java.net.SocketInputStream.socketRead0(Native Method)
    {hostname} tomcat[13976]: at
    java.net.SocketInputStream.socketRead(SocketInputStream.java:127)
    {hostname} tomcat[13976]: at
    java.net.SocketInputStream.read(SocketInputStream.java:182)
    26 November 2020
    OFFENSES IJ25448 'APPLICATION ERROR' WHEN ATTEMPTING TO CLOSE AN OFFENSE ACCESSED FROM AN EMAIL LINK CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Workaround
    Navigate manually to the Offense using the QRadar user interface "Offenses" tab.

    Issue
    When attempting to close an Offense from within an email link, an "Application Error" is generated in the QRadar User Interface.

    The Offense opens as expected from within the email link, but the "Application Error" occurs when attempting to close it. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]
    com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR]
    [NOT:0000003000][127.0.0.1 /- -] [-/- -]An exception occurred
    while processing the request:
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]
    com.ibm.si.content_management.utils.ApplicationErrorStateException
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    com.q1labs.sem.ui.action.MaintainProperties.findNextForward(Main
    tainProperties.java:230)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    com.q1labs.sem.ui.action.MaintainProperties.updatePropertiesSecu
    re(MaintainProperties.java:80)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    com.q1labs.sem.ui.action.MaintainProperties.updateProperties(Mai
    ntainProperties.java:213)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessor
    Impl.java:90)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
    AccessorImpl.java:55)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    java.lang.reflect.Method.invoke(Method.java:508)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.struts.actions.DispatchAction.dispatchMethod(Dispatch
    Action.java:280)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.struts.actions.DispatchAction.execute(DispatchAction.
    java:216)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.actions.DispatchAction.execute(DispatchA
    ction.java:64)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.struts.action.RequestProcessor.processActionPerform(R
    equestProcessor.java:484)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.action.RequestProcessor.processActionPer
    form(RequestProcessor.java:101)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.struts.action.RequestProcessor.process(RequestProcess
    or.java:275)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.struts.action.ActionServlet.process(ActionServlet.jav
    a:1482)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.action.ActionServlet.process(ActionServl
    et.java:122)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.struts.action.ActionServlet.doPost(ActionServlet.java)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    javax.servlet.http.HttpServlet.service(HttpServlet.java:661)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:231)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.ja
    va:52)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.servlet.AddUserHeaderFilter.doFilter(Add
    UserHeaderFilter.java:86)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.servlet.ThreadNameFilter.doFilter(Thread
    NameFilter.java:53)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    com.q1labs.core.ui.filters.StrutsParamFilter.doFilter(StrutsPara
    mFilter.java:41)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.postauthredirect.PostLoginRedirectFilter
    .doFilter(PostLoginRedirectFilter.java:70)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [admin@127.0.0.1 (1312)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.auth.AuthenticationVerificationFilter.do
    Filter(AuthenticationVerificationFilter.java:304)
    15 September 2020
    ASSETS IJ25823 NO ASSETS FOUND WHEN USING SCAN RESULTS -> OPEN SERVICES -> ASSETS CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Perform an asset search on the Asset tab using the "Assets With Open Service" search parameter.

    Issue
    An asset can fail to be found when using Scan Results -> Open Services -> Assets on the Vulnerabilities tab. This occurs when the asset has the service, but has no vulnerabilities.
    26 November 2020
    SEARCH IJ25805 NULLPOINTEREXCEPTION CAN CAUSE ACCUMULATED VALUE TIMESERIES DATA DISCREPANCIES WHEN MANAGED HOSTS ARE ENCRYPTED CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Where possible, disable encryption for Managed Hosts.

    Issue
    When encryption is enabled for Managed Hosts, there can be variances between the accumulated value reported by some ADE Rules and the accumulated values shown in the time series graph when a Null Pointer Exception occurs.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [accumulator.accumulator] [SE client /127.0.0.1:59638]
    com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [
    NOT:0000003000][127.0.0.1/- -] [-/- -]Exception was uncaught in
    thread: SE client /127.0.0.1:59638
    [accumulator.accumulator] [SE client /127.0.0.1:59638]
    java.lang.NullPointerException
    [accumulator.accumulator] [SE client /127.0.0.1:59638]    at
    com.q1labs.frameworks.nio.network.protocol.Protocol.pollMessage(
    Protocol.java:1227)
    [accumulator.accumulator] [SE client /127.0.0.1:59638]    at
    com.q1labs.frameworks.nio.network.Communicator.read(Communicator
    .java:108)
    [accumulator.accumulator] [SE client /127.0.0.1:59638]    at
    com.q1labs.cve.sentryengine.SentryEngineCommunicator.run(SentryE
    ngineCommunicator.java:50)
    [accumulator.accumulator] [SE client /127.0.0.1:59638]    at
    java.lang.Thread.run(Thread.java:812)
    And
    [accumulator.accumulator] [SE client /127.0.0.1:33012]
    com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception was uncaught
    in thread: SE client /127.0.0.1:33012
    [accumulator.accumulator] [SE client /127.0.0.1:33012]
    java.lang.NullPointerException
    [accumulator.accumulator] [SE client /127.0.0.1:33012]    at
    com.q1labs.frameworks.nio.network.protocol.Protocol.pollMessage(
    Protocol.java:1227)
    [accumulator.accumulator] [SE client /127.0.0.1:33012]    at
    com.q1labs.frameworks.nio.network.protocol.Protocol.readFromSock
    et(Protocol.java:413)
    [accumulator.accumulator] [SE client /127.0.0.1:33012]    at
    com.q1labs.frameworks.nio.network.Communicator.selectAndRead(Com
    municator.java:134)
    [accumulator.accumulator] [SE client /127.0.0.1:33012]    at
    com.q1labs.frameworks.nio.network.Communicator.read(Communicator
    .java:110)
    [accumulator.accumulator] [SE client /127.0.0.1:33012]    at
    com.q1labs.cve.sentryengine.SentryEngineCommunicator.run(SentryE
    ngineCommunicator.java:50)
    [accumulator.accumulator] [SE client /127.0.0.1:33012]    at
    java.lang.Thread.run(Thread.java:812)
    And
    [accumulator.accumulator] [SE client /127.0.0.1:53604]
    com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception was uncaught
    in thread: SE client /127.0.0.1:53604
    [accumulator.accumulator] [SE client /127.0.0.1:53604]
    java.lang.NullPointerException
    [accumulator.accumulator] [SE client /127.0.0.1:53604]    at
    com.q1labs.frameworks.nio.network.protocol.Protocol.disposeBuffe
    r(Protocol.java:1121)
    [accumulator.accumulator] [SE client /127.0.0.1:53604]    at
    com.q1labs.frameworks.nio.network.protocol.Protocol.decodeObject
    Internal(Protocol.java:291)
    [accumulator.accumulator] [SE client /127.0.0.1:53604]    at
    com.q1labs.frameworks.nio.network.protocol.Protocol.processProto
    colMessage(Protocol.java:1074)
    [accumulator.accumulator] [SE client /127.0.0.1:53604]    at
    com.q1labs.frameworks.nio.network.protocol.Protocol.pollMessage(
    Protocol.java:1198)
    [accumulator.accumulator] [SE client /127.0.0.1:53604]    at
    com.q1labs.frameworks.nio.network.protocol.Protocol.readFromSock
    et(Protocol.java:413)
    [accumulator.accumulator] [SE client /127.0.0.1:53604]    at
    com.q1labs.frameworks.nio.network.Communicator.selectAndRead(Com
    municator.java:134)
    [accumulator.accumulator] [SE client /127.0.0.1:53604]    at
    com.q1labs.frameworks.nio.network.Communicator.read(Communicator
    .java:110)
    [accumulator.accumulator] [SE client /127.0.0.1:53604]    at
    com.q1labs.cve.sentryengine.SentryEngineCommunicator.run(SentryE
    ngineCommunicator.java:50)
    [accumulator.accumulator] [SE client /127.0.0.1:53604]    at
    java.lang.Thread.run(Thread.java:812)
    26 November 2020
    OFFENSES IJ25800 OFFENSES CAN BE CLOSED WITH NO APPROPRIATE REASON FOR CLOSE BEING SELECTED CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Ensure that you select a valid reason from the available drop-down list options.

    Issue
    Offense Closed Reason can be blank for an offense if a previously used Reason for Close has been removed from the list and a QRadar user clicks OK without making another selection from the drop-down list.

    When this occurs, the closing reason for the affected offense displays as NULL in Offense reports.
    26 November 2020
    WINCOLLECT IJ24355 WINCOLLECT 7.2.9 PATCH 3 INSTALLATION CAN FAIL UNEXPECTEDLY DUE TO THE MINIMUM UPGRADE VERSION CHECK CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Temporarily rename the .minimum_upgrade_version hidden file that is causing the problem and rerun the WinCollect Installer. After the installation completes, rename the .minimum_upgrade_version hidden file back to the original filename.
    1. SSH to the QRadar Console.
    2. Type the following command:
      mv /etc/qradar/.minimum_upgrade_version
      /etc/qradar/.minimum_upgrade_version_old
    3. Run the WinCollect Installer.
    4. After the installation is complete, run the following command:
      mv /etc/qradar/.minimum_upgrade_version_old
      /etc/qradar/.minimum_upgrade_version

    Issue
    When attempting to install the SFS for WinCollect 7.2.9 P3 on QRadar 7.3.2, an error similar to the following might be observed during the installation process: "You are attempting to upgrade to 2019.14.0. The installed version only supports upgrades to 7.3.3.20191203144110".
    26 November 2020
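    The IJ24355 workaround above is a rename, an installer run and a rename back, so if the installer aborts part way the hidden file is left renamed. The following added example (not IBM's code and not from the APAR page) wraps the same three steps in one shell function that restores /etc/qradar/.minimum_upgrade_version on every exit path. Because the page does not name the WinCollect installer command, it is passed in as arguments, and QRADAR_ETC is an assumed override so the function can be exercised against a temporary directory.

```shell
#!/bin/sh
# Added example: run a command with QRadar's minimum-upgrade-version check
# file moved aside, restoring it afterwards even if the command fails or
# the shell is interrupted. Mirrors the IJ24355 workaround steps.
# QRADAR_ETC is an assumed override for testing; the default is the path
# given in the APAR entry.

QRADAR_ETC=${QRADAR_ETC:-/etc/qradar}
VERSION_FILE="$QRADAR_ETC/.minimum_upgrade_version"

# restore_version_file: put the renamed file back if the _old copy exists.
restore_version_file() {
    if [ -f "$VERSION_FILE"_old ]; then
        mv "$VERSION_FILE"_old "$VERSION_FILE"
    fi
}

# run_without_version_check CMD...: rename the check file, run CMD (the
# WinCollect installer on a real console), then rename the file back.
# Returns CMD's own exit status; returns 2 if the file is not present or
# cannot be moved.
run_without_version_check() {
    if [ ! -f "$VERSION_FILE" ]; then
        echo "$VERSION_FILE not present; nothing to bypass" >&2
        return 2
    fi
    mv "$VERSION_FILE" "$VERSION_FILE"_old || return 2
    # Restore on interrupt or unexpected exit as well as on normal return.
    trap restore_version_file EXIT INT TERM
    "$@"
    rc=$?
    restore_version_file
    trap - EXIT INT TERM
    return "$rc"
}

# Usage on a console (installer command is whatever you would have typed
# in step 3 of the workaround):
#   run_without_version_check /path/to/wincollect-installer
```

The EXIT trap is what makes this safer than the manual sequence: a failed or interrupted installer still leaves the console with its version check file in place.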
    QRADAR VULNERABILITY MANAGER IJ22896 'FOUND BY SCAN PROFILE' SEARCH RETURNS NO RESULTS WHEN SCAN PROFILE NAME STARTS OR ENDS WITH SPACE (BLANK) CHARACTERS CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    None for existing scan profiles. Do not add leading or trailing spaces when creating a scan profile.

    Issue
    A "Found By Scan Profile" search returns no results when the name of the scan profile starts or ends with space (blank) characters.
    26 November 2020
    UPGRADE IJ26199 LACK OF ADEQUATE FREE SPACE ON /BOOT PARTITION CAN CAUSE QRADAR PATCH FAILURE DURING RPM INSTALL CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

    Issue
    Older QRadar appliance configurations allowed for smaller /boot partitions. As such, when upgrading QRadar, there can sometimes be inadequate free space available in the /boot partition, causing the upgrade to fail during RPM file installation.

    This lack of free space in the /boot partition is not currently identified by the QRadar pretests that run in Test Mode before an upgrade. Messages similar to the following might be visible in the patches.log file for the attempted QRadar installation version (/var/log/setup-7.x.x.xxxxxx):
    [6/9] Install & Upgrade Packages
    Transaction check error:
      installing package kernel-3.XXXXXXXXXX.el7.x86_64 needs 812KB
    on the /boot filesystem
    Error Summary
    -------------
    Disk Requirements:
    At least 1MB more space needed on the /boot filesystem.
    Please Check patches.log
    [INFO](patchmode) error was during install and we can't rollback
    [WARN](patchmode) =============================================
    [WARN](patchmode) [6/9] Install & Upgrade Packages  PROBLEMS!
    Can we roll back?? [6/9] Install & Upgrade Packages ? no
    [WARN](patchmode)
    26 November 2020
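    Since the IJ26199 entry above notes that the upgrade pretests do not check /boot, an administrator can run a preflight check of their own before patching. The following added example (not IBM's code and not from the APAR page) parses POSIX df output for the /boot mount and compares the available space against a threshold. The 1 MB default threshold is an assumption taken from the "At least 1MB more space needed" message above; the sample df output is constructed.

```shell
#!/bin/sh
# Added example: pre-upgrade free-space check for /boot, the condition
# IJ26199 says the QRadar pretests do not catch.

# Minimum free space wanted on /boot before an RPM kernel install.
# Assumption: 1024 KB matches the "At least 1MB more space needed"
# message; raise it to the size of the kernel package you are installing.
BOOT_MIN_FREE_KB=${BOOT_MIN_FREE_KB:-1024}

# free_kb_from_df MOUNT: read 'df -Pk' output on stdin and print the
# Available column (field 4) for the line whose mount point is MOUNT.
# Exits 1 if no such line is present.
free_kb_from_df() {
    mount_point=$1
    awk -v mp="$mount_point" 'NR > 1 && $6 == mp { print $4; found = 1 }
                              END { if (!found) exit 1 }'
}

# boot_has_space AVAIL_KB MIN_KB: true when AVAIL_KB >= MIN_KB.
boot_has_space() {
    [ "$1" -ge "$2" ]
}

# check_boot: run df on the live system and report the result.
check_boot() {
    avail=$(df -Pk /boot | free_kb_from_df /boot) || {
        echo "no /boot entry in df output" >&2
        return 2
    }
    if boot_has_space "$avail" "$BOOT_MIN_FREE_KB"; then
        echo "OK: /boot has ${avail} KB free (need ${BOOT_MIN_FREE_KB} KB)"
    else
        echo "WARN: /boot has only ${avail} KB free; need ${BOOT_MIN_FREE_KB} KB" >&2
        return 1
    fi
}

# Constructed sample 'df -Pk' output for offline demonstration
# (not taken from a real appliance).
SAMPLE_DF='Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/sda1           999320   870000     68000      93% /boot
/dev/mapper/root  51343360 20000000  31343360      39% /'

# Run the live check only when invoked with --live, so sourcing the file
# for its functions has no side effects.
if [ "${1:-}" = "--live" ]; then
    check_boot
fi
```

Run it as `sh boot-check.sh --live` on the console before starting a patch; a non-zero exit means the /boot partition should be cleaned up (old kernels removed) before the RPM install step.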
    APPLICATION FRAMEWORK IJ23719 SI-QRADARCA CAN RETURN SUCCESSFUL STATUS EVEN WHEN A CERT IS FAILING WITH CERTIFICATE SIGNING FAILED CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

    Issue
    Running si-qradarca (for example, # /opt/qradar/ca/bin/si-qradarca) can return:
    "Successfully setup server certificate for service"

    Which conflicts with errors displayed in /var/log/localca.log:
    time="2020-01-23T15:25:16Z" level=error msg="Validating CSR
    /etc/docker/tls/si-docker.csr failed for host X.X.X.X with
    error Certificate signing failed for
    /opt/qradar/ca/certs/from-X.X.X.X/si-docker.csr as no hostname
    is found in deployment for ip address X.X.X.X"
    26 November 2020
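    Because IJ23719 describes si-qradarca reporting success while /var/log/localca.log records a signing failure, the tool's own exit message is not enough to confirm that a certificate was issued. The following added example (not IBM's code and not from the APAR page) counts "Certificate signing failed" error lines written since a given timestamp, using the key=value line format quoted above, and wraps the tool so that such entries turn the run into a failure. The tool path is taken from the entry above with the leading slash assumed; LOCALCA_LOG is an assumed override, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: check /var/log/localca.log for certificate signing
# failures after running si-qradarca (IJ23719). Assumes the log line
# format quoted in the APAR entry:
#   time="2020-01-23T15:25:16Z" level=error msg="..."

# signing_failures SINCE: read localca.log lines on stdin and print how
# many level=error lines at or after SINCE mention "Certificate signing
# failed". Timestamps are RFC 3339 in UTC with a trailing Z, so plain
# string comparison orders them correctly.
signing_failures() {
    since=$1
    awk -v since="$since" '
        /level=error/ && /Certificate signing failed/ {
            # extract the value of time="..."
            if (match($0, /time="[^"]*"/)) {
                ts = substr($0, RSTART + 6, RLENGTH - 7)
                if (ts >= since) n++
            }
        }
        END { print n + 0 }'
}

# verify_ca_run ARGS...: run the real tool on a QRadar console, then fail
# if the CA log recorded a signing failure during the run, regardless of
# the "Successfully setup server certificate" message.
verify_ca_run() {
    log=${LOCALCA_LOG:-/var/log/localca.log}   # assumed override
    started=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    /opt/qradar/ca/bin/si-qradarca "$@"
    tool_rc=$?
    failures=$(signing_failures "$started" < "$log")
    if [ "$failures" -gt 0 ]; then
        echo "si-qradarca exited $tool_rc but $log shows $failures signing failure(s) since $started" >&2
        return 1
    fi
    return "$tool_rc"
}

# Constructed sample localca.log content (addresses are placeholders).
SAMPLE_LOCALCA_LOG='time="2020-01-23T15:20:00Z" level=info msg="Signing CSR for host 10.0.0.5"
time="2020-01-23T15:25:16Z" level=error msg="Validating CSR /etc/docker/tls/si-docker.csr failed for host 10.0.0.9 with error Certificate signing failed for /opt/qradar/ca/certs/from-10.0.0.9/si-docker.csr as no hostname is found in deployment for ip address 10.0.0.9"
time="2020-01-23T15:30:00Z" level=error msg="Certificate signing failed for /opt/qradar/ca/certs/from-10.0.0.7/si-docker.csr as no hostname is found in deployment for ip address 10.0.0.7"'
```

On a console, `verify_ca_run` replaces a bare si-qradarca call; the "no hostname is found in deployment" text in the error points at the host entry that needs to be corrected before re-running.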
    VULNERABILITY SCANNER IJ23838 CREATING A TENABLE SECURITY CENTER SCAN CAN SOMETIMES FAIL WITH 'FAILED TO LOGIN TO TENABLE SECURITY SCANNER' IN QRADAR LOGGING CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    No workaround available. Administrators must upgrade to resolve this software issue.

    Issue
    Creating a Tenable Security Center scan using correct credentials can sometimes fail. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [vis] [Scanner Manager]
    com.q1labs.vis.scanners.tenable.securitycenter.SecurityCenterRES
    TClient: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/-
    -]IOException caught while executing API call; Error message
    [java.security.NoSuchAlgorithmException: Error constructing
    implementation (algorithm: Default, provider: IBMJSSE2, class:
    com.ibm.jsse2.aj)]
    [vis] [Scanner Manager] com.q1labs.vis.ScannerManager: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]Could not initialize
    scanner 'TenableSecurityCenter - Regression': Failed to
    initialize Tenable Security Center module; Error message
    [Failed to login to Tenable Security Center;]
    [vis] [Scanner Manager]
    com.q1labs.vis.exceptions.ScannerInitException: Failed to
    initialize Tenable Security Center module; Error message
    [Failed to login to Tenable Security Center;]
    [vis] [Scanner Manager]    at
    com.q1labs.vis.scanners.tenable.securitycenter.SecurityCenterMod
    ule.init(SecurityCenterModule.java:104)
    [vis] [Scanner Manager]    at
    com.q1labs.vis.scanners.base.ScannerModule.init(ScannerModule.ja
    va:310)
    [vis] [Scanner Manager]    at
    com.q1labs.vis.ScannerManager.initializeScanner(ScannerManager.j
    ava:482)
    [vis] [Scanner Manager]    at
    com.q1labs.vis.ScannerManager.submitFailedStatusIfInitError(Scan
    nerManager.java:298)
    [vis] [Scanner Manager]    at
    com.q1labs.vis.ScannerManager.processScanRequest(ScannerManager.
    java:243)
    [vis] [Scanner Manager]    at
    com.q1labs.vis.ScannerManager.processScanRequest(ScannerManager.
    java:208)
    [vis] [Scanner Manager]    at
    com.q1labs.vis.messages.VisRequestMessageEnum$1.process(VisReque
    stMessageEnum.java:42)
    [vis] [Scanner Manager]    at
    com.q1labs.vis.ScannerManager.run(ScannerManager.java:155)
    [vis] [Scanner Manager]    at
    java.lang.Thread.run(Thread.java:818)
    [vis] [Scanner Manager] Caused by:
    [vis] [Scanner Manager]
    com.q1labs.vis.exceptions.ScannerInitException: Failed to login
    to Tenable Security Center;
    [vis] [Scanner Manager]    at
    com.q1labs.vis.scanners.tenable.securitycenter.SecurityCenterMod
    ule.init(SecurityCenterModule.java:99)
    [vis] [Scanner Manager]    ... 8 more
    [vis] [Scanner Manager] com.q1labs.vis.ScannerManager: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]Unable to initialize
    scanner module 61 for scan request 11.
    [vis] [Scanner Manager]
    com.q1labs.vis.exceptions.ScannerInitException: Could not
    initialize scanner 'TenableSecurityCenter - Regression': Failed
    to initialize Tenable Security Center module; Error message
    [Failed to login to Tenable Security Center;]
    [vis] [Scanner Manager]    at
    com.q1labs.vis.ScannerManager.initializeScanner(ScannerManager.j
    ava:491)
    [vis] [Scanner Manager]    at
    com.q1labs.vis.ScannerManager.submitFailedStatusIfInitError(Scan
    nerManager.java:298)
    [vis] [Scanner Manager]    at
    com.q1labs.vis.ScannerManager.processScanRequest(ScannerManager.
    java:243)
    [vis] [Scanner Manager]    at
    com.q1labs.vis.ScannerManager.processScanRequest(ScannerManager.
    java:208)
    [vis] [Scanner Manager]    at
    com.q1labs.vis.messages.VisRequestMessageEnum$1.process(VisReque
    stMessageEnum.java:42)
    [vis] [Scanner Manager]    at
    com.q1labs.vis.ScannerManager.run(ScannerManager.java:155)
    [vis] [Scanner Manager]    at
    java.lang.Thread.run(Thread.java:818)
    [vis] [Scanner Manager] Caused by:
    [vis] [Scanner Manager]
    com.q1labs.vis.exceptions.ScannerInitException: Failed to
    initialize Tenable Security Center module; Error message
    [Failed to login to Tenable Security Center;]
    [vis] [Scanner Manager]    at
    com.q1labs.vis.scanners.tenable.securitycenter.SecurityCenterMod
    ule.init(SecurityCenterModule.java:104)
    [vis] [Scanner Manager]    at
    com.q1labs.vis.scanners.base.ScannerModule.init(ScannerModule.ja
    va:310)
    [vis] [Scanner Manager]    at
    com.q1labs.vis.ScannerManager.initializeScanner(ScannerManager.j
    ava:482)
    [vis] [Scanner Manager]    ... 6 more
    [vis] [Scanner Manager] Caused by:
    [vis] [Scanner Manager]
    com.q1labs.vis.exceptions.ScannerInitException: Failed to login
    to Tenable Security Center;
    [vis] [Scanner Manager]    at
    com.q1labs.vis.scanners.tenable.securitycenter.SecurityCenterMod
    ule.init(SecurityCenterModule.java:99)
    [vis] [Scanner Manager]    ... 8 more
    26 November 2020
    HIGH AVAILABILITY (HA) IJ21012 A HIGH AVAILABILITY FAILOVER CAN OCCUR AS MANAGED HOSTS REMOVED FROM DEPLOYMENT ARE NOT UPDATED IN THE PING TEST LIST CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    No workaround available. Administrators must upgrade to resolve this software issue.

    Issue
    It has been identified that in some instances a High Availability (HA) failover can occur because Managed Hosts that were removed from the QRadar Deployment were not removed from the ping test list.
    26 November 2020
    PERFORMANCE IJ23649 SYSTEMSTABMON CAN RESULT IN LARGE NUMBERS OF STUCK 'DF' COMMANDS WHEN A HUNG NFS MOUNT OCCURS CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that in some instances a High Availability (HA) failover can occur because Managed Hosts that were removed from the QRadar Deployment were not removed from the ping test list.
    26 November 2020
    APP HOST IJ21302 APPS CAN FAIL TO LOAD IN QRADAR DUE TO FAILED CERTIFICATE REPLICATION TO APP HOST CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that the QRadar update-remote-certs.sh script fails to list the proper IP of the App Host when the QRadar Console is in a NATed environment and the App Host is not. When this issue is occurring, certificate generation fails to push out because the managed host IP lookup returns an empty result.
    26 November 2020
    DEPLOY CHANGES IJ21234 RHEL KERNEL CRASH CAN OCCUR WHEN IPTABLES RESTARTS DURING QRADAR DEPLOY FUNCTIONS WHERE NAT'D CONNECTIONS EXIST CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that iptables restarts during QRadar Deploy functions and can cause a RHEL kernel crash on systems that have NAT'd connections configured.
    26 November 2020
    CERTIFICATES IJ21198 DER ENCODED CERTIFICATE IS ACCEPTED BY QRADAR BUT THEN DOES NOT WORK AS EXPECTED CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Convert the DER encoded certificate to PEM type and retry to install the cert using /opt/qradar/bin/install-ssl-cert.sh.

    Issue
    It has been identified that QRadar install-ssl-cert.sh allows DER encoded certificate files to be copied to QRadar, but QRadar does not work as expected with this format of certificate files.
    26 November 2020
    APPLICATION FRAMEWORK IJ21178 QRADAR APPS CAN FAIL TO LOAD WITH 'ERROR INITIALIZING CORE: FAILED TO LOCK MEMORY: CANNOT ALLOCATE MEMORY' ERROR CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    No workaround available. Administrators can upgrade to the released software version that resolves this issue.

    Issue
    It has been identified that in some instances QRadar Apps can fail to load. Messages similar to the following might be visible when this issue is occurring after attempting to restart vault:
    # systemctl restart vault-qrd
    {hostname} ensure-vault-ready-for-unseal.sh[23036]: Ensuring vault
    is ready to be unsealed...
    {hostname} si-vault[23035]: Error initializing core: Failed to lock
    memory: cannot allocate memory
    {hostname} si-vault[23035]: This usually means that the mlock
    syscall is not available.
    {hostname} si-vault[23035]: Vault uses mlock to prevent memory from
    being swapped to
    {hostname} si-vault[23035]: disk. This requires root privileges as
    well as a machine
    {hostname} si-vault[23035]: that supports mlock. Please enable
    mlock on your system or
    {hostname} systemd[1]: vault-qrd.service: main process exited,
    code=exited, status=1/FAILURE
    {hostname} ensure-vault-ready-for-unseal.sh[23036]: % Total    %
    Received % Xferd  Average Speed   Time    Time     Time  Current
    {hostname} ensure-vault-ready-for-unseal.sh[23036]: Dload  Upload
    Total   Spent    Left  Speed
    {hostname} ensure-vault-ready-for-unseal.sh[23036]: 0     0    0
     0    0     0      0      0 --:--:-- --:--:-- --:--:--
    0curl: (7) Failed to connect to {IP_ADDRESS}: Invalid argument
    26 November 2020
    QRADAR NETWORK INSIGHTS IJ20593 QNI LOG MESSAGES CAN DISPLAY INCORRECT STATISTICS WHEN LOW (BASIC) INSPECTION LEVEL IS SELECTED CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    No workaround available. Administrators can upgrade to the released software version that resolves this issue.

    Issue
    It has been identified that QRadar Network Inspection (QNI) can generate system log messages with incorrect statistics when Low (Basic) inspection level is selected.
    26 November 2020
    DISK SPACE IJ17854 /TMP CAN FILL UP WITH NUMEROUS /TMP/TMP.XXXXXXXXXX DIRECTORIES CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    No workaround available. Administrators can upgrade to the released software version that resolves this issue.

    Issue
    It has been identified that the /tmp partition can sometimes fill up with /tmp/tmp.xxxxxxxx directories due to a missing cleanup configuration within QRadar.
    26 November 2020
    OFFENSES IJ19855 OFFENSE WITH A LONG DESCRIPTION SPLITS AUDIT LOG INTO MULTIPLE ROWS CAUSING UNKNOWN SIM GENERIC EVENTS CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    No workaround available. Administrators can upgrade to the released software version that resolves this issue.

    Issue
    It has been identified that Offenses with a long offense description can split one audit log message into multiple rows causing Unknown SIM Generic events within QRadar.
    26 November 2020
    SERVICES IJ12278 CONSOLE APPLIANCE CAN EXPERIENCE A KERNEL PANIC CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support to diagnose any Console crash/failure to clearly identify the cause of the issue.

    Support can implement a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that a QRadar Console can experience a kernel panic and crash due to values in:
    /usr/lib/systemd/system/iptables.service
    26 November 2020
    LICENSE IJ06169 FlOW PROCESSOR (1729) APPLIANCES ARE ASSIGNED AN INCORRECT AND EXPIRING LICENSE BY DEFAULT AFTER BEING ADDED INTO A QRADAR DEPLOYMENT CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Email q1pd@us.ibm.com to receive a Flow Processor license update and apply a corrected license to the appropriate 1729 appliance in the System and License Management interface from the Admin tab.

    Issue
    It has been identified that a 1729 appliance added into a QRadar deployment receives an incorrect license. By default, the license expires in 33 days for the appliance, unless replaced.
    26 November 2020
    HIGH AVAILABILITY (HA) IJ04244 RE-ADDING A PREVIOUSLY REMOVED HIGH AVAILABILITY 15XX SECONDARY INTO AN HA PAIR CAN FAIL DURING THE GLUSTERFS CONFIGURATION CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that removing a High Availability (HA) Event Collector (15xx) Secondary appliance and then attempting to re-add it back into an HA pair can sometimes result in the glusterFS failing to be correctly configured. When this issue occurs, the HA join process fails.

    Messages similar to the following might be visible in the qradar_hasync.log file when this issue occurs:
    [INFO] [ha_sync_replication.py] Failed to run command 'start':
    fuse directory "/store/persistent_queueha" is populated, but
    "/store/persistent_queue" is not empty. Please manually migrate
    data from "/store/persistent_queue to
    "/store/persistent_queueha"
    26 November 2020
    MANAGED HOSTS IJ03437 QRADAR COMPONENTS CAN SOMETIMES BE REMOVED WHEN ADDING A NEW MANAGED HOST TO A QRADAR DEPLOYMENT CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that, during the process of adding a new Managed Host to a QRadar deployment, QRadar components can sometimes be removed from the deployment.

    For example, Managed Hosts that are in the ADDING or ADD_FAILED_RETRY_CONNECTION state in the managedhost and serverhost tables can cause the qvmprocessor components to be removed during the rewrite of the deployment.xml file after the Admin tab, Actions drop-down, Deploy Full Configuration is performed.
    26 November 2020
    MANAGED HOSTS IJ02463 UNABLE TO ADD A MANAGED HOST TO A DEPLOYMENT IF THE APPLIANCE SERIAL NUMBER ALREADY EXISTS IN THE DEPLOYMENT CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that a Managed Host cannot be added into a QRadar Deployment if the appliance serial number already exists in the Deployment. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
    [tomcat.tomcat] [Thread-296]
    com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]unable to add
    managed host: The serial number is already found in the
    deployment.
    [tomcat.tomcat] [Thread-296]
    com.q1labs.restapi_annotations.content.exceptions.endpointExcept
    ions.ServerProcessingException: The serial number is already
    found in the deployment.
    [tomcat.tomcat] [Thread-296]    at
    com.ibm.si.configservices.api.impl.DeploymentAPIImpl.addManagedH
    ost(DeploymentAPIImpl.java:849)
    [tomcat.tomcat] [Thread-296]    at
    com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI$AddH
    ostThread.run(DeploymentAPI.java:979)
    [tomcat.tomcat] [Thread-296]    at
    java.lang.Thread.run(Thread.java:785)
    [tomcat.tomcat] [Thread-296] Caused by:
    [tomcat.tomcat] [Thread-296]
    com.q1labs.configservices.common.ConfigServicesException: The
    serial number is already found in the deployment.
    [tomcat.tomcat] [Thread-296]    at
    com.q1labs.configservices.capabilities.CapabilitiesHandler.addMa
    nagedHost(CapabilitiesHandler.java:1858)
    [tomcat.tomcat] [Thread-296]    at
    com.ibm.si.configservices.api.impl.DeploymentAPIImpl.addManagedH
    ost(DeploymentAPIImpl.java:818
    26 November 2020
    UPGRADE IV90332 APPLYING A PATCH REVISION TO A QRADAR MANAGED HOST IN A DEPLOYMENT PRIOR TO THE CONSOLE IS ALLOWED TO OCCUR CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade, or experience this problem, contact support for a possible workaround that might address this issue in some instances.

    Issue
    QRadar's documented patching process states that the Console must be patched successfully before any attached Managed Host is patched.

    The patch framework currently allows the install of a QRadar patch revision onto a QRadar Managed Host prior to the Console being patched.

    When this situation occurs, the Managed Host can experience various states of instability, including required processes not starting.
    26 November 2020
    USER ROLES IJ23839 'USER ROLE' PAGE ON THE QRADAR USER INTERFACE CAN BEHAVE DIFFERENTLY DEPENDING ON USER ROLE SELECTED CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade or experience this issue, contact support for a possible workaround that might address this issue in some instances.

    Issue
    The QRadar User Roles Admin page can behave differently depending on the first role that is selected when opening the page.

    For example:
    1. Create a user role called AAadmin with Delegated Administration.
    2. Save your changes.
    3. Close the user role interface and reopen it.
    4. Create a second user role called reporttest.
    5. Assign reporttest the Privilege - Distribute Reports via Email
      Note: Maintain Templates and Reports will be selected automatically.
    6. Save and close the screen.
    7. Update user role AAadmin to have Admin - System Administrator privilege.
    8. Save and close the screen.
    9. Navigate back into user roles screen again.
    10. Choose user reporttest.
    11. De-select Reports and all reporting options will be removed.
    12. When Distribute Reports via Email is selected, Maintain Templates and Reports is not.
    26 November 2020
    DATA SYNCHRONIZATION APP IJ29345 SCRIPT REQUIRED FOR A QRADAR DATA SYNCHRONIZATION APP NOTIFICATION MIGHT BE MISSING IN SOME QRADAR PATCH VERSIONS CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    No workaround available.

    APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums.

    Issue
    It has been identified that an updated script (generate_environment.sh) for the QRadar Data Synchronization App can be missing from some QRadar patch versions.

    The updated generate_environment.sh script alerts if the data sync is on the Destination Site and warns if the process is not started.
    26 November 2020
    REFERENCE DATA IJ28797 REFERENCE DATA API DATA 'ADDS OR UPDATES' INTO REFERENCE SETS CAN BE SLOW OR TIMEOUT OPEN Resolved in
    This issue was resolved with the release of QRadar 7.4.2 (7.4.2.20201113144954), but reopened on 04 March 2021.

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade or experience this issue, contact support for a possible workaround that might address this issue in some instances.

    Issue
    The reference data API can be slow or time out when adding or updating data within QRadar reference sets. This behavior can be observed when using QRadar Apps that use the API for this functionality. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [x.x.x.x (3730)
    /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
       at
    org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(Nio
    Endpoint.java:1623)
    [tomcat.tomcat] [x.x.x.x (3730)
    /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
       at
    org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcess
    orBase.java:49)
    [tomcat.tomcat] [x.x.x.x (3730)
    /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
       at
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExec
    utor.java:1160)
    [tomcat.tomcat] [x.x.x.x (3730)
    /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
       at
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExe
    cutor.java:635)
    [tomcat.tomcat] [x.x.x.x (3730)
    /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
       at
    org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(T
    askThread.java:61)
    [tomcat.tomcat] [x.x.x.x (3730)
    /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
       at java.lang.Thread.run(Thread.java:818)
    [tomcat.tomcat] [x.x.x.x (3730)
    /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
    Caused by:
    [tomcat.tomcat] [x.x.x.x (3730)
    /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
    com.q1labs.restapi_annotations.content.exceptions.endpointExcept
    ions.ServerProcessingException: Adding/updating data to Set
    {REFSET NAME} failed
    [tomcat.tomcat] [x.x.x.x (3730)
    /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
       at
    com.q1labs.core.api.v3_0.referencedata.ReferenceDataAPI_Sets.add
    DataToSet(ReferenceDataAPI_Sets.java:550)
    [tomcat.tomcat] [x.x.x.x (3730)
    /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
       at sun.reflect.GeneratedMethodAccessor1143.invoke(Unknown
    Source)
    [tomcat.tomcat] [x.x.x.x (3730)
    /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
       at
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
    AccessorImpl.java:55)
    [tomcat.tomcat] [x.x.x.x (3730)
    /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
       at java.lang.reflect.Method.invoke(Method.java:508)
    [tomcat.tomcat] [x.x.x.x (3730)
    /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
       at
    com.q1labs.restapi.servlet.utilities.APIRequestHandler.invokeMet
    hod(APIRequestHandler.java:1038)
    [tomcat.tomcat] [x.x.x.x (3730)
    /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
       at
    com.q1labs.restapi.servlet.utilities.APIRequestHandler.redirectR
    equest(APIRequestHandler.java:406)
    [tomcat.tomcat] [x.x.x.x (3730)
    /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
       ...
    61 more
    [tomcat.tomcat] [x.x.x.x (3730)
    /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
    Caused by:
    [tomcat.tomcat] [x.x.x.x (3730)
    /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
    org.apache.catalina.connector.ClientAbortException:
    java.io.EOFException
    [tomcat.tomcat] [x.x.x.x (3730)
    /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
       at
    org.apache.catalina.connector.InputBuffer.realReadBytes(InputBuf
    fer.java:348)
    [tomcat.tomcat] [x.x.x.x (3730)
    /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
       at
    org.apache.catalina.connector.InputBuffer.checkByteBufferEof(Inp
    utBuffer.java:663)
    [tomcat.tomcat] [x.x.x.x (3730)
    /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
       at
    org.apache.catalina.connector.InputBuffer.read(InputBuffer.java:
    370)
    [tomcat.tomcat] [x.x.x.x (3730)
    /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
       at
    org.apache.catalina.connector.CoyoteInputStream.read(CoyoteInput
    Stream.java:183)
    [tomcat.tomcat] [x.x.x.x (3730)
    /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
    26 November 2020
    PROTOCOLS IJ26183 ECS-EC-INGRESS PROCESS CAN SOMETIMES GO OUT OF MEMORY WHEN LOG SOURCES ARE USING THE WINDOWS IIS PROTOCOL OPEN Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    In some instances, the ecs-ec-ingress process (required for event collection) can experience out-of-memory occurrences caused by Log Sources using the Windows IIS Protocol when an incorrect .jar file is referenced for use. Messages similar to the following, referencing a Log Source connecting to an SMB host, might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ec-ingress.ecs-ec-ingress] [Folder Monitor
    [x.x.x.x][smb://x.x.x.x/LogFiles/]]
    com.q1labs.semsources.sources.smbtail.io.SmbFileWithRetries:
    [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/-
    -][smb://x.x.x.x/LogFiles/W3SVC13] exists(): Failed: Access
    error for file W3SVC13 status = -1073741790 (0xc0000022)
    (0xC0000022)
    15 July 2020
    PROTOCOLS IJ26863 THE USE OF MSRPC AND IIS SIMULTANEOUSLY MIGHT CAUSE POTENTIAL DEADLOCK THREADS CLOSED Resolved in
    PROTOCOL-WindowsEventRPC-7.3-20201028123850.noarch.rpm
    PROTOCOL-WindowsEventRPC-7.4-20201028123859.noarch.rpm

    Workaround
    A weekly auto update is pending for users with the resolved RPM files. If you need assistance to apply a workaround, contact QRadar Support for a possible workaround that might address this issue.

    Issue
    It has been observed that MSRPC and IIS Log Sources cannot be used simultaneously due to a potential thread deadlock.

    Administrators might be required to disable a protocol until a Microsoft Windows Security Event Log over MSRPC protocol update can be delivered. This might be the result of a jar file.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    "RPCEventLogHandler thread" Id=3378 in BLOCKED on lock=com.example.common.NamedRepository@abc
     owned by RPCEventLogHandler thread Id=7388
     at com.example.client.Server.dispose(Server.java:350)
     at com.example.client.Server.disconnect(Server.java:750)
     at com.example.client.Server.disconnect(Server.java:702)
     at com.example.client.Mount.doMount(Mount.java:521)
     at com.example.client.Mount.doMount(Mount.java:483)
     at com.example.client.Mount.doMount(Mount.java:479)
     at com.example.client.Mount.<init>(Mount.java:280)
     at com.example.client.rpc.SmbTransport.<init>(SmbTransport.java:29)
     at com.example.client.rpc.Dcerpc.connect(Dcerpc.java:818)
     at com.example.client.rpc.Dcerpc.<init>(Dcerpc.java:445)
     at com.example.client.rpc.Winreg.<init>(Winreg.java:130)
     at com.q1labs.semsources.sources.windowseventrpc.eventsource.common.EventLogWinRegistry.connectRemoteRegistry(EventLogWinRegistry.java:58)
     at com.q1labs.semsources.sources.windowseventrpc.eventsource.RPCSession.queryRemoteHostInfo(RPCSession.java:80)
     at com.q1labs.semsources.sources.windowseventrpc.eventsource.RPCSession.<init>(RPCSession.java:53)
     at com.q1labs.semsources.sources.windowseventrpc.eventsource.RPCEventLogHandler.connect(RPCEventLogHandler.java:129)
     at com.q1labs.semsources.sources.windowseventrpc.eventsource.RPCEventLogHandler.run(RPCEventLogHandler.java:372)
     at java.lang.Thread.run(Thread.java:818)
    "RPCEventLogHandler thread" Id=7388 in TIMED_WAITING on lock=java.util.concurrent.locks.ReentrantLock$NonfairSync@bxyz (running in native)
     owned by RPCEventLogHandler thread Id=3378
     at sun.misc.Unsafe.park(Native Method)
     at java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java)
     at java.util.concurrent.locks.AbstractQueuedSynchronizer.doAcquireNanos(AbstractQueuedSynchronizer.java)
     at java.util.concurrent.locks.AbstractQueuedSynchronizer.tryAcquireNanos(AbstractQueuedSynchronizer.java:1258)
     at java.util.concurrent.locks.ReentrantLock.tryLock(ReentrantLock.java:453)
     at com.example.client.Server.tryLock(Server.java:1528)
     at com.example.client.Server.waitTryLock(Server.java:1542)
     at com.example.client.Server.disconnect(Server.java:739)
     at com.example.client.Server.disconnect(Server.java:714)
     at com.example.client.Server.checkTimeouts(Server.java:665)
     at com.example.client.Server.findOrCreate(Server.java:965)
     - locked com.example.common.NamedRepository@a2d539c5
     at com.example.client.Mount.doMount(Mount.java:498)
     at com.example.client.Mount.doMount(Mount.java:483)
     at com.example.client.Mount.doMount(Mount.java:479)
     at com.example.client.Mount.<init>(Mount.java:280)
     at com.example.client.rpc.SmbTransport.<init>(SmbTransport.java:29)
     at com.example.client.rpc.Dcerpc.connect(Dcerpc.java:818)
     at com.example.client.rpc.Dcerpc.<init>(Dcerpc.java:445)
     at com.example.client.rpc.Lsar.<init>(Lsar.java:118)
     at com.q1labs.semsources.sources.windowseventrpc.util.SIDCache.<init>(SIDCache.java:40)
     at com.q1labs.semsources.sources.windowseventrpc.eventsource.RPCEventLogHandler.connect(RPCEventLogHandler.java:127)
     at com.q1labs.semsources.sources.windowseventrpc.eventsource.RPCEventLogHandler.run(RPCEventLogHandler.java:372)
     at java.lang.Thread.run(Thread.java:818)
    13 August 2020
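The two thread headers in the IJ26863 dump above form a wait-for cycle: Id=3378 is BLOCKED on the NamedRepository lock owned by Id=7388, while Id=7388 waits on a ReentrantLock owned by Id=3378. The following added example (not QRadar code; the dump is a constructed, shortened copy modelled on that excerpt, with invented lock addresses) parses that dump format, builds the wait-for graph and reports the cycle, which is the check to run on a thread dump before concluding that a stalled MSRPC/IIS collector is this APAR rather than a slow remote host.

```python
import re
from collections import namedtuple

# Constructed, shortened thread dump modelled on the qradar.log excerpt for
# IJ26863 (frames trimmed, lock addresses invented). Not real QRadar output.
# A third, RUNNABLE thread is included to show that it is not flagged.
SAMPLE_DUMP = '''\
"RPCEventLogHandler thread" Id=3378 in BLOCKED on lock=com.example.common.NamedRepository@abc
 owned by RPCEventLogHandler thread Id=7388
 at com.example.client.Server.dispose(Server.java:350)
 at com.example.client.Server.disconnect(Server.java:750)
 at com.example.client.Mount.doMount(Mount.java:521)
 at com.example.client.rpc.Winreg.<init>(Winreg.java:130)
 at com.q1labs.semsources.sources.windowseventrpc.eventsource.RPCEventLogHandler.run(RPCEventLogHandler.java:372)
 at java.lang.Thread.run(Thread.java:818)
"RPCEventLogHandler thread" Id=7388 in TIMED_WAITING on lock=java.util.concurrent.locks.ReentrantLock$NonfairSync@bxyz (running in native)
 owned by RPCEventLogHandler thread Id=3378
 at sun.misc.Unsafe.park(Native Method)
 at java.util.concurrent.locks.ReentrantLock.tryLock(ReentrantLock.java:453)
 at com.example.client.Server.waitTryLock(Server.java:1542)
 at com.example.client.Server.findOrCreate(Server.java:965)
 - locked com.example.common.NamedRepository@a2d539c5
 at com.q1labs.semsources.sources.windowseventrpc.util.SIDCache.<init>(SIDCache.java:40)
 at com.q1labs.semsources.sources.windowseventrpc.eventsource.RPCEventLogHandler.run(RPCEventLogHandler.java:372)
 at java.lang.Thread.run(Thread.java:818)
"RPCEventLogHandler thread" Id=9001 in RUNNABLE
 at com.q1labs.semsources.sources.windowseventrpc.eventsource.RPCEventLogHandler.run(RPCEventLogHandler.java:372)
 at java.lang.Thread.run(Thread.java:818)
'''

# Header: "<name>" Id=<n> in <STATE> [on lock=<lock>] [(running in native)]
THREAD_HEADER = re.compile(
    r'^"(?P<name>[^"]+)" Id=(?P<tid>\d+) in (?P<state>[A-Z_]+)'
    r'(?: on lock=(?P<lock>\S+))?'
)
OWNER_LINE = re.compile(r'^\s*owned by .*\bId=(?P<owner>\d+)')
LOCKED_LINE = re.compile(r'^\s*- locked (?P<lock>\S+)')

ThreadInfo = namedtuple('ThreadInfo', 'tid name state lock owner held frames')


def parse_dump(text):
    """Parse the dump into {tid: ThreadInfo}. owner is the Id on the
    ' owned by ... Id=N' line (None when the thread is not waiting), held
    lists locks from '- locked' lines, frames lists the 'at ...' entries."""
    threads = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = THREAD_HEADER.match(line)
        if m:
            current = ThreadInfo(int(m['tid']), m['name'], m['state'],
                                 m['lock'], None, [], [])
            threads[current.tid] = current
            continue
        if current is None:
            continue  # text before the first thread header
        m = OWNER_LINE.match(line)
        if m:
            current = current._replace(owner=int(m['owner']))
            threads[current.tid] = current
            continue
        m = LOCKED_LINE.match(line)
        if m:
            current.held.append(m['lock'])
            continue
        if line.strip().startswith('at '):
            current.frames.append(line.strip()[3:])
    return threads


def find_deadlocks(threads):
    """Follow 'waits for owner' edges from every thread and return each
    distinct cycle once, as a tuple of thread Ids in walk order."""
    cycles, seen = [], set()
    for start in sorted(threads):
        path, cur = [], start
        while cur is not None and cur in threads and cur not in path:
            path.append(cur)
            cur = threads[cur].owner
        if cur is not None and cur in path:
            cycle = tuple(path[path.index(cur):])
            if frozenset(cycle) not in seen:
                seen.add(frozenset(cycle))
                cycles.append(cycle)
    return cycles


def describe_cycle(threads, cycle):
    """One line per thread in the cycle: what it waits on, who owns that,
    and which locks it holds itself (the ones the other side needs)."""
    return [
        f"Id={tid} {threads[tid].state} waits on {threads[tid].lock} "
        f"owned by Id={threads[tid].owner}; holds {threads[tid].held or ['nothing']}"
        for tid in cycle
    ]


if __name__ == '__main__':
    parsed = parse_dump(SAMPLE_DUMP)
    for found in find_deadlocks(parsed):
        print('deadlock between threads', found)
        for detail in describe_cycle(parsed, found):
            print('  ', detail)
```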
    UPGRADE IJ29294 PATCHING A DETACHED 1599 APPLIANCE CAN COMPLETE BUT WITH AN ERROR THAT IS BENIGN OPEN Workaround
    This error message is caused by /opt/qradar/bin/generate_cert_from_csr.sh attempting to access files that exist only when the appliance is part of a QRadar deployment rather than detached. The error is therefore benign and can be safely ignored.

    Issue
    Patching a detached 1599 appliance type to QRadar 7.4.1 FP2 can complete with an error similar to the following:
    Patch Report for xxx.xxx.xxx.xxx, appliance type: 1599
    hostname :  patch test succeeded.
    Error running 209: /media/updates/scripts/QRADAR-2072.install --mode mainpatch
    hostname :  patch successful with errors.

    Messages similar to the following might be visible in the /var/log/setup-7.4.1.xxxxxx/patches.log file when this issue occurs:
    Nov 10 14:48:29 2020: Nov 10 14:48:29 2020:[DEBUG](-i-patchmode) Running script /media/updates/scripts/QRADAR-2072.install --mode mainpatch
    Nov 10 14:48:30 2020: [QRADAR-2072] [mainpatch:Run] /opt/qradar/bin/generate_cert_from_csr.sh
    cat: /opt/qradar/conf/host.token: No such file or directory
    Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 1
            at com.ibm.si.mks.Util.main(Util.java:352)
    grep: /store/configservices/deployed/globalconfig/deployment.xml: No such file or directory
    Nov 10 14:48:30 2020: Nov 10 14:48:30 2020:[DEBUG](-i-patchmode) Error running 209: /media/updates/scripts/QRADAR-2072.install --mode mainpatch; Got error code of 1.
    Nov 10 14:48:30 2020: Nov 10 14:48:30 2020:[ERROR](-i-patchmode) Error running 209: /media/updates/scripts/QRADAR-2072.install --mode mainpatch
    16 November 2020
    API / RULES IJ25486 INCORRECT SYSTEM RULE NAME CAN BE RETURNED FROM AN API QUERY AFTER THE RULE HAS BEEN RENAMED AND TOMCAT HAS BEEN RESTARTED CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    Use the QRadar user interface to perform the required search. This issue appears to only affect API searches.

    Issue
    An Ariel query run through the API that uses the rulename function returns an incorrect name for system rules whose name has been changed AND tomcat has been restarted. For example:
    1. User modifies the name of a system rule.
    2. Via the QRadar API, execute an AQL query that returns rulename(creeventlist) as a column.
    3. The data returned shows the updated rule name.

      Results
      After a restart of the tomcat service and the above steps are repeated, the data returned from the API call shows the original name of the system rule, despite the fact that this was modified to a new name.
    16 November 2020
    CONTENT MANAGEMENT TOOL (CMT) IJ27031 CONTENT MANAGEMENT TOOL IMPORT DEOPTIMIZES CUSTOM PROPERTIES REFERENCED IN A SEARCH FILTER TEST, REDUCING RULE PERFORMANCE CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

    Workaround
    No workaround available. Administrators can complete a software upgrade to QRadar 7.4.1 Fix Pack 2 to resolve this issue.

    Issue
    When using the Content Management Tool (CMT) to import a deoptimized property where the property already exists and is optimized, QRadar checks to see if there is anything on the system which needs it to be optimized, and if so, does not update it as it would negatively impact rule processing performance.

    This check works for some rule tests, but does not work if the custom property is referenced in a search filter test or AQL test. The CMT allows the property to be deoptimized despite there being an active rule using it.

    This can introduce performance issues for affected rules when this issue occurs.
    16 November 2020
    RULES IJ27238 OFFENSE RULE SNMP TRAP RESPONSE FOR 'TOP 5 TARGETS' ONLY DISPLAYS 1 IP ADDRESS (THE TOP TARGET) INSTEAD OF TOP 5 CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)

    Workaround
    No workaround available. Administrators can complete a software upgrade to QRadar 7.4.1 Fix Pack 2 to resolve this issue.

    16 November 2020
    INSTALLATION IJ27831 'FAILED TO MODIFY RX AND TX VALUE FOR ETH0' WHEN INSTALLING QRADAR ON A KVM THAT IS USING VIRTIO_NET DRIVER CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    1. Using the vi command, edit the /sbin/ifup-local file.
    2. Change the value of ETHTOOL_ENABLED=1 to ETHTOOL_ENABLED=0.

    Your file should match the code snippet provided in this ifup-local example:
    if [[ "${DEVICE}" =~ ^bond.* ]]; then
           ETHTOOL_ENABLED=0
    else
           ethtool -g "${DEVICE}" 2&>1 > /dev/null
           if [ "$?" -ne 1 ] ; then
                   ETHTOOL_ENABLED=0
           else
                    ETHTOOL_ENABLED=1
           fi
    fi
    
    Change to:
    if [[ "${DEVICE}" =~ ^bond.* ]]; then
           ETHTOOL_ENABLED=0
    else
           ethtool -g "${DEVICE}" 2&>1 > /dev/null
           if [ "$?" -ne 1 ] ; then
                   ETHTOOL_ENABLED=0
           else
                    ETHTOOL_ENABLED=0
           fi
    fi


    Issue
    During the Network Information setup page of a QRadar installation, a message similar to "failed to modify rx and tx value for eth0" can sometimes be observed. This occurs when QRadar is installed on a KVM with the Virtio_Net driver and the installer attempts to apply the ring buffer settings, which fails.

    Attempting to manually configure the ring buffer settings with the ifup-local command fails with a similar error message. On this type of KVM installation, the QRadar installation should not be attempting to apply ring buffer settings for network interfaces.

    To verify if the Virtio_Net driver is in use, the following can be run from a command line:
    ethtool -i eth0 | grep -i driver
    The following output indicates the virtio_net driver is installed:
    driver:virtio_net
    16 November 2020
    RULE RESPONSE IJ27086 'THIS INFORMATION SHOULD CONTRIBUTE TO THE NAME OF THE ASSOCIATED OFFENSE' RULE RESPONSE NOT WORKING AS EXPECTED CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    Where possible, change option 5 in the example to use "This information should set or replace the name of the associated offense(s)" within the Rule Response.

    Issue
    When selecting 'This information should contribute to the name of the associated offense(s)' in a Rule Response for an offense generated by a rule testing the building block 'when the event(s) have not been detected by one or more of these log sources for this many seconds', the description of the offense is not set to the event description.

    For example:
    1. Create a new rule that tests this building block: "when the event(s) have not been detected by one or more of these log sources for this many seconds".
    2. In the rule response, check the "Dispatch New Event" box.
    3. Give the event a descriptive name.
    4. In the section that appears after checking this box, check "Ensure the dispatched event is part of an offense" under "Event Details".
    5. Under "Offense Naming", check "This information should contribute to the name of the associated offense(s)".
    6. Wait for the rule to be triggered and observe that the Description field of the offense generated is not set to the name of the event that was specified, but is instead "Log source 'xxxx' has stopped emitting events".
    16 November 2020
    ASSETS IJ24031 QRADAR ASSET CLEANUP PROCESS CAN FAIL AND GENERATE A PSQLEXCEPTION WHEN ATTEMPTING TO RUN CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

    Workaround
    No workaround available. Administrators can complete a software upgrade to QRadar 7.4.1 Fix Pack 2 to resolve this issue.

    Issue
    When the QRadar Asset Cleanup attempts to run, it can sometimes fail with a PSQL Exception generated in QRadar logging. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [assetprofiler.assetprofiler] [AssetCleanupThread] com.q1labs.assetprofile.cleanup.AssetCleanupWorker: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Following message suppressed 633 times in 300000 milliseconds
    [assetprofiler.assetprofiler] [AssetCleanupThread] com.q1labs.assetprofile.cleanup.AssetCleanupWorker: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]AssetCleanupWorker.run(): Unable to cleanup asset. Skipping to next...
    [assetprofiler.assetprofiler] [AssetCleanupThread] com.q1labs.assetprofile.cleanup.AssetCleanupException: org.postgresql.util.PSQLException: This statement has been closed.
    [assetprofiler.assetprofiler] [AssetCleanupThread]    at com.q1labs.assetprofile.cleanup.AssetCleanupWorker.createCleanupUpdates(AssetCleanupWorker.java:614)
    [assetprofiler.assetprofiler] [AssetCleanupThread]    at com.q1labs.assetprofile.cleanup.AssetCleanupWorker.cleanupAssetComponents(AssetCleanupWorker.java:172)
    [assetprofiler.assetprofiler] [AssetCleanupThread]    at com.q1labs.assetprofile.cleanup.AssetCleanupWorker.cleanAsset(AssetCleanupWorker.java:405)
    [assetprofiler.assetprofiler] [AssetCleanupThread]    at com.q1labs.assetprofile.cleanup.AssetCleanupWorker.walkAssetModelAndClean(AssetCleanupWorker.java:260)
    [assetprofiler.assetprofiler] [AssetCleanupThread]    at com.q1labs.assetprofile.cleanup.AssetCleanupWorker.run(AssetCleanupWorker.java:99)
    [assetprofiler.assetprofiler] [AssetCleanupThread] Caused by:
    [assetprofiler.assetprofiler] [AssetCleanupThread] org.postgresql.util.PSQLException: This statement has been closed.
    [assetprofiler.assetprofiler] [AssetCleanupThread]    at org.postgresql.jdbc2.AbstractJdbc2Statement.checkClosed(AbstractJdbc2Statement.java:2637)
    [assetprofiler.assetprofiler] [AssetCleanupThread]    at org.postgresql.jdbc2.AbstractJdbc2Statement.getResultSet(AbstractJdbc2Statement.java:830)
    [assetprofiler.assetprofiler] [AssetCleanupThread]    at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.getResultSet(NewProxyPreparedStatement.java:1408)
    [assetprofiler.assetprofiler] [AssetCleanupThread]    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.getResultSet(DelegatingPreparedStatement.java:202)
    [assetprofiler.assetprofiler] [AssetCleanupThread]    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.getResultSet(DelegatingPreparedStatement.java:200)
    [assetprofiler.assetprofiler] [AssetCleanupThread]    at org.apache.openjpa.jdbc.sql.PostgresDictionary$PostgresPreparedStatement.executeQuery(PostgresDictionary.java:1026)
    [assetprofiler.assetprofiler] [AssetCleanupThread]    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:265)
    [assetprofiler.assetprofiler] [AssetCleanupThread]    at org.apache.openjpa.jdbc.kernel.JDBCStoreManager$CancelPreparedStatement.executeQuery(JDBCStoreManager.java:1774)
    [assetprofiler.assetprofiler] [AssetCleanupThread]    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:265)
    [assetprofiler.assetprofiler] [AssetCleanupThread]    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:255)
    [assetprofiler.assetprofiler] [AssetCleanupThread]    at com.q1labs.assetprofile.cleanup.AssetCleanupWorker.createCleanupUpdates(AssetCleanupWorker.java:568)
    [assetprofiler.assetprofiler] [AssetCleanupThread]    ... 4 more
    16 November 2020
    REPORTS IJ25351 ATTACHMENTS IN REPORT MAIL CAN BE CORRUPTED AFTER A QRADAR PATCH HAS BEEN APPLIED CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    Use a short report name. As an example, for Japanese locale, using a report name of less than 10 characters fixed the issue. This issue may also occur when using languages with UTF-8 multibyte characters.

    Issue
    Mail attachments from QRadar Reports can be corrupted after smtp jar files have been upgraded within a QRadar patch (7.3.3 Fix Pack 2 or later).

    For example: The Mail attachment is split into filename*0= and filename*1=.
    16 November 2020
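The filename*0= / filename*1= split named in IJ25351 is RFC 2231 parameter continuation: a long or multibyte attachment name is emitted as numbered segments, and a mail client that does not implement RFC 2231 shows a wrong or missing attachment name. The following added example (not QRadar code; the message is a constructed sample modelled on the APAR description and the header example elsewhere on this page) shows how an RFC 2231-aware parser reassembles such a name, including a percent-encoded multibyte one as in the Japanese-locale case, which is the check to run on a captured report mail before concluding the attachment itself is corrupted.

```python
import email
import re

# Constructed sample modelled on the APAR: a report mail whose attachment
# filenames were emitted as RFC 2231 continuations (filename*0=, filename*1=).
# The second attachment uses the percent-encoded form for a multibyte name.
# Not a real QRadar message; the base64 body is a placeholder.
RAW_REPORT_MAIL = """\
From: "QRADAR@localhost.localdomain" <QRADAR@localhost.localdomain>
To: "root@localhost" <root@localhost.test.com>
Subject: Scheduled report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="report-boundary"

--report-boundary
Content-Type: text/plain; charset=UTF-8

Your scheduled report is attached.
--report-boundary
Content-Type: application/pdf
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename*0="Weekly_Authentication_Failures_";
 filename*1="by_Log_Source_2020-11-16.pdf"

JVBERi0xLjQKJSBjb25zdHJ1Y3RlZCBzYW1wbGUK
--report-boundary
Content-Type: application/pdf
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename*0*=UTF-8''%E9%80%B1%E6%AC%A1;
 filename*1*=%E5%A0%B1%E5%91%8A.pdf

JVBERi0xLjQKJSBjb25zdHJ1Y3RlZCBzYW1wbGUK
--report-boundary--
"""


def uses_rfc2231_continuation(content_disposition):
    """True when the header splits the filename into numbered segments
    (filename*0=, filename*1=, ... or the encoded filename*0*= form)."""
    return re.search(r"filename\*\d+\*?=", content_disposition) is not None


def attachment_filenames(raw_mail):
    """Return (normalised raw Content-Disposition header, reassembled
    filename) for every attachment part. Message.get_filename() joins the
    continuation segments and decodes the charset of the encoded form."""
    msg = email.message_from_string(raw_mail)
    results = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        raw_header = " ".join(part["Content-Disposition"].split())
        results.append((raw_header, part.get_filename()))
    return results


if __name__ == "__main__":
    for header, name in attachment_filenames(RAW_REPORT_MAIL):
        print("split header :", uses_rfc2231_continuation(header))
        print("raw header   :", header)
        print("filename     :", name)
```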
    QRADAR NETWORK INSIGHTS IJ22720 QRADAR NETWORK INSIGHTS (QNI) PERFORMANCE DEGRADATION CAUSED BY YAHOO MAIL INSPECTOR COMPONENT CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    If experiencing QNI performance degradation, contact Support for assistance with a system thread dump examination to determine if this issue is the cause.

    Issue
    When using the Yahoo Mail inspector component (libymailinsp.so), QNI decapper processes can be working as expected and then begin to drop packets leading to flows stopping.

    QNI cannot process flow traffic as expected while the decapper service is in this thread bound condition.
    16 November 2020
    OFFENSE MANAGER IJ24634 QRADAR VERSIONS 7.3.2 OR LATER DO NOT INCLUDE THE "REPLY-TO:" FIELD WITHIN GENERATED NOTIFICATION EMAILS CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    No workaround available. Administrators can complete a software upgrade to QRadar 7.4.1 Fix Pack 2 to resolve this issue.

    Issue
    Notification emails no longer include the "Reply-To:" field in email headers. QRadar versions pre-7.3.2 are not affected. Example of pre-7.3.2 QRadar:
    From: "QRADAR@localhost.localdomain" <QRADAR@localhost.localdomain>
    Reply-To: "root@localhost" <root@localhost.test.com>
    To: "root@localhost" <root@localhost.test.com>
    Subject: Offense #1
    MIME-Version: 1.0
    Content-Type: text/plain; charset=UTF-8
    Content-Transfer-Encoding: 7bit
    16 November 2020
    ROUTING RULES IJ27022 LARGE AMOUNTS OF REVERSE DNS LOOKUPS CAN BE GENERATED WHEN OFFLINE ROUTING RULES ARE CONFIGURED IN QRADAR CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    No workaround available. Administrators can complete a software upgrade to QRadar 7.4.1 Fix Pack 2 or 7.3.3 Fix Pack 6 to resolve this issue.

    Issue
    When offline routing rules have been configured within QRadar (Admin -> System Configuration -> Routing Rules), large amounts of reverse DNS lookups can be generated. This can cause issues in some customer environments with their DNS server load.

    The issue described only occurs when forwarding "normalized" data, not raw payloads.
    16 November 2020
    FLOWS IJ28601 DEFAULT NETFLOW FLOW SOURCE DOES NOT WORK ON NEWLY ADDED FLOW PROC AND GENERATES 'NO FLOW SOURCE DEFINED' ERROR IN LOGGING CLOSED Resolved in
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)

    Workaround
    Performing a remove and re-add of the flow processor appliance from the QRadar Deployment corrects this issue. For more information, see steps 3 and 5 from the documentation.

    Issue
    The default netflow is not working as expected on a newly added Flow Processor. During the initial add process, the FLOWSOURCE_LIST under nva.qflow.qflow*.conf is not populated, causing qflow to not work as expected and no flows are received. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [hostcontext.hostcontext] [Thread-1803] com.q1labs.hostcontext.processmonitor.ProcessManager: [INFO] [NOT:0000006000][172.18.142.131/- -] [-/- -]Starting process qflow.qflow102
    [QRADAR] [23524] qflow: [INFO] Reading in application signatures from file: /opt/qradar/conf/signatures.xml
    [QRADAR] [23524] qflow: [INFO] Application Signatures successfully read in from file: /opt/qradar/conf/signatures.xml
    [QRADAR] [23524] qflow: [INFO] Application mapper loading /opt/qradar/conf/user_application_mapping.conf
    [QRADAR] [23524] qflow: [INFO] Flow Buffer Size = 100000
    [QRADAR] [23524] qflow: [INFO] Connecting to 172.18.142.131:32010
    [QRADAR] [23524] qflow: [INFO] Initializing qflow: 23524
    [QRADAR] [23524] qflow: [INFO] Packet Source Multi threading: disabled
    [QRADAR] [23524] qflow: [INFO] The Flow Governor flow limit is set to: 176508 based on DEPLOYMENT_FLOW_LIMIT: 1500000, HARDWARE_FLOW_LIMIT: 176508 and QF_GOVERNOR (user flow limit): 0
    [QRADAR] [23524] qflow: [INFO] Flow De-Duplication: enabled
    [QRADAR] [23524] qflow: [INFO] TLVFlowFields: parse and processing of /opt/qradar/conf/flowFieldsDataType-conf.xml completed successfully
    [QRADAR] [23524] qflow: [INFO] Initializing Flow Aggregator
    [QRADAR] [23524] qflow: [INFO] The host.token file is encrypted on disk, decrypting for use.
    [QRADAR] [23524] qflow: [INFO] Initializing Packet Aggregator
    [QRADAR] [23524] qflow: [INFO] Flow debug log level set to 0
    [QRADAR] [23524] qflow: [ERROR] No flow sources defined - sleeping until signal
    16 November 2020
    LOG SOURCES IJ29030 LOG SOURCES DELETED FROM WITHIN LOG SOURCE GROUPS CAN STILL APPEAR IN THE QRADAR USER INTERFACE OPEN Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    When a Log Source (that is assigned to a Log Source group) is deleted, that Log Source can sometimes continue to be displayed in the Log Source group. For example:
    1. Under Admin > Log Source groups, have a Log Source group (Test LSG).
    2. Create a Log Source (Test1) using the Log Source Management app and assign Test1 to Test LSG.
    3. Create a Log Source (Test2) using the QRadar legacy User Interface and assign Test2 to Test LSG.
    4. Deploy Changes.
    5. Delete the Log Sources (Test1 and Test2) from the Log Source Management app.
    6. Open Log Source groups and check "Test LSG".

      Result
      Test1 and Test2 are still displayed in the group.
    03 November 2020
    MANAGED HOST IJ29041 REMAP (COMPONENT ID) OPTION CAN FAIL TO BE DISPLAYED DURING ADD HOST FUNCTION OPEN Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    When adding a Managed Host to a QRadar Deployment, if the deployment model contains a connection where the target/source ID is invalid (a component with that ID does not exist in deployment.xml), the remap host dialog does not pop up in the User Interface.

    When this issue occurs, it prevents the remap of component IDs on the Managed Host being added. The Managed Host add function completes, but an error stating 'unable to add managed host' similar to the following is written to /var/log/qradar.error:
    [tomcat.tomcat] [Thread-140205] com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -] unable to add managed host: Unable to marshal deployment to staging while adding conection: Connection source contains an invalid component id 102
    03 November 2020
    CUSTOM EVENT PROPERTIES IJ29043 LARGE AMOUNT OF COLON " : " SYMBOLS GENERATED DURING JSON PARSING FOR WINDOWS EVENT LOG IN CUSTOM EVENT PROPERTIES OPEN Workaround
    No workaround available.

    APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums: https://ibm.biz/qradarforums

    Issue
    When attempting to use the JSON parser in Custom Event Properties to parse Windows Event Logs, a large amount of colon " : " symbols are generated and incorrect parser results are output. For example:
    1. Navigate to the Admin tab and open Custom Event Properties.
    2. Click Add in the title bar.
    3. Enter a test payload into the Test Field.
    4. In the Property Expression Definition section, select extraction using JSON key path.
    5. In the JSON keypath field, enter /"event_data".
    6. In the test field, large amounts of colon " : " symbols are generated and highlighted, and not all event_data elements are parsed.
    7. Update the JSON keypath field to /"event_data"/"CommandLine".
    8. The CommandLine output cannot be obtained.
    03 November 2020
    SECURITY PROFILES IJ29042 USERS CREATED USING LDAP USER ATTRIBUTES CAN HAVE NO ADMIN ROLE SECURITY PROFILES FOR ADMIN ROLES OPEN Workaround
    Configure the LDAP server so that users that have an Admin role get an Admin Security Profile.

    Issue
    Users created via LDAP User attributes can have Non Admin security profiles for Admin Roles.

    If accounts are configured via the User Interface, and a user has an Admin Role, they have to have Admin Security Profile. For example:
    1. Have two Admin Roles and two security profiles.
    2. Have an LDAP server and setup LDAP User Attributes making the User Role Attribute return Admin.
    3. Have the Security Profile Attribute return a Security Profile that is not Admin.
    4. Log in and have a User created with a User Role of Admin but not a Security Profile of Admin.

      Result
      When attempting to change that User in the QRadar User Interface, you can only select Admin for the security profile; likewise, if a new user is created with an Admin role they can only have Admin as the Security Profile.
    03 November 2020
    SECURITY BULLETIN CVE-2019-13232 UNZIP AS USED BY IBM QRADAR SIEM IS VULNERABLE TO DENIAL OF SERVICE CLOSED Resolved in
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Affected versions
    • IBM QRadar SIEM 7.4.0 to 7.4.1 GA
    • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 4

    Issue
    Info-ZIP UnZip is vulnerable to a denial of service, caused by mishandling the overlapping of files inside a ZIP container. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause resource consumption. CVSS Base score: 3.3
    13 October 2020
    SECURITY BULLETIN CVE-2018-1313 APACHE DERBY AS USED BY IBM QRADAR SIEM IS VULNERABLE TO IMPROPER INPUT VALIDATION CLOSED Resolved in
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Affected versions
    • IBM QRadar SIEM 7.4.0 to 7.4.1 GA
    • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 4

    Issue
    Apache Derby could allow a remote attacker to bypass security restrictions, caused by improper validation of network packets received. By sending a specially-crafted network packet, an attacker could exploit this vulnerability to boot a database whose location and contents are under the user's control. CVSS Base score: 7.5
    13 October 2020
    RULES IJ28759 RULE RESPONSE EMAILS CONTAINING CUSTOM EVENT PROPERTIES DISPLAY THOSE PROPERTIES AS "N/A" IN THE RULE RESPONSE CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 Interim Fix 1 (7.4.1.20201018191117)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround
    No workaround available. APARs identified with no workaround typically require a software update to resolve. Administrators with QRadar 7.4.1 Fix Pack 1 can install the associated interim fix as recommended by QRadar Support. The Interim Fix 1 can only install on QRadar 7.4.1 Fix Pack 1.

    Issue
    Rule responses that use email templates containing Custom Event Properties do not populate the properties correctly in the response.

    When this issue occurs, those properties display as "N/A" in the response.
    26 November 2020
    SERVICES / ADD HOST IJ25854 "SOFTWARE INSTALL" QRADAR EVENT COLLECTOR OR DATANODE CAN FAIL TO START REQUIRED SERVICES AFTER ADDED TO DEPLOYMENT OPEN Workaround
    Perform a full replication on the affected Managed Host from a command line prompt:
    1. Log in to the QRadar Console as the root user.
    2. Open an SSH session to the Event Collector or Data Node appliance.
    3. Type the following command to force a full replication:
      /opt/qradar/bin/replication.pl -full

      Results
      Wait for the replication to complete. If you experience errors when this command is run or want assistance verifying this issue, contact QRadar Support.

    Issue
    Required services on a "software install" Event Collector or DataNode fail to start after they are added to the QRadar deployment.
    27 June 2020
    OFFENSES IJ25797 NULLPOINTEREXCEPTION WRITTEN TO QRADAR LOGGING WHEN VIEWING EVENTS ASSOCIATED TO AN OFFENSE CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    No workaround available, this issue requires a software release to resolve.

    Issue
    A NullPointerException is written to QRadar logging when attempting to view Events associated with an Offense. To replicate this issue:
    1. Log in to QRadar.
    2. Click the Offenses tab.
    3. Select All Offenses.
    4. Double click on an offense to view the offense details.
    5. From the Last 10 offenses section, click the Events button.

      Results
      A NullPointerException is written to the QRadar logs.

    Messages similar to the following might then be visible in /var/log/qradar.log:
    [tomcat.tomcat] [ArielQueryManager]
    com.q1labs.ariel.ui.bean.EventSearchDelegate: [ERROR] [127.0.0.1/- -] 
    [-/- -]Error processingoffenseId parameter for offense EQ 1
    [tomcat.tomcat] [ArielQueryManager]
    java.lang.NullPointerException
    [tomcat.tomcat] [ArielQueryManager]    at
    com.q1labs.ariel.ui.bean.IUIArielSearchDelegate$OffenseProcessor
    .addOffenseSearchCriteria(IUIArielSearchDelegate.java:106)
    [tomcat.tomcat] [ArielQueryManager]    at
    com.q1labs.ariel.ui.bean.EventSearchDelegate.prepareQuery(EventS
    earchDelegate.java:265)
    [tomcat.tomcat] [ArielQueryManager]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.
    java:965)
    [tomcat.tomcat] [ArielQueryManager]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.
    java:790)
    [tomcat.tomcat] [ArielQueryManager]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.
    java:746)
    [tomcat.tomcat] [ArielQueryManager]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.
    java:740)
    [tomcat.tomcat] [ArielQueryManager]    at
    com.q1labs.ariel.ui.bean.QueryHandleSerializer.deserialize(Query
    HandleSerializer.java:191)
    [tomcat.tomcat] [ArielQueryManager]    at
    com.q1labs.ariel.ui.bean.QueryHandleSerializer.deserialize(Query
    HandleSerializer.java:34)
    [tomcat.tomcat] [ArielQueryManager]    at
    com.google.gson.internal.bind.TreeTypeAdapter.read(TreeTypeAdapter.java:69)
    [tomcat.tomcat] [ArielQueryManager]    at
    com.google.gson.Gson.fromJson(Gson.java:887)
    [tomcat.tomcat] [ArielQueryManager]    at
    com.google.gson.Gson.fromJson(Gson.java:852)
    [tomcat.tomcat] [ArielQueryManager]    at
    com.google.gson.Gson.fromJson(Gson.java:801)
    [tomcat.tomcat] [ArielQueryManager]    at
    com.q1labs.ariel.ui.bean.EventSearchDelegate.deserialize(EventSe
    archDelegate.java:433)
    [tomcat.tomcat] [ArielQueryManager]    at
    com.q1labs.core.dao.ariel.ArielQueryHandle.getQueryHandle(ArielQ
    ueryHandle.java:158)
    [tomcat.tomcat] [ArielQueryManager]    at
    com.q1labs.ariel.ui.ArielQueryManager.run(ArielQueryManager.java:594)
    27 June 2020
    SECURITY BULLETIN CVE-2020-13934
    CVE-2019-17566
    CVE-2019-4378
    CVE-2020-1945
    CVE-2020-0543
    CVE-2020-0548
    CVE-2020-0549
    CVE-2010-4710
    CVE-2020-5408
    CVE-2019-13990
    CVE-2020-13935
    CVE-2019-10241
    CVE-2019-10247
    CVE-2020-11022
    CVE-2020-11023
    CVE-2018-15494
    CVE-2020-5398
    180875
    IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES CLOSED Resolved in
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Affected versions
    • IBM QRadar SIEM 7.4.0 to 7.4.1 GA
    • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 4
    Issue
    The product includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools.
    07 October 2020
    SECURITY BULLETIN CVE-2020-4280 IBM QRADAR SIEM IS VULNERABLE TO DESERIALIZATION OF UNTRUSTED DATA CLOSED Resolved in
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Affected versions
    • IBM QRadar SIEM 7.4.0 to 7.4.1 GA
    • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 4
    Issue
    IBM QRadar could allow a remote attacker to execute arbitrary commands on the system, caused by insecure deserialization of user-supplied content by the Java deserialization function. By sending a malicious serialized Java object, an attacker could exploit this vulnerability to execute arbitrary commands on the system. CVSS Base Score: 6.3
    07 October 2020
    SECURITY BULLETIN CVE-2018-12545
    CVE-2017-9735
    CVE-2017-7658
    CVE-2017-7656
    CVE-2017-7657
    CVE-2019-10241
    CVE-2019-10247
    CVE-2018-12536
    CVE-2019-0222
    CVE-2020-1941
    CVE-2018-8006
    CVE-2018-11775
    CVE-2017-15709
    CVE-2015-7559
    CVE-2019-12423
    CVE-2019-17573
    CVE-2019-12419
    CVE-2020-1954
    CVE-2019-12406
    IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES CLOSED Resolved in
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Affected versions
    • IBM QRadar SIEM 7.4.0 to 7.4.1 GA
    • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 4
    Issue
    The product includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools.
    07 October 2020
    SECURITY BULLETIN CVE-2019-4545 IBM QRADAR SIEM IS VULNERABLE TO KDC SPOOFING CLOSED Resolved in
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Affected versions
    • IBM QRadar SIEM 7.4.0 to 7.4.1 GA
    • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 4
    Issue
    IBM QRadar SIEM, when configured to use Active Directory authentication, may be susceptible to KDC spoofing attacks. CVSS Base Score: 7.5
    07 October 2020
    SECURITY BULLETIN CVE-2018-8009
    CVE-2018-15494
    CVE-2020-9489
    CVE-2020-11023
    CVE-2020-11022
    IBM QRADAR INCIDENT FORENSICS IS VULNERABLE TO USING COMPONENT WITH KNOWN VULNERABILITIES CLOSED Resolved in
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Affected versions
    • IBM QRadar Incident Forensics 7.4.0 to 7.4.1 GA
    • IBM QRadar Incident Forensics 7.3.0 to 7.3.3 Patch 4
    Issue
    The product includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools.
    07 October 2020
    DATA OBFUSCATION IJ26220 DATA DEOBFUSCATION KEYS CAN FAIL TO WORK AS EXPECTED IN SOME QRADAR DOMAIN ENVIRONMENTS CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 4 (7.3.3.20200629201233)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Workaround
    No workaround available.

    Issue
    Data deobfuscation fails when the correct deobfuscation key is used for events that are tagged to an Event Collector domain where the Event Collector is connected to an Event Processor. The deobfuscation keys that were created can fail with a message similar to "Deobfuscation fail". The BadPaddingException in the stack trace is the same error Java raises when ciphertext is decrypted with a key other than the one that encrypted it, so the message by itself does not tell a mismatched key apart from this defect. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [admin@127.0.0.1 (2367)
    /console/do/obfuscation/obfuscationdecryption]
    com.q1labs.obfuscation.ui.action.ObfuscationDecryptionAction:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/-
    -]qradar.obfuscation.ui.obfuscationdecryption.error.CORRESPONDIN
    G_DECRYPTION_KEY_FOUND_IN_SESSION_BUT_DECRYPTION_FAIL,
    javax.crypto.BadPaddingException: decryption fail.
    javax.crypto.BadPaddingException: Given final block not
    properly padded
    17 July 2020
    SEARCH IJ25350 SAVED SEARCHES CAN GENERATE AN APPLICATION ERROR WHEN A CUSTOM EVENT PROPERTY USES A RESERVED AQL KEY NAME CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Workaround
    Delete the custom event property; disabling the property does not resolve the search errors.

    Issue
    When a custom event property is given a reserved AQL name in QRadar, such as 'searchName', the user interface can generate an Application Error when a saved search is run.

    Note: This issue can be reproduced with the following steps, but doing so is not recommended because creating the custom property as described prevents searches from running, as shown in the error logs.
    1. Log in to the Console as an administrator.
    2. Click the Admin tab.
    3. Click the Custom Event Properties icon.
    4. Click Add.
    5. In the New Property field, type searchName
    6. Click the Log Activity tab.
    7. From the Quick Search menu, select any saved search.

      Results
      Expected result: Load saved search successfully.
      Actual result: "Application Error" is displayed.
    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [admin@127.0.0.1(8847)
    /console/do/ariel/arielSearch] Caused by:
    [tomcat.tomcat] [admin@127.0.0.1(8847)
    /console/do/ariel/arielSearch] java.lang.RuntimeException:
    Error processing criteria searchName
    [tomcat.tomcat] [admin@127.0.0.1(8847)
    /console/do/ariel/arielSearch]    at
    com.q1labs.cve.utils.CriteriaBuilder.getCriteria(CriteriaBuilder
    .java:1517)
    [tomcat.tomcat] [admin@127.0.0.1(8847)
    /console/do/ariel/arielSearch]    at
    com.q1labs.cve.utils.CriteriaBuilder.getQueryParams(CriteriaBuil
    der.java:386)
    [tomcat.tomcat] [admin@127.0.0.1(8847)
    /console/do/ariel/arielSearch]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSear
    chForm.java:927)
    [tomcat.tomcat] [admin@127.0.0.1(8847)
    /console/do/ariel/arielSearch]    ... 81 more
    [tomcat.tomcat] [admin@127.0.0.1(8847)
    /console/do/ariel/arielSearch] Caused by:
    [tomcat.tomcat] [admin@127.0.0.1(8847)
    /console/do/ariel/arielSearch]
    java.lang.IllegalArgumentException: Operation Event is not
    valid. Should be one of [EQ, LT, LE, GT, GE, NEQ]
    [tomcat.tomcat] [admin@127.0.0.1(8847)
    /console/do/ariel/arielSearch]    at
    com.q1labs.cve.utils.CriteriaBuilder.updateCriteria_Expression(C
    riteriaBuilder.java:1047)
    [tomcat.tomcat] [admin@127.0.0.1(8847)
    /console/do/ariel/arielSearch]    at
    com.q1labs.cve.utils.CriteriaBuilder.updateCriteria(CriteriaBuil
    der.java:1316)
    [tomcat.tomcat] [admin@127.0.0.1(8847)
    /console/do/ariel/arielSearch]    at
    com.q1labs.cve.utils.CriteriaBuilder.getCriteria(CriteriaBuilder
    .java:1424)
    [tomcat.tomcat] [admin@127.0.0.1(8847)
    /console/do/ariel/arielSearch]    ... 83 more
    [tomcat.tomcat] [admin@127.0.0.1(8847)
    /console/do/ariel/arielSearch]
    org.apache.jsp.qradar.jsp.ArielSearch_jsp: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]Could not forward to
    exception page, possibly an included JSP?
    [tomcat.tomcat] [admin@127.0.0.1(8964)
    /console/JSON-RPC/QRadar.getGlobalViewDetails
    QRadar.getGlobalViewDetails]
    com.q1labs.core.ui.servlet.RemoteJavaScript: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]An exception occurred
    while executing the remote method 'getGlobalViewDetails'
    [tomcat.tomcat] [admin@127.0.0.1(8964)
    /console/JSON-RPC/QRadar.getGlobalViewDetails
    QRadar.getGlobalViewDetails] java.lang.RuntimeException:
    java.lang.RuntimeException: Error processing criteria searchName
    [tomcat.tomcat] [admin@127.0.0.1(8964)
    /console/JSON-RPC/QRadar.getGlobalViewDetails
    QRadar.getGlobalViewDetails]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSear
    chForm.java:1007)
    [tomcat.tomcat] [admin@127.0.0.1(8964)
    /console/JSON-RPC/QRadar.getGlobalViewDetails
    QRadar.getGlobalViewDetails]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSear
    chForm.java:790)
    [tomcat.tomcat] [admin@127.0.0.1(8964)
    /console/JSON-RPC/QRadar.getGlobalViewDetails
    QRadar.getGlobalViewDetails]    at
    com.q1labs.ariel.ui.UIArielServices.getGlobalViewID(UIArielServi
    ces.java:12530)
    [tomcat.tomcat] [admin@127.0.0.1(8964)
    /console/JSON-RPC/QRadar.getGlobalViewDetails
    QRadar.getGlobalViewDetails]    at
    com.q1labs.ariel.ui.UIArielServices.getGlobalViewDetails(UIAriel
    Services.java:12253)
    [tomcat.tomcat] [admin@127.0.0.1(8964)
    /console/JSON-RPC/QRadar.getGlobalViewDetails
    QRadar.getGlobalViewDetails]    at
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    [tomcat.tomcat] [admin@127.0.0.1(8964)
    /console/JSON-RPC/QRadar.getGlobalViewDetails
    QRadar.getGlobalViewDetails]    at
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessor
    Impl.java:90)
    [tomcat.tomcat] [admin@127.0.0.1(8964)
    /console/JSON-RPC/QRadar.getGlobalViewDetails
    QRadar.getGlobalViewDetails]    at
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
    AccessorImpl.java:55)
    12 June 2020
    UPGRADE IJ22566 QRADAR PATCHING CAN FAIL AND ROLLBACK ON BLANK TABLES IN A QVM FUSION DATABASE CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Workaround
    If you are unable to upgrade, contact Support for a possible workaround that might address this issue in some instances.

    Issue
    The QRadar patching process can fail and roll back when there are unexpected blank tables within the QRadar Vulnerability Manager (QVM) fusion database. Messages similar to the following might be visible during the patch process and also within the most recent /var/log/setup-7.3.3.xxxxxxxxx/patches.log:
    Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG]
    ip={host_ipaddress}
    Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] starting
    Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] Found 0 patch
    report files.
    Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG]
    Patch Report for 172.16.77.26, appliance type: 1202
    {hostname}: patch test succeeded.
    1 SQL script errors were detected; Error applying script [3/3]
    '/media/updates/opt/qvm/db/sql/functions/all_functions.sql' for
    Test_fusionvm database.; details:
    WARNING: SET TRANSACTION can only be used in transaction blocks
    ERROR: insert or update on table "toolsuitecomponents" violates
    foreign key constraint
    "fk_toolsuitecomponents_toolsuite_l7protocolcodes"
    DETAIL: Key (l7protocolcode)=(18) is not present in table
    "toolsuite_l7protocolcodes".
    CONTEXT: SQL statement "INSERT INTO ToolSuiteComponents VALUES
    (10001,5,'netbios -
    ports','/bin/netbios/netbios_ports.pl','1.0',TRUE,TRUE,18,'','',
    1,5,10000,2,10,2)"
    PL/pgSQL function enable_netbios_ports() line 4 at SQL statement
    {hostname} : patch rolled back.
    Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] pr=
    Patch Report for , appliance type: 1202
    {hostname} : patch test succeeded.
    1 SQL script errors were detected; Error applying script [3/3]
    '/media/updates/opt/qvm/db/sql/functions/all_functions.sql' for
    Test_fusionvm database.; details:
    WARNING: SET TRANSACTION can only be used in transaction blocks
    ERROR: insert or update on table "toolsuitecomponents" violates
    foreign key constraint
    "fk_toolsuitecomponents_toolsuite_l7protocolcodes"
    DETAIL: Key (l7protocolcode)=(18) is not present in table
    "toolsuite_l7protocolcodes".
    CONTEXT: SQL statement "INSERT INTO ToolSuiteComponents VALUES
    (10001,5,'netbios -
    ports','/bin/netbios/netbios_ports.pl','1.0',TRUE,TRUE,18,'','',
    1,5,10000,2,10,2)"
    PL/pgSQL function enable_netbios_ports() line 4 at SQL statement
    {hostname} : patch rolled back.
    Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] non console;
    interactive end.
    Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] complete
    Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] finishing up
    and restarting services.
    Mon Dec 2 11:57:21 AST 2019: ./patchInstaller.pl -patchfile
    /storetmp/2019140_QRadar_patchupdate-2019.14.0.20191031163225.sf
    s -p ./superpatches.manifest.xml completed with result 1
    05 February 2020
    SECURITY BULLETIN CVE-2019-0201 APACHE ZOOKEEPER AS USED BY IBM QRADAR SIEM IS VULNERABLE TO INFORMATION DISCLOSURE CLOSED Resolved in
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)

    Affected versions
    • IBM QRadar SIEM 7.4.1 General Availability (GA)
    • IBM QRadar Risk Manager 7.4.1 General Availability (GA)
    • IBM QRadar Vulnerability Manager 7.4.1 General Availability (GA)
    • IBM QRadar Incident Forensics 7.4.1 General Availability (GA)
    • IBM QRadar Network Insights 7.4.1 General Availability (GA)

    Issue
    Apache ZooKeeper could allow a remote attacker to obtain sensitive information, caused by the failure to check permissions by the getACL() command. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 7.5
    21 September 2020
    OFFENSES IJ27346 OFFENSE API CALLS CAN CAUSE A HOSTCONTEXT TXSENTRY TO OCCUR AS NO LIMIT IS APPLIED TO THE NUMBER OF FIELDS TO BE RETURNED CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)

    Workaround
    Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve this issue. If you are unable to upgrade, contact Support for a possible workaround that might address this issue in some instances. This issue was reported by users with QRadar 7.4.1 General Availability (GA) installed.

    Issue
    The hostcontext process can experience a TxSentry event (a database transaction that takes too long to complete is killed) because the Offense API does not limit the number of fields that it can return.

    This behavior can be observed while using some QRadar apps that make Offense API calls (e.g., the Incident Overview app). Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [hostcontext.hostcontext]
    [baa9069a-d7b2-48bf-ab9b-32962f1f8055/SequentialEventDispatcher]
    com.q1labs.hostcontext.tx.TxSentry: [WARN]
    [NOT:0000004000][X.X.X.X/- -] [-/- -] Lock acquired on host
    X.X.X.X: rel=offense_device_link_pkey age=638 granted=t
    mode=AccessShareLock query='SELECT DISTINCT (CASE WHEN
    offense_properties.user'
    [hostcontext.hostcontext]
    [baa9069a-d7b2-48bf-ab9b-32962f1f8055/SequentialEventDispatcher]
    com.q1labs.hostcontext.tx.TxSentry: [WARN]
    [NOT:0000004000][X.X.X.X/- -] [-/- -] Lock acquired on host
    X.X.X.X: rel=sensordevicetype age=638 granted=t
    mode=AccessShareLock query='SELECT DISTINCT (CASE WHEN
    offense_properties.user'
    [hostcontext.hostcontext]
    [baa9069a-d7b2-48bf-ab9b-32962f1f8055/SequentialEventDispatcher]
    com.q1labs.hostcontext.tx.TxSentry: [WARN]
    [NOT:0000004000][X.X.X.X/- -] [-/- -] Lock acquired on host
    X.X.X.X: rel=sensordevice_eccomponentid_idx age=638 granted=t
    mode=AccessShareLock query='SELECT DISTINCT (CASE WHEN
    offense_properties.user'
    31 August 2020
    HIGH AVAILABILITY (HA) IJ18179 LOG COLLECTION ON A HIGH AVAILABILITY SECONDARY CAN FAIL TO OCCUR AFTER INITIAL FAILOVER DUE TO MISSING JAR FILES CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Workaround
    1. Click the Admin tab.
    2. From the Advanced menu, select Deploy Full Configuration.
    3. Wait for the full deploy to complete.
    4. Select Advanced, and click Restart Event Collection Services.
    Issue
    It has been identified that some required jar files are not copied to /opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs on a High Availability (HA) secondary appliance until a Deploy Full Configuration is performed after the HA secondary becomes active.
    18 October 2019
    HISTORICAL CORRELATION IJ26306 EVENT/FLOW WINDOW IS BLANK FOR HISTORICAL CORRELATION OFFENSES AND VIEWING 'LAST 10 EVENTS/FLOWS' GENERATES ERROR CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)

    Workaround
    No workaround available. This issue was reopened after the error was reported again by users at QRadar 7.4.2 and 7.4.1 Fix Pack 2, and it was closed with the release of QRadar 7.4.2 Fix Pack 3.

    Issue
    While attempting to view Events or Flows associated with a Historical Correlation Offense, the Event/Flow List window displays a blank page.

    When attempting to view the "Last 10 Events/Flows" for a Historical Correlation Offense, a message similar to the following is generated:
    An error occurred while fetching the Events for this offense
    or
    An Error occurred while fetching the Flows for this offense

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    tomcat[44128]: Caused by:
    tomcat[44128]: java.lang.NoSuchMethodError:
    com/ibm/si/core/offensemapper/OffenseMapperFactory.getOffenseMap
    perType(ILjava/lang/String;Ljava/lang/String;)Lcom/ibm/si/core/o
    ffensemapper/OffenseMapperType; (loaded from file:
    /opt/qradar/webapps/console/WEB-INF/lib/q1labs_core.jar by
    PluginClassLoader
    tomcat[44128]: context: console
    tomcat[44128]: delegate: false
    tomcat[44128]: ---------- Parent Classloader:
    tomcat[44128]: java.net.URLClassLoader@17b2c16d
    tomcat[44128]: ) called from class
    com.ibm.si.hc.HistoricalCorrelationProcessor (loaded from
    file:/opt/qradar/webapps/console/WEB-INF/lib/q1labs_hc.jar by
    PluginClassLoader
    tomcat[44128]: context: console
    tomcat[44128]: delegate: false
    tomcat[44128]: ---------- Parent Classloader:
    tomcat[44128]: java.net.URLClassLoader@17b2c16d
    tomcat[44128]: ).
    tomcat[44128]: at
    com.ibm.si.hc.HistoricalCorrelationProcessor.transformQueryParam
    s(HistoricalCorrelationProcessor.java:2538)
    12 April 2021
    REPORTS IJ26071 CSV REPORTS CAN FAIL TO GENERATE WHEN THERE IS NO ACCUMULATED DATA CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Workaround
    Use PDF output for the report. The PDF option allows the report to be generated without an error being written to the QRadar logs. Administrators who require CSV reports can install QRadar 7.4.1 Fix Pack 1. This issue was reported by users at QRadar 7.3.2 Patch 6.

    Issue
    When a report is configured for .csv output and that report has no accumulated data, the report fails to generate and an error is logged to QRadar logging.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [report_runner] [main] com.q1labs.reporting.ReportRunner:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error
    initializing ReportRunner
    [report_runner] [main] java.lang.Throwable:
    java.lang.RuntimeException: REPORT
    [MONTHLY#^#e028752#$#c64ac148-b504-4918-9fe3-76a4fba6c7f6#^#1583
    161424583]: Failed to run using template
    [e028752#$#c64ac148-b504-4918-9fe3-76a4fba6c7f6.xml]
    [report_runner] [main]    at
    com.q1labs.reporting.ReportRunner.main(ReportRunner.java:300)
    [report_runner] [main] Caused by:
    [report_runner] [main] java.lang.RuntimeException: REPORT
    [MONTHLY#^#e028752#$#c64ac148-b504-4918-9fe3-76a4fba6c7f6#^#1583
    161424583]: Failed to run using template
    [e028752#$#c64ac148-b504-4918-9fe3-76a4fba6c7f6.xml]
    [report_runner] [main]    at
    com.q1labs.reporting.Report.process(Report.java:623)
    [report_runner] [main]    at
    com.q1labs.reporting.ReportRunner.main(ReportRunner.java:246)
    [report_runner] [main] Caused by:
    [report_runner] [main] java.lang.RuntimeException: REPORTING
    CSV builder: More than on table header found. This is invalid
    for single table report
    [report_runner] [main]    at
    com.q1labs.reporting.csv.ReportCSVBuilder.buildColumnRecord(Repo
    rtCSVBuilder.java:100)
    [report_runner] [main]    at
    com.q1labs.reporting.csv.ReportCSVBuilder.buildCsvFile(ReportCSV
    Builder.java:177)
    [report_runner] [main]    at
    com.q1labs.reporting.Report.process(Report.java:520)
    [report_runner] [main]    ... 1 more
    14 July 2020
    SYSTEM NOTIFICATIONS IJ22900 NOTIFICATION TABLE CONTAINS DUPLICATE ROWS FOR THE SAME EVENT CAUSING DISCREPANCY IN NOTIFICATION DATA DISPLAYED CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Workaround
    Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve this issue.

    Issue
    When the notification "An invalid protocol source configuration may be stopping event collection." is opened, the number of events displayed does not match the number of notifications.

    For example, the notification displays (6 events), but clicking "view all" lists only 3 events.
    09 October 2020
    QRADAR VULNERABILITY MANAGER / EXPORT IJ25880 AN EXCEPTION IS THROWN WHEN ATTEMPTING AN EXPORT FROM THE SCAN RESULTS VULNERABILITIES LIST CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)

    Workaround
    Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve issues when exporting scan results from the Vulnerabilities tab. This issue was reported by users at QRadar Vulnerability Manager 7.4.0 General Availability (GA) and later.

    Issue
    An export error exception pop-up is generated when attempting to export the list of vulnerabilities from the Scan Results user interface. For example:
    1. Log in to the QRadar user interface.
    2. Click the Vulnerabilities tab.
    3. Select Scan Results and highlight the vulnerabilities to export.
    4. Select one of the following options:
      • Actions > Export to CSV
      • Actions > Export to XML

      Results
      The error exception popup is generated in the user interface:
      There was a problem completing your export. Please try again later.

      Optionally, administrators can review the logs to determine if a NoSuchMethodException is generated in the logs:
      java.lang.NoSuchMethodException:
      com.sun.proxy.$Proxy182.getVulnerabilities(java.lang.String,
      java.lang.String, int, int, java.lang.String, java.lang.String,
      int, int, java.lang.String) at
      java.lang.Class.newNoSuchMethodException(Class.java:562) at
      java.lang.Class.throwExceptionOrReturnNull(Class.java:1195) at
      java.lang.Class.getMethodHelper(Class.java:1259) at
      java.lang.Class.getMethod(Class.java:1187) at
      com.q1labs.core.ui.coreservices.export.ExportJobProcessor.export
      VulnerabilityTabJDBCSearchFusionVMQuery(ExportJobProcessor.java:
      703) at
      com.q1labs.core.ui.coreservices.export.ExportJobProcessor.run(Ex
      portJobProcessor.java:196)
    27 June 2020
    LOG ACTIVITY IJ26129 EVENTS COPIED FROM ONE QRADAR DEPLOYMENT TO ANOTHER CANNOT BE OPENED IF THE COMPONENT ID DOES NOT EXIST IN THE NEW ONE CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Workaround
    Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve issues when copying event data between appliances. This issue was reported by users at QRadar 7.4.0 Fix Pack 1 and later.

    Issue
    When events are copied from one QRadar deployment to another and the component id associated to those events does not exist within the data on the new QRadar deployment, those events cannot be opened.

    An "Application Error" is generated in the QRadar User Interface when these affected events are attempted to be opened.

    Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
    {timetstamp}18:14:55.738727 ::ffff:127.0.0.1 [tomcat.tomcat]
    [user@host (8302) /console/do/ariel/arielDetails]
    com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]An exception occurred
    while processing the request:
    {timetstamp}18:14:55.739787 ::ffff:127.0.0.1 [tomcat.tomcat]
    [user@host (8302) /console/do/ariel/arielDetails]
    java.lang.NullPointerException
    18:14:55.739968 ::ffff:127.0.0.1 [tomcat.tomcat]
    [user@host (8302) /console/do/ariel/arielDetails]    at
    com.q1labs.events.ui.bean.EventForm.copyFromDAO(EventForm.java:919)
    {timetstamp}18:14:55.739968 ::ffff:127.0.0.1 [tomcat.tomcat]
    [user@host (8302) /console/do/ariel/arielDetails]    at
    com.q1labs.ariel.ui.UIArielServices.getRecordBean(UIArielService
    s.java:5873)
    {timetstamp}18:14:55.739968 ::ffff:127.0.0.1 [tomcat.tomcat]
    [user@host (8302) /console/do/ariel/arielDetails]    at
    com.q1labs.ariel.ui.action.ArielDetails.viewDetails(ArielDetails
    .java:36)
    {timetstamp}18:14:55.739968 ::ffff:127.0.0.1 [tomcat.tomcat]
    [user@host (8302) /console/do/ariel/arielDetails]    at
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    {timetstamp}18:14:55.739968 ::ffff:127.0.0.1 [tomcat.tomcat]
    [user@host (8302) /console/do/ariel/arielDetails]    at
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessor
    Impl.java:90)
    {timetstamp}18:14:55.740992 ::ffff:127.0.0.1 [tomcat.tomcat]
    [user@host (8302) /console/do/ariel/arielDetails]    at
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
    AccessorImpl.java:55)
    {timetstamp}18:14:55.740992 ::ffff:127.0.0.1 [tomcat.tomcat]
    [user@host (8302) /console/do/ariel/arielDetails]    at
    java.lang.reflect.Method.invoke(Method.java:508)
    15 July 2020
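    Several of the entries above identify an issue by a fragment of /var/log/qradar.log (or, for IJ22566, of patches.log). The following is an added example, not IBM code and not part of the original APAR table, that checks a log for those fragments in one pass. The patterns are taken from the excerpts quoted in the IJ25797, IJ26220, IJ25350, IJ22566, IJ27346, IJ26306, IJ26071, IJ25880 and IJ26129 entries; the sample lines are constructed from those excerpts (real log lines are not wrapped the way the excerpts on this page are), and the descriptions are paraphrases of the entry titles.

```python
import re
import sys
from typing import Dict, Iterable, List

# (APAR number, short description, pattern matching one line of the quoted excerpt).
# Each pattern targets a fragment that sits on a single line in the live log.
SIGNATURES = (
    ("IJ25797", "NullPointerException when viewing events for an offense",
     re.compile(r"IUIArielSearchDelegate\$OffenseProcessor\.addOffenseSearchCriteria")),
    ("IJ26220", "data deobfuscation key fails in a domain environment",
     re.compile(r"CORRESPONDING_DECRYPTION_KEY_FOUND_IN_SESSION_BUT_DECRYPTION_FAIL")),
    ("IJ25350", "custom event property uses the reserved AQL name searchName",
     re.compile(r"Error processing criteria searchName")),
    ("IJ27346", "hostcontext TxSentry caused by an unbounded Offense API query",
     re.compile(r"hostcontext\.tx\.TxSentry: \[WARN\].*offense_properties")),
    ("IJ26306", "historical correlation offense event/flow list is blank",
     re.compile(r"NoSuchMethodError: com/ibm/si/core/offensemapper/"
                r"OffenseMapperFactory\.getOffenseMapperType")),
    ("IJ26071", "CSV report fails when there is no accumulated data",
     re.compile(r"CSV builder: More than on table header found")),
    ("IJ25880", "export from the QVM scan results vulnerabilities list fails",
     re.compile(r"NoSuchMethodException: com\.sun\.proxy\.\$Proxy\d+\.getVulnerabilities")),
    ("IJ26129", "copied events reference a component id unknown to this deployment",
     re.compile(r"EventForm\.copyFromDAO\(EventForm\.java:\d+\)")),
    ("IJ22566", "QVM fusion database patch rollback (this one appears in patches.log)",
     re.compile(r'violates foreign key constraint '
                r'"fk_toolsuitecomponents_toolsuite_l7protocolcodes"')),
)


def scan(lines: Iterable[str]) -> Dict[str, List[int]]:
    """Return {APAR: [1-based line numbers]} for every signature seen in `lines`."""
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(lines, start=1):
        for apar, _description, pattern in SIGNATURES:
            if pattern.search(line):
                hits.setdefault(apar, []).append(lineno)
    return hits


def summarize(hits: Dict[str, List[int]]) -> List[str]:
    """One human-readable line per matched APAR, in APAR order."""
    descriptions = {apar: desc for apar, desc, _ in SIGNATURES}
    return [f"{apar}: {descriptions[apar]} at line(s) {', '.join(map(str, lines))}"
            for apar, lines in sorted(hits.items())]


# Constructed sample: four lines assembled from the excerpts quoted in the table
# (unwrapped onto single lines), plus two unrelated lines that must not match.
SAMPLE_LOG = [
    "[tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch] "
    "java.lang.RuntimeException: Error processing criteria searchName",
    "[tomcat.tomcat] [admin@127.0.0.1 (2367) /console/do/obfuscation/obfuscationdecryption] "
    "com.q1labs.obfuscation.ui.action.ObfuscationDecryptionAction: [ERROR] "
    "[NOT:0000003000][127.0.0.1/- -] [-/- -]qradar.obfuscation.ui.obfuscationdecryption.error."
    "CORRESPONDING_DECRYPTION_KEY_FOUND_IN_SESSION_BUT_DECRYPTION_FAIL, "
    "javax.crypto.BadPaddingException: decryption fail.",
    "tomcat[44128]: java.lang.NoSuchMethodError: com/ibm/si/core/offensemapper/"
    "OffenseMapperFactory.getOffenseMapperType(ILjava/lang/String;Ljava/lang/String;)"
    "Lcom/ibm/si/core/offensemapper/OffenseMapperType;",
    "[hostcontext.hostcontext] [baa9069a-d7b2-48bf-ab9b-32962f1f8055/SequentialEventDispatcher] "
    "com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][X.X.X.X/- -] [-/- -] "
    "Lock acquired on host X.X.X.X: rel=sensordevicetype age=638 granted=t "
    "mode=AccessShareLock query='SELECT DISTINCT (CASE WHEN offense_properties.user'",
    "[tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch] Caused by:",
    "[tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch] "
    "java.lang.NullPointerException",
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            found = scan(fh)
    else:
        found = scan(SAMPLE_LOG)
    for summary_line in summarize(found) or ["no known APAR signatures found"]:
        print(summary_line)
```

    Save it under any name (apar_signatures.py is assumed here) and run `python3 apar_signatures.py /var/log/qradar.log` on a copy of the log. A match points at a known defect whose resolving fix pack is listed in the corresponding entry above. A bare NullPointerException line does not match anything on purpose: only the stack frame quoted in the entry is specific enough, which is why the last sample line produces no hit.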
    QRADAR NETWORK INSIGHTS / UPGRADE IJ22448 PATCH OF A QNI APPLIANCE CAN FAIL WHEN THE NAPATECH SERVICE FAILS TO START CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Workaround
    Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve Napatech service issues related to software upgrades. This issue might be experienced by users at QRadar Network Insights 7.3.2 General Availability (GA) or later.

    Issue
    QRadar patching fails on a QNI appliance when the Napatech card has failed or the required napatech3 service cannot be started.
    09 October 2020
    QFLOW IJ25317 QFLOW MEMORY USAGE CAN CONTINUALLY GROW AS ADDITIONAL UNIQUE TEMPLATES ARE USED CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)

    Workaround
    Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve this issue. If you are unable to upgrade, contact Support for a possible workaround that might address this issue in some instances. This issue might be experienced by users running QRadar 7.3.2 Fix Pack 7 or later who see memory growth in QFlow.

    Issue
    The QRadar qflow process currently does not flush any of its templates from memory when they have been inactive for a period of time.

    As more unique templates are used by the qflow process (e.g., QNI or third-party exporter restarts cause a "new" template to be stored in qflow memory), the memory used by qflow continually grows.
    12 June 2020
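    As an added illustration of the failure mode described in this entry (this is example code, not the qflow implementation, and the template key, field layout, exporter address and timings are assumptions), the following Python model keeps flow templates, as NetFlow v9 and IPFIX exporters announce them, in a cache first without any idle flush and then with one, and shows how the template count grows with every exporter restart in the first case and stays bounded in the second.

```python
from collections import OrderedDict
from typing import List, Optional, Tuple

# Assumed key: (exporter address, observation domain, template id). Collectors key
# templates this way because template ids are only unique per exporter and domain.
TemplateKey = Tuple[str, int, int]
FieldSpec = List[Tuple[int, int]]  # (information element id, field length) pairs


class TemplateCache:
    """Template store with the idle flush that the entry above says qflow lacked.

    Entries are kept in last-use order so that expiring idle templates only has
    to look at the front of the dictionary.
    """

    def __init__(self, idle_seconds: float, max_templates: int) -> None:
        self.idle_seconds = idle_seconds      # float("inf") disables the flush
        self.max_templates = max_templates    # hard cap as a backstop
        self._entries: "OrderedDict[TemplateKey, Tuple[FieldSpec, float]]" = OrderedDict()

    def learn(self, key: TemplateKey, fields: FieldSpec, now: float) -> None:
        """Record a template announced by an exporter (a template record)."""
        self._entries[key] = (fields, now)
        self._entries.move_to_end(key)
        self.flush_idle(now)
        while len(self._entries) > self.max_templates:   # evict least recently used
            self._entries.popitem(last=False)

    def lookup(self, key: TemplateKey, now: float) -> Optional[FieldSpec]:
        """Resolve the template for a data record and refresh its last-use time."""
        entry = self._entries.get(key)
        if entry is None:
            return None   # unknown template: the decoder has to drop or buffer the record
        fields, _ = entry
        self._entries[key] = (fields, now)
        self._entries.move_to_end(key)
        return fields

    def flush_idle(self, now: float) -> int:
        """Drop templates unused for longer than idle_seconds; return how many."""
        removed = 0
        while self._entries:
            oldest_key, (_, last_used) = next(iter(self._entries.items()))
            if now - last_used <= self.idle_seconds:
                break                      # everything behind it was used more recently
            del self._entries[oldest_key]
            removed += 1
        return removed

    def __len__(self) -> int:
        return len(self._entries)


def simulate_exporter_restarts(restarts: int, templates_per_restart: int,
                               idle_seconds: float, interval: float = 60.0) -> int:
    """Model an exporter that restarts `restarts` times and announces fresh template
    ids after each restart (the behaviour the entry above attributes to QNI and
    third-party exporters). Returns the number of templates held at the end."""
    cache = TemplateCache(idle_seconds=idle_seconds, max_templates=10_000)
    fields: FieldSpec = [(8, 4), (12, 4), (7, 2), (11, 2)]   # IPv4 src/dst, src/dst port
    exporter = "192.0.2.10"                                  # constructed address
    now = 0.0
    for restart in range(restarts):
        first_id = 256 + restart * templates_per_restart
        ids = range(first_id, first_id + templates_per_restart)
        for template_id in ids:
            cache.learn((exporter, 1, template_id), fields, now)
        now += interval                     # data records keep using these templates
        for template_id in ids:
            cache.lookup((exporter, 1, template_id), now)
        now += interval                     # then the exporter restarts
    return len(cache)


if __name__ == "__main__":
    print("no idle flush :", simulate_exporter_restarts(20, 5, float("inf")))
    print("5 minute flush:", simulate_exporter_restarts(20, 5, 300.0))
```

    With the flush disabled, twenty restarts announcing five templates each leave 100 templates resident, one set per restart, and the number keeps rising for as long as the process lives. With a five-minute idle timeout only the sets used within the last five minutes survive, so the footprint is bounded by the exporter's restart rate rather than by uptime; the hard cap is there so that an exporter announcing templates faster than they expire still cannot exhaust memory.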
    LICENSING IJ23772 AVERAGE EPS REPORTED FOR A MANAGED HOST CAN REPORT ZERO (0) DUE TO NULL VALUES LISTED IN A GLOBAL VIEW (GV) CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)

    Workaround
    Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve this issue. If you are unable to upgrade, contact Support for a possible workaround that might address this issue in some instances.

    Issue
    The Average EPS in the table License_pool_allocation for some Managed Hosts is not updated due to a NullPointerException that occurs in a Global View (GV).

    When this occurs, the Average EPS for affected Managed Hosts can display as zero (0) EPS.
    19 September 2020
    REPORTS IJ10609 "NO DATA FOR CHART" IN TIMESERIES REPORT WHEN 'TIME' VARIABLE IS THE HORIZONTAL AXIS CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Workaround
    No workaround available.

    Issue
    It has been identified that timeseries reports with the Time variable configured for the X-Axis display "No data for Chart". For example, to replicate this issue:
    1. Click the Reports tab and create a weekly report.
    2. In the Chart Type, select Events/Logs.
    3. In the Container Details, select a pre-configured aggregated search (timeseries).
    4. Under Additional Details, select:
      • Graph Type: Bar
      • Limit Events/Logs to Top: 5
      • Horizontal (X) Axis: Time
      • Vertical (Y) Axis: Count
      • Timeline Interval: 1 day
    5. Save the report.
    6. Verify the data is being accumulated for the search.

      Results
      When the report runs as scheduled, it is generated with the message "No Data for Chart" in the container. The report is successfully generated when the user specifies any other variable for the Horizontal (X) axis instead of the "Time" variable.
    09 October 2020
    TELNET FLOW INSPECTOR IJ18004 QRADAR NETWORK INSIGHTS (QNI) TELNET INSPECTOR CAN INCORRECTLY CLASSIFY SOME LDAP FLOW TRAFFIC AS TELNET TRAFFIC CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Workaround
    Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve this issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. This issue was reported by users with QRadar 7.4.1 (GA) General Availability installed.

    Issue
    It has been identified that in some instances, the QRadar Network Insights (QNI) Telnet Inspector can incorrectly classify LDAP flow traffic as Telnet traffic. When this occurs, false positives can sometimes occur within rule functionality.
    09 October 2020
    DEPLOY CHANGES IJ25798 DEPLOY FUNCTION CAN FAIL DUE TO AN INCONSISTENT INDEX FROM THE CONSOLE VS MANAGED HOSTS CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)

    Workaround
    Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve this issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. This issue was reported by users with QRadar 7.4.1 (GA) General Availability installed.

    Issue
    A QRadar deploy function can fail when there is inconsistency in an index (reference_data_element_data1) from what is on the Console vs what is on a Managed Host.

    Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
    [hostcontext.hostcontext] [Thread-68701] ComponentOutput:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
    replication:
    psql:/store/replication/tx0000000000000302764.sql:220939:
    ERROR:  index row size 2928 exceeds maximum 2712 for index
    "reference_data_element_data1"
    [hostcontext.hostcontext] [Thread-68701] ComponentOutput:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
    replication: HINT:  Values larger than 1/3 of a buffer page
    cannot be indexed.
    [hostcontext.hostcontext] [Thread-68701] ComponentOutput:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
    replication: Consider a function index of an MD5 hash of the
    value, or use full text indexing.
    [hostcontext.hostcontext] [Thread-68701] ComponentOutput:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
    replication: CONTEXT:  SQL statement "INSERT INTO
    public.reference_data_element SELECT * FROM
    rep.public_reference_data_element"
    [hostcontext.hostcontext] [Thread-68701] ComponentOutput:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
    replication: PL/pgSQL function
    replicate_restore_dump(text,text) line 24 at EXECUTE
    {hostname}-primary replication[197954]: Could not apply
    /store/replication/tx0000000000000302764.sql.
    27 June 2020
    LICENSE IJ13317 LICENSE POOL MANAGEMENT CAN DISPLAY "N/A" FOR THE EPS RATE FOR SOME HOSTS WITH A NULL POINTER EXCEPTION IN THE LOGS CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)

    Workaround
    Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve issues where the System and License Management user interface displays N/A.

    Issue
    It has been identified that in some instances the EPS rate for a host can display as "N/A" in the License Pool Management window. This has most often been observed with High Availability hosts. Messages similar to the following might be visible in /var/log/qradar.log when this issue is occurring.

    Note: The GV number can vary between log instances; it appears as GV_{Number}_HOURLY in the example below:
    {hostname}[hostcontext.hostcontext]
    [e42ecea2-e414-426d-b3c6-e397734e6a70/SequentialEventDispatcher]
    com.q1labs.hostcontext.licensing.LicenseMonitor: [INFO]
    [NOT:0000006000][Con.sol.eIP.20/- -] [-/- -]Following message
    suppressed 1 times in 300000 milliseconds
    {hostname}[hostcontext.hostcontext]
    [e42ecea2-e414-426d-b3c6-e397734e6a70/SequentialEventDispatcher]
    com.q1labs.hostcontext.licensing.LicenseMonitor: [ERROR]
    [NOT:0000003000][Con.sol.eIP.20/- -] [-/- -]Cannot retrieve
    data for GV_{Number}_HOURLY
    {hostname}[hostcontext.hostcontext]
    [e42ecea2-e414-426d-b3c6-e397734e6a70/SequentialEventDispatcher]
    java.lang.NullPointerException
    {hostname}[hostcontext.hostcontext]
    [e42ecea2-e414-426d-b3c6-e397734e6a70/SequentialEventDispatcher]
       at
    com.q1labs.hostcontext.licensing.Statistics.getIP(Statistics.jav
    a:243)
    {hostname}[hostcontext.hostcontext]
    [e42ecea2-e414-426d-b3c6-e397734e6a70/SequentialEventDispatcher]
       at
    com.q1labs.hostcontext.licensing.Statistics.updateEPSorFPS(Stati
    stics.java:186)
    {hostname}[hostcontext.hostcontext]
    [e42ecea2-e414-426d-b3c6-e397734e6a70/SequentialEventDispatcher]
       at
    com.q1labs.hostcontext.licensing.Statistics.getEpsFps(Statistics
    .java:127)
    {hostname}[hostcontext.hostcontext]
    [e42ecea2-e414-426d-b3c6-e397734e6a70/SequentialEventDispatcher]
       at
    com.q1labs.hostcontext.licensing.Statistics.update(Statistics.ja
    va:49)
    {hostname}[hostcontext.hostcontext]
    [e42ecea2-e414-426d-b3c6-e397734e6a70/SequentialEventDispatcher]
       at
    com.q1labs.hostcontext.licensing.LicenseMonitor.timeExpired(Lice
    nseMonitor.java:239)
    {hostname}[hostcontext.hostcontext]
    [e42ecea2-e414-426d-b3c6-e397734e6a70/SequentialEventDispatcher]
       at
    com.q1labs.frameworks.events.timer.TimerEventGenerator$TimerEven
    tInfo.dispatchEvent(TimerEventGenerator.java:234)
    {hostname}[hostcontext.hostcontext]
    [e42ecea2-e414-426d-b3c6-e397734e6a70/SequentialEventDispatcher]
       at
    com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchT
    hread.run(SequentialEventDispatcher.java:129)
    06 February 2019
    DEPLOY CHANGES IJ15527 DEPLOY FUNCTION CAN TIMEOUT WHEN A REQUIRED PROCESS IS UNABLE TO CONNECT TO QRADAR APPS CLOSED Resolved in
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)

    Workaround
    No workaround available.

    Issue
    It has been identified that when QRadar Apps do not respond to a required process during a Deploy function, the Deploy can time out. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [hostcontext.hostcontext]
    [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher]
    com.q1labs.hostcontext.configuration.ConfigSetUpdater: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to execute db app
    sync post deploy action
    [hostcontext.hostcontext]
    [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher]
    com.q1labs.configservices.process.ProcessException: Unable to
    execute platform app sync.
    [hostcontext.hostcontext]
    [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at
    com.q1labs.hostcontext.action.DBAppSyncPostDeployAction.executeA
    ction(DBAppSyncPostDeployAction.java)
    [hostcontext.hostcontext]
    [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at
    com.q1labs.hostcontext.configuration.ConfigSetUpdater.postDownlo
    adAndApply(ConfigSetUpdater.java)
    [hostcontext.hostcontext]
    [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at
    com.q1labs.hostcontext.configuration.ConfigSetUpdater.downloadAn
    dApplyConfiguration(ConfigSetUpdater.java)
    [hostcontext.hostcontext]
    [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at
    com.q1labs.hostcontext.configuration.ConfigSetUpdater.startDownl
    oadAndApplyConfiguration(ConfigSetUpdater.java)
    [hostcontext.hostcontext]
    [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at
    com.q1labs.hostcontext.configuration.ConfigChangeObserver.update
    Configuration(ConfigChangeObserver.java)
    [hostcontext.hostcontext]
    [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at
    com.q1labs.hostcontext.configuration.ConfigChangeObserver.update
    (ConfigChangeObserver.java)
    [hostcontext.hostcontext]
    [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at
    com.q1labs.hostcontext.observer.Subject.updateNotify(Subject.java)
    [hostcontext.hostcontext]
    [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at
    com.q1labs.hostcontext.observer.JMSMessageSubject.messageReceive
    d(JMSMessageSubject.java)
    [hostcontext.hostcontext]
    [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at
    com.q1labs.frameworks.events.jms.JMSMessageEvent.dispatchEvent(J
    MSMessageEvent.java)
    [hostcontext.hostcontext]
    [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at
    com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchT
    hread.run(SequentialEventDispatcher.java)
    [hostcontext.hostcontext]
    [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher]
    Caused by:
    [hostcontext.hostcontext]
    [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher]
    com.ibm.si.application.conman.sync.ApplicationSyncException: An
    error occurred while attempting to sync apps on host
    [e7979a607d5e320f8c98.localdeployment]
    [hostcontext.hostcontext]
    [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at
    com.ibm.si.application.conman.sync.DBConmanSyncService.syncAppsO
    nHost(DBConmanSyncService.java)
    [hostcontext.hostcontext]
    [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at
    com.ibm.si.application.conman.sync.DBConmanSyncService.performMa
    nagedHostAppSync(DBConmanSyncService.java)
    [hostcontext.hostcontext]
    [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at
    com.ibm.si.application.conman.sync.DBConmanSyncService.performSy
    nc(DBConmanSyncService.java)
    [hostcontext.hostcontext]
    [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at
    com.q1labs.hostcontext.action.DBAppSyncPostDeployAction.executeA
    ction(DBAppSyncPostDeployAction.java)
    [hostcontext.hostcontext]
    [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher]
       ... 9 more
    [hostcontext.hostcontext]
    [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher]
    Caused by:
    [hostcontext.hostcontext]
    [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher]
    com.ibm.si.application.platform.exception.ApplicationPlatformSer
    viceException: 20 attempts across 10 minutes failed to connect
    to these apps: 1004:[Reference Data Import - LDAP]
    16 May 2019
    MICROSOFT OFFICE 365 MESSAGE TRACE IJ26483 ECS-EC-INGRESS SERVICE CAN EXPERIENCE OUT OF MEMORY OCCURRENCES WHEN MICROSOFT OFFICE 365 MESSAGE TRACE LOG SOURCE IS ENABLED OPEN Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    The QRadar ecs-ec-ingress service (used to collect events) can experience Out Of Memory occurrences when Microsoft Office 365 Message Trace log sources are in use (enabled) and large volumes of events are being ingested by the log source at initial startup.
    25 July 2020
    WINCOLLECT IJ27064 WINCOLLECT CAN CAPTURE RANDOM IP ADDRESSES FOR POPULATING THE 'ORIGINATING COMPUTER' FIELD IN EVENTS CLOSED Resolved in
    WinCollect 7.3.0 Fix Pack 1 (Build 41) (7.3.0.41)

    Workaround
    No workaround available. Administrators must upgrade to a version where this issue is resolved.

    Issue
    WinCollect can capture random IP addresses to populate the 'OriginatingComputer=ipaddress' field in event payloads when the events are being generated by WinCollect.

    Example payload generated:
    <13>Jul 22 18:35:43 ip_address AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=7.2.9.105
    Source=Microsoft-Windows-Security-Auditing Computer=hostnameFQDN OriginatingComputer=random_ip_address
    28 October 2020
    DEPLOY CHANGES IJ25798 DEPLOY FUNCTION CAN FAIL DUE TO AN INCONSISTENT INDEX FROM THE CONSOLE VS MANAGED HOSTS OPEN Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    A QRadar deploy function can fail when there is inconsistency in an index (reference_data_element_data1) from what is on the Console vs what is on a Managed Host.

    Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
    [hostcontext.hostcontext] [Thread-68701] ComponentOutput:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
    replication:
    psql:/store/replication/tx0000000000000302764.sql:220939:
    ERROR:  index row size 2928 exceeds maximum 2712 for index
    "reference_data_element_data1"
    [hostcontext.hostcontext] [Thread-68701] ComponentOutput:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
    replication: HINT:  Values larger than 1/3 of a buffer page
    cannot be indexed.
    [hostcontext.hostcontext] [Thread-68701] ComponentOutput:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
    replication: Consider a function index of an MD5 hash of the
    value, or use full text indexing.
    [hostcontext.hostcontext] [Thread-68701] ComponentOutput:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
    replication: CONTEXT:  SQL statement "INSERT INTO
    public.reference_data_element SELECT * FROM
    rep.public_reference_data_element"
    [hostcontext.hostcontext] [Thread-68701] ComponentOutput:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
    replication: PL/pgSQL function
    replicate_restore_dump(text,text) line 24 at EXECUTE
    {hostname}-primary replication[197954]: Could not apply
    /store/replication/tx0000000000000302764.sql.
    27 June 2020
    LOG SOURCE MANAGEMENT APP IJ27045 UNABLE TO ADD MULTIPLE LOG SOURCES AT A TIME TO A LOG SOURCE GROUP USING THE LOG SOURCE MANAGEMENT APP OPEN Workaround
    Moving the Log Sources one at a time to Log Source groups works as expected.

    Issue
    Attempting to add multiple Log Sources at a time to a Log Source Management Group using the Log Source Management app does not work as expected.

    When selecting multiple Log Sources and then selecting “add to group”, a loading bar is displayed indicating the move process is occurring and a completion/success message is generated. Despite the appearance of success of the Log Sources being moved, the selected Log Sources have not been added to the group.
    24 August 2020
    LOG ACTIVITY IJ27199 ‘DEVICE STOPPED EMITTING EVENTS’ EVENT CAN DISPLAY INCORRECT LOG SOURCE TIME OF EPOCH 0 CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

    Workaround
    No workaround available. Administrators can complete a software upgrade to QRadar 7.4.1 Fix Pack 2 to resolve this issue.

    Issue
    The event ‘Device Stopped Emitting events’ details page can display an incorrect Log Source Time of EPOCH 0 (i.e. Jan 1 1970) due to the device sending the event’s “time” value not being set correctly.

    This can cause unexpected rule behavior due to the incorrect value for the Log Source Time.
    16 November 2020
    DSM EDITOR IJ26226 DSM EDITOR FAILS TO PREVIEW CUSTOM PROPERTY OVERRIDE OF ‘ANY’ ‘ANY’ FOR HIGH AND LOW LEVEL CATEGORY BUT PARSES IT CORRECTLY OPEN Workaround
    No workaround available.

    Issue
    When adding selectivity to a custom property override in the DSM Editor page and using “any” for both High Level Category and Low Level Category, nothing is displayed in the DSM Editor preview, but the override parses as expected in the pipeline if it is applied.
    22 July 2020
    EXTENSION MANAGEMENT IJ26462 ‘FAILED EXTENSION INSTALLATION TASK FOR EXTENSION ID ‘ WHEN PERFORMING A DSM IMPORT CLOSED Workaround
    No workaround available. This issue is closed as permanent restriction.

    This scenario is one that we will not resolve through the legacy import process. The newer import process in development will support a resolution (by the user) of these conflict cases during the installation process; so it should be able to fix this issue.

    Issue
    Performing a DSM Import from within the QRadar User Interface can fail with the error “Failed Extension installation task for extension id XX”.

    For example:
    1. Log in to QRadar as an administrator.
    2. Click the Admin tab > Extension Management > Add.
    3. Browse to the location of the DSM zip file that had been previously exported.
    4. Select the Install immediately check box and click Add.
    5. Click OK.

      Results Error pop up is generated:
      "Failed Extension installation task for extension id XX"
    24 July 2020
    DASHBOARD IJ26192 RSS FEED DASHBOARDS DO NOT WORK WHEN QRADAR IS BEHIND A PROXY CLOSED Workaround
    No workaround available. This issue is closed as permanent restriction.

    Issue
    When QRadar is behind a proxy, RSS feed dashboard items cannot connect and report an error. Example error message in the Dashboard:
    Unable to view rss feed of url http://feeds.feedburner.com/SecurityIntelligence.
    14 July 2020
    OFFENSES / REPORTS IJ25398 THERE ARE DISCREPANCIES IN THE COLUMNS INCLUDED WITHIN THE OFFENSE SEARCH AND OFFENSE DETAILS REPORT CLOSED Workaround
    No workaround available. Closed as suggestion for future release.

    Issue
    There are discrepancies in the columns included within the Offense search and Offense details report.
    For example:
    1. In the QRadar User Interface, go to Offense tab.
    2. Create an offense search with the filters contributing rule and offense type.
    3. Save the search.
    4. Go to the Report tab.
    5. Create a new Offense Details report based on offense search.
    6. Run the report.

      Results
      There is a discrepancy in the columns included in the Offense search and Offense details report.

    Comments
    Unfortunately, there will be no work done on the existing Offense Screen/Searches or Reporting that will allow the user to refine the offense details.

    The user may use the Offense API, which will have significant performance improvements in 7.4.1, to retrieve the information that they are looking for.
    14 July 2020
    REPORTS IJ26321 REPORTS CAN FAIL TO COMPLETE DUE TO A LOCK ON THE QRADAR DATABASE PREVENTING REPORT TEMPLATES FROM LOADING OPEN Workaround
    Administrators can restart the reporting executor service, which allows the report templates to reload and creates a new transaction session.
    1. Log in to the QRadar Console as the root user.
    2. To restart the reporting executor, type:
      systemctl restart reporting_executor
    3. To verify the issue, manually start the report in the QRadar interface.

    Issue
    In some instances, QRadar report templates can fail to load due to a lock that is applied to the QRadar database preventing the database transaction from retrieving report templates. The database fails to connect as the session connection is already considered dead or previously used and closed. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [reporting_executor.reporting_executor] [Report Queue]
    com.q1labs.reporting.ReportServices: [INFO]
    [NOT:0000006000][xx.xx.xx.xx/- -] [-/- -]Reporting Scheduler is enabled
    [reporting_executor.reporting_executor] [Report Queue]
    com.q1labs.reporting.ReportServices: [ERROR]
    [NOT:0000003000][xx.xx.xx.xx/- -] [-/- -]Lock to templates
    folder is acquired by another process, skipping templates reload.
    [reporting_executor.reporting_executor] [Report Queue]
    com.q1labs.core.shared.ariel.CustomKeyCreator: [ERROR]
    [NOT:0000003000][xx.xx.xx.xx/- -] [-/- -]Exception loading
    custom property ID ed1cbe38-1f8a-4621-a838-8a6400c61384
    [reporting_executor.reporting_executor] [Report Queue]
    {openjpa-2.4.3-r422266:1833086 fatal general error}
    org.apache.openjpa.persistence.PersistenceException: This
    connection has been closed. {SELECT t0.id, t0.autodiscovered,
    t0.creationdate, t0.database, t0.datepattern, t0.description,
    t0.description_id, t0.editdate, t0.forceparse, t0.languagetag,
    t0.propertyname, t0.sequenceid, t0.tenant_id, t0.propertytype,
    t0.username FROM ariel_regex_property t0 WHERE (t0.id = ?)}
    {code=0, state=08003}
    FailedObject: SELECT a FROM ArielRegexProperty a WHERE a.id =
    ?1 [java.lang.String]
    [reporting_executor.reporting_executor] [Report Queue]    at
    org.apache.openjpa.jdbc.sql.DBDictionary.narrow(DBDictionary.jav
    a:5003)
    ..
    [reporting_executor.reporting_executor] [Report Queue] Caused
    by:
    [reporting_executor.reporting_executor] [Report Queue]
    org.apache.openjpa.lib.jdbc.ReportingSQLException: This
    connection has been closed. {SELECT t0.id, t0.autodiscovered,
    t0.creationdate, t0.database, t0.datepattern, t0.description,
    t0.description_id, t0.editdate, t0.forceparse, t0.languagetag,
    t0.propertyname, t0.sequenceid, t0.tenant_id, t0.propertytype,
    t0.username FROM ariel_regex_property t0 WHERE (t0.id = ?)}
    
    25 July 2020
    UPGRADE / HIGH AVAILABILITY (HA) IJ12252 QRADAR PATCH FAILS WHEN MORE THAN ONE .SFS IS MOUNTED CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    To resolve the issue, remove the deleted mounts by typing umount /media/updates as many times as needed, or until all /media/updates mount references are removed.

    Type the command mount | grep media to verify that all volumes mounted to /media/updates are removed.

    Remount the .SFS file you need to patch or update your system. Check for deleted mounts on both Primary and Secondary HA nodes. For more information, see the following technical note.

    Issue
    It has been identified that when two sfs files are mounted, the QRadar patch test is successful, but the patch fails with an error similar to “Original patch sfs file, ‘{patch_file_path}’ not found, please verify and restore the file.”

    Look for similar messages in /var/log/setup-/patches.log:
    Copying file
    /storetmp/732_QRadar_interimfix-7.3.2.20190522204210-IF02-201907
    10135412.sfs to host
    /storetmp:/storetmp/732_QRadar_interimfix-7.3.2.20190522204210-I
    F02-20190710135412.sfs
    cp: cannot create regular file
    'root@/storetmp:/storetmp/732_QRadar_interimfix-7.3.2.2019052220
    4210-IF02-20190710135412.sfs/732_QRadar_interimfix-7.3.2.2019052
    2204210-IF02-20190710135412.sfs': No such file or directory
    [ERROR] Couldn't copy patch file FILE to host /storetmp.
    [ERROR] Copied patch file to standby host, but MD5 sums do not match.
    [ERROR](a-i-has-testmode) HOSTNAME-secondary : patch test
    failed.
    [ERROR](a-i-has-testmode) Patching can not continue
    Patch Report for IP-ADDRESS, appliance type: 1828
    HOSTNAME-primary : patch test succeeded.
    Copied patch file to standby host, but MD5 sums do not match.
    See the following Technote for additional information:
    https://www.ibm.com/support/pages/node/1072998
    22 November 2019
    LOG SOURCE MANAGEMENT APP IJ24187 TESTING A CONFIGURATION IN THE LOG SOURCE MANAGEMENT APP CAN FAIL FOR SOME PROTOCOLS WHILE THE CONFIGURED LOG SOURCE WORKS OPEN Workaround
    No workaround available.

    Issue
    Testing a configuration using the Log Source Management App can fail with an unknown error on some protocols. Regular operation of the configured Log Source to collect data can function properly in some instances where the testing function fails.
    08 April 2020
    DATA OBFUSCATION / DOMAINS IJ24467 DOMAIN OBFUSCATION PROFILE CAN FAIL TO BE COPIED CORRECTLY TO EVENT COLLECTOR CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    A Domain Obfuscation profile can fail to be applied to the correct domain due to obfuscation_field_expression_domain and obfuscation_reg_expression_domain failing to be added to the Event Collector replication profile sent from the QRadar Console.
    24 April 2020
    LOG SOURCE MANAGEMENT APP IJ25871 BULK EDIT > ADD TO GROUP FOR LOG SOURCES USING THE LOG SOURCE MANAGEMENT APP V6 DOES NOT WORK AS EXPECTED CLOSED Resolved in
    This issue was resolved in Log Source Management App version 6.1.0. Users who experience issues with bulk editing log sources can update to the latest version of the app or use the QRadar Assistant to upgrade their applications.

    Workaround
    No workaround available.

    Issue
    Performing a Bulk Edit > Add to Group function for log sources using the Log Source Management (LSM) app v6 displays as successful but does not add the log sources to the group. The LSM app v5 does not experience this issue.
    06 February 2021
    SEARCH / HIGH AVAILABILITY (HA) IJ07275 ARIEL CURSOR FILES (USED FOR SAVED SEARCHES) ARE LOST AFTER A HIGH AVAILABILITY CONSOLE FAILOVER OCCURS CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210)

    Workaround
    No workaround available.

    Issue
    It has been identified that the Ariel cursor files, which are created and used for saved searches, are not being copied to the Standby HA console appliance. When a High Availability (HA) console failover occurs, the Saved Searches no longer appear in the QRadar User Interface as the required cursor files are not present.
    07 March 2019
    AMAZON AWS REST API PROTOCOL IJ26748 AMAZON AWS S3 REST API PROTOCOL CAN POLL FOR PREVIOUSLY PROCESSED EVENTS DUE TO AN AWS API CHANGE OPEN Workaround
    No workaround available.

    Issue
    It has been identified that when using the Amazon AWS S3 REST API protocol, the QRadar appliance can poll for older events. This causes Amazon AWS S3 and Cisco Umbrella log sources to poll for events that were previously processed by QRadar. Previously, QRadar used a marker file to determine the last polling interval, ensuring that the AWS S3 buckets polled did not request older events in the API query. This functionality has changed recently in the Amazon AWS REST API. The root cause of this issue is a transition of the Amazon AWS REST API to use a new startAfter key value in API queries.

    This issue is reported in the following protocol versions:
    • AmazonAWSRESTAPI-7.3-20200618175646.noarch.rpm
    • AmazonAWSRESTAPI-7.4-20200619004601.noarch.rpm
    An update is in progress for the Amazon AWS S3 REST API protocol to include a new startAfter key in event queries. A protocol RPM update is required to resolve this issue. To determine your current Amazon AWS S3 REST API protocol version, use the Admin > Auto Update icon in the QRadar user interface or run yum info PROTOCOL-AmazonAWS from the command line. Administrators with impacted protocol versions can subscribe to this APAR or open a case with QRadar Support and reference the APAR number.
    02 August 2020
    SYSTEM NOTIFICATIONS IJ26134 SYSTEM NOTIFICATIONS FOR ‘PROCESS TUNNEL.TUNNEL{XXX} HAS FAILED TO START…” CAN BE CAUSED BY DUPLICATE OFFSITE TUNNEL CREATION CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    QRadar System Notifications relating to tunnels not starting can be observed when duplicate tunnels for encrypted offsite targets are created by QRadar within the deployment.xml configuration file. Additional duplicate tunnels can be generated after each subsequent Deploy function when this issue occurs.

    Event name: “Error: Process monitor application has failed to startup multiple times”

    Payload:
    Apr 8 23:48:58 127.0.0.1 [ProcessMonitor]
    com.q1labs.hostcontext.processmonitor.ProcessManager: [ERROR]
    [NOT:0150114103][x.x.x.x/- -] [-/- -]Process tunnel.tunnel293
    has failed to start for 6828 intervals. Continuing to try to
    start...
    15 July 2020
    SYSTEM NOTIFICATIONS IJ26118 QRADAR SYSTEM NOTIFICATIONS THAT CONTAIN QIDS WITH URL LINKS CAN DISPLAY INCORRECTLY AFTER PATCHING QRADAR CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Workaround
    No workaround available.

    Issue
    QRadar System Notifications that contain QIDs with URL links can fail to display correctly after patching. (e.g. assetprofiler QID – 38750073)
    14 July 2020
    DEPLOY CHANGES IJ25798 DEPLOY FUNCTION CAN FAIL DUE TO AN INCONSISTENT INDEX FROM THE CONSOLE VS MANAGED HOST(S) CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    A QRadar deploy function can fail when there is inconsistency in an index (reference_data_element_data1) from what is on the Console vs what is on a Managed Host. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
    [hostcontext.hostcontext] [Thread-68701] ComponentOutput:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
    replication:
    psql:/store/replication/tx0000000000000302764.sql:220939:
    ERROR: index row size 2928 exceeds maximum 2712 for index
    "reference_data_element_data1"
    [hostcontext.hostcontext] [Thread-68701] ComponentOutput:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
    replication: HINT: Values larger than 1/3 of a buffer page
    cannot be indexed.
    [hostcontext.hostcontext] [Thread-68701] ComponentOutput:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
    replication: Consider a function index of an MD5 hash of the
    value, or use full text indexing.
    [hostcontext.hostcontext] [Thread-68701] ComponentOutput:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
    replication: CONTEXT:  SQL statement "INSERT INTO
    public.reference_data_element SELECT * FROM
    rep.public_reference_data_element"
    [hostcontext.hostcontext] [Thread-68701] ComponentOutput:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
    replication: PL/pgSQL function
    replicate_restore_dump(text,text) line 24 at EXECUTE
    hostname-primary replication[197954]: Could not apply
    /store/replication/tx0000000000000302764.sql.
    27 June 2020
    LICENSE / QRADAR NETWORK INSIGHTS IJ25793 LICENSE CANNOT BE APPLIED SUCCESSFULLY TO QNI APPLIANCE TYPES 6500 ON PATCHED DEPLOYMENTS OPEN Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)

    Workaround
    Note: This command can take a couple of minutes to return to the shell prompt because it restarts Tomcat.

    Run the following command:
    sed -i.install 's/^forensicsRealtime=.*/forensicsRealtime=6200,6300,6400,6500,0,software/g' /opt/qradar/conf/templates/deployments/applianceTypes.properties ; systemctl restart tomcat
    Note: Formatting on this page might cause the command to wrap. The command has the form: sed -i.install ‘text’ /filepath ; systemctl restart tomcat

    Issue
    In some instances, licenses cannot be successfully applied to QRadar Network Insights (QNI) appliance type 6500. This behavior has been observed in QRadar deployments that have been patched (that is, not fresh installs).
    29 July 2020
    CUSTOM PROPERTIES / DATA OBFUSCATION IJ19993 CUSTOM PROPERTY IS NOT PROPERLY PARSED FROM EVENT PAYLOAD WHEN EXPRESSION BASED DATA OBFUSCATION HAS BEEN IN USE CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    No workaround available.

    Issue
    It has been identified that a correctly configured Custom Property does not properly parse event data when expression based Data Obfuscation has been configured and is in use. When this occurs, the expected event payload data is not parsed for use and display by QRadar.
    07 October 2019
    QRADAR VULNERABILITY MANAGER IJ22496 ‘{PROFILENAME} CANNOT BE RAN AS IT HAS ON DEMAND SCANNING ENABLED’ WHEN SCAN NAME CONTAINS ‘RC’ OR ‘CRE’ CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    No workaround available.

    Issue
    Scan profiles cannot be run from the Scan Results screen when a scan name contains ‘RC’ or ‘CRE’.

    A message similar to: “{ProfileName} cannot be ran as it has On Demand Scanning enabled” is generated in the QRadar User Interface when this issue is occurring.
    10 February 2020
    SEARCH / SHOW AQL IJ21226 ‘SHOW AQL’ BUTTON DISPLAYS “NULL” OUTPUT FOR A SAVED SEARCH USING ‘PAYLOAD MATCHES REGULAR EXPRESSION’ FILTER CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    No workaround available.

    Issue
    It has been identified that using the “Show AQL” button for a saved search using the “Payload Matches Regular Expression” filter displays “null” in the text field where the AQL should display. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [admin@127.0.0.1(6577)
    /console/restapi/api/ariel/saved_searches/2818]
    com.q1labs.cve.api.v10_0.ariel.ArielAPI_v10: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]Error occurred while
    returning the saved search
    [tomcat.tomcat] [admin@127.0.0.1(6577)
    /console/restapi/api/ariel/saved_searches/2818]
    java.lang.RuntimeException: Predicate
    'com.q1labs.core.types.event.NormalizedEventPredicate$PayloadMat
    ches@34bf9463' [class: class
    com.q1labs.core.types.event.NormalizedEventPredicate$PayloadMatc
    hes] doesn't implement I2AQL
    [tomcat.tomcat] [admin@127.0.0.1(6577)
    /console/restapi/api/ariel/saved_searches/2818]    at
    com.q1labs.ariel.ql.I2AQL.aql(I2AQL.java:142)
    [tomcat.tomcat] [admin@127.0.0.1(6577)
    /console/restapi/api/ariel/saved_searches/2818]    at
    com.q1labs.ariel.ql.I2AQL.aql(I2AQL.java:147)
    [tomcat.tomcat] [admin@127.0.0.1(6577)
    /console/restapi/api/ariel/saved_searches/2818]    at
    com.q1labs.cve.utils.CriteriaBuilder.buildAql(CriteriaBuilder.ja
    va:512)
    [tomcat.tomcat] [admin@127.0.0.1(6577)
    /console/restapi/api/ariel/saved_searches/2818]    at
    com.q1labs.cve.utils.ArielSearchForm2AQL.convert(ArielSearchForm
    2AQL.java:143)
    [tomcat.tomcat] [admin@127.0.0.1(6577)
    /console/restapi/api/ariel/saved_searches/2818]    at
    com.q1labs.cve.utils.ArielSearchForm2AQL.convert(ArielSearchForm
    2AQL.java:105)
    [tomcat.tomcat] [admin@127.0.0.1(6577)
    /console/restapi/api/ariel/saved_searches/2818]    at
    com.q1labs.cve.api.impl.ariel.ArielAPIImpl.convertToAQL(ArielAPI
    Impl.java:1112)
    [tomcat.tomcat] [admin@127.0.0.1(6577)
    /console/restapi/api/ariel/saved_searches/2818]    at
    com.q1labs.cve.api.impl.ariel.ArielAPIImpl.buildArielSavedSearch
    DTO(ArielAPIImpl.java:1091)
    [tomcat.tomcat] [admin@127.0.0.1(6577)
    /console/restapi/api/ariel/saved_searches/2818]    at
    com.q1labs.cve.api.impl.ariel.ArielAPIImpl.getSavedSearch(ArielA
    PIImpl.java:1123)
    [tomcat.tomcat] [admin@127.0.0.1(6577)
    /console/restapi/api/ariel/saved_searches/2818]    at
    com.q1labs.cve.api.v10_0.ariel.ArielAPI_v10.getSavedSearch(Ariel
    API_v10.java:199)
    [tomcat.tomcat] [admin@127.0.0.1(6577)
    /console/restapi/api/ariel/saved_searches/2818]    at
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    [tomcat.tomcat] [admin@127.0.0.1(6577)
    /console/restapi/api/ariel/saved_searches/2818]    at
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessor
    Impl.java:90)
    [tomcat.tomcat] [admin@127.0.0.1(6577)
    /console/restapi/api/ariel/saved_searches/2818]    at
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
    AccessorImpl.java:55)
    [tomcat.tomcat] [admin@127.0.0.1(6577)
    /console/restapi/api/ariel/saved_searches/2818]    at
    java.lang.reflect.Method.invoke(Method.java:508)
    [tomcat.tomcat] [admin@127.0.0.1(6577)
    /console/restapi/api/ariel/saved_searches/2818]    at
    com.q1labs.restapi.servlet.utilities.APIRequestHandler.invokeMet
    hod(APIRequestHandler.java:1031)
    [tomcat.tomcat] [admin@127.0.0.1(6577)
    /console/restapi/api/ariel/saved_searches/2818]    at
    com.q1labs.restapi.servlet.utilities.APIRequestHandler.redirectR
    equest(APIRequestHandler.java:399)
    [tomcat.tomcat] [admin@127.0.0.1(6577)
    /console/restapi/api/ariel/saved_searches/2818]    at
    com.q1labs.restapi.servlet.utilities.APIRequestHandler.handleReq
    uest(APIRequestHandler.java:239)
    [tomcat.tomcat] [admin@127.0.0.1(6577)
    /console/restapi/api/ariel/saved_searches/2818]    at
    com.q1labs.restapi.servlet.apidelegate.APIDelegate.handleRequest
    (APIDelegate.java:303)
    [tomcat.tomcat] [admin@127.0.0.1(6577)
    /console/restapi/api/ariel/saved_searches/2818]    at
    com.q1labs.restapi.servlet.apidelegate.APIDelegate.service(APIDe
    legate.java:221)
    [tomcat.tomcat] [admin@127.0.0.1(6577)
    /console/restapi/api/ariel/saved_searches/2818]    at
    javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    [tomcat.tomcat] [admin@127.0.0.1(6577)
    /console/restapi/api/ariel/saved_searches/2818]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:231)
    [tomcat.tomcat] [admin@127.0.0.1(6577)
    /console/restapi/api/ariel/saved_searches/2818]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [admin@127.0.0.1(6577)
    /console/restapi/api/ariel/saved_searches/2818]    at
    org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.ja
    va:52)
    [tomcat.tomcat] [admin@127.0.0.1(6577)
    /console/restapi/api/ariel/saved_searches/2818]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [admin@127.0.0.1(6577)
    /console/restapi/api/ariel/saved_searches/2818]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [admin@127.0.0.1(6577)
    /console/restapi/api/ariel/saved_searches/2818]    at
    com.q1labs.uiframeworks.auth.EulaFilter.doFilter(EulaFilter.java
    :141)
    [tomcat.tomcat] [admin@127.0.0.1(6577)
    /console/restapi/api/ariel/saved_searches/2818]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    27 November 2019
    AUTO UPDATE IJ21293 AUTOUPDATE AND CRON NOT RUNNING ON 7.3.2 QRADAR IMAGES INSTALLED ON GOOGLE CLOUD PLATFORM AND AMAZON WEB SERVICES CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    Performing the following commands from a command line on the system after it’s built corrects the issue outlined in the APAR.
    $ sudo su -
    $ pwck
    $ systemctl start crond.service

    Issue
    It has been identified that on 7.3.2 QRadar images installed on Google Cloud Platform and Amazon Web Services (AWS), Automatic Updates do not run and the cron service is not started.
    09 December 2019
    BACKUP AND RESTORE IJ21230 CONFIG BACKUP CAN TAKE LONGER THAN EXPECTED TO COMPLETE IF A MANAGED HOST TIMEOUT OCCURS CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that the script update-remote-certs.sh does not have an SSH connection timeout configured for the rsync command.

    This can result in a longer than expected time to restore a config backup if Managed Host connections experience a timeout.
    29 July 2020
    REFERENCE DATA IJ21228 TOMCAT OUT OF MEMORY CAN OCCUR DURING AUTOMATED REFERENCE DATA CLEANUP BY QRADAR CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that in some instances, the tomcat process can experience an Out of Memory occurrence during QRadar’s automated cleanup of reference data. The QRadar User Interface is unavailable during a tomcat Out Of Memory occurrence until the affected services recover.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    com.q1labs.core.shared.referencedata.ReferenceDataManager:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/-
    -]ReferenceDataManager.deleteFromReferenceDataCollection() -
    SQLException caught while trying to delete from Reference Data
    Collection : UBA : User Accounts, Successful, Recent
    com.q1labs.core.shared.referencedata.ReferenceDataManager:
    [ERROR] Chained SQL Exception [1/2]: Batch entry 0 delete from
    reference_data_element rde where rde.rdk_id = (select id from
    reference_data_key where rd_id = 53 and domain_info =
    2147483647) and data= ? was aborted: An I/O error occurred
    while sending to the backend. Call getNextException to see
    other errors in the batch.
    com.q1labs.core.shared.referencedata.ReferenceDataManager:
    [ERROR] Chained SQL Exception [2/2]: An I/O error occurred
    while sending to the backend.
    com.q1labs.core.shared.referencedata.ReferenceDataManager:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/-
    -]ReferenceDataManager.deleteFromReferenceDataCollection()
    getNextException():
    java.sql.BatchUpdateException: Batch entry 0 delete from
    reference_data_element rde where rde.rdk_id = (select id from
    reference_data_key where rd_id = 53 and domain_info =
    2147483647) and data = ? was aborted: An I/O error occurred
    while sending to the backend. Call getNextException to see
    other errors in the batch.
    at org.postgresql.jdbc.BatchResultHandler.handleError(BatchResultHa
    ndler.java:148)
    at org.postgresql.jdbc.PgStatement.executeBatch(PgStatement.java)
    at org.postgresql.jdbc.PgPreparedStatement.executeBatch(PgPreparedS
    tatement.java:1556)
    at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.executeBatch(
    NewProxyPreparedStatement.java:1723)
    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeB
    atch(DelegatingPreparedStatement.java:250)
    at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator$LoggingCo
    nnection$LoggingPreparedStatement.executeBatch(LoggingConnection
    Decorator.java:1149)
    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeB
    atch(DelegatingPreparedStatement.java:250)
    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeB
    atch(DelegatingPreparedStatement.java:250)
    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeB
    atch(DelegatingPreparedStatement.java:250)
    at org.apache.openjpa.jdbc.kernel.JDBCStoreManager$CancelPreparedSt
    atement.executeBatch(JDBCStoreManager.java:1809)
    at com.q1labs.frameworks.session.PreparedStatementWrapper.executeBa
    tch(PreparedStatementWrapper.java:265)
    at com.q1labs.core.dao.referencedata.light.ReferenceDataCacheSet.ru
    nSqlStatement(ReferenceDataCacheSet.java:494)
    at com.q1labs.core.dao.referencedata.light.ReferenceDataCacheSet.de
    leteData(ReferenceDataCacheSet.java:576)
    at com.q1labs.core.dao.referencedata.light.ReferenceDataCacheSet.ac
    cess$800(ReferenceDataCacheSet.java:36)
    at com.q1labs.core.dao.referencedata.light.ReferenceDataCacheSet$5.
    call(ReferenceDataCacheSet.java:273)
    at com.q1labs.core.dao.referencedata.light.ReferenceDataCacheSet$5.
    call(ReferenceDataCacheSet.java:251)
    at com.q1labs.core.dao.referencedata.light.RefDataCacheLock.writeCa
    cheAccess(RefDataCacheLock.java:125)
    at com.q1labs.core.dao.referencedata.light.ReferenceDataCacheSet.de
    leteElement(ReferenceDataCacheSet.java:250)
    at com.q1labs.core.dao.referencedata.light.RefDataDomainProtection.
    deleteElement(RefDataDomainProtection.java:83)
    at com.q1labs.core.shared.referencedata.ReferenceDataManager.delete
    FromReferenceDataCollection(ReferenceDataManager.java:885)
    at com.q1labs.core.shared.referencedata.ReferenceDataManager.delete
    FromReferenceDataCollection(ReferenceDataManager.java:946)
    at com.q1labs.core.shared.referencedata.ReferenceDataTimer.expireDa
    ta(ReferenceDataTimer.java:186)
    at com.q1labs.core.shared.referencedata.ReferenceDataTimer.timeExpi
    red(ReferenceDataTimer.java:68)
    at com.q1labs.frameworks.events.timer.TimerEventGenerator$TimerEven
    tInfo.dispatchEvent(TimerEventGenerator.java:234)
    at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchT
    hread.run(SequentialEventDispatcher.java:129)
    Caused by:
    org.postgresql.util.PSQLException: An I/O error occurred while
    sending to the backend.
    at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorIm
    pl.java:333) 
    at org.postgresql.jdbc.PgStatement.executeBatch(PgStatement.java:81
    6)... 23 more
    Caused by:
    java.net.SocketException: Socket closed
    at java.net.SocketInputStream.socketRead0(Native Method)
    at java.net.SocketInputStream.socketRead(SocketInputStream.java:127)
    at java.net.SocketInputStream.read(SocketInputStream.java:182)
    at java.net.SocketInputStream.read(SocketInputStream.java:152)
    06 December 2019
    RULES IJ20895 PARSING RULE 'WHEN THE EVENT MATCHES THIS SEARCH FILTER' CAN GENERATE A NUMBERFORMATEXCEPTION CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    Attempt to use different test condition(s) that achieve the same expected output as the failing rule set.

    Issue
    It has been identified that a "NumberFormatException" is generated when Rules using the following conditions are executed:
    • When the event matches this search filter
    • Custom rule equals any of 'Rule A', 'Rule B', 'Rule C'.
    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ep.ecs-ep]
    [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher]
    com.q1labs.semsources.cre.tests.ArielFilterTest: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]Error parsing parameters
    [ecs-ep.ecs-ep]
    [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher]
    java.lang.NumberFormatException: For input string: "100003 100033 100001"
    [ecs-ep.ecs-ep][27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher]
    at java.lang.NumberFormatException.forInputString(NumberFormatExcep
    tion.java:76)
    [ecs-ep.ecs-ep] [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher]
    at java.lang.Integer.parseInt(Integer.java:592) [ecs-ep.ecs-ep]
    [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher]
    at java.lang.Integer.parseInt(Integer.java:627)
    [ecs-ep.ecs-ep]
    [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher]
    at com.q1labs.semsources.cre.tests.ArielFilterTest.createArielTest(
    ArielFilterTest.java:49)
    [ecs-ep.ecs-ep]
    [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher]
    at com.q1labs.semsources.cre.tests.ArielFilterTest.setParms(ArielFi
    lterTest.java:90)
    [ecs-ep.ecs-ep]
    [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher]
    at com.q1labs.semsources.cre.tests.CREEventTest.init(CREEventTest.j
    ava:121)
    [ecs-ep.ecs-ep]
    [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher]
    at com.q1labs.semsources.cre.CustomRule.(CustomRule.java:178)
    [ecs-ep.ecs-ep]
    [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher]
    at com.q1labs.semsources.cre.CustomRuleReader.preProcessNewRules(Cu
    stomRuleReader.java:742)
    [ecs-ep.ecs-ep]
    [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher]
    at com.q1labs.semsources.cre.CustomRuleReader.readRules(CustomRuleR
    eader.java:332)
    [ecs-ep.ecs-ep]
    [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher]
    at com.q1labs.semsources.cre.CustomRuleReader.objectChanged(CustomR
    uleReader.java:1114)
    [ecs-ep.ecs-ep]
    [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher]
    at com.q1labs.frameworks.events.config.ConfigurationChangeEvent.dis
    patchEvent(ConfigurationChangeEvent.java:125)
    [ecs-ep.ecs-ep]
    [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher]
    at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchT
    hread.run(SequentialEventDispatcher.java:129)
    13 November 2019
    RULES IJ20631 RULES WITH CONDITIONS THAT SPAN ACROSS MIDNIGHT DO NOT WORK AS EXPECTED CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    Separate the conditions into two different rules, each covering one part of the required time frame (for example, 18:00 to midnight and midnight to 03:00). Create two building blocks and include them in a rule that uses the test "and when the event match any of the following {building blocks}".

    Issue
    It has been identified that rules created with conditions that span across midnight do not fire as expected. Example of rule conditions within a rule that does not fire:
    • and when event(s) occur after 18:00
    • and when event(s) occur before 03:00
    13 November 2019
    RULES IJ20762 RULES WITH CONDITIONS THAT SPAN ACROSS MIDNIGHT DO NOT WORK AS EXPECTED CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    Separate the conditions into two different rules, each covering one part of the required time frame (for example, 18:00 to midnight and midnight to 03:00). Create two building blocks and include them in a rule that uses the test "and when the event match any of the following {building blocks}".

    Issue
    It has been identified that rules created with conditions that span across midnight do not fire as expected. Example of rule conditions within a rule that does not fire:
    • and when event(s) occur after 18:00
    • and when event(s) occur before 03:00
    13 November 2019
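    The two "occur after 18:00" and "occur before 03:00" tests above (IJ20631 and IJ20762) are ANDed inside one rule, so no clock time satisfies both. As an added example that is not QRadar code, the following Python models that failing conjunction next to the two-building-block workaround; the helper names are assumed.

```python
from datetime import time


def parse_hhmm(value: str) -> time:
    """Parse an 'HH:MM' string such as '18:00' into a datetime.time."""
    hours, minutes = value.split(":")
    return time(int(hours), int(minutes))


def single_rule_matches(event_time: str, after: str, before: str) -> bool:
    """Model of one rule carrying both tests:
       'and when event(s) occur after <after>'
       'and when event(s) occur before <before>'
    The tests are ANDed, so with after=18:00 and before=03:00 no clock
    time satisfies both and the rule never fires (the reported behaviour).
    """
    t = parse_hhmm(event_time)
    return parse_hhmm(after) <= t and t < parse_hhmm(before)


def split_rule_matches(event_time: str, after: str, before: str) -> bool:
    """Model of the workaround: one building block per side of midnight,
    combined with 'matches any of the following building blocks'.
    When the window does not cross midnight a single rule is sufficient,
    so the plain conjunction is kept for that case.
    """
    t = parse_hhmm(event_time)
    start, end = parse_hhmm(after), parse_hhmm(before)
    if start < end:
        # Window lies inside one day; the single rule works as expected.
        return start <= t < end
    # Building block 1: from <after> until midnight.
    bb_evening = start <= t
    # Building block 2: from midnight until <before>.
    bb_morning = t < end
    # Rule: 'and when the event match any of the following {building blocks}'
    return bb_evening or bb_morning


if __name__ == "__main__":
    for sample in ("20:00", "02:00", "12:00"):
        print(sample,
              "single rule:", single_rule_matches(sample, "18:00", "03:00"),
              "split rule:", split_rule_matches(sample, "18:00", "03:00"))
```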
    RULES IJ20328 'WHEN THE EVENT(S) HAVE NOT BEEN DETECTED BY ONE OR MORE OF THESE LOG SOURCE GROUPS' TEST ALLOWS RULE ACTIONS TO BE SET CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    Do not set rule actions for these tests.

    Issue
    It has been identified that when a rule is created with the test "when the event(s) have not been detected by one or more of these log source groups for this many seconds", rule actions can be set. For the other "have not been detected" rule tests, rule actions are disabled with the statement:
    No action(s) available with the 'event(s) have not been detected' test
    A rule action should not be configurable for a non-existent event.
    16 October 2019
    SERVICES / BACKUP AND RESTORE IJ20760 HOSTCONTEXT FAILS TO START WHEN A CONFIG PRIOR TO 7.1MR2 IS RESTORED ON A NEW INSTALL OF 7.3.1 CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    If you cannot upgrade to a version where this issue is resolved, contact Support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that hostcontext fails to start after a config has been restored on a new install of 7.3.x with a backup taken from a system originally installed prior to version 7.1MR2.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [hostcontext.hostcontext] [main]
    com.ibm.si.application.platform.AppPlatformManager: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]An error occurred while
    refreshing platform selection.
    [hostcontext.hostcontext] [main] java.lang.Exception: Failed to
    read workloads host from database using cached id [53].
    [hostcontext.hostcontext] [main]    at
    com.ibm.si.application.platform.AppPlatformManager.createConManC
    lient(AppPlatformManager.java:330)
    [hostcontext.hostcontext] [main]    at
    com.ibm.si.application.platform.AppPlatformManager.initLocal(App
    PlatformManager.java:209)
    [hostcontext.hostcontext] [main]    at
    com.ibm.si.application.platform.AppPlatformManager.refresh(AppPl
    atformManager.java:175)
    [hostcontext.hostcontext] [main]    at
    com.ibm.si.application.platform.AppPlatformManager.onInit(AppPla
    tformManager.java:94)
    [hostcontext.hostcontext] [main]    at
    com.q1labs.frameworks.naming.FrameworksNaming.initializeNewCompo
    nent(FrameworksNaming.java:916)
    [hostcontext.hostcontext] [main]    at
    com.q1labs.frameworks.naming.FrameworksNaming.getApplicationScop
    edComponent(FrameworksNaming.java:897)
    [hostcontext.hostcontext] [main]    at
    com.q1labs.frameworks.core.FrameworksContext.getSingletonInstanc
    e(FrameworksContext.java:1404)
    [hostcontext.hostcontext] [main]    at
    com.ibm.si.application.platform.AppPlatformManager.getInstance(A
    ppPlatformManager.java:80)
    [hostcontext.hostcontext] [main]    at
    com.q1labs.hostcontext.app.LocalApplicationSentry.onInit(LocalAp
    plicationSentry.java:156)
    [hostcontext.hostcontext] [main]    at
    com.q1labs.frameworks.naming.FrameworksNaming.initializeNewCompo
    nent(FrameworksNaming.java:916)
    [hostcontext.hostcontext] [main]    at
    com.q1labs.frameworks.naming.FrameworksNaming.getApplicationScop
    edComponent(FrameworksNaming.java:897)
    [hostcontext.hostcontext] [main]    at
    com.q1labs.frameworks.core.FrameworksContext.getSingletonInstanc
    e(FrameworksContext.java:1404)
    [hostcontext.hostcontext] [main]    at
    com.q1labs.hostcontext.app.LocalApplicationSentry.getInstance(Lo
    calApplicationSentry.java:68)
    [hostcontext.hostcontext] [main]    at
    com.q1labs.hostcontext.HostContext.init(HostContext.java:336)
    [hostcontext.hostcontext] [main]    at
    com.q1labs.hostcontext.HostContext.main(HostContext.java:1300)
    [hostcontext.hostcontext] [main]
    com.ibm.si.application.platform.AppPlatformManager: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]An error occurred
    initializing app platform manager.
    [hostcontext.hostcontext] [main]
    com.q1labs.frameworks.exceptions.FrameworksNamingException:
    Failed to initialize component: AppPlatformManager
    [hostcontext.hostcontext] [main]    at
    com.q1labs.frameworks.naming.FrameworksNaming.initializeNewCompo
    nent(FrameworksNaming.java:920)
    [hostcontext.hostcontext] [main]    at
    com.q1labs.frameworks.naming.FrameworksNaming.getApplicationScop
    edComponent(FrameworksNaming.java:897)
    [hostcontext.hostcontext] [main]    at
    com.q1labs.frameworks.core.FrameworksContext.getSingletonInstanc
    e(FrameworksContext.java:1404)
    [hostcontext.hostcontext] [main]    at
    com.ibm.si.application.platform.AppPlatformManager.getInstance(A
    ppPlatformManager.java:80)
    [hostcontext.hostcontext] [main]    at
    com.q1labs.hostcontext.app.LocalApplicationSentry.onInit(LocalAp
    plicationSentry.java:156)
    [hostcontext.hostcontext] [main]    at
    com.q1labs.frameworks.naming.FrameworksNaming.initializeNewCompo
    nent(FrameworksNaming.java:916)
    [hostcontext.hostcontext] [main]    at
    com.q1labs.frameworks.naming.FrameworksNaming.getApplicationScop
    edComponent(FrameworksNaming.java:897)
    [hostcontext.hostcontext] [main]    at
    com.q1labs.frameworks.core.FrameworksContext.getSingletonInstanc
    e(FrameworksContext.java:1404)
    [hostcontext.hostcontext] [main]    at
    com.q1labs.hostcontext.app.LocalApplicationSentry.getInstance(Lo
    calApplicationSentry.java:68)
    [hostcontext.hostcontext] [main]    at
    com.q1labs.hostcontext.HostContext.init(HostContext.java:336)
    [hostcontext.hostcontext] [main]    at
    com.q1labs.hostcontext.HostContext.main(HostContext.java:1300)
    [hostcontext.hostcontext] [main] Caused by:
    [hostcontext.hostcontext] [main]
    com.ibm.si.application.platform.exception.ApplicationPlatformSer
    viceException: java.lang.Exception: Failed to read workloads
    host from database using cached id [53].
    [hostcontext.hostcontext] [main]    at
    com.ibm.si.application.platform.AppPlatformManager.refresh(AppPl
    atformManager.java:193)
    [hostcontext.hostcontext] [main]    at
    com.ibm.si.application.platform.AppPlatformManager.onInit(AppPla
    tformManager.java:94)
    [hostcontext.hostcontext] [main]    at
    com.q1labs.frameworks.naming.FrameworksNaming.initializeNewCompo
    nent(FrameworksNaming.java:916)
    [hostcontext.hostcontext] [main]    ... 10 more
    [hostcontext.hostcontext] [main] Caused by:
    [hostcontext.hostcontext] [main] java.lang.Exception: Failed to
    read workloads host from database using cached id [53].
    [hostcontext.hostcontext] [main]    at
    com.ibm.si.application.platform.AppPlatformManager.createConManC
    lient(AppPlatformManager.java:330)
    [hostcontext.hostcontext] [main]    at
    com.ibm.si.application.platform.AppPlatformManager.initLocal(App
    PlatformManager.java:209)
    [hostcontext.hostcontext] [main]    at
    com.ibm.si.application.platform.AppPlatformManager.refresh(AppPl
    atformManager.java:175)
    [hostcontext.hostcontext] [main]    ... 12 more
    [hostcontext.hostcontext] [main]
    com.q1labs.hostcontext.app.LocalApplicationSentry: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]An error occurred
    initializing application sentry.
    [hostcontext.hostcontext] [main]
    com.q1labs.frameworks.exceptions.FrameworksNamingException:
    Failed to initialize component: LocalApplicationSentry
    [hostcontext.hostcontext] [main]    at
    com.q1labs.frameworks.naming.FrameworksNaming.initializeNewCompo
    nent(FrameworksNaming.java:920)
    [hostcontext.hostcontext] [main]    at
    com.q1labs.frameworks.naming.FrameworksNaming.getApplicationScop
    edComponent(FrameworksNaming.java:897)
    [hostcontext.hostcontext] [main]    at
    com.q1labs.frameworks.core.FrameworksContext.getSingletonInstanc
    e(FrameworksContext.java:1404)
    [hostcontext.hostcontext] [main]    at
    com.q1labs.hostcontext.app.LocalApplicationSentry.getInstance(Lo
    calApplicationSentry.java:68)
    [hostcontext.hostcontext] [main]    at
    com.q1labs.hostcontext.HostContext.init(HostContext.java:336)
    [hostcontext.hostcontext] [main]    at
    com.q1labs.hostcontext.HostContext.main(HostContext.java:1300)
    [hostcontext.hostcontext] [main] Caused by:
    [hostcontext.hostcontext] [main] java.lang.NullPointerException
    [hostcontext.hostcontext] [main]    at
    com.q1labs.hostcontext.app.LocalApplicationSentry.onInit(LocalAp
    plicationSentry.java:157)
    [hostcontext.hostcontext] [main]    at
    com.q1labs.frameworks.naming.FrameworksNaming.initializeNewCompo
    nent(FrameworksNaming.java:916)
    [hostcontext.hostcontext] [main]    ... 5 more
    [hostcontext.hostcontext] [main]
    com.q1labs.hostcontext.HostContext: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]error occured while
    initializing hostcontext
    [hostcontext.hostcontext] [main] java.lang.NullPointerException
    [hostcontext.hostcontext] [main]    at
    com.q1labs.hostcontext.HostContext.init(HostContext.java:343)
    [hostcontext.hostcontext] [main]    at
    com.q1labs.hostcontext.HostContext.main(HostContext.java:1300)
    [hostcontext.hostcontext] [main]
    com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception was uncaught
    in thread: main
    08 November 2019
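    Several entries above (IJ25798, IJ21226, IJ21228, IJ20895, IJ20760) are identified by the text they quote from /var/log/qradar.log or /var/log/qradar.error. As an added example that is not part of this page or of QRadar, the following Python maps log lines to those APAR numbers; the regexes are derived from the quoted messages, the sample lines are constructed single-line forms of them plus one unrelated line, and the function names are assumed.

```python
import re
from collections import Counter

# Signature regexes built from the error text each APAR entry above quotes.
INDEX_ROW_RE = re.compile(
    r'index row size (\d+) exceeds maximum (\d+) for index '
    r'"reference_data_element_data1"')
SIGNATURES = [
    ("IJ25798", INDEX_ROW_RE),
    ("IJ21226", re.compile(r"doesn't implement I2AQL")),
    ("IJ21228", re.compile(r"SQLException caught while trying to delete "
                           r"from Reference Data\s*Collection")),
    ("IJ20895", re.compile(r'java\.lang\.NumberFormatException: '
                           r'For input string: "([^"]*)"')),
    ("IJ20760", re.compile(r"Failed to read workloads host from database "
                           r"using cached id \[(\d+)\]")),
]

# Constructed sample input: the page's wrapped messages joined onto one line
# each, followed by an unrelated (constructed) line that must not match.
SAMPLE_LOG = """\
[hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: psql:/store/replication/tx0000000000000302764.sql:220939: ERROR: index row size 2928 exceeds maximum 2712 for index "reference_data_element_data1"
[tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818] java.lang.RuntimeException: Predicate 'com.q1labs.core.types.event.NormalizedEventPredicate$PayloadMatches@34bf9463' [class: class com.q1labs.core.types.event.NormalizedEventPredicate$PayloadMatches] doesn't implement I2AQL
com.q1labs.core.shared.referencedata.ReferenceDataManager: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ReferenceDataManager.deleteFromReferenceDataCollection() - SQLException caught while trying to delete from Reference Data Collection : UBA : User Accounts, Successful, Recent
[ecs-ep.ecs-ep] [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher] java.lang.NumberFormatException: For input string: "100003 100033 100001"
[hostcontext.hostcontext] [main] java.lang.Exception: Failed to read workloads host from database using cached id [53].
[hostcontext.hostcontext] [main] com.q1labs.hostcontext.HostContext: [INFO] constructed unrelated line
"""


def match_line(line):
    """Return [(apar, captured_groups)] for every signature found on the line.

    A line can in principle carry more than one signature, so all are
    returned rather than only the first.
    """
    hits = []
    for apar, pattern in SIGNATURES:
        m = pattern.search(line)
        if m:
            hits.append((apar, m.groups()))
    return hits


def triage(lines):
    """Count how many lines point at each APAR; unmatched lines are ignored."""
    counts = Counter()
    for line in lines:
        for apar, _ in match_line(line):
            counts[apar] += 1
    return dict(counts)


def index_row_overflow(line):
    """For an IJ25798 line, return (row_size, max_size, bytes_over), else None.

    The maximum reported by PostgreSQL is one third of a buffer page, which
    is why the quoted HINT suggests indexing a hash of the value instead.
    """
    m = INDEX_ROW_RE.search(line)
    if not m:
        return None
    row_size, max_size = int(m.group(1)), int(m.group(2))
    return row_size, max_size, row_size - max_size


if __name__ == "__main__":
    for apar, count in sorted(triage(SAMPLE_LOG.splitlines()).items()):
        print(f"{apar}: {count} matching line(s)")
    print(index_row_overflow(SAMPLE_LOG.splitlines()[0]))
```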
    FLOWS IJ18233 A MANUALLY ADDED OR EDITED FLOW SOURCE ALIAS DOES NOT WORK AS EXPECTED CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that a manually added or edited Flow Source alias does not work as expected.

    When a flow source alias is manually created or edited, the flow collector component is not being properly populated on the associated managed host and the edited alias is not listed in the search filter for the flow interface. Associated flows are not received when this issue occurs.
    19 August 2019
    FLOWS IJ20453 REFERENCE DATA CAN FAIL TO BE UPDATED WHEN REFERENCEDATA.TIMETOLIVE.PERIOD IS SET TO 0 CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that in some instances referencedata.timetolive.period is set to 0 in /opt/qradar/conf/frameworks.properties. When this issue occurs, the reference data manager can fail to initialize, causing reference data not to be updated. This can also affect some application functionality (e.g., reference data not being updated by UBA as expected).

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [ReferenceDataUpdateServiceThread_1] com.q1labs.core.shared.referencedata.ReferenceDataUpdateServiceThread: [ERROR] [NOT:0000003000][xxxxx/- -] [-/- -]ReferenceDataUpdateServiceThread An unexpected exception was encountered processing name=UBA : User Accounts, Successful, Recent size=6 {shared:[host/xxxxxxxxxxxxxx]}
    Jun 11 14:04:59 ::ffff: [tomcat.tomcat] [ReferenceDataUpdateServiceThread_1] java.lang.NullPointerException
    Jun 11 14:04:59 ::ffff:xxxxxxx [tomcat.tomcat] [ReferenceDataUpdateServiceThread_1] at com.q1labs.core.shared.referencedata.ReferenceDataUpdateServiceThread.run(ReferenceDataUpdateServiceThread.java:100)
    tomcat[5690]: 11-Jun-2019 14:09:13.428 WARNING [xxxxxx(7157925) /console/do/rulewizard] com.sun.messaging.jmq.jmsclient.ExceptionHandler.logCaughtException [I500]: Caught JVM Exception: com.sun.messaging.jms.JMSException: [ADD_PRODUCER_REPLY(19)] [C4036]: A broker error occurred. :[409] [B4183]: Producer can not be added to destination ReferenceDataUpdates [Topic], limit of 100 producers would be exceeded user=qradar, broker=127.0.0.1:7676(7677)
    Jun 11 14:09:13 ::ffff:xxxxxxx[tomcat.tomcat] [xxxx@xxxxx (7157925) /console/do/rulewizard] com.q1labs.core.shared.referencedata.ReferenceDataManager: [ERROR] [NOT:0000003000][xxxxxxx/- -] [-/- -]Unable to initialize Reference Data Manager
    [tomcat.tomcat] [Token: SIRT_Script_access@xxxxx(519) /console/restapi/api/reference_data/sets/ThreatIntel_False_Positives_IP] Caused by:
    Jun 28 08:59:34 ::ffff:xxxxxxx [tomcat.tomcat] [Token: SIRT_Script_access@xxxxx(519) /console/restapi/api/reference_data/sets/ThreatIntel_False_Positives_IP] java.lang.IllegalArgumentException: Non-positive period.
    [tomcat.tomcat] [Token: SIRT_Script_access@xxxx(519) /console/restapi/api/reference_data/sets/ThreatIntel_False_Positives_IP]    at java.util.Timer.schedule(Timer.java:297)
    [tomcat.tomcat] [Token: SIRT_Script_access@xxxx (519) /console/restapi/api/reference_data/sets/ThreatIntel_False_Positives_IP]    at com.q1labs.frameworks.events.timer.TimerEventGenerator.addListener(TimerEventGenerator.java:102)
    [tomcat.tomcat] [Token: SIRT_Script_access@xxxx(519) /console/restapi/api/reference_data/sets/ThreatIntel_False_Positives_IP]    at com.q1labs.frameworks.session.SessionContext.addTimerEventListener(SessionContext.java:778)
    [tomcat.tomcat] [Token: SIRT_Script_access@xxxx(519) /console/restapi/api/reference_data/sets/ThreatIntel_False_Positives_IP]    at com.q1labs.core.shared.referencedata.ReferenceDataManager.onInit(ReferenceDataManager.java:136)
    [tomcat.tomcat] [Token: SIRT_Script_access@xxxx(519) /console/restapi/api/reference_data/sets/ThreatIntel_False_Positives_IP]    at com.q1labs.frameworks.naming.FrameworksNaming.initializeNewComponent(FrameworksNaming.java:916)
    29 October 2019
    QRADAR RISK MANAGER IJ12227 RISK_MANAGER_BACKUP.SH CREATES TARBALL FILES IN /STORE/QRM_BACKUPS/ DIRECTORY ON QRADAR CONSOLE CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that /opt/qradar/bin/dbmaint/risk_manager_backup.sh runs on the QRadar Console when it should only run on the QRadar Risk Manager (QRM) managed host.

    When the script runs (daily), it produces tarball files in /store/qrm_backups.

    Example output when running the following command on the QRadar Console:
    # ls -l /store/qrm_backups
    -rw-r--r-- 1 root root 245 Dec 12 04:01 backup-2018-11-25-04-00-58.tgz
    02 January 2019
    DEPLOY CHANGES IJ11784 DEPLOY FULL CONFIGURATION FUNCTION DOES NOT PROGRESS PAST "PREPARING FOR DEPLOYMENT" MESSAGE CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that a Deploy Full Configuration function (Admin > Advanced drop down) can sometimes stall at the message "Preparing for deployment".
    31 December 2018
    UPGRADE IJ11530 DRACUT ERROR 'WARNING:DRACUT-INITQUEUE TIMEOUT STARTING TIMEOUT SCRIPTS' DURING UPGRADE CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    To work around this issue, add rd.bootif=0 to /etc/default/grub. For example:
    # cat /etc/default/grub
    GRUB_CMDLINE_LINUX="biosdevname=0 ethdevice-timeout=60 nicdelay=30 linksleep=30 console=ttyS0,9600 console=tty1 rd.bootif=0 ip=dhcp BOOTIF=MAC_address"

    Issue
    It has been identified that in some instances, a dracut error similar to the following can be observed during a QRadar upgrade:

    "Warning : dracut-initqueue timeout starting timeout scripts"

    The upgrade then fails and drops into a dracut emergency shell.

    This has been observed on appliances that were initially built/configured using PXE boot with a DHCP server that is no longer reachable.
    31 December 2018
    QRADAR NETWORK INSIGHTS / DISK SPACE IJ10391 [QNI] THE /TMP PARTITION CAN RUN OUT OF FREE SPACE DUE TO THE IMGCTR.LOG FILE CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    Moving the imgctr.log file out of the /tmp directory to a directory with more available free space addresses this issue until this APAR is addressed.

    Issue
    It has been identified that the /tmp partition can run out of free disk space due to the imgctr.log file growing too large in size.
    31 October 2018
    FIREWALL / ADMINISTRATION IJ05865 FIREWALL RULE CHANGES PERFORMED IN THE UI WHEN IPV6 IS ENABLED GENERATE AN ERROR: 'UNEXPECTED SERVER ERROR OCCURS.' CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that attempting to make Firewall changes using the QRadar User Interface (System and License Management), when IPv6 is enabled, can generate an error: "Unexpected server error occurs. Try at later time."

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    lsdep1 [IPTABLES] [17677] ERROR: Failed to apply ip6tables rules! The offending line is 34 or: -A QChain -m udp -p udp --dport 512:65535 --sport 3333 ! --syn -j ACCEPT
    [hostcontext.hostcontext] [pool-1-thread-4] com.ibm.si.hostcontext.task.SetAccessControlIptableRulesTask: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to run /bin/bash -c echo "QRADAR=ANY : UDP : 3333" >/opt/qradar/conf/access.conf ; /opt/qradar/bin/iptables_update.pl
    [hostcontext.hostcontext] [pool-1-thread-4] com.ibm.si.hostcontext.task.SetAccessControlIptableRulesTask: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to update access control iptable rules
    [hostcontext.hostcontext] [pool-1-thread-4] java.lang.Exception: Failed to run /bin/bash -c echo "QRADAR=ANY : UDP : 3333" >/opt/qradar/conf/access.conf ; /opt/qradar/bin/iptables_update.pl
    [hostcontext.hostcontext] [pool-1-thread-4] at com.ibm.si.hostcontext.task.SetAccessControlIptableRulesTask.runTask(SetAccessControlIptableRulesTask.java:154)
    [hostcontext.hostcontext] [pool-1-thread-4] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108)
    [hostcontext.hostcontext] [pool-1-thread-4] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java)
    [hostcontext.hostcontext] [pool-1-thread-4] at java.util.concurrent.FutureTask.run(FutureTask.java:277)
    [hostcontext.hostcontext] [pool-1-thread-4] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
    [hostcontext.hostcontext] [pool-1-thread-4] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    [hostcontext.hostcontext] [pool-1-thread-4] at java.lang.Thread.run(Thread.java:785)
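In the offending line quoted above, "! --syn" is an option of the tcp match, so ip6tables rejects it when it appears in a rule for "-p udp", and the whole generated rule set fails to load. The following Python check is added here as an illustration and is not part of QRadar's iptables_update.pl: it shows the kind of pre-apply sanity check that catches protocol/option mismatches in generated rules before they are handed to ip6tables-restore. The rule set is a constructed sample; the reported line numbers refer to that sample, not to the APAR's line 34.

```python
import shlex
from typing import Dict, List

# Options that iptables/ip6tables accept only inside the tcp match (-p tcp / -m tcp).
# On any other protocol the rule line is rejected and the whole rule set fails to load.
TCP_ONLY_OPTIONS = {"--syn", "--tcp-flags", "--tcp-option"}
# Port options need a protocol match that defines them.
PORT_OPTIONS = {"--dport", "--sport", "--destination-port", "--source-port"}
PORT_PROTOCOLS = {"tcp", "udp", "udplite", "sctp", "dccp"}


def check_rule(rule: str) -> List[str]:
    """Return the problems found in one iptables-save style rule line (empty if clean)."""
    tokens = shlex.split(rule)
    protocols, matches = set(), set()
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("-p", "--protocol"):
            protocols.add(tokens[i + 1].lower())
        elif tok in ("-m", "--match"):
            matches.add(tokens[i + 1].lower())
    loaded = protocols | matches  # "-p <proto>" implicitly loads the matching module
    problems = []
    for tok in tokens:
        if tok in TCP_ONLY_OPTIONS and "tcp" not in loaded:
            problems.append(f"{tok} is valid only with the tcp match, rule uses "
                            f"{sorted(protocols) or 'no protocol'}")
        elif tok in PORT_OPTIONS and not (loaded & PORT_PROTOCOLS):
            problems.append(f"{tok} needs a -p/-m protocol match that defines ports")
    return problems


def check_rules(text: str) -> Dict[int, List[str]]:
    """Check a whole rule set; map 1-based line numbers to their problems (clean lines omitted)."""
    report: Dict[int, List[str]] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        problems = check_rule(line)
        if problems:
            report[lineno] = problems
    return report


# Constructed sample rule set (not a real QRadar configuration). Line 3 has the shape of
# the offending rule quoted in the APAR log; line 5 is a second defect of the same kind.
SAMPLE_RULES = """\
-A QChain -m tcp -p tcp --dport 22 -j ACCEPT
-A QChain -m udp -p udp --dport 514 -j ACCEPT
-A QChain -m udp -p udp --dport 512:65535 --sport 3333 ! --syn -j ACCEPT
-A QChain -m tcp -p tcp --dport 443 ! --syn -j DROP
-A QChain --dport 8443 -j ACCEPT
"""

if __name__ == "__main__":
    for lineno, problems in sorted(check_rules(SAMPLE_RULES).items()):
        for problem in problems:
            print(f"line {lineno}: {problem}")
```

Running the check over a generated rule file before calling ip6tables-restore turns a failed "apply" that leaves the host without its access-control rules into a specific line number and reason in the deploy log.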
    31 October 2018
    HISTORICAL CORRELATION RULES IJ05099 HISTORICAL CORRELATION CAN COMPLETE WITH ERRORS WHEN USING 'COMMON RULES' CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    No workaround available.

    Issue
    It has been identified that Historical Correlation using 'Common Rules' can sometimes use tests that are not applicable to the database that the Historical Correlation is being run against. When this occurs, the Historical Correlation fails to complete successfully (completes with errors).

    Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
    [historical_correlation_server.historical_correlation_server] [Thread-169061] com.q1labs.semsources.cre.CustomRuleReader: [ERROR] [NOT:0040023100][127.0.0.1/- -] [-/- -]Unknown exception occurred while reading CRE rules. To see the exceptions which caused this, view the error log. If this problem persists, please contact customer support.
    [historical_correlation_server.historical_correlation_server] [Thread-169061] com.q1labs.semsources.cre.CustomRuleReader: [ERROR] [NOT:0000003000][9.180.225.71/- -] [-/- -]Historical::Real exception
    [historical_correlation_server.historical_correlation_server] [Thread-169061] java.util.ConcurrentModificationException
    [historical_correlation_server.historical_correlation_server] [Thread-169061]    at java.util.ArrayList$Itr.checkForComodification(ArrayList.java:91)
    [historical_correlation_server.historical_correlation_server] [Thread-169061]    at java.util.ArrayList$Itr.next(ArrayList.java:862)
    [historical_correlation_server.historical_correlation_server] [Thread-169061]    at com.q1labs.semsources.cre.CustomRuleReader.setListenerRules(CustomRuleReader.java:591)
    [historical_correlation_server.historical_correlation_server] [Thread-169061]    at com.q1labs.semsources.cre.CustomRuleReader.readRules(CustomRuleReader.java:353)
    [historical_correlation_server.historical_correlation_server] [Thread-169061]    at com.q1labs.semsources.cre.CustomRuleReader.readRules(CustomRuleReader.java:288)
    [historical_correlation_server.historical_correlation_server] [Thread-169061]    at com.q1labs.semsources.cre.CustomRuleReader.run(CustomRuleReader.java:213)
    23 March 2018
    FLOWS IJ25586 'QFLOW: [ERROR] NETFLOW V9 FLOW SET HAS A LENGTH OF STARTING AT OFFSET ' BUFFER ERRORS IN QRADAR LOGGING CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)

    Reported in
    QRadar 7.2.8 and later.

    Workaround
    No workaround available.

    Issue
    Changes have been made to the IPFIX code path to correctly handle padding at the end of flow sets. Netflow v9 records do not have these same changes, and therefore Netflow v9 errors similar to the following might be observed in /var/log/qradar.log:
    [QRADAR] [10831] qflow: [WARNING] default_Netflow: Missed 224 flows from 127.0.0.1:6 (794335908,794336132)
    [QRADAR] [10831] qflow: [ERROR] NetFlow v9 flow set 0 has a length of 256 starting at offset 249 which exceeds the length of the buffer 250. Skipping flow set.
    [QRADAR] [10831] qflow: [ERROR] NetFlow v9 flow set 53 has a length of 47620 starting at offset 139 which exceeds the length of the buffer 140. Skipping flow set.
    [QRADAR] [10831] qflow: [ERROR] NetFlow v9 flow set 160 has a length of 256 starting at offset 127 which exceeds the length of the buffer 128. Skipping flow set.
    [QRADAR] [10831] qflow: [ERROR] NetFlow v9 flow set 0 has a length of 4416 starting at offset 139 which exceeds the length of the buffer 140. Skipping flow set.
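The errors above are a bounds check firing at the edge of the packet: in each case only one byte remains (offset 249 in a 250-byte buffer, offset 139 in a 140-byte buffer), so what is being read as a flow set header is alignment padding, and the "length" it yields can never fit. The Python walker below is added here as an illustration and is not qflow's own code; it shows the two checks a NetFlow v9 flow set parser needs at that point: treat a tail shorter than a 4-byte flowset header as padding rather than as a flow set, and refuse any flow set whose declared length runs past the remaining buffer instead of reading beyond it. The sample packet, its template and its field layout are constructed for the example.

```python
import struct
from dataclasses import dataclass, field
from typing import List

NETFLOW_V9_HEADER_LEN = 20  # version, count, sysUptime, unixSecs, sequence, sourceId (big-endian)
FLOWSET_HEADER_LEN = 4      # flowset id (2 bytes) + length (2 bytes); length includes this header


@dataclass
class FlowSet:
    flowset_id: int   # 0 = template, 1 = options template, >= 256 = data
    offset: int       # offset of the flowset header within the packet
    length: int       # declared length, header included
    payload: bytes    # bytes following the 4-byte flowset header


@dataclass
class ParseResult:
    version: int = 0
    flowsets: List[FlowSet] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)
    padding: int = 0  # trailing bytes too short to hold a flowset header


def split_flowsets(packet: bytes) -> ParseResult:
    """Walk the flow sets of one NetFlow v9 export packet with explicit bounds checks.

    Each flowset header is validated against the remaining buffer before any of its
    bytes are trusted; a tail shorter than a header is recorded as exporter padding
    instead of being parsed as a (necessarily truncated) flow set.
    """
    result = ParseResult()
    end = len(packet)
    if end < NETFLOW_V9_HEADER_LEN:
        result.errors.append(f"packet of {end} bytes is shorter than the {NETFLOW_V9_HEADER_LEN}-byte header")
        return result
    result.version, _count = struct.unpack_from("!HH", packet, 0)
    if result.version != 9:
        result.errors.append(f"unexpected NetFlow version {result.version}")
        return result

    offset = NETFLOW_V9_HEADER_LEN
    while offset < end:
        remaining = end - offset
        if remaining < FLOWSET_HEADER_LEN:
            result.padding = remaining  # alignment padding at the end of the packet, not a flow set
            break
        flowset_id, length = struct.unpack_from("!HH", packet, offset)
        if length < FLOWSET_HEADER_LEN:
            # A zero or undersized length would never advance the cursor: stop here.
            result.errors.append(f"flow set {flowset_id} at offset {offset} has invalid length {length}")
            break
        if offset + length > end:
            # Declared length runs past the buffer: neither read it nor guess where the next one starts.
            result.errors.append(
                f"NetFlow v9 flow set {flowset_id} has a length of {length} starting at offset {offset} "
                f"which exceeds the length of the buffer {end}. Skipping flow set.")
            break
        result.flowsets.append(FlowSet(flowset_id, offset, length,
                                       packet[offset + FLOWSET_HEADER_LEN:offset + length]))
        offset += length
    return result


def build_sample_packet() -> bytes:
    """Constructed NetFlow v9 packet: one template, one data record, two bytes of trailing padding."""
    header = struct.pack("!HHIIII", 9, 2, 123456, 1600000000, 42, 1)
    # Template flowset (id 0, length 20): template 256 with three fields,
    # IPV4_SRC_ADDR (type 8, 4 bytes), IPV4_DST_ADDR (type 12, 4 bytes), L4_SRC_PORT (type 7, 2 bytes).
    template = struct.pack("!HHHHHHHHHH", 0, 20, 256, 3, 8, 4, 12, 4, 7, 2)
    # Data flowset (id 256, length 16): one 10-byte record plus 2 bytes of in-set padding.
    data = (struct.pack("!HH", 256, 16) + bytes([10, 0, 0, 1, 10, 0, 0, 2])
            + struct.pack("!H", 443) + b"\x00\x00")
    return header + template + data + b"\x00\x00"


if __name__ == "__main__":
    good = split_flowsets(build_sample_packet())
    print(f"{len(good.flowsets)} flow sets, {good.padding} padding byte(s), errors={good.errors}")
    truncated = split_flowsets(build_sample_packet()[:50])
    print(truncated.errors[0])
```

The same walker can be pointed at a captured export packet (the payload of one UDP datagram) to confirm whether an exporter is emitting trailing padding, which is the condition the fixed code path has to tolerate.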
    26 November 2020
    ADAPTER / QRADAR RISK MANAGER IJ24757 CISCO ASA ADAPTER BACKUP FAILS WITH 'CAN'T MIX 128 AND 32 BIT ADDRESSES' CLOSED Resolved in
    QRadar Risk Manager Adapter Bundle 13.1 (2019.06-20000000)

    Workaround
    No workaround available.

    Issue
    A Cisco ASA device backup can fail when a crypto map references an access control list rule that contains an IPv6 address. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    Caused by: javax.xml.ws.soap.SOAPFaultException: Can't mix 128 and 32 bit addresses at /usr/share/ziptie-server/adapters/ziptie.adapters.cisco.securityappliance_2019.06.17062537/scripts/ZipTie/Adapters/Cisco/SecurityAppliance/AclToRoute.pm line 47.
    at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java)
    at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java)
    at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java)
    at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java)
    at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java)
    at com.sun.proxy.$Proxy95.backup(Unknown Source)
    at org.ziptie.server.job.backup.BackupTask.performTask(BackupTask.java)
    at org.ziptie.server.job.AbstractAdapterTask.execute(AbstractAdapterTask.java) 
    
    07 July 2020
    ADAPTER / QRADAR RISK MANAGER IJ23722 CISCO IOS RULES CONTAINING MULTIPLE PORTS OR SERVICES ARE NOT PROCESSED CORRECTLY CLOSED Resolved in
    QRadar Risk Manager Adapter Bundle 13.1 (2019.06-20000000)

    Workaround
    No workaround available.

    Issue
    A Cisco IOS rule that contains multiple ports or services is not processed correctly. The rule is incorrectly displayed on the Configuration Monitor > Device List > Rules screen. Path searches that involve the rule do not work as expected. The device backup log on the Recent Activity screen might contain entries similar to the following when this issue occurs:
    FAILED to process rule - skipping rule with error [ FAILED to parse host address - 443 ]
    07 July 2020
    ADAPTER / QRADAR RISK MANAGER IJ20463 IP ADDRESS CAN SOMETIMES NOT BE ASSIGNED TO A CHECK POINT HTTPS DEVICE CLOSED Resolved in
    QRadar Risk Manager Adapter Bundle 13.1 (2019.06-20000000)

    Workaround
    No workaround available.

    Issue
    It has been identified that in some instances an IP address might not be assigned to an interface on a Check Point HTTPS device.

    This can result in the Topology screen displaying an unclassified device against other devices that have a route to the IP address, path searches through the Check Point device failing, and interfaces not being displayed when attempting to create a network link between the Check Point device and another device.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    Jul 18 12:20:37 ::ffff:127.0.0.1 [tomcat-rm.tomcat-rm] [nobody@xx.xx.xx.xx (6683080) /console/JSON-RPC/SRM.getDeviceInterfacesByAdminIpSRM.getDeviceInterfacesminIp] com.q1labs.simulator.util.model.TopologyService: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Device [x.x.x.x] is an unclassified device - not fetching ifaces
    07 July 2020
    ADAPTER / QRADAR RISK MANAGER IJ18490 BACKUP OF CISCO NEXT-GENERATION INTRUSION PREVENTION SYSTEM DEVICE CAN FAIL DUE TO A COMMAND TIMEOUT CLOSED Resolved in
    QRadar Risk Manager Adapter Bundle 13.1 (2019.06-20000000)

    Workaround
    No workaround available.

    Issue
    A Cisco Next-Generation Intrusion Prevention System device backup can fail with the following error appearing on the Configuration Source Management User Interface window:
    IPC::Run: timeout on timer #1 at /usr/share/perl5/vendor_perl/IPC/Run.pm line 2956.
    at /usr/share/ziptie-server/core/org.ziptie.adapters.common_2019.06_04-17062537/scripts/ZipTie/SSH.pm line 473.
    at org.ziptie.server.job.PerlErrorParserElf.parse(PerlErrorParserElf.java)
    at org.ziptie.server.job.AbstractAdapterTask.execute(AbstractAdapterTask.java)
    at org.ziptie.server.dispatcher.Operation.execute(Operation.java)
    at org.ziptie.server.dispatcher.OperationExecutor$JobThread.runJob(OperationExecutor.java)
    at org.ziptie.server.dispatcher.OperationExecutor$JobThread.run(OperationExecutor.java)

    This occurs when the adapter receives a response that ends with the "--More--" prompt and it fails to recognize the format of the control characters that are embedded within the "--More--" prompt. This results in a command timing out, and the backup failing.
    07 July 2020
    SECURITY BULLETIN CVE-2020-4510 IBM QRADAR SIEM IS VULNERABLE TO AN XML EXTERNAL ENTITY INJECTION (XXE) ATTACK CLOSED Resolved in
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Affected versions
    • IBM QRadar SIEM 7.4.0 to 7.4.0 Patch 2
    • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 3
    Issue
    IBM QRadar is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. CVSS Base score: 7.6
    13 July 2020
    SECURITY BULLETIN CVE-2020-4511 IBM QRADAR SIEM IS VULNERABLE TO DENIAL OF SERVICE CLOSED Resolved in
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Affected versions
    • IBM QRadar SIEM 7.4.0 to 7.4.0 Patch 2
    • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 3
    Issue
    IBM QRadar could allow an authenticated user to cause a denial of service of the qflow process by sending a malformed sflow. CVSS Base score: 7.6
    13 July 2020
    SECURITY BULLETIN CVE-2020-4513 IBM QRADAR SIEM IS VULNERABLE TO CROSS-SITE SCRIPTING CLOSED Resolved in
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Affected versions
    • IBM QRadar SIEM 7.4.0 to 7.4.0 Patch 2
    • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 3
    Issue
    IBM QRadar is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. CVSS Base score: 6.1
    13 July 2020
    SECURITY BULLETIN CVE-2020-4364 IBM QRADAR SIEM IS VULNERABLE TO CROSS-SITE SCRIPTING CLOSED Resolved in
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Affected versions
    • IBM QRadar SIEM 7.4.0 to 7.4.0 Patch 2
    • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 3
    Issue
    IBM QRadar is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. CVSS Base score: 5.4
    13 July 2020
    SECURITY BULLETIN CVE-2020-1951
    CVE-2020-1950
    APACHE TIKA AS USED BY IBM QRADAR SIEM IS VULNERABLE TO A DENIAL OF SERVICE CLOSED Resolved in
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Affected versions
    • IBM QRadar SIEM 7.4.0 to 7.4.0 Patch 2
    • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 3
    Issue
    • CVE-2020-1951: Apache Tika is vulnerable to a denial of service, caused by an error in the PSDParser. By persuading a victim to open a specially-crafted PSD file, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. CVSS Base score: 3.3
    • CVE-2020-1950: Apache Tika is vulnerable to a denial of service, caused by an excessive memory usage flaw in the PSDParser. By persuading a victim to open a specially-crafted PSD file, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 3.3
    13 July 2020
    SECURITY BULLETIN CVE-2019-15090
    CVE-2019-15098
    CVE-2019-15099
    CVE-2019-15117
    CVE-2019-15118
    IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES CLOSED Resolved in
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Affected versions
    • IBM QRadar SIEM 7.4.0 to 7.4.0 Patch 2
    • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 3
    Issue
    • CVE-2019-15090: Linux Kernel could allow a local attacker to obtain sensitive information, caused by an out-of-bounds read in the drivers/scsi/qedi/qedi_dbg.c. A local attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 4
    • CVE-2019-15098: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in drivers/net/wireless/ath/ath6kl/usb.c. By using an incomplete address in an endpoint descriptor, a local attacker could exploit this vulnerability to cause the system/software/application to crash. CVSS Base score: 4
    • CVE-2019-15099: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in drivers/net/wireless/ath/ath10k/usb.c. By using an incomplete address in an endpoint descriptor, a local attacker could exploit this vulnerability to cause the system/software/application to crash. CVSS Base score: 4
    • CVE-2019-15117: Linux Kernel could allow a local attacker to obtain sensitive information, caused by an out-of-bounds memory access flaw in the parse_audio_mixer_unit function in mixer.c. By using a short descriptor, an attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service condition. CVSS Base score: 7.7
    • CVE-2019-15118: Linux Kernel is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the check_input_term function in mixer.c. By sending a specially-crafted request, a local attacker could overflow a buffer and execute arbitrary code on the system. CVSS Base score: 8.4
    13 July 2020
    SECURITY BULLETIN CVE-2020-4512 IBM QRADAR SIEM IS VULNERABLE TO COMMAND INJECTION CLOSED Resolved in
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Affected versions
    • IBM QRadar SIEM 7.4.0 to 7.4.0 Patch 2
    • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 3
    Issue
    IBM QRadar SIEM could allow a remote privileged user to execute commands. CVSS Base score: 9.1
    13 July 2020
    UPGRADE / APPS IJ25734 QRADAR APP VERSIONS CAN DOWNGRADE DURING A QRADAR PATCH CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    Verify that you have the latest app versions installed after the patch is completed by navigating to Admin tab > Extensions Management.

    Issue
    After installing a QRadar patch, verify the version of any installed QRadar apps that are also bundled in the patch (e.g. the Log Source Management App) and update them if needed, because the QRadar patch can downgrade installed apps to the version contained within the patch.
    12 August 2020
    SYSTEM NOTIFICATIONS IJ25886 QRADAR SYSTEM NOTIFICATIONS THAT CONTAIN QIDS WITH URL LINKS CAN DISPLAY INCORRECTLY AFTER PATCHING QRADAR CANCELLED This QRadar System Notification APAR is replaced with IJ26118.
    27 June 2020
    PROTOCOL IJ22340 THE REST API WITHIN QRADAR-PROTOCOL-OKTARESTAPI CAN HANG CAUSING OKTA LOG SOURCES TO STOP RECEIVING EVENTS OPEN
    Workaround
    Disable and enable any Okta Identity Management log sources that stop receiving events.

    Issue
    Okta Log Sources can stop receiving events due to the Okta Rest API experiencing a hang condition when calling executeMethod for HTTPClient.
    18 March 2020
    AQL / REPORTS IJ25142 SOME REPORTS GENERATED FROM AN ADVANCED SEARCH (AQL) THAT USES A MATHEMATICAL EXPRESSION DISPLAY INCORRECT OUTPUT OPEN Technical write-up available
    A technical write-up is included for IJ25142 to assist administrators further.

    Workaround
    The issue described above is caused by a failure with aggregated data. Reports run manually or hourly, or on raw data should not be affected.

    Issue
    Daily, Weekly, or Monthly (aggregated data) reports generated from an Advanced Search (AQL) that uses mathematical expressions can ignore the calculations and instead display the data for each property on a separate column. The name of the column is the alias given to the calculated value. To replicate this issue:
    1. Create an AQL based search that uses mathematical functions, such as:
      SELECT sourceip, (AVG(magnitude) - MIN(magnitude)) AS MAGDIFF
      FROM events GROUP BY sourceip
    2. Use the search in a report and set the report to run either Daily, Weekly, or Monthly.
    3. Check the generated report.

      Results
      Report shows data for AVG(magnitude) and MIN(magnitude) and the column name will be MAGDIFF for both of them.
    24 June 2020
    UPGRADE / KERNEL BOOT IJ25612 KERNEL 3.10.0-1127.EL7.X86_64 CAN CAUSE FILESYSTEM MOUNT FAILURE AND THE QRADAR APPLIANCE WILL FAIL TO BOOT CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.0 Fix Pack 4 (7.4.0.20200629201233)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Tools available
    A troubleshooting tool is available to help administrators identify IJ25612.

    Workaround
    At the grub prompt, choose the previous kernel version.

    For more information, see: https://www.ibm.com/support/pages/node/6235774

    Issue
    Upgrading or patching to QRadar 7.4.0 Fix Pack 3 can result in a filesystem mount failure that causes the QRadar appliance to fail to boot. This is due to the use of kernel 3.10.0-1127.el7.x86_64, as identified in the following Red Hat note: https://access.redhat.com/solutions/5075561
    17 June 2020
    RULES / IBM X-FORCE IJ25352 QRADAR CUSTOM RULE ENGINE CAN EXPERIENCE PERFORMANCE DEGRADATION WHEN USING X-FORCE RULES CLOSED Resolved in
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)

    Workaround
    No workaround available.

    Issue
    The QRadar custom rule engine (CRE) can experience performance degradation when X-Force rules are in use. When this occurs, System Notification messages similar to 'Performance degradation has been detected in the event pipeline. Event(s) were routed directly to storage' can sometimes be observed, because the CRE can no longer keep up with the processing of events. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ep.ecs-ep] [CRE Processor [5]] java.nio.BufferUnderflowException
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at java.nio.DirectByteBuffer.get(DirectByteBuffer.java:271)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at java.nio.ByteBuffer.get(ByteBuffer.java:715)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at com.q1labs.frameworks.cache.GenericSerializer.objectFromByteBuffer(GenericSerializer.java:33)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at com.q1labs.frameworks.cache.GenericSerializer.get(GenericSerializer.java:74)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at com.q1labs.frameworks.cache.GenericSerializer.get(GenericSerializer.java:17)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at com.q1labs.frameworks.cache.ChainAppendCache$InsertionChainEntry.deserialize(ChainAppendCache.java:320)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at com.q1labs.frameworks.cache.ChainAppendCache$ChainEntry.read(ChainAppendCache.java:241)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at com.q1labs.frameworks.cache.ChainAppendCache.readChainEntry(ChainAppendCache.java:1211)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at com.q1labs.frameworks.cache.ChainAppendCache.findOnDisk(ChainAppendCache.java:1162)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at com.q1labs.frameworks.cache.ChainAppendCache.findOnDisk(ChainAppendCache.java:1148)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at com.q1labs.frameworks.cache.ChainAppendCache.get(ChainAppendCache.java:1000)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at com.q1labs.core.aql.XForceFunctions.getCategorization(XForceFunctions.java:278)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at com.q1labs.core.aql.XForceManager.getCategorization(XForceManager.java:268)
    AND
    [ecs-ep.ecs-ep] [CRE Processor [0]] java.lang.NegativeArraySizeException
    [ecs-ep.ecs-ep] [CRE Processor [0]]    at com.q1labs.frameworks.cache.GenericSerializer.objectFromByteBuffer(GenericSerializer.java:32)
    [ecs-ep.ecs-ep] [CRE Processor [0]]    at com.q1labs.frameworks.cache.GenericSerializer.get(GenericSerializer.java:74)
    [ecs-ep.ecs-ep] [CRE Processor [0]]    at com.q1labs.frameworks.cache.GenericSerializer.get(GenericSerializer.java:17)
    [ecs-ep.ecs-ep] [CRE Processor [0]]    at com.q1labs.frameworks.cache.ChainAppendCache$InsertionChainEntry.deserialize(ChainAppendCache.java:320)
    [ecs-ep.ecs-ep] [CRE Processor [0]]    at com.q1labs.frameworks.cache.ChainAppendCache$ChainEntry.read(ChainAppendCache.java:241)
    [ecs-ep.ecs-ep] [CRE Processor [0]]    at com.q1labs.frameworks.cache.ChainAppendCache.readChainEntry(ChainAppendCache.java:1211)
    [ecs-ep.ecs-ep] [CRE Processor [0]]    at com.q1labs.frameworks.cache.ChainAppendCache.findOnDisk(ChainAppendCache.java:1162)
    [ecs-ep.ecs-ep] [CRE Processor [0]]    at com.q1labs.frameworks.cache.ChainAppendCache.findOnDisk(ChainAppendCache.java:1148)
    [ecs-ep.ecs-ep] [CRE Processor [0]]    at com.q1labs.frameworks.cache.ChainAppendCache.get(ChainAppendCache.java:1000)
    [ecs-ep.ecs-ep] [CRE Processor [0]]    at com.q1labs.core.aql.XForceFunctions.getCategorization(XForceFunctions.java:278)
    [ecs-ep.ecs-ep] [CRE Processor [0]]    at com.q1labs.core.aql.XForceManager.getCategorization(XForceManager.java:268)
    16 November 2020
    UPGRADE IJ25396 PATCHING CAN SUCCEED ON THE CONSOLE BUT FAIL AND ROLL BACK ON MANAGED HOSTS CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances if you cannot upgrade to QRadar 7.4.0 Fix Pack 3.

    Issue
    Patching to QRadar 7.4 can succeed on the Console appliance but fail on Managed Hosts due to the patch not finding some database columns and also failing to remove duplicates. Messages similar to the following might be visible in the associated /var/log/setup-#####/patches.log when this issue occurs:
    4 SQL script errors were detected; Error applying script [38/53] '/media/updates/opt/qradar/conf/templates/db_update_offense.inet.1.sql' for Test_qradar database.; details:
    WARNING:  SET TRANSACTION can only be used in transaction blocks
    ERROR:  could not create unique index "attacker_ipaddress_key"
    16 June 2020
    DASHBOARD IJ24884 DASHBOARD DATA (INCLUDING TIME SERIES) CAN FAIL TO LOAD CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances if you cannot upgrade to QRadar 7.4.0 Fix Pack 3.

    Issue
    Dashboard data (including time series) can fail to load after patching to QRadar 7.4.0 FP1 or higher. This behavior has been identified as being caused by incompatible changes within a jar file contained in the patching process.

    Messages similar to the following might be visible within /var/log/qradar.log when this issue occurs:
    [accumulator_rollup.accumulator_rollup] [main] com.q1labs.frameworks.core.JMSFactory: [WARN] [NOT:0000004000][x.x.x.x/- -] [-/- -]message.queue.serviceport property not found, defaulting to 7677
    [accumulator_rollup.accumulator_rollup] [main] com.q1labs.cve.accumulation.definition.GlobalViewConfiguration: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]Unable to read Global View Definitions.
    [accumulator_rollup.accumulator_rollup] [main] com.thoughtworks.xstream.converters.ConversionException: Failed calling method
    27 May 2020
    OFFENSES IJ24819 OFFENSE PURGING CAN FAIL IN QRADAR 7.4.0 FP1 IF01 OR 7.4.0 FP2 WHEN THE PATCHING PATH BEGAN AT QRADAR 7.3.3 FP3 CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Workaround
    No workaround available.

    Issue
    The purging (removal) of Offenses within QRadar fails when QRadar has been patched to version 7.4.0 FP1 IF01 or 7.4.0 FP2 from QRadar 7.3.3 FP3 specifically, due to an issue with database column ordering.

    Upgrade paths affected:
    1) QRadar 7.3.3 FP3 upgraded to 7.4.0 FP2
    2) QRadar 7.3.3 FP3 upgraded to 7.4.0 FP1 and applied IF01

    Note: Customers who patch from QRadar versions prior to 7.3.3 FP3 (e.g. 7.3.3 FP2) to 7.4.0 FP1 IF01 or 7.4.2 FP2 should not be affected by this Offense purging failure issue.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]
    com.ibm.si.mpc.magi.contrib.commands.offense.OffensePurgeCommand: 
    [INFO] [NOT:0000006000][x/- -] [-/- -]Found 100 offense to
    purge in this transaction. The specified transaction size is
    100 and retention period is 2592000 seconds.
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]
    com.ibm.si.mpc.magi.contrib.commands.offense.OffensePurgeCommand: 
    [ERROR] Chained SQL Exception [1/2]: Batch entry 0 select *
    from purge_offense(10499) as result was aborted: ERROR: column
    "first_target_ipaddress" is of type inet but expression is of
    type bigint
      Hint: You will need to rewrite or cast the expression.
      Where: PL/pgSQL function purge_offense(bigint) line 6 at SQL
    statement  Call getNextException to see other errors in the
    batch.
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]
    com.ibm.si.mpc.magi.contrib.commands.offense.OffensePurgeCommand: 
    [ERROR] [NOT:03000][-/- -] [-/- -]database executing purge command failed.
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]
    java.sql.BatchUpdateException: Batch entry 0 select * from
    purge_offense(10499)  as result was aborted: ERROR: column
    "first_target_ipaddress" is of type inet but expression is of
    type bigint
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    Hint: You
    will need to rewrite or cast the expression.
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    Where:
    PL/pgSQL function purge_offense(bigint) line 6 at SQL statement
    Call getNextException to see other errors in the batch.
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    org.postgresql.jdbc.BatchResultHandler.handleError(BatchResultHa
    ndler.java:148)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExe
    cutorImpl.java:2184)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorIm
    pl.java:481)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    org.postgresql.jdbc.PgStatement.executeBatch(PgStatement.java:840)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    org.postgresql.jdbc.PgPreparedStatement.executeBatch(PgPreparedS
    tatement.java:1538)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.commands.base.BasePurgeCommand.execu
    te(BasePurgeCommand.java:93)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister.processCommands(Model
    Persister.java:2528)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister.processCommands(Model
    Persister.java:2492)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister.executePurgeCommands(
    ModelPersister.java:833)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister.process(ModelPersiste
    r.java:1258)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister.processCurrentTransac
    tion(ModelPersister.java:579)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister.processCommands(Model
    Persister.java:453)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister.process(ModelPersiste
    r.java:293)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.TxStateManager.playCurrent(TxStateMa
    nager.java:259)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister$Persister.playCurrent
    (ModelPersister.java:2918)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister$Persister.run(ModelPe
    rsister.java:2874)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069] Caused by:
    org.postgresql.util.PSQLException: ERROR: column
    "first_target_ipaddress" is of type inet but expression is of
    type bigint
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    Hint: You
    will need to rewrite or cast the expression.
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    Where:
    PL/pgSQL function purge_offense(bigint) line 6 at SQL statement
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(Qu
    eryExecutorImpl.java:2440)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExe
    cutorImpl.java:2183)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    ... 14 more
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]
    com.ibm.si.mpc.magi.contrib.ModelPersister: [WARN]
    [NOT:0180002100][x/- -] [-/- -]Exception encounted when
    executing transaction 54069.
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]
    com.ibm.si.mpc.magi.contrib.PersistenceException: Failed to
    persist sem model
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister.processCurrentTransac
    tion(ModelPersister.java:676)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister.processCommands(Model
    Persister.java:453)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister.process(ModelPersiste
    r.java:293)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.TxStateManager.playCurrent(TxStateMa
    nager.java:259)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister$Persister.playCurrent
    (ModelPersister.java:2918)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister$Persister.run(ModelPe
    rsister.java:2874)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069] Caused by:
    java.sql.BatchUpdateException: Batch entry 0 select * from
    purge_offense(10499)  as result was aborted: ERROR: column
    "first_target_ipaddress" is of type inet but expression is of
    type bigint
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    Hint: You
    will need to rewrite or cast the expression.
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    Where:
    PL/pgSQL function purge_offense(bigint) line 6 at SQL statement
     Call getNextException to see other errors in the batch.
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    org.postgresql.jdbc.BatchResultHandler.handleError(BatchResultHa
    ndler.java:148)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExe
    cutorImpl.java:2184)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorIm
    pl.java:481)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    org.postgresql.jdbc.PgStatement.executeBatch(PgStatement.java:840)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    org.postgresql.jdbc.PgPreparedStatement.executeBatch(PgPreparedS
    tatement.java:1538)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.commands.base.BasePurgeCommand.execu
    te(BasePurgeCommand.java:93)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister.processCommands(Model
    Persister.java:2528)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister.processCommands(Model
    Persister.java:2492)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister.executePurgeCommands(
    ModelPersister.java:833)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister.process(ModelPersiste
    r.java:1258)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister.processCurrentTransac
    tion(ModelPersister.java:579)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    ... 5 more
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069] Caused by:
    org.postgresql.util.PSQLException: ERROR: column
    "first_target_ipaddress" is of type inet but expression is of
    type bigint
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    Hint: You
    will need to rewrite or cast the expression.
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    Where:
    PL/pgSQL function purge_offense(bigint) line 6 at SQL statement
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(Qu
    eryExecutorImpl.java:2440)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExe
    cutorImpl.java:2183)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    ... 14 more
    08 May 2020
    UPGRADE / APPLICATION FRAMEWORK IJ24903 QRADAR APPLICATIONS CAN BE MISSING AFTER PATCHING QRADAR TO 7.4.0 FP1 OR NEWER CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    After patching QRadar to 7.4.0 FP1 or newer, some QRadar applications can be missing in the User Interface.
    27 May 2020
    APPLICATION FRAMEWORK / DISK SPACE IJ23680 QRADAR APP INSTALLATION OR REMOVAL CAN GENERATE REPEATED LOG WRITES 'USING GETRESPONSEBODYASSTREAM INSTEAD IS RECOMMENDED' CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Workaround
    No workaround available.

    Issue
    When QRadar Apps are installed or uninstalled, repeated messages similar to the following can sometimes be continually written to the QRadar log. This issue is benign and only writes data to the logs, but these repeated messages can consume extra disk space. When this issue occurs, the following message is displayed in /var/log/qradar.log:
    tomcat[14713]: 2019-12-11 10:26:09,615 [QRADAR]
    [admin@127.0.0.1] org.apache.commons.httpclient.HttpMethodBase:
    [WARN] Going to buffer response body of large or unknown size.
    Using getResponseBodyAsStream instead is recommended.
    23 March 2020
    AQL / ADVANCED SEARCH IJ23387 AQL QUERIES WITH SUBQUERIES CAN CAUSE A FILE HANDLE LEAK THAT LEADS TO ARIEL SERVICE OUTAGES CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Workaround
    A restart of the ariel_proxy_server on the QRadar Console can temporarily alleviate this issue, but the issue can recur.
    systemctl restart ariel_proxy_server


    Issue
    AQL queries with subqueries can result in a file handle leak, which can cause the ariel process to run out of file handles over time.

    Ariel outages occur once the number of open handles exceeds the maximum allowed for that process, and they persist until the process is restarted.

    For example, the following sample AQL query can cause this file handle leak to occur in QRadar:
    select qid from events where username in (select username from
    events limit 3) limit 3
    18 March 2020
    OFFENSES / DASHBOARD IJ23415 'APPLICATION ERROR' WHEN ATTEMPTING TO CLOSE OPEN OFFENSES USING DASHBOARD WIDGET CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Workaround
    Close the Offense through the QRadar Offenses tab in the user interface.

    Issue
    'Application Error' can occur when attempting to close open offenses using a Dashboard widget.

    For Example:
    1. Navigate to Dashboard tab.
    2. In the Show dashboard menu, select Threat and Security Monitoring.
    3. Select any offense from a Dashboard widget, such as Most recent/Most severe offenses.
      The Offense details are displayed.
    4. Select Actions > Close.
    5. Provide an offense closing reason.
    6. Click OK.
    7. An application error is displayed to the user.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]
    com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]An exception occurred
    while processing the request:
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]
    com.ibm.si.content_management.utils.ApplicationErrorStateException
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.q1labs.sem.ui.action.MaintainProperties.findNextForward(Main
    tainProperties.java:230)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.q1labs.sem.ui.action.MaintainProperties.updatePropertiesSecu
    re(MaintainProperties.java:80)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.q1labs.sem.ui.action.MaintainProperties.updateProperties(Mai
    ntainProperties.java:213)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
    AccessorImpl.java:55)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    java.lang.reflect.Method.invoke(Method.java:508)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.struts.actions.DispatchAction.dispatchMethod(Dispatch
    Action.java:280)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.struts.actions.DispatchAction.execute(DispatchAction.java)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.actions.DispatchAction.execute(DispatchA
    ction.java:64)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.struts.action.RequestProcessor.processActionPerform(R
    equestProcessor.java:484)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.action.RequestProcessor.processActionPer
    form(RequestProcessor.java:101)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.struts.action.RequestProcessor.process(RequestProcess
    or.java:275)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.struts.action.ActionServlet.process(ActionServlet.java)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.action.ActionServlet.process(ActionServl
    et.java:122)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.struts.action.ActionServlet.doPost(ActionServlet.java)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    javax.servlet.http.HttpServlet.service(HttpServlet.java:661)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:231)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.servlet.AddUserHeaderFilter.doFilter(Add
    UserHeaderFilter.java:86)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.servlet.ThreadNameFilter.doFilter(Thread
    NameFilter.java:53)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.q1labs.core.ui.filters.StrutsParamFilter.doFilter(StrutsPara
    mFilter.java:41)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.postauthredirect.PostLoginRedirectFilter
    .doFilter(PostLoginRedirectFilter.java:70)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.auth.AuthenticationVerificationFilter.do
    Filter(AuthenticationVerificationFilter.java:304)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.auth.PersistentSessionFilter.doFilter(Pe
    rsistentSessionFilter.java:89)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.auth.SecAuthenticationFilter.doFilter(Se
    cAuthenticationFilter.java:132)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.ibm.si.console.cors.ProcessCorsFilter.doFilter(ProcessCorsFi
    lter.java:159)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.encoding.AddEncodingToRequestFilter.doFi
    lter(AddEncodingToRequestFilter.java:56)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.servlet.DestroySessionFilter.doFilter(De
    stroySessionFilter.java:26)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.servlet.AddHSTSHeaderFilter.doFilter(Add
    HSTSHeaderFilter.java:22)
    11 March 2020
    DSM EDITOR IJ25156 'NO EVENTS WERE PARSED' MESSAGE AND BLANK LOG ACTIVITY PREVIEW WHEN USING THE DSM EDITOR TO CONFIGURE EVENT PARSING CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Workaround
    No workaround available.

    Issue
    When using the DSM Editor to configure event parsing, a message similar to "No events were parsed" can be generated and the Log Activity Preview window remains blank. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] 
    com.q1labs.restapi.servlet.apidelegate.APIDelegate:  
    [ERROR] Request Exception [tomcat.tomcat] [/console/restapi/api/application/ 
    data_ingestion/simulate] com.q1labs.restapi_annotations.content.exceptions. 
    APIMappedException: Unable to complete parsing simulation
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] 
     at com.q1labs.restapi_annotations.content.exceptions.APIMappedExcep
    tion.{init}(APIMappedException.java:131)
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] 
    Caused by:
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] 
    java.lang.IllegalArgumentException: Comparison method violates
    its general contract!
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] 
    at java.util.TimSort.mergeLo(TimSort.java:788)
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] 
    at java.util.TimSort.mergeAt(TimSort.java:525)
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] 
    at java.util.TimSort.mergeCollapse(TimSort.java:452)
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] 
    at java.util.TimSort.sort(TimSort.java:256)
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] 
    at java.util.Arrays.sort(Arrays.java:1856)
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] 
    at java.util.ArrayList.sort(ArrayList.java:1473)
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] 
    at com.ibm.si.data_ingestion.dsm_simulator.ParserSimulator.setPrope
    rtyParsers(ParserSimulator.java:112)
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] 
    at com.ibm.si.data_ingestion.api.impl.application.ApplicationAPIImp
    l.simulateParse(ApplicationAPIImpl.java:1060)
    27 May 2020
    OFFENSES IJ24334 OFFENSE PURGING CAN SOMETIMES FAIL WITH A BATCHUPDATEEXCEPTION CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.4.0 Fix Pack 2 (7.4.0.20200426161706)
    QRadar 7.4.0 Fix Pack 1 Interim Fix 01 (7.4.0.20200424160445)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)
    QRadar 7.3.3 Fix Pack 3 Interim Fix 01 (7.3.3.20200427135149)

    Workaround
    No workaround available.

    Issue
    In some instances, Offense purging (removal) can fail with a BatchUpdateException being written to the QRadar logs. The Offense model within QRadar can experience unnecessary bloat because offenses cannot be removed from the system. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127]
    com.ibm.si.mpc.magi.contrib.commands.offense.OffensePurgeCommand: 
    [ERROR] Chained SQL Exception [1/2]: Batch entry 0 select *
    from purge_offense(1338)  as result was aborted: ERROR: INSERT
    has more expressions than target columns
    Where: PL/pgSQL function purge_offense(bigint) line 6 at SQL
    statement  Call getNextException to see other errors in the batch.
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127]
    com.ibm.si.mpc.magi.contrib.commands.offense.OffensePurgeCommand: 
    [ERROR] Chained SQL Exception [2/2]: ERROR: INSERT has more
    expressions than target columns
    Where: PL/pgSQL function purge_offense(bigint) line 6 at SQL
    statement
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127]
    com.ibm.si.mpc.magi.contrib.commands.offense.OffensePurgeCommand: 
    [ERROR] [NOT:0000003000][X.X.X.X/- -] [-/- -]database
    executing purge command failed.
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127]
    java.sql.BatchUpdateException: Batch entry 0 select * from
    purge_offense(1338)  as result was aborted: ERROR: INSERT has
    more expressions than target columns
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] Where: 
    PL/pgSQL function purge_offense(bigint) line 6 at SQL statement
     Call getNextException to see other errors in the batch.
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at 
    org.postgresql.jdbc.BatchResultHandler.handleError
    (BatchResultHandler.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at 
    org.postgresql.core.v3.QueryExecutorImpl.processResults
    (QueryExecutorImpl.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at 
    org.postgresql.core.v3.QueryExecutorImpl.execute
    (QueryExecutorImpl.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at 
    org.postgresql.jdbc.PgStatement.executeBatch(PgStatement.
    java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at
    org.postgresql.jdbc.PgPreparedStatement.executeBatch(PgPrepared 
    Statement.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at
    com.ibm.si.mpc.magi.contrib.commands.base.BasePurgeCommand. 
    execu te(BasePurgeCommand.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at
    com.ibm.si.mpc.magi.contrib.ModelPersister.processCommands 
    (Model Persister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at
    com.ibm.si.mpc.magi.contrib.ModelPersister.processCommands 
    (ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at
    com.ibm.si.mpc.magi.contrib.ModelPersister.executePurgeCommands(ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister.process(ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister.processCurrentTransaction(ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister.processCommands(ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister.process(ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.TxStateManager.playCurrent(TxStateManager.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister$Persister.playCurrent(ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister$Persister.run(ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] Caused by: org.postgresql.util.PSQLException: ERROR: INSERT has more expressions than target columns
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127]   Where: PL/pgSQL function purge_offense(bigint) line 6 at SQL statement
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2440)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:2183)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] ... 14 more
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] com.ibm.si.mpc.magi.contrib.ModelPersister: [WARN] [NOT:0180002100][X.X.X.X/- -] [-/- -]Exception encounted when executing transaction 753127.
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] com.ibm.si.mpc.magi.contrib.PersistenceException: Failed to persist sem model
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister.processCurrentTransaction(ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister.processCommands(ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister.process(ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.TxStateManager.playCurrent(TxStateManager.java:259)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister$Persister.playCurrent(ModelPersister.java:2918)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister$Persister.run(ModelPersister.java:2874)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] Caused by: java.sql.BatchUpdateException: Batch entry 0 select * from purge_offense(1338)  as result was aborted: ERROR: INSERT has more expressions than target columns
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127]   Where: PL/pgSQL function purge_offense(bigint) line 6 at SQL statement
    Call getNextException to see other errors in the batch.
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127]   at org.postgresql.jdbc.BatchResultHandler.handleError(BatchResultHandler.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at org.postgresql.jdbc.PgStatement.executeBatch(PgStatement.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at org.postgresql.jdbc.PgPreparedStatement.executeBatch(PgPreparedStatement.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.commands.base.BasePurgeCommand.execute(BasePurgeCommand.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister.processCommands(ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister.processCommands(ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister.executePurgeCommands(ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister.process(ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister.processCurrentTransaction(ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127]   ... 5 more
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] Caused by: org.postgresql.util.PSQLException: ERROR: INSERT has more expressions than target columns
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127]   Where: PL/pgSQL function purge_offense(bigint) line 6 at SQL statement
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127]   at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127]   at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] ... 14 more
    23 May 2020
    UPGRADE IJ24630 PATCHING PROCESS TO QRADAR 7.4 CAN FAIL WHEN ATTACKER_HISTORY DATABASE TABLE CONTAINS DUPLICATE VALUES CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.4.0 Fix Pack 2 (7.4.0.20200426161706)

    Workaround
    No workaround available.

    Issue
    QRadar patching process on Consoles and Managed Hosts can fail if the database attacker_history table has duplicate values. Messages similar to the following might be visible during the patching process when this issue occurs:
    ERROR: could not create unique index "attacker_history_ipaddress_key"
    DETAIL: Key (ipaddress, domain_id)=(X.X.X.X, 0) is duplicated.
    CONTEXT: SQL statement "ALTER TABLE public.attacker_history ADD CONSTRAINT attacker_history_ipaddress_key UNIQUE(ipaddress, domain_id) WITH (fillfactor='50');"
    PL/pgSQL function create_inet_index(character varying,character varying,character varying,character varying,character varying) line 12 at EXECUTE
    SQL statement "SELECT create_inet_index('attacker_history_ipaddress_key', 'attacker_history', 'public', 'ipaddress', 'domain_id')"
    PL/pgSQL function create_offense_inet_indexes() line 6 at PERFORM
    Error applying script [70/87] '/media/updates/opt/qradar/conf/templates/db_update_offense.inet.2.sql' for Test_qradar database.; details:
    02 May 2020
    SCAN TOOLS / QRADAR VULNERABILITY MANAGER IJ24430 QRADAR VULNERABILITY MANAGER SCANNER REVERSE TUNNELS ARE NOT BEING CREATED WHEN THE QVM PROCESSOR IS LOCATED ON THE QRADAR CONSOLE CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 2 (7.4.0.20200426161706)

    Workaround
    Where possible, disable encryption to QVM hosts and perform a Deploy Full Configuration.

    Issue
    QRadar Vulnerability Manager reverse tunnels are not being created to QVM scanners when the QVM processor is located on the QRadar Console.

    No scan tools will run when this issue is occurring. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
    [7171]: WARNING: Interceptor for {http://processor.workflow.qvm.q1labs.com/}IProcessorEndpointService#{http://processor.workflow.qvm.q1labs.com/}getScans has thrown exception, unwinding now
    [7171]: org.apache.cxf.interceptor.Fault: Could not send Message.
    [7171]: at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java)
    [7171]: at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
    [7171]: at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:531)
    [7171]: at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440)
    [7171]: at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:355)
    [7171]: at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:313)
    [7171]: at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java)
    [7171]: at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java)
    [7171]: at com.sun.proxy.$Proxy59.getScans(Unknown Source)
    [7171]: at com.q1labs.qvm.workflow.scan.gateway.ws.ProcessorServiceGatewayWebServiceImpl.getQueuedJobs(ProcessorServiceGatewayWebServiceImpl.java:53)
    [7171]: at com.q1labs.qvm.workflow.scan.ScanToolProcess.exec(ScanToolProcess.java)
    [7171]: at com.q1labs.qvm.workflow.AbstractWorkflowProcess.run(AbstractWorkflowProcess.java:160)
    [7171]: at java.lang.Thread.run(Thread.java:818)
    [7171]: Caused by: java.net.ConnectException: ConnectException invoking https://127.0.0.1:9999/processor: Connection refused (Connection refused)
    [7171]: at sun.reflect.GeneratedConstructorAccessor59.newInstance(Unknown Source)
    [7171]: at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:57)
    [7171]: at java.lang.reflect.Constructor.newInstance(Constructor.java:437)
    [7171]: at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1402)
    [7171]: at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1386)
    [7171]: at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java)
    [7171]: at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java)
    [7171]: at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java)
    [7171]: ... 12 more
    [7171]: Caused by: java.net.ConnectException: Connection refused (Connection refused)
    [7171]: at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java)
    [7171]: at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:236)
    [7171]: at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java)
    [7171]: at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:374)
    [7171]: at java.net.Socket.connect(Socket.java:666)
    [7171]: at sun.net.NetworkClient.doConnect(NetworkClient.java:187)
    [7171]: at sun.net.www.http.HttpClient.openServer(HttpClient.java:494)
    [7171]: at sun.net.www.http.HttpClient.openServer(HttpClient.java:589)
    [7171]: at com.ibm.net.ssl.www2.protocol.https.c.(c.java:56)
    [7171]: at com.ibm.net.ssl.www2.protocol.https.c.a(c.java:222)
    [7171]: at com.ibm.net.ssl.www2.protocol.https.d.getNewHttpClient(d.java:25)
    [7171]: at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1217)
    [7171]: at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1068)
    [7171]: at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:78)
    [7171]: at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1352)
    [7171]: at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1327)
    [7171]: at com.ibm.net.ssl.www2.protocol.https.b.getOutputStream(b.java:87)
    [7171]: at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(URLConnectionHTTPConduit.java:275)
    [7171]: at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1345)
    [7171]: at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1306)
    [7171]: at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:307)
    [7171]: at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
    [7171]: at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
    [7171]: at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1358)
    [7171]: ... 15 more
    02 May 2020
    OFFENSES IJ24275 EXPORTING OFFENSES CAN FAIL WITH AN ERROR 'THERE WAS A PROBLEM COMPLETING YOUR EXPORT. PLEASE TRY AGAIN LATER' CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.4.0 Fix Pack 2 (7.4.0.20200426161706)

    Workaround
    No workaround available.

    Issue
    Exporting offenses to .csv or XML can sometimes fail with error "There was a problem completing your export. Please try again later."

    Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
    [tomcat.tomcat] [ExportJob-admin-10b9e80c-2622-44ad-b156-7efbf677d2ae] com.q1labs.core.ui.coreservices.export.ExportJobProcessor: [ERROR] [NOT:0000003000][X.X.X.X/- -] [-/- -]Error invoking setFirstTargetIPAddress with data Z.Z.Z.Z
    [tomcat.tomcat] [ExportJob-admin-10b9e80c-2622-44ad-b156-7efbf677d2ae] com.q1labs.core.ui.coreservices.export.ExportJobProcessor: [ERROR] [NOT:0000003000][X.X.X.X/- -] [-/- -]Error exporting data
    [tomcat.tomcat] [ExportJob-admin-10b9e80c-2622-44ad-b156-7efbf677d2ae] java.lang.IllegalArgumentException: java.lang.ClassCastException@70f49eb7
    [tomcat.tomcat] [ExportJob-admin-10b9e80c-2622-44ad-b156-7efbf677d2ae]   at sun.reflect.GeneratedMethodAccessor827.invoke(Unknown Source)
    [tomcat.tomcat] [ExportJob-admin-10b9e80c-2622-44ad-b156-7efbf677d2ae]   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
    [tomcat.tomcat] [ExportJob-admin-10b9e80c-2622-44ad-b156-7efbf677d2ae]   at java.lang.reflect.Method.invoke(Method.java:508)
    [tomcat.tomcat] [ExportJob-admin-10b9e80c-2622-44ad-b156-7efbf677d2ae]   at com.q1labs.core.ui.coreservices.export.ExportJobProcessor.exportJDBCSearch(ExportJobProcessor.java:1013)
    [tomcat.tomcat] [ExportJob-admin-10b9e80c-2622-44ad-b156-7efbf677d2ae]   at com.q1labs.core.ui.coreservices.export.ExportJobProcessor.run(ExportJobProcessor.java:221)
    [tomcat.tomcat] [ExportJob-admin-10b9e80c-2622-44ad-b156-7efbf677d2ae] com.q1labs.core.ui.coreservices.export.ExportJobProcessor: [ERROR] [NOT:0090003100][X.X.X.X/- -] [-/- -]The following error was encountered while performing a data export: java.lang.IllegalArgumentException: java.lang.ClassCastException@70f49eb7
    at sun.reflect.GeneratedMethodAccessor827.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
    at java.lang.reflect.Method.invoke(Method.java:508)
    at com.q1labs.core.ui.coreservices.export.ExportJobProcessor.exportJDBCSearch(ExportJobProcessor.java:1013)
    at com.q1labs.core.ui.coreservices.export.ExportJobProcessor.run(ExportJobProcessor.java:221)
    02 May 2020
    SECURITY BULLETIN CVE-2020-4294 IBM QRADAR SIEM IS VULNERABLE TO SERVER-SIDE REQUEST FORGERY (SSRF) CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
    QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
    QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

    Affected versions
    IBM QRadar 7.3.0 to 7.3.3 Patch 2

    Issue
    IBM QRadar SIEM is vulnerable to Server Side Request Forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
    14 April 2020
    SECURITY BULLETIN CVE-2020-4274 IBM QRADAR SIEM IS VULNERABLE TO AUTHORIZATION BYPASS CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
    QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
    QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

    Affected versions
    IBM QRadar 7.3.0 to 7.3.3 Patch 2

    Issue
    IBM QRadar SIEM could allow an authenticated user to access data and perform unauthorized actions due to inadequate permission checks.
    14 April 2020
    SECURITY BULLETIN CVE-2020-4272 IBM QRADAR SIEM IS VULNERABLE TO INSTANTIATION OF ARBITRARY OBJECTS CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
    QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
    QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

    Affected versions
    IBM QRadar 7.3.0 to 7.3.3 Patch 2

    Issue
    IBM QRadar could allow a remote attacker to include arbitrary files. A remote attacker could send a specially-crafted request specifying a malicious file on a remote system, which could allow the attacker to execute arbitrary code on the vulnerable server.
    14 April 2020
    SECURITY BULLETIN CVE-2020-4271 IBM QRADAR SIEM IS VULNERABLE TO PHP OBJECT INJECTION CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
    QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
    QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

    Affected versions
    IBM QRadar 7.3.0 to 7.3.3 Patch 2

    Issue
    IBM QRadar could allow an authenticated user to send a specially crafted command which would be executed as a lower privileged user.
    14 April 2020
    SECURITY BULLETIN CVE-2020-4270 IBM QRADAR SIEM IS VULNERABLE TO PRIVILEGE ESCALATION CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
    QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
    QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

    Affected versions
    IBM QRadar 7.3.0 to 7.3.3 Patch 2

    Issue
    IBM QRadar could allow a local user to gain escalated privileges due to weak file permissions.
    14 April 2020
    SECURITY BULLETIN CVE-2020-4269 IBM QRADAR SIEM CONTAINS HARD-CODED CREDENTIALS CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
    QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
    QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

    Affected versions
    IBM QRadar 7.3.0 to 7.3.3 Patch 2

    Issue
    IBM QRadar contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
    14 April 2020
    SECURITY BULLETIN CVE-2020-4151 IBM QRADAR SIEM IS VULNERABLE TO IMPROPER INPUT VALIDATION CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
    QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
    QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

    Affected versions
    IBM QRadar 7.3.0 to 7.3.3 Patch 2

    Issue
    IBM QRadar SIEM is vulnerable to improper input validation, allowing an authenticated attacker to perform unauthorized actions.
    14 April 2020
    SECURITY BULLETIN CVE-2019-2989
    CVE-2019-2975
    CVE-2019-2981
    CVE-2019-2973
    CVE-2019-2964
    MULTIPLE VULNERABILITIES IN IBM JAVA SDK AND IBM JAVA RUNTIME AFFECT IBM QRADAR SIEM CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Fix Pack 2 (7.3.3.20200208135728)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
    QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
    QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

    Affected versions
    IBM QRadar 7.3.0 to 7.3.3 Patch 1

    Issue
    There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 8 and IBM® Runtime Environment Java™ Version 8 used by IBM QRadar SIEM. IBM QRadar SIEM has addressed the applicable CVEs.
    14 April 2020
    SECURITY BULLETIN CVE-2019-4654 IBM QRADAR SIEM IS VULNERABLE TO INVALID CERTIFICATE VALIDATION CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
    QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
    QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

    Affected versions
    IBM QRadar 7.3.0 to 7.3.3 Patch 2

    Issue
    IBM QRadar does not validate, or incorrectly validates, a certificate which could allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack.
    14 April 2020
    SECURITY BULLETIN CVE-2019-4593 IBM QRADAR SIEM IS VULNERABLE TO INFORMATION EXPOSURE CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Fix Pack 2 (7.3.3.20200208135728)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
    QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
    QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

    Affected versions
    IBM QRadar 7.3.0 to 7.3.3 Patch 2

    Issue
    IBM QRadar generates an error message that includes sensitive information that could be used in further attacks against the system.
    14 April 2020
    SECURITY BULLETIN CVE-2019-4594 IBM QRADAR SIEM IS VULNERABLE TO INFORMATION EXPOSURE CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Fix Pack 2 (7.3.3.20200208135728)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
    QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
    QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

    Affected versions
    IBM QRadar 7.3.0 to 7.3.3 Patch 1

    Issue
    IBM QRadar could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.
    14 April 2020
    SECURITY BULLETIN CVE-2017-3164 IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Fix Pack 2 (7.3.3.20200208135728)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
    QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
    QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

    Affected versions
    IBM QRadar 7.3.0 to 7.3.3 Patch 1

    Issue
    Apache Solr is vulnerable to server-side request forgery, caused by the lack of a corresponding whitelist mechanism for the shards parameter. By using a specially-crafted argument, an attacker could exploit this vulnerability to conduct an SSRF attack.
    14 April 2020
    RULES IJ20330 RULES THAT COMPARE FIELD 'SOURCE OR DESTINATION IP' AGAINST IP TYPE REFERENCE DATA FOR SUPERFLOWS FAIL CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

    Workaround
    Use a hard-coded IP in the rule test instead of using a reference set.

    Issue
    It has been identified that a rule that tests for the presence of source/destination IP against an IP type reference set for superflows fails with exception: Failed to parse IP address: Multiple (X)
    13 December 2019
    FLOWS / QRADAR NETWORK INSIGHTS (QNI) IJ20540 QRADAR NETWORK INSIGHTS (QNI) FLOWS INTO QRADAR ARE DECREASED AND/OR STOP SENDING ENTIRELY CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

    Workaround
    Temporarily change from Advanced (High) inspection to Enriched (Med) inspection.

    Issue
    It has been identified that in some instances QRadar Network Insights can decrease and/or stop sending flows into QRadar when associated decapper/tika threads are in a stuck state.
    27 March 2020
    BACKUP / RECOVERY IJ21252 BACKUP/RESTORE PAGE IN THE QRADAR USER INTERFACE CAN FAIL TO LOAD 'PLEASE WAIT WHILE THE REQUESTED INFORMATION IS GATHERED' CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

    Workaround
    Reduce the number of backups available to the QRadar system.

    Issue
    It has been identified that the QRadar User Interface "Backup and Recovery" page in environments with a very large number of backups (multiple thousand) hangs while loading for an extended period of time. The page partially loads with a message similar to the following "Please wait while the requested information is gathered...".
    09 December 2019
    INSTALL / UPGRADE IJ23224 IPV6 MANAGED HOSTS DO NOT AUTOMATICALLY PATCH WHEN USING THE "PATCH ALL" OPTION CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

    Workaround
    After verifying that the Console is successfully patched, copy the patch SFS to the Managed Host and perform the patch process steps manually on the affected Managed Hosts.

    Issue
    Managed Hosts configured with IPV6 addresses fail to patch automatically when the "Patch All" option is selected for the patching process.
    Status Summary of Hosts
    +----------+-------------------+
    |Hostname  |Status             |
    |----------+-------------------|
    |{hostname}|No Action Performed|
    |{hostname}|Patch Successful   |
    +----------+-------------------+
    Sep 26 11:17:05 2018: Sep 26 11:17:05 2018:[DEBUG](posthost) ip=ipv6address
    Sep 26 11:17:05 2018: Sep 26 11:17:05 2018:[DEBUG](posthost) starting
    Sep 26 11:17:05 2018: Sep 26 11:17:05 2018:[DEBUG](posthost) Found 0 patch report files.
    Sep 26 11:17:05 2018: Sep 26 11:17:05 2018:[DEBUG](posthost) Patch Report for ipv6address, appliance type: 3199
    {hostname} :  patch test succeeded.
    {hostname}-secondary :  patch test succeeded.
    {hostname} :  patch succeeded.
    {hostname}-secondary :  patch succeeded.
    Tried 3 times to copy file but md5 sums never matched after copy operations.
    Sep 26 11:17:05 2018: Sep 26 11:17:05 2018:[DEBUG](posthost) pr=
    Patch Report for (ipv6_address), appliance type: 3199
    {hostname} :  patch test succeeded.
    {hostname}-secondary :  patch test succeeded.
    {hostname} :  patch succeeded.
    {hostname}-secondary :  patch succeeded.
    Tried 3 times to copy file but md5 sums never matched after copy operations.
    13 March 2020
    INSTALL / UPGRADE IJ23465 PATCH PRETEST VALIDATE_HOSTNAME.SH CAN FAIL ON A SECONDARY MANAGED HOST APPLIANCE CAUSING PATCH PROCESS TO FAIL CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    During the QRadar patch pretest, the validate_hostname.sh script can fail when running on a Secondary Managed Host appliance in a High Availability pair, causing the patch to fail. Messages similar to the following might be visible when this issue occurs:
    [INFO](testmode) Running pretest 7/8: Validate deployment hostnames
    ERROR: This patch requires SSH access to all Managed Hosts to validate hostnames.
    ERROR: The following Managed Hosts are not accessible via SSH:
    - {appliance}
    [ERROR](testmode) Patch pretest 'Validate deployment hostnames' failed. (validate_hostname.sh)
    [INFO](testmode) Running pretest 8/8: Check for QIF appliances in deployment
    [ERROR](testmode) Failed 1/8 pretests. Aborting the patch.
    [ERROR](testmode) Failed pretests
    [ERROR](testmode) Pre Patch Testing shows a configuration issue. Patching this host cannot continue.
    [INFO](testmode) Set ip-135-56 status to 'Patch Test Failed'
    [ERROR](testmode) Patching can not continue
    Status Summary of Hosts
    +----------+-------------------+
    |Hostname  |Status             |
    |----------+-------------------|
    |appliance |Patch Test Failed  |
    |appliance |No Action Performed|
    +----------+-------------------+
    Patch Report for {ipaddress}, appliance type: 500
    Patch pretest 'Validate deployment hostnames' failed. (validate_hostname.sh)
    {appliance}:  patch test failed.
    23 March 2020
    RULES IJ23642 PERFORMANCE IMPROVEMENTS WITH REFERENCE DATA AND CUSTOM RULE ENGINE PROCESSING CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

    Workaround
    No workaround available.

    Issue
    QRadar requires an improvement with the performance of Custom Rule Engine processing of Reference Data.
    17 March 2019
    INSTALL / UPGRADE IJ23684 QRADAR PATCHING PROCESS CAN FAIL ON DB_UPDATE.187085.HOSTNAMETYPE_UPDATE.SQL CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    The QRadar patching process can fail on db_update.187085.hostnametype_update.sql.
    23 March 2020
    INSTALL / UPGRADE IJ23685 QRADAR PATCHING PROCESS CAN FAIL ON DB_UPDATE_740.ARIEL_GENERICLIST_PROPERTY_EXPRESSION.SQL CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    The QRadar patching process can fail on db_update_740.ariel_genericlist_property_expression.sql.
    23 March 2020
    LICENSE IJ21568 NO WARNING OF UPCOMING EPS/FPS LICENSE EXPIRING CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    No warning message is displayed when a QRadar license allocated to an Event Processor is nearing expiration; the EPS/FPM license simply expires. This causes the license pool to become over-allocated without appropriate notice.

    For example:
    There is no warning message that the license is going to expire soon. Only a message that the license is expired. Current behavior: License "{LicenseIdentity}" allocated to host {IP ADDRESS} has expired.
    20 December 2019
    AUTHENTICATION / LDAP IJ20982 QRADAR LDAP AUTHENTICATION CAN FAIL DUE TO SHA1 CERTIFICATES BEING BLOCKED CLOSED Resolved in
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that SHA1 certificates can be blocked by the Java algorithm constraints. QRadar LDAP authentication can fail when this issue occurs. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    tomcat[25530]: at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
    tomcat[25530]: at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java)
    tomcat[25530]: at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    tomcat[25530]: at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806)
    tomcat[25530]: at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
    tomcat[25530]: at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    tomcat[25530]: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
    tomcat[25530]: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    tomcat[25530]: at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    tomcat[25530]: at java.lang.Thread.run(Thread.java:812)
    tomcat[25530]: Caused by:
    tomcat[25530]: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
    tomcat[25530]: at com.ibm.jsse2.k.a(k.java:42)
    tomcat[25530]: at com.ibm.jsse2.av.a(av.java:688)
    tomcat[25530]: at com.ibm.jsse2.D.a(D.java:495)
    tomcat[25530]: at com.ibm.jsse2.D.a(D.java:534)
    tomcat[25530]: at com.ibm.jsse2.E.a(E.java:151)
    tomcat[25530]: at com.ibm.jsse2.E.a(E.java:401)
    tomcat[25530]: at com.ibm.jsse2.D.r(D.java:444)
    tomcat[25530]: at com.ibm.jsse2.D.a(D.java:399)
    tomcat[25530]: at com.ibm.jsse2.av.a(av.java:1006)
    tomcat[25530]: at com.ibm.jsse2.av.i(av.java:574)
    tomcat[25530]: at com.ibm.jsse2.av.a(av.java:468)
    tomcat[25530]: at com.ibm.jsse2.i.write(i.java:17)
    tomcat[25530]: at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java)
    tomcat[25530]: at java.io.BufferedOutputStream.flush(BufferedOutputStream.java)
    tomcat[25530]: at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:455)
    tomcat[25530]: at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:428)
    tomcat[25530]: at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:371)
    tomcat[25530]: at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:226)
    tomcat[25530]: ... 84 more
    tomcat[25530]: Caused by:
    tomcat[25530]: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
    tomcat[25530]: at com.ibm.jsse2.aB.a(aB.java:18)
    tomcat[25530]: at com.ibm.jsse2.aB.a(aB.java:82)
    tomcat[25530]: at com.ibm.jsse2.aB.checkServerTrusted(aB.java:45)
    tomcat[25530]: at com.ibm.jsse2.E.a(E.java:757)
    tomcat[25530]: ... 97 more
    13 November 2019
    ROUTING RULES / FORWARDED EVENTS IJ22899 OFFLINE FORWARDED NORMALIZED EVENTS DO NOT HAVE ASSOCIATED EVENT PROCESSOR ID IN LOG ACTIVITY OF DESTINATION HOST CLOSED Resolved in
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

    Workaround
    No workaround available.

    Issue
    Offline forwarded normalized events display unknown Event Processor (EP) in the Log Activity of the destination host. As there is no associated Event Processor ID, this can cause event investigation issues during drill down in Offenses, rule triggering correlation, etc.
    14 February 2020
    QRADAR DEPLOYMENT INTELLIGENCE APP (QDI) IJ22709 QRADAR DEPLOYMENT INTELLIGENCE (QDI) APP ADVANCED HEALTH QUERY DISPLAYS BLANK GRAPHS FOR ENCRYPTED MANAGED HOSTS OPEN: Reported as an issue in QRadar 7.3.2 Patch 6 and later.

    Workaround
    No workaround available.

    Issue
    The QRadar Deployment Intelligence (QDI) App displays blank graphs when attempting to perform an advanced health query on an encrypted Managed Host.

    This is caused by the advanced health query using the Managed Host's primary IP instead of the VIP (tunnel IP) of the encrypted host.
    14 February 2020
    SYSTEM NOTIFICATIONS IJ22344 'NO SEARCH WAS FOUND WITH ID SYSTEM-LOGS. DROPPING BACK TO DEFAULT SEARCH' IN SYSTEM NOTIFICATIONS AND LOGGING OPEN: Reported as an issue in QRadar 7.3.2 Patch 5 and later.

    Workaround
    No workaround available.

    Issue
    Messages similar to the following might be visible in QRadar System Notifications and in /var/log/qradar.error after applying a QRadar patch:
    [tomcat.tomcat] [admin@xx.xx.xx.xx(8380) /console/do/ariel/arielSearch] com.q1labs.ariel.ui.action.ArielSearch: [WARN] [NOT:0000004000][xx.xx.xx.xx/- -] [-/- -]No search was found with id SYSTEM-LOGS. Dropping back to default search.
    14 February 2020
    RULES / PERFORMANCE VISUALIZATION IJ22339 RULE PERFORMANCE INFORMATION FOR MODIFIED DEFAULT/SYSTEM RULES IS STORED IN THE ORIGINAL RULE NOT IN THE UPDATED RULE OPEN: Reported as an issue in QRadar 7.3.2 and later.

    Workaround
    No workaround available.

    Issue
    Rule performance data for modified System/Default Rules is stored in the original rule, not the modified rule. This can lead to incorrect Rule Performance visualization data.
    14 February 2020
    AUDIT LOG IJ22766 EVENT MAPPING ADDS OR EDITS PERFORMED USING THE 'MAP EVENT' BUTTON IN LOG ACTIVITY ARE NOT AUDITED CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    No workaround available.

    Issue
    Event mapping adds or edits performed using Log Activity -> View Event Information -> Map Event are not recorded in /var/log/audit/audit.log.
    14 February 2020
    JDBC PROTOCOL / LOG SOURCE MANAGEMENT APP IJ20450 LOG SOURCE MANAGEMENT APP IS NOT ABLE TO CREATE JDBC LOG SOURCE WHEN 'NONE' IS CHOSEN FROM THE 'QUERYLIST' CLOSED Resolved in
    PROTOCOL-JDBC-7.3-20200110201324.noarch.rpm or later. This protocol update is available through QRadar weekly auto updates.

    Workaround
    Use the legacy Log Source management user interface to create JDBC log sources where the Predefined Query field must be set to None.

    Issue
    It has been identified that creating a JDBC Log Source using the Log Source Management app fails when 'none' is chosen from the Predefined Query field. Using the legacy Log Source User Interface (UI) to create the same Log Source works as expected.
    23 October 2019
    ORACLE DATABASE LISTENER PROTOCOL IJ22710 REPEATED 'CAUGHT SIGPIPE, RESET CONNECTION' EVENTS BEING GENERATED WHEN USING PROTOCOL ORACLE DATABASE LISTENER OPEN: Reported in QRadar 7.3.1 Patch 8 and later.

    Workaround
    No workaround available.

    Issue
    When using Log Sources configured with the Oracle Database Listener Protocol, the oracle_osauditlog_fwdr.pl script is causing repeated "caught sigpipe, reset connection" events to be generated.
    19 February 2020
    LOG ACTIVITY IJ22898 POPUP "ERROR! NO NODE SENT TO TREE METHOD'EXPANDNODE()" IN LOG ACTIVITY TAB WHEN USING DOUBLE BYTE CHARACTER SET LOCALE OPEN: Reported in QRadar 7.3.2 Patch 6 and later.

    Workaround
    No workaround available.
    Note: This does not occur when using the English locale in QRadar.

    Issue
    A Client Exception popup message can occur in the QRadar User Interface on the Log Activity tab when QRadar is configured to use double byte character set locales and attempting a navigation path as follows:
    1. Click the Log Activity tab.
    2. From the navigation menu, select Search > New Search
    3. In the Search Parameters field, select Source Network.
    4. From the Operator drop-down, select Equals.
    5. In the Value drop-down, attempt to select a value entry.

      Results
      The following error popup is generated:
      Client Exception
      The following client exception occurred while handling the server response:
      {0} Error: ERROR! No node sent to Tree method "expandNode()"
    28 February 2020
    APACHE KAFKA / LOG SOURCE MANAGEMENT APP IJ22711 MULTILINE LOG SOURCE IDENTIFIER PATTERN FOR APACHE KAFKA PROTOCOL NOT WORKING WITH LOG SOURCE MANAGEMENT APP OPEN: Reported in QRadar 7.3.2 Patch 4 and later.

    Workaround
    Use the legacy Log Sources User Interface instead of the Log Source Management App.

    Issue
    The Log Source Management App saves the Multiline Log Source Identifier Pattern for the Apache Kafka Protocol without a valid line-break regex, so the pattern does not match multiline events.
    28 February 2020
    APPLICATION FRAMEWORK / CERTIFICATES IJ23059 APPS CAN FAIL TO LOAD DUE TO CERTIFICATES NOT BEING RENEWED AS EXPECTED WHEN THE QRADARCA-MONITOR SERVICE HANGS CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

    Workaround
    A restart of the qradarca-monitor service running on the QRadar Console can often correct the stuck service.
    # systemctl restart qradarca-monitor


    Issue
    QRadar Apps can fail to load because expired certificates are not renewed while the qradarca-monitor service is in a stuck state. When this issue occurs, /var/log/messages might contain a Go stack trace from the stuck qradarca-monitor process (bash[<pid>] lines, blocked in an SSH connection attempt for a very long time) similar to the following:
    28 February 2020
    EVENT PIPELINE / DISK SPACE IJ23194 EVENT COLLECTION ON APPLIANCES CAN STOP DUE TO AN INCORRECT PIPELINEDISKMONITOR FREE SPACE CALCULATION CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

    Workaround
    Run the following from the command line on all QRadar appliances:
    # sed -i.bak 's/du -sB/du -xsB/' /opt/qradar/bin/pipelineDiskMonitor.py

    Issue
    The event collection service ecs-ec-ingress on QRadar appliances can stop sending events because of an incorrect free-space calculation in the pipelineDiskMonitor.py script: its du call does not stay on a single filesystem, so the usage of any filesystems mounted under /store is counted against /store as well (the -x flag added by the workaround above restricts du to one filesystem).

    Note: A "percents=" value greater than 100% in the warning below (for example "percents=148%") indicates that this miscalculation can be the cause of event collection stopping.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ec-ingress.ecs-ec-ingress] [PipelineDiskMonitor] com.ibm.si.ecingress.destinations.SECStoreForwardDestination(ecs-ec-ingress/EC_Ingress/TCP_TO_ECParse): [WARN] [NOT:0060005100][10.1.17.76/- -] [-/- -]PipelineDiskMonitor has detected that spillover queue threshold is crossed (total=70252554 MB, used=103749251  MB, free=-33496697  MB, percents=148%, ingress=1%, ec=1%). The ecs-ec-ingress starts dropping events until disk issue resolved.
    13 March 2020
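    As an added illustration for IJ23194 (example code written for this page, not QRadar's own), the following Python parses the PipelineDiskMonitor warning quoted above, flags figures that cannot describe a single filesystem, and reconstructs how a du total that crossed into mounts under /store yields percents=148%. The regex, the sample log lines and the assumed reporting formula (free = total - used, percentage rounded) are constructed for this example.

```python
"""Detection helper for the IJ23194 PipelineDiskMonitor miscalculation (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed regex (not QRadar's): pulls the figures out of the spillover warning.
_FIGURES = re.compile(
    r"spillover queue threshold is crossed\s*\("
    r"total=(?P<total>-?\d+)\s*MB,\s*used=(?P<used>-?\d+)\s*MB,"
    r"\s*free=(?P<free>-?\d+)\s*MB,\s*percents=(?P<percents>-?\d+)%"
)


@dataclass
class DiskFigures:
    total_mb: int
    used_mb: int
    free_mb: int
    percents: int

    def reported_inconsistent(self) -> bool:
        """True when the figures cannot describe one filesystem: usage above 100%,
        negative free space, or used > total. That is what a du that descended into
        filesystems mounted under /store produces (the percents=148% case)."""
        return self.percents > 100 or self.free_mb < 0 or self.used_mb > self.total_mb


def parse_figures(line: str) -> Optional[DiskFigures]:
    """Return the figures from a PipelineDiskMonitor warning, or None for other lines."""
    m = _FIGURES.search(line)
    if m is None:
        return None
    return DiskFigures(int(m["total"]), int(m["used"]), int(m["free"]), int(m["percents"]))


def suspect_ij23194(lines: List[str]) -> List[DiskFigures]:
    """Figures of every warning whose numbers point at the cross-filesystem du bug."""
    hits = []
    for line in lines:
        figures = parse_figures(line)
        if figures is not None and figures.reported_inconsistent():
            hits.append(figures)
    return hits


def derive_figures(total_mb: int, du_used_mb: int) -> Tuple[int, int]:
    """Model of how the warning's free/percents follow from a du total (assumed formula:
    free = total - used, percents = round(100 * used / total)). Feeding the 103749251 MB
    that du -sB summed across nested mounts against a 70252554 MB /store reproduces the
    APAR's free=-33496697 MB and percents=148%; du -xsB would stay on /store alone."""
    return total_mb - du_used_mb, round(100 * du_used_mb / total_mb)


# Constructed sample lines: the first mirrors the APAR excerpt, the second is a genuine
# near-full disk (made-up figures), the third is unrelated noise.
SAMPLE_LOG = [
    "[ecs-ec-ingress.ecs-ec-ingress] [PipelineDiskMonitor] "
    "com.ibm.si.ecingress.destinations.SECStoreForwardDestination(ecs-ec-ingress/EC_Ingress/"
    "TCP_TO_ECParse): [WARN] [NOT:0060005100][10.1.17.76/- -] [-/- -]PipelineDiskMonitor has "
    "detected that spillover queue threshold is crossed (total=70252554 MB, used=103749251  MB, "
    "free=-33496697  MB, percents=148%, ingress=1%, ec=1%). The ecs-ec-ingress starts dropping "
    "events until disk issue resolved.",
    "[ecs-ec-ingress.ecs-ec-ingress] [PipelineDiskMonitor] [WARN] PipelineDiskMonitor has "
    "detected that spillover queue threshold is crossed (total=70252554 MB, used=66739926 MB, "
    "free=3512628 MB, percents=95%, ingress=1%, ec=1%). The ecs-ec-ingress starts dropping "
    "events until disk issue resolved.",
    "[ecs-ec-ingress.ecs-ec-ingress] [PipelineDiskMonitor] heartbeat ok",
]

if __name__ == "__main__":
    for f in suspect_ij23194(SAMPLE_LOG):
        print(f"IJ23194 signature: used={f.used_mb} MB > total={f.total_mb} MB ({f.percents}%); "
              "check for filesystems mounted under /store and apply the sed workaround")
    print(derive_figures(70252554, 103749251))  # (-33496697, 148)
```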
    OUTPOST24 VULNERABILITY SCANNER IJ23038 LAST SCAN DATE DISPLAYED FOR OUTPOST24 VULNERABILITY SCANNER WITHIN QRADAR CAN BE INCORRECT OPEN: Reported in QRadar 7.3.2 Patch 5 and later.

    Workaround
    No workaround available.

    Issue
    Incorrect Last Scan date value is displayed in QRadar for an Outpost24 vulnerability scan.

    To replicate this reported issue:
    1. Configure Outpost24 to run on date Jan 20, 2020 and get the scan results into QRadar.
    2. Run a new scan on Outpost24 on Feb 20, 2020 and get the scan results in QRadar.

      Results
      QRadar does not update the lastScan date value to the date of the newer scan.
    06 March 2020
    OFFENSES / EMAIL ALERTS IV49730 IT IS NOT POSSIBLE TO CUSTOMIZE OFFENSE RULE EMAIL ALERTS CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)

    Workaround
    Upgrade to QRadar 7.4; features added in that version resolve this reported APAR.

    Issue
    Currently you can modify email alerts for event and flow rules using /store/configservices/staging/globalconfig/templates/custom_alerts/alert-config.xml, but it is not possible to customize the email alerts for offense-based rules.
    21 April 2015
    CONTENT MANAGEMENT TOOL (CMT) IV80631 CONTENT MANAGEMENT TOOL IMPORTS CAN SOMETIMES TAKE LONGER THAN EXPECTED AND/OR FAIL AFTER RUNNING FOR A LONG PERIOD OF TIME CLOSED Note: This issue is currently tagged closed as a suggestion for a future release.
    The legacy CMT is not being maintained in the current implementation. Performance is a primary concern in the rewrite of the CMT, so this type of issue should not recur once import support is written in the new implementation.

    Workaround
    If possible, do not have Reference Set elements in the Content Management Tool (CMT) export prior to attempting the bundled CMT import.

    Issue
    Content Management Tool imports that include Reference Set elements can sometimes run for an unexpectedly long period of time. In some instances, the import has been known to cause an Out Of Memory condition after attempting to complete over a period of multiple days.
    03 January 2020
    DEPLOY CHANGES IV87562 A QRADAR 'DEPLOY' FUNCTION CAN RESTART TUNNELS UNEXPECTEDLY CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)

    Workaround
    No workaround available.

    Issue
    It has been observed that a QRadar 'Deploy' function can sometimes restart tunnels unnecessarily when changes are made in the User Interface that should not require a tunnel restart.

    For example, tunnels restart after a regular 'Deploy Changes' that follows these user actions:
    1. Adding a new user
    2. Updating the Network Hierarchy
    04 August 2016
    DASHBOARD IV94448 DASHBOARDS ELEMENTS/WIDGETS THAT HAVE BEEN SHARED CAN SOMETIMES FAIL TO LOAD IN THE QRADAR USER INTERFACE CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.2 (7.3.2.20190201201121)

    Issue
    After sharing Dashboards, it has been observed that some of the shared Dashboard elements/widgets can fail to load and exceptions in /var/log/qradar.error similar to the following might be visible upon user login:
    [tomcat] [admin@127.0.0.1 (3814) /console/JSON-RPC/QRadar.getDashboardSearch QRadar.getDashboardSearch] com.q1labs.qradar.ui.widget.graph.ArielSearchGraphWidget: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]Could not parse 'items to graph' from user data:
    [tomcat] admin@127.0.0.1 (3814) /console/JSON-RPC/QRadar.getDashboardSearch QRadar.getDashboardSearch] java.lang.NumberFormatException: For input string: ""
    [tomcat] [admin@127.0.0.1 (3814) /console/JSON-RPC/QRadar.getDashboardSearch QRadar.getDashboardSearch]    at java.lang.NumberFormatException.forInputString(NumberFormatException.java)
    03 January 2020
    DASHBOARD IV96788 SETTING UP DISPLAYED DASHBOARD RESTRICTIONS BY USER ROLE IS NOT HONORED CLOSED Note: This issue is currently tagged closed as a suggestion for a future release.

    When a user is created/deployed, they inherit a copy of the out-of-the-box dashboard templates. These are modifiable because they are a user-owned copy of the template. The User Role dashboard sharing feature only applies to user-created dashboards. When shared using the 'Share' option, the dashboards are read-only (if you are not the owner, you should not be able to delete them). In the future, dashboards will be moved to the Pulse app.

    Issue
    It has been observed after configuring Dashboards for QRadar users, and attempting to restrict the Available Dashboards by User Role, that the Dashboard viewing restrictions are not honored.
    05 June 2018
    QRADAR VULNERABILITY MANAGER / SCAN REPORT IV98492 QRADAR VULNERABILITY MANAGER SCAN CAN SOMETIMES NOT DETECT MS17-010 VULNERABILITY CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)

    Workaround
    Create a scan policy and include only the netbios tool group.

    Issue
    It has been identified that QVM vulnerability scans do not detect the "CVE-2017-0143 - MS17-010 - Microsoft - Windows - EternalBlue Issue" vulnerability when a scan policy contains only the "smb - EternalBlue - MS17-010" tool.
    31 July 2017
    MANAGED HOST / HOSTCONTEXT SERVICES IJ02072 QRADAR LOGGING REPORTS HOSTCONTEXT '...TOO MANY OPEN FILES' MESSAGES CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)

    Workaround
    No workaround available.

    The file handle issue was partially addressed in APAR IV94782, but an outstanding issue causing the same behavior could still be present.

    Issue
    It has been observed in some customer environments that Hostcontext can run out of available file handles due to code relating to nva.conf.

    Repetitive messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [hostcontext.hostcontext] [ProcessMonitor] java.io.IOException: error=24, Too many open files
    13 December 2017
    DEPLOY CHANGES IJ02476 REMOVING ENCRYPTION FROM A MANAGED HOST CAUSES DEPLOY FUNCTION TO FAIL TO THAT MANAGED HOST CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)

    Workaround
    From the System and License Management interface, encrypt the host connection on the Managed Host and Deploy changes.

    Issue
    It has been identified that the QRadar deploy function to a Managed Host fails (times out) after removing encryption from that Managed Host (Encrypt Host Connection option).

    To replicate this issue:
    1. Click the Admin tab.
    2. Click the System and License Management icon.
    3. Click on the Managed Host and then Deployment Actions.
    4. Click Edit Host.
    5. Un-check Encrypt Host Connection and save the changes.
    6. Click Deploy Changes.

      Results
      The Deploy Changes function for that Managed Host times out.


    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
      [hostcontext.hostcontext] [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchThread.run(SequentialEventDispatcher.java)
      [hostcontext.hostcontext] [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] Caused by:
      [hostcontext.hostcontext] [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] com.q1labs.hostcontext.exception.HostContextConfigException: Failed to download new configuration set
      [hostcontext.hostcontext] [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] at com.q1labs.hostcontext.configuration.ConfigSetUpdater.downloadAndProcessGlobalSets(ConfigSetUpdater.java)
      [hostcontext.hostcontext] [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] at com.q1labs.hostcontext.configuration.ConfigSetUpdater.prepareNonConsoleGlobalSets(ConfigSetUpdater.java)
      [hostcontext.hostcontext] [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] ... 10 more
      [hostcontext.hostcontext] [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] Caused by:
      [hostcontext.hostcontext] [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] com.q1labs.hostcontext.exception.HostContextConfigException: Timeout on deployment token synchronization
      [hostcontext.hostcontext] [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] at com.q1labs.hostcontext.configuration.ConfigSetUpdater.downloadAndProcessGlobalSets(ConfigSetUpdater.java)
      [hostcontext.hostcontext] [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] ... 11 more
      [hostcontext.hostcontext] [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] com.q1labs.hostcontext.util.HostContextUtilities: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Removing file hostcontext.NODOWNLOAD
      [hostcontext.hostcontext] [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] com.q1labs.hostcontext.configuration.ConfigChangeObserver: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Following message suppressed 1 times in 300000 milliseconds
      [hostcontext.hostcontext] [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] com.q1labs.hostcontext.configuration.ConfigChangeObserver: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to download and apply new configuration
      [hostcontext.hostcontext] [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] com.q1labs.hostcontext.exception.HostContextConfigException: Unable to create flag file to denote a hostcontext restart to create tunneled frameworks connections
    12 December 2017
    OFFENSES IJ02571 OFFENSE RULE SNMP RESPONSES DO NOT REFLECT THE OFFENSE DATA CLOSED This issue has been closed as an expired issue and no fix is planned at this time.

    Workaround
    No workaround available.

    Issue
    It has been observed that when an offense rule has an SNMP response configured, and the offenseCRE.snmp.xml file has been modified to configure the OIDs (properties) that are sent in the SNMP trap, the response code in QRadar uses the asset model to attempt to populate these values for the Offense.

    When this occurs, the SNMP trap does not always contain the expected data that is visible in the Offense.
    12 December 2017
    LOG ACTIVITY / SEARCH IJ05192 LOG ACTIVITY SEARCH ERRORS '...PROBLEM CONNECTING TO THE QUERY SERVER' AND '...INVALID WHITE SPACE CHARACTER...' IN THE LOGS CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)

    Workaround
    No workaround available.

    Issue
    It has been observed that Log Activity searches can sometimes fail with a message similar to: "There was a problem connecting to the query server. please try again later"

    This error message can coincide with error messages in /var/log/qradar.error:
    [ariel.ariel_proxy_server] [ariel_query_13:cf3b383b-17ba-4895-a0ef-ef31b99c12f7] com.thoughtworks.xstream.io.StreamException:
    [ariel.ariel_proxy_server] [ariel_query_13:cf3b383b-17ba-4895-a0ef-ef31b99c12f7] Caused by:
    [ariel.ariel_proxy_server] [ariel_query_13:cf3b383b-17ba-4895-a0ef-ef31b99c12f7] com.ctc.wstx.exc.WstxIOException: Invalid white space character (0x11) in text to output
    [ariel.ariel_proxy_server] [ariel_query_13:cf3b383b-17ba-4895-a0ef-ef31b99c12f7] at com.ctc.wstx.sw.BaseStreamWriter.writeCharacters(BaseStreamWriter.java)
    [ariel.ariel_proxy_server] [ariel_query_13:cf3b383b-17ba-4895-a0ef-ef31b99c12f7] at com.thoughtworks.xstream.io.xml.StaxWriter.setValue(StaxWriter.java)
    [ariel.ariel_proxy_server] [ariel_query_13:cf3b383b-17ba-4895-a0ef-ef31b99c12f7] ... 77 more
    10 February 2020
    OFFENSES / PERFORMANCE IJ09192 OFFENSE SUMMARY PAGE CAN SOMETIMES TAKE LONGER THAN EXPECTED TO LOAD FOR OFFENSES WITH A LARGE NUMBER OF ATTACKERS CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 (7.4.0.20200304205308)

    Workaround
    No workaround available.

    Issue
    It has been identified that loading the offense summary of a single offense can sometimes take longer than expected (multiple minutes) for Offenses with a large number of attackers.
    04 December 2018
    DEPLOYMENT / REMOVE HOST IJ12277 PROCESSOR MANAGED HOSTS INSTALLED AS TYPE "SOFTWARE" GENERATE ERROR WHEN ATTEMPTING TO BE REMOVED FROM DEPLOYMENT CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)

    Workaround
    Install the latest software version or contact Support for a possible workaround that might address this issue if you cannot upgrade at this time.

    Issue
    It has been identified that attempting to remove a QRadar processor (Event or Flow) from a QRadar deployment can fail with an error similar to the following if the processor was built as type "Software" at version 7.2.x and then upgraded to 7.3.1.

    When this issue occurs, the following error messages can be displayed in the user interface:

    • There are not enough unallocated EPS in the pool to maintain the event rate limits that are assigned to managed hosts
      or
    • There are not enough unallocated FPM in the pool to maintain the flow rate limits that are assigned to managed hosts
    16 September 2019
    VULNERABILITY SCAN / QRADAR VULNERABILITY MANAGER IJ19254 TXSENTRY ERRORS CAN OCCUR DURING VULNERABILITY IMPORTS OF A LARGE NUMBER OF ASSETS WITH VULNERABILITY EXCEPTIONS CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)

    Workaround
    Avoid importing thousands of assets that require the same vulnerability exception at once by staggering the vulnerability imports.

    Issue
    It has been identified that TxSentry lock warnings can occur during vulnerability imports of a large number of assets (multiple thousand) with vulnerability exceptions. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]  Lock acquired on host 127.0.0.1: rel=vulninstance age=623 granted=t mode=RowShareLock query='SELECT exception_rule.config_update();
    16 September 2019
    RULES / RULES WIZARD IJ19268 LOADING RULES FROM EVENTS GENERATES '[UNKNOWN RULE NAME]' AND 'INVALID XML CONTENT' MESSAGES IN QRADAR LOGGING CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)

    Workaround
    Upgrade to the latest software version or contact Support for a possible workaround that might address this issue in some instances if you are unable to upgrade at this time.

    Issue
    It has been identified that when loading Rules from within events, messages containing "UNKNOWN RULE NAME" might be displayed. These errors have been observed when control characters are present in data within the rule_data database table.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] Caused by:
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] com.q1labs.restapi_annotations.content.exceptions.endpointExceptions.ServerProcessingException: An error occured while trying to retrieve the rule
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at com.q1labs.core.api.impl.customrule.CustomRuleAPIImpl.getCustomRules(CustomRuleAPIImpl.java)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at com.q1labs.core.api.R2_2016.customrule.CustomRuleAPI.getCustomRules(CustomRuleAPI.java)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at sun.reflect.GeneratedMethodAccessor526.invoke(Unknown Source)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at java.lang.reflect.Method.invoke(Method.java:508)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at com.q1labs.restapi.servlet.utilities.APIRequestHandler.invokeMethod(APIRequestHandler.java)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at com.q1labs.restapi.servlet.utilities.APIRequestHandler.redirectRequest(APIRequestHandler.java)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] ... 46 more
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] Caused by:
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] [openjpa-2.2.2-r422266:1468616 fatal general error] org.apache.openjpa.persistence.PersistenceException: ERROR: invalid XML content
     Detail: line 1: xmlParseCharRef: invalid xmlChar value 6
    &lt;a href='javascript:editParameter("12", "3")' class='dynamic'>metadata
     ^
    line 1: xmlParseCharRef: invalid xmlChar value 6
    ns multiselect="false" source="user" format="user"/][userSelection]metadata
     ^
    line 1: chunk is not well balanced {prepstmnt 1473478204 SELECT * FROM custom_rule WHERE (CAST( xpath( '/rule[@buildingBlock="false"]', CAST( (encode(rule_data, 'escape')) AS XML)) AS text ARRAY) != '{}' AND rule_type NOT IN (6, 7, 8)) ORDER BY id ASC}
    
    26 September 2019
    RULES / RULES WIZARD IJ20232 ' ? ' CHARACTERS DISPLAYED AT THE END OF EACH LINE OF "RULE NOTES" THAT CONTAIN LINE BREAKS CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)

    Workaround
    No workaround available.

    Issue
    It has been identified that when configuring a rule that includes a line break in the "Rule Notes" section, question mark '?' characters are displayed at the end of each line.
    17 October 2019
    ROUTING RULES IJ20466 EVENTS CONFIGURED TO BE DROPPED BY ROUTING RULES ARE NOT BEING DROPPED DURING A HOSTCONTEXT RESTART OPEN: Reported in QRadar 7.3.2 versions Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that Events which are configured to be dropped by routing rules are not being dropped during a hostcontext restart.
    08 November 2019
    RULES / RULES WIZARD IJ20767 'AN ERROR HAS OCCURRED SAVING YOUR RULE. PLEASE TRY AGAIN LATER' WHEN ATTEMPTING TO SAVE A RULE CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)

    Workaround
    No workaround available.

    Issue
    It has been identified that when saving a Rule, the following message might be observed due to rule_data not being validated prior to persisting it to the database: "An error has occurred saving your rule. Please try again later."

    To replicate this issue:
    1. Use "sss" as a rule's Annotate event under Rule Action.
    2. Click Next until the Summary page, and click Finish.

      Results
      The save rule error is displayed in the user interface and the following messages are visible in /var/log/qradar.log when this issue occurs:
      [tomcat.tomcat] [admin@127.0.0.1 (9437) /console/do/rulewizard] com.q1labs.sem.ui.action.RuleWizard: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Unable to save rule. Reason: Invalid control character(s) found in the xml object representing the rule sss. This will prevent the rule from being loaded to CRE.
      [tomcat.tomcat] [admin@127.0.0.1 (9437) /console/do/rulewizard] com.q1labs.sem.ui.action.RuleWizard: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to Save rule
      [tomcat.tomcat] [admin@127.0.0.1 (9437) /console/do/rulewizard] java.lang.RuntimeException: Invalid control character(s) found in the xml object representing the rule sss. This will prevent the rule from being loaded to CRE.
      [tomcat.tomcat] [admin@127.0.0.1 (9437) /console/do/rulewizard] at com.q1labs.core.shared.cre.CREServices.validateRuleData(CREServices.java)
      [tomcat.tomcat] [admin@127.0.0.1 (9437) /console/do/rulewizard] at com.q1labs.core.shared.cre.CREServices.updateRule(CREServices.java)
      [tomcat.tomcat] [admin@127.0.0.1 (9437) /console/do/rulewizard] at com.q1labs.core.shared.cre.CREServices.updateRule(CREServices.java)
      [tomcat.tomcat] [admin@127.0.0.1 (9437) /console/do/rulewizard] at com.q1labs.sem.ui.action.RuleWizard.saveWizard(RuleWizard.java)
      [tomcat.tomcat] [admin@127.0.0.1 (9437) /console/do/rulewizard] at com.q1labs.sem.ui.action.RuleWizard.executeAction(RuleWizard.java)
      [tomcat.tomcat] [admin@127.0.0.1 (9437) /console/do/rulewizard] at com.q1labs.uiframeworks.actions.WizardAction.execute(WizardAction.java)
      [tomcat.tomcat] [admin@127.0.0.1 (9437) /console/do/rulewizard] at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java)
    13 November 2019
    API IJ20152 NETWORK ID FETCHED BY API '/ASSET_MODEL/ASSETS' AND 'CONFIG/NETWORK_HIERARCHY/NETWORKS' ARE DIFFERENT CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 (7.4.0.20200304205308)

    Workaround
    No workaround available.

    Issue
    It has been identified that the network id fetched by the API endpoint /asset_model/assets differs from the one fetched by /config/network_hierarchy/networks. This can produce unexpected or incorrect data being returned for queries using the API.
    17 October 2019
    DISK SPACE IJ20632 A QRADAR APP BACKUP SCRIPT CAN SOMETIMES FAIL CAUSING /STORE PARTITION FREE SPACE ISSUES CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)

    Workaround
    No workaround available.

    Issue
    It has been identified that in some instances the app-volume-backup.py does not clean up failed/incomplete backups. When this issue occurs, it is possible that the /store partition can fill.
    12 November 2019
    MANAGED HOST / ADD HOST IJ22140 ADD HOST CAN FAIL WITH PASSWORD DECODING ERROR CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 2 (7.3.3.20200208135728)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    The QRadar Add Host process can fail due to a password decoding issue that occurs during the Add Host process. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] java.lang.IllegalArgumentException: Last unit does not have enough valid bits
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at java.util.Base64$Decoder.decode0(Base64.java:745)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at java.util.Base64$Decoder.decode(Base64.java:537)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at java.util.Base64$Decoder.decode(Base64.java:560)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.ibm.si.mks.KeyStoreCrypto.decrypt(KeyStoreCrypto.java:98)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.ibm.si.mks.Crypto.decrypt(Crypto.java:55)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.frameworks.crypto.CryptoUtils.decrypt(CryptoUtils.java:46)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.frameworks.core.FrameworksContext.decrypt(FrameworksContext.java:1122)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.capabilities.AddHost.getPresenceCommand(AddHost.java:2143)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.capabilities.AddHost.executePresence(AddHost.java:2103)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.capabilities.AddHost.add(AddHost.java:1530)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.capabilities.AddHost.addManagedHost(AddHost.java:324)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.hostcontext.core.executor.AddHostExecutor.addManagedHost(AddHostExecutor.java:74)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.hostcontext.core.executor.AddHostExecutor.invoke(AddHostExecutor.java:51)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.hostcontext.core.requests.BaseHostRequest.invoke(BaseHostRequest.java:71)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.hostcontext.core.HostContextServices.messageReceived(HostContextServices.java:489)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.frameworks.events.jms.JMSMessageEvent.dispatchEvent(JMSMessageEvent.java:107)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchThread.run(SequentialEventDispatcher.java:129)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]Unable to add managed host. The ip of the host is: x.x.x.x
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] com.q1labs.configservices.hostcontext.core.HostContextServices: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]Error retrieving message
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] com.q1labs.configservices.hostcontext.exception.HostContextException: Could not get executor object com.q1labs.hostcontext.core.executor.AddHostExecutor
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.hostcontext.core.requests.BaseHostRequest.invoke(BaseHostRequest.java:76)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.hostcontext.core.HostContextServices.messageReceived(HostContextServices.java:489)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.frameworks.events.jms.JMSMessageEvent.dispatchEvent(JMSMessageEvent.java:107)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchThread.run(SequentialEventDispatcher.java:129)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] Caused by:
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] com.q1labs.configservices.hostcontext.exception.HostContextException: Command exited with non-zero value (4): add_host
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.hostcontext.core.executor.AddHostExecutor.addManagedHost(AddHostExecutor.java:80)
    17 January 2020
    ACCESS / USER LOG IN IJ21731 QRADAR USERS CAN BE UNABLE TO LOGIN TO THE USER INTERFACE WHEN MULTIPLE HOST LOCKS OCCUR AT THE SAME TIME CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 2 (7.3.3.20200208135728)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)

    Workaround
    A tomcat service restart on the QRadar console via an SSH connection can be performed to enable logins to be successful again when this issue occurs:
    systemctl restart tomcat
    NOTE: The QRadar user interface becomes available again after all required processes are running as expected.

    Issue
    QRadar users can be prevented from performing a successful login when the QRadar cleanup job for authentication fails to run as expected when multiple host locks occur at the same time.
    19 December 2019
    CUSTOM EVENT PROPERTIES IJ19261 JSON EXPRESSIONS CAN MATCH IN CUSTOM EVENT PROPERTY UI PAYLOAD TESTS BUT DO NOT MATCH ON RECEIVED EVENTS CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 2 (7.3.3.20200208135728)

    Workaround
    Ensure the correct expression is being used. Not all expressions that produce a result when using the test button in the QRadar User Interface provide the expected results when events are processed.

    Issue
    It has been identified that putting a "/" before the index doesn't invalidate the match when testing JSON expressions in the Custom Event Property UI (CEP). This can result in false positives in the CEP user interface (Admin > Data Sources > Custom Event Properties).

    For example:
    • Correct:
      /"object"[0]/"desiredPropertyName"
    • Incorrect:
      /"object"/[0]/"desiredPropertyName"
    In this example, the second expression includes an extra forward slash "/". The Custom Event Property interface generates a false positive match for it, which results in "N/A" being shown when an event is processed through the event pipeline.
    26 September 2019
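    As an added example that is not part of this page or of QRadar, a strict Python checker modelled on the two expressions above: it accepts only /"key" steps with optional [n] indexes attached to the key, so the extra-slash form is rejected instead of being reported as a match, and it evaluates the valid form against a constructed JSON payload. The grammar beyond those two expressions and the evaluate() helper are assumptions.

```python
import json
import re

# One path step in the form shown in IJ19261: a slash, a double-quoted key,
# then zero or more [n] array indexes attached to that key. The grammar
# beyond the two expressions in the entry is an assumption.
STEP = re.compile(r'/"((?:[^"\\]|\\.)*)"((?:\[\d+\])*)')


def parse_json_expression(expr):
    """Split an expression such as /"object"[0]/"desiredPropertyName" into
    (key, [indexes]) steps. Raises ValueError when any part does not fit the
    documented form, including a '/' followed by '[' instead of a quoted
    key, which is the extra-slash mistake described in the APAR."""
    steps = []
    pos = 0
    while pos < len(expr):
        m = STEP.match(expr, pos)
        if m is None:
            raise ValueError(
                "invalid JSON expression at offset %d: %r" % (pos, expr[pos:]))
        key = m.group(1).replace('\\"', '"')
        indexes = [int(n) for n in re.findall(r"\[(\d+)\]", m.group(2))]
        steps.append((key, indexes))
        pos = m.end()
    if not steps:
        raise ValueError("empty JSON expression")
    return steps


def is_valid_expression(expr):
    """True when the expression parses; the strict check a UI payload test
    should apply before it reports a match."""
    try:
        parse_json_expression(expr)
        return True
    except ValueError:
        return False


def evaluate(expr, payload):
    """Walk a decoded JSON payload along the expression. Returns None when
    the path does not exist, which is what the pipeline shows as N/A."""
    node = payload
    for key, indexes in parse_json_expression(expr):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
        for idx in indexes:
            if not isinstance(node, list) or idx >= len(node):
                return None
            node = node[idx]
    return node


# Constructed sample payload, not taken from the page.
SAMPLE_PAYLOAD = json.loads(
    '{"object": [{"desiredPropertyName": "first"},'
    ' {"desiredPropertyName": "second"}]}'
)

# The two expressions quoted in the entry.
CORRECT = '/"object"[0]/"desiredPropertyName"'
INCORRECT = '/"object"/[0]/"desiredPropertyName"'

if __name__ == "__main__":
    print(CORRECT, "->", evaluate(CORRECT, SAMPLE_PAYLOAD))
    print(INCORRECT, "valid?", is_valid_expression(INCORRECT))
```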
    HTTP INSPECTOR / QRADAR NETWORK INSIGHTS IJ20823 QRADAR NETWORK INSIGHTS (QNI) COREDUMP CAN OCCUR DUE TO HTTP INSPECTOR CLOSED Resolved in
    QRadar Network Insights 7.4.0 (7.4.0.20200304205308)
    QRadar Network Insights 7.3.3 Patch 2 (7.3.3.20200208135728)

    Workaround: No workaround available.

    Issue: It has been identified that the QRadar Network Insights (QNI) HTTP inspector component can cause QNI core dump instances in /store/jheap on the QNI appliance. QNI cannot process flow traffic as expected while the decapper service is not running.
    13 November 2019
    UPGRADE / HIGH AVAILABILITY (HA) IJ21673 HIGH AVAILABILITY (HA) CROSSOVER NO LONGER ENABLED AFTER PATCHING OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: Re-enable the crossover after the patching process is completed using the following command from an SSH session:
    /opt/qradar/ha/bin/qradar_nettune.pl crossover enable
    How to verify crossover status on HA: https://ibm.biz/BdqBSg

    Issue:
    After patching to QRadar 7.3.3, High Availability (HA) pairs configured with a crossover cable connection can have the crossover no longer enabled after the appliance reboot processes are complete.
    22 January 2020
    FLOWS IJ21657 'LAST PROXY IPV4' AND 'LAST PROXY IPV6' FLOW DATA IS NOT PARSED CORRECTLY CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    At QRadar version 7.3.2+, the "Last Proxy IPv4" and "Last Proxy IPv6" fields from flows are not properly parsed. When this occurs, new and previous searches configured to use that data no longer function as expected.
    19 December 2019
    DSM EDITOR IJ21643 DSM EDITOR PAGE 'EXPORT' BUTTON IS MISSING CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 2 (7.3.3.20200208135728)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    The DSM Editor page 'Export' button is missing after upgrading to QRadar 7.3.3 from 7.3.2 Patch 4 or later.
    20 December 2019
    DSM EDITOR IJ21610 DSM EDITOR USER INTERFACE REGEX VALIDATION CAN DIFFER FROM THE QRADAR PIPELINE CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 (7.4.0.20200304205308)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances or upgrade to the latest software version.

    Issue
    The DSM Editor User Interface and the Pipeline can sometimes disagree as to what constitutes a valid regex. This has been observed when a character that does not have any special meaning from a regex perspective is escaped unnecessarily. Example: username\=(\S+) <-- the = sign here does not need to be escaped, and while this would pass most regex engines, QRadar might consider it an invalid regex.
    18 December 2019
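    As an added example that is not from IBM or this page, a small Python pre-check for the situation above: it flags backslashes that escape characters with no regex meaning (such as the \= in the entry's pattern), strips them, and confirms with Python's re engine that the captures on a constructed sample event are unchanged. The metacharacter sets are the common Java/PCRE ones and are an assumption; this is not QRadar's validator.

```python
import re

# Characters with a special meaning outside a character class in the common
# Java/PCRE/Python dialects; escaping one of these is meaningful.
META_OUTSIDE_CLASS = set("\\^$.|?*+()[]{}")
# Inside [...] only these need a backslash to be taken literally.
META_INSIDE_CLASS = set("\\]^-[")


def find_redundant_escapes(pattern):
    """Return [(offset, char)] for every backslash in `pattern` that escapes a
    character with no special meaning at that position. A backslash before a
    letter or digit is an escape sequence (\\d, \\S, \\b, \\1) and is never
    reported. Assumes default (non-verbose) mode, so '#' and spaces are
    ordinary characters."""
    findings = []
    in_class = False
    i = 0
    n = len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\":
            if i + 1 >= n:
                break          # trailing backslash: left for the engine to reject
            nxt = pattern[i + 1]
            meta = META_INSIDE_CLASS if in_class else META_OUTSIDE_CLASS
            if nxt not in meta and not nxt.isalnum():
                findings.append((i, nxt))
            i += 2
            continue
        if c == "[" and not in_class:
            in_class = True
            i += 1
            if i < n and pattern[i] == "^":
                i += 1         # negated class
            if i < n and pattern[i] == "]":
                i += 1         # a leading ']' is a literal member, not the closer
            continue
        if c == "]" and in_class:
            in_class = False
        i += 1
    return findings


def strip_redundant_escapes(pattern):
    """Return `pattern` with every redundant backslash removed. Matching is
    unchanged because each escaped character was already a literal."""
    drop = {offset for offset, _ in find_redundant_escapes(pattern)}
    return "".join(ch for idx, ch in enumerate(pattern) if idx not in drop)


def captures_agree(original, cleaned, sample):
    """Compile both forms with Python's re (a lenient engine, like the ones
    the entry says accept the escape) and compare their capture groups on
    `sample`. Returns (agree, groups_from_cleaned)."""
    m1 = re.search(original, sample)
    m2 = re.search(cleaned, sample)
    g1 = m1.groups() if m1 else None
    g2 = m2.groups() if m2 else None
    return g1 == g2, g2


# Constructed sample event, not taken from the page.
SAMPLE_EVENT = "Oct 03 12:36:57 host01 app: login ok username=alice src=10.0.0.5"
# The pattern quoted in IJ21610, with its redundant escape before '='.
ENTRY_PATTERN = r"username\=(\S+)"

if __name__ == "__main__":
    for offset, ch in find_redundant_escapes(ENTRY_PATTERN):
        print("redundant escape of %r at offset %d" % (ch, offset))
    cleaned = strip_redundant_escapes(ENTRY_PATTERN)
    print("cleaned:", cleaned, captures_agree(ENTRY_PATTERN, cleaned, SAMPLE_EVENT))
```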
    INSTALL IJ21608 QRADAR SOFTWARE INSTALL CAN FAIL DUE TO PARTITION SIZE CHECK FAILURE CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    Install QRadar at an earlier version (example 7.3.1 Patch 5) and then patch up.

    Issue
    QRadar software installation on a boot disk (sda) smaller than the required minimum size fails with a message similar to:
    Initializing...
    Starting setup session in screen
    EULA accepted on Thu Jan  4 19:30:16 UTC 2018
    About to install QRadar version 7.3.0.20171205025101
    Install started on Thu Jan  4 19:30:17 UTC 2018 but was not completed.
    Attempting to continue...
    done.
    Checking that SELinux is disabled...
    OK: SELinux is disabled.
    Checking that system language is set to en_US.UTF-8...
    OK: System language is set to en_US.UTF-8
    Checking for minimum disk size...
    ERROR: Boot disk sda is only 32768 MiB but must be at least 78125 MiB.
    ERROR: This version does not support small drives. You must replace the drive before trying again.
    Press enter to close screen
    20 December 2019
    QRADAR RISK MANAGER / ADAPTER BACKUP IJ21606 QRADAR RISK MANAGER (QRM) DEVICE ADAPTER BACKUPS CAN FAIL WHEN STRICT SSH KEY EXCHANGE ALGORITHMS ARE EMPLOYED TO RESTRICT COMM CLOSED Resolved in
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)

    Workaround
    No workaround available.

    Issue
    QRadar Risk Manager (QRM) is unable to discover or back up devices when strict SSH key exchange algorithms are employed to restrict communication.

    "Couldn't agree a key exchange algorithm" is present on the Configuration Source Management's Backup Error Detail dialog, and if the backup was initiated on the Configuration Monitor screen, in the Recent Activity Adapter Backup log viewer.
    16 December 2019
    QRADAR VULNERABILITY INSIGHTS APP IJ21604 QRADAR VULNERABILITY INSIGHTS APP REPORT IN FAILED "ERROR" STATUS OPEN: Reported in QRadar Vulnerability Insights App v1.1.0 Workaround: Contact Support for a possible workaround that might address this issue in some instances.

    Issue:
    The QRadar Vulnerability Insights scan compare report can fail to generate, with only 'error' text being shown against the report in the User Interface, when the vulnerability critical details contain "::" characters.
    20 December 2019
    USER INTERFACE IJ21588 "TYPEERROR: DOMAPI.GETELM IS NOT A FUNCTION" WHEN ON THE QRADAR ADMIN TAB AND USING FIREFOX WEB BROWSER OPEN: Reported in QRadar 7.3.3 Workaround: No workaround available.

    Issue:
    It is possible that clicking on the Admin tab when you are already on the Admin tab will throw a Client exception with the message similar to:
    The following client exception occurred while handling the
    server response:
    {0}
    TypeError: domapi.getElm is not a function

    This has been observed on Firefox version 68.0.1 as well as Firefox version 71.0 on Windows 10.
    20 December 2019
    AQL CUSTOM PROPERTY / USER INTERFACE IJ21571 APPLICATION ERROR IN THE UI CAN BE GENERATED WHEN OPENING AN EVENT RETURNED FROM A SEARCH WITH AQL CUSTOM PROPERTY OPEN: Reported in QRadar 7.3.1 and later Workaround: No workaround available.

    Issue:
    An Application Error can be generated in the QRadar User Interface when opening an Event returned from a search containing an AQL Custom Property. This can occur when a backend exception is generated by an AQL Custom Property that results in a divide-by-zero occurrence. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails] Caused by:
    [tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails] java.lang.ArithmeticException: divide by zero
    [tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails]    at com.q1labs.ariel.ql.parser.ArithmeticFunctions$DivideLong.calculate(ArithmeticFunctions.java:352)
    [tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails]    at com.q1labs.ariel.ql.parser.ArithmeticFunctions$ArithmeticFunctionLong.calculate(ArithmeticFunctions.java:223)
    [tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails]    at com.q1labs.ariel.ql.parser.ArithmeticFunctions$ArithmeticFunctionLong.calculate(ArithmeticFunctions.java:205)
    [tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails]    at com.q1labs.ariel.ql.parser.ArithmeticFunction.calculateValue(ArithmeticFunctions.java:32)
    [tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails]    at com.q1labs.ariel.ql.parser.ArithmeticFunction.calculate(ArithmeticFunctions.java:39)
    [tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails]    at com.q1labs.ariel.ql.parser.ArithmeticFunction.calculate(ArithmeticFunctions.java:19)
    [tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails]    at com.q1labs.ariel.metadata.Metadata$ScalarFunctionBase.call(Metadata.java:71)
    [tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails]    ... 65 more
    [tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails] com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Root cause:
    [tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails] java.lang.ArithmeticException: divide by zero
    20 December 2019
    APPLICATION FRAMEWORK IJ21569 QRADAR APP BACKUPS CAN BE LEFT IN AN UNUSABLE STATE CLOSED Resolved in
    QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)

    Workaround
    No workaround available.

    Issue:
    QRadar Apps that are running can delete files from their /store/docker/volumes directory while the marathon backup script is running, creating unusable backups. The app backups will not be successful and leave an untarred directory for that day in the /store/backup/marathon directory. Messages similar to the following might be visible in QRadar logging when this issue occurs:
    Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: File "/usr/local/bin/marathon-volume-backup.py", line 365, in <module>
    Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: args.function(args)
    Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: File "/usr/local/bin/marathon-volume-backup.py", line 213, in backup_volumes
    Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: tar_dir(archive_path, host_path)
    Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: File "/usr/local/bin/marathon-volume-backup.py", line 315, in tar_dir
    Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: tar.add(source_dir)
    Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: File "/usr/lib64/python2.7/tarfile.py", line 1998, in add
    Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: recursive, exclude, filter)
    Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: File "/usr/lib64/python2.7/tarfile.py", line 1991, in add
    Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: self.addfile(tarinfo, f)
    Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: File "/usr/lib64/python2.7/tarfile.py", line 2020, in addfile
    Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: copyfileobj(fileobj, self.fileobj, tarinfo.size)
    Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: File "/usr/lib64/python2.7/tarfile.py", line 274, in copyfileobj
    Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: raise IOError("end of file reached")
    Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: IOError: end of file reached
    20 August 2020
    APPLICATION FRAMEWORK IJ21567 RESET OF QRADAR CERTIFICATES CAN FAIL WHEN QRADARCA-MONITOR SERVICE IS RUNNING AT THE SAME TIME CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    The reset-qradar-ca.sh script can fail to reset all certificates properly if it runs at the same time as the qradarca-monitor service.

    Messages similar to the following might be visible in /var/log/localca.log when this issue occurs:
    time="2019-10-03T12:36:57-04:00" level=debug msg="Start loading configurations from /opt/qradar/ca/conf.d/conman-server.json"
    time="2019-10-03T12:36:57-04:00" level=debug msg="Checking certificate /etc/conman/tls/conman_ca.crt expiration status for local host"
    time="2019-10-03T12:36:57-04:00" level=warning msg="Certificate /etc/conman/tls/conman_ca.crt was not found. Preparing to generate new certificate"
    time="2019-10-03T12:36:57-04:00" level=debug msg="Certificate /etc/conman/tls/conman_ca.crt is close to expire. Regenerate the certificate"
    time="2019-10-03T12:36:57-04:00" level=debug msg="Regenerating dependent certificate id=4, type=intermediate, file=/etc/conman/tls/conman_ca.crt, cfg=/opt/qradar/ca/conf.d/conman-server.json"
    time="2019-10-03T12:36:57-04:00" level=debug msg="Start loading configurations from /opt/qradar/ca/conf.d/conman-server.json"
    time="2019-10-03T12:36:57-04:00" level=info msg="Setup intermediate CA for service conman"
    time="2019-10-03T12:37:00-04:00" level=debug msg="127.0.0.1-> {fqdn}" action=command
    time="2019-10-03T12:37:00-04:00" level=debug msg="Appliance Type: 4000\tProduct Version: 7.3.2.20190522204210" action=command
    time="2019-10-03T12:37:00-04:00" level=debug msg=" 12:36:56 up 83 days,  1:43,  0 users,  load average: 2.33, 2.35, 2.19" action=command
    time="2019-10-03T12:37:00-04:00" level=debug msg=------------------------------------------------------------------------ action=command
    time="2019-10-03T12:37:00-04:00" level=debug action=command
    time="2019-10-03T12:37:00-04:00" level=info msg="Setup CSR /etc/vault-qrd/tls/vault-qrd.csr for service vault-qrd under host IP ADDRESS"
    time="2019-10-03T12:37:01-04:00" level=debug msg="INFO: Retrieving /etc/vault-qrd/tls/vault-qrd.csr from each server, will be placed in separate from-x.x.x.x directories under /opt/qradar/ca/certs" action=pull
    time="2019-10-03T12:37:01-04:00" level=debug action=pull
    time="2019-10-03T12:37:01-04:00" level=debug msg="IP ADDRESS" -> xxxxxxx.xxxxxx.com" action=pull
    time="2019-10-03T12:37:01-04:00" level=debug msg="Appliance Type: 1400\tProduct Version: 7.3.2.20190522204210" action=pull
    time="2019-10-03T12:37:01-04:00" level=debug msg=" 12:37:00 up 83 days, 14:38,  0 users,  load average: 2.45, 2.48, 2.57" action=pull
    time="2019-10-03T12:37:01-04:00" level=warning msg="CSR path /opt/qradar/ca/certs/from-IPADDRESS/vault-qrd.csr does not exist"
    time="2019-10-03T12:37:01-04:00" level=debug msg=------------------------------------------------------------------------ action=pull
    time="2019-10-03T12:37:01-04:00" level=debug msg="rsync: change_dir \"/etc/vault-qrd/tls\" failed: No such file or directory (2)" action=pull
    time="2019-10-03T12:37:01-04:00" level=debug msg="rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1650) [Receiver=3.1.2]" action=pull
    time="2019-10-03T12:37:01-04:00" level=debug msg="rsync: [Receiver] write error: Broken pipe (32)" action=pull
    time="2019-10-03T12:37:01-04:00" level=debug action=pull
    time="2019-10-03T12:37:01-04:00" level=info msg="Run command /opt/ibm/si/vault-qrd/bin/tls-certs-updated.sh"
    time="2019-10-03T12:37:04-04:00" level=error msg="Failed to generate intermediate CA for service conman" error="exit status 1"
    time="2019-10-03T12:37:04-04:00" level=error msg="Failed to regenerate the intermediate certificate /etc/conman/tls/conman_ca.crt"
    And in /var/log/setup-xxx/configure-qradar-ca.log:
    [configure-qradar-ca.sh] [RunAndLog] /opt/qradar/bin/si-vault write -format=json conman-int-pki/intermediate/generate/exported common_name="CONMAN-CA" ttl=26280h key_bits=4096 exclude_cn_from_sans=true > /tmp/tmp.xxxxxxx
    [configure-qradar-ca.sh] Export intermediate CA key file to /var/tmp/qradar_int.key
    [configure-qradar-ca.sh] [RunAndLog] /opt/qradar/bin/si-vault write -format=json qradar-pki/root/sign-intermediate csr="@/var/tmp/qradar_int.csr" common_name="CONMAN-CA" ttl=26280h > /tmp/tmp.33wItN4riu
    Error writing data to qradar-pki/root/sign-intermediate: Error making API request.
    20 December 2019
    INSTALL / PRE-CHECK IJ21518 QRADAR NETWORK INSIGHTS (QNI) INSTALLATIONS CAN FAIL AT STORAGE PRE-CHECK CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    If you are unable to upgrade to QRadar 7.4.1 Fix Pack 2, you can contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that QRadar Network Insights (QNI) installations can fail at storage pre-check for one or more reasons.
    1. Large databases being replicated to the QNI managed host
    2. Coredumps
    3. QNI appliances having only 200 GB or 240 GB of storage
    4. 7.3.2 fresh install environments have 32GB in the /recovery partition which decreases the size of /store
    16 November 2020
    USERS / RULES IJ21487 RULE FIRING FALSE POSITIVE/NEGATIVE CAN OCCUR DUE TO A RULE WITH A USER THAT NO LONGER EXISTS IN THE DEPLOYMENT OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: Contact Support for a possible workaround that might address this issue in some instances.

    Issue:
    It has been identified that rules are not loaded properly when the user who created them (the origin user) no longer exists in the QRadar deployment. This has been observed after Content Management Tool (CMT) imports, because CMT allows data to be imported even if the referenced user does not exist.

    False positive/negative rule firing can be experienced when this issue occurs. Messages similar to the following might be visible in /var/log/qradar.log:
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338] com.ibm.si.ariel.aql.metadata.exceptions.InsufficientUserCapabilitiesException: User "xxxxx@domain.com" does not have required capabilities to access catalog "events"
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at com.ibm.si.ariel.aql.metadata.MetadataFactory.createUserCatalog(MetadataFactory.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at com.ibm.si.ariel.aql.metadata.MetadataFactory.getCatalogByName(MetadataFactory.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at com.q1labs.ariel.ql.parser.Parser.getMetadata(Parser.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at com.q1labs.ariel.ql.parser.Parser.getMetadata(Parser.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at com.q1labs.ariel.protocol.ClientData.initColumns(ClientData.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at com.q1labs.ariel.protocol.SearchAlias.clientData(SearchAlias.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at com.q1labs.ariel.searches.tasks.Result.resultForAlias(Result.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at com.q1labs.ariel.protocol.SearchAlias.result(SearchAlias.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at com.q1labs.ariel.searches.AccessManager.updateResult(AccessManager.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at com.q1labs.ariel.searches.AccessManager.findQueryResult(AccessManager.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at com.q1labs.ariel.ConnectedClient.findQueryResult(ConnectedClient.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at com.q1labs.ariel.ConnectedClient.findQueryResult(ConnectedClient.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at java.lang.Thread.run(Thread.java)
    16 December 2019
    API / QRADAR VULNERABILITY MANAGER IJ21464 QRADAR VULNERABILITY MANAGER (QVM) API THROWS ILLEGAL ARGUMENT EXCEPTION WHEN REQUESTING VULNERABILITIES THAT HAVE A RISK OF 'CRITICAL' OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: Exception all Critical vulnerabilities in QVM or remove the critical vulnerabilities from the asset view.

    Issue:
    It has been identified that the QVM Vulninstance API throws an IllegalArgumentException when the vulnerability information requested includes vulnerabilities with a risk of Critical. The vulnerability content could have come from a third-party scanner or from using the vulnerability triage feature in QVM to change the risk of some vulnerabilities to Critical. This affects apps such as QRadar Vulnerability Insights (QVI) that query vulnerabilities through the API, and any other integrations that use the QVM Vulninstance API. The QVI app data sync reports errors and the dashboard shows zero counts.

    Messages similar to the following might be visible in /var/log/qradar.error when an API call is made:
    [tomcat.tomcat] [pool-1-thread-1] java.lang.IllegalArgumentException: Invalid RiskFactor name: Critical
    [tomcat.tomcat] [pool-1-thread-1]    at com.q1labs.assetprofile.api.r1_2017.pojo.RiskFactorDTO.forName(RiskFactorDTO.java)
    [tomcat.tomcat] [pool-1-thread-1]    at com.q1labs.assetprofile.api.r1_2017.R1_2017VulnInstanceDTOAdapter.doConvert(R1_2017VulnInstanceDTOAdapter.java)
    [tomcat.tomcat] [pool-1-thread-1]    at com.q1labs.assetprofile.api.vulninstance.common.AbstractVulnInstanceDTOAdapter.dtoConvert(AbstractVulnInstanceDTOAdapter.java)
    [tomcat.tomcat] [pool-1-thread-1]    at com.q1labs.assetprofile.api.vulninstance.common.VulninstancesAPITask.runTask(VulninstancesAPITask.java)
    [tomcat.tomcat] [pool-1-thread-1]    at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java)
    [tomcat.tomcat] [pool-1-thread-1]    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java)
    [tomcat.tomcat] [pool-1-thread-1]    at java.util.concurrent.FutureTask.run(FutureTask.java)
    [tomcat.tomcat] [pool-1-thread-1]    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java)
    [tomcat.tomcat] [pool-1-thread-1]    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java)
    [tomcat.tomcat] [pool-1-thread-1]    at java.lang.Thread.run(Thread.java)
    06 December 2019
    OFFENSES IJ21461 DUPLICATE OFFENSE RULE RESPONSE CAN OCCUR 30 MINUTES AFTER INITIAL OFFENSE TRIGGERING OPEN: Reported in QRadar 7.3.1 Patch 5 and later Workaround: No workaround available.

    Issue:
    It has been identified that a duplicate Offense Rule response can sometimes unexpectedly occur 30 minutes after the initial Offense Rule response occurs.

    For example, a duplicate (second) e-mail response is received for a single offense update 30 minutes after the first one, even though nothing in the offense changed (no second event caused offense generation). In this example, the second e-mail response is a false positive.
    11 December 2019
    ROUTING RULES / EVENT FORWARDING IJ21459 ONLINE AND OFFLINE TCP SELECTIVE FORWARDING CAN LOSE AN EVENT DURING A CONNECTION RESET CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround: No workaround available.

    Issue:
    It has been identified that online and offline TCP selective forwarding can lose an event if the connection is reset at the remote end, because QRadar treats the event as received.
    16 December 2019
    CONTENT MANAGEMENT TOOL (CMT) IJ21456 CONTENT MANAGEMENT TOOL IMPORT CONTAINING A DELETED/DISABLED BULK ADD LOG SOURCE CAN FAIL CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 2 (7.3.3.20200208135728)

    Workaround
    No workaround available.

    Issue
    It has been identified that a Content Management Tool (CMT) import with a deleted/disabled Bulk Add log source can fail with a null pointer exception. The following two conditions must be met:
    1. A deleted log source is the first among the log sources with the same bulk_added_id.
    2. The target system has at least one bulk group in the sensordevicebulkadd PostgreSQL table whose bulk_group_name is the same as the bulk group name of the imported log source.
    Messages such as the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [] com.ibm.si.content_management.ContentCustom: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to apply custom logic.
    [tomcat.tomcat] java.lang.NullPointerException
    [tomcat.tomcat]   at com.ibm.si.content_management.ContentCustom.importSensorDevice(ContentCustom.java)
    [tomcat.tomcat]   at com.ibm.si.content_management.ContentCustom.importCustom(ContentCustom.java)
    [tomcat.tomcat]   at com.ibm.si.content_management.Content.importCustomContent(Content.java)
    [tomcat.tomcat]   at com.ibm.si.content_management.ContentManager.importContent(ContentManager.java)
    [tomcat.tomcat]   at com.ibm.si.content_management.ContentManager.doImport(ContentManager.java)
    09 December 2019
    APPLICATION FRAMEWORK IJ21454 ERROR "SSL.CERTIFICATEERROR: HOSTNAME '{IPADDRESS}' DOESN'T MATCH '{FQDN}'" WHEN APP-VOLUME-BACKUP.PY SCRIPT RUNS OPEN: Reported in QRadar 7.3.2 Patch 2 versions Workaround: Contact Support for a possible workaround that might address this issue in some instances.

    Issue:
    It has been identified that the app-volume-backup.py backup script can fail with an error similar to:
    ssl.CertificateError: hostname '{IP Address}' doesn't match '{FQDN}'.

    When this issue occurs, QRadar App data backups do not complete successfully.

    This occurs when the script connects by IP address but that IP address is not included in the Subject Alternative Name (SAN) of the customer's certificate, so hostname verification fails.
    16 December 2019
    REFERENCE SETS IJ21446 REFERENCE SETS INCORRECTLY DISPLAY " 0 " IN 'NUMBER OF ELEMENTS' AND 'ASSOCIATED RULES' OPEN: Reported in QRadar 7.3.2 versions Workaround: Add a value (then remove it, if desired) to the Reference Set(s). This should repair the reference set tables involved and display the proper number of elements or rules associated.

    Issue:
    It has been identified that the "Associated Rules" column and the "Number of Elements" column in the Reference Set Management user interface can sometimes display " 0 " when there are rules and/or elements associated with the Reference Set.
    13 December 2019
    REPORTS IJ21445 'APPLICATION ERROR' WHEN MODIFYING REPORTS CREATED BY A DIFFERENT USER OR ASSIGNING REPORT TO A NEW GROUP CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 2 (7.3.3.20200208135728)

    Workaround
    Either modify the report as the original user who created it without adding new groups, or, while modifying the report, unassign it from all existing groups.

    Issue
    It has been identified that an "Application Error" can be generated when clicking the "Finish" button during modification of a report in certain scenarios. The error occurs when the report has a VirtualViewReferenceID associated with it and either of the following applies:
    1. The report was created by a different user, and the current user is modifying it for the first time.
    2. The current user is trying to assign the report to a new group.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [ /console/do/reportwizard] com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR] Chained SQL Exception [1/1]: You can't operate on a closed Statement!!!
    [tomcat.tomcat] [ /console/do/reportwizard] com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR] [NOT:0000003000][-/- -]An exception occurred while processing the request:
    [tomcat.tomcat] [ /console/do/reportwizard] java.sql.SQLException: You can't operate on a closed Statement!!!
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.mchange.v2.sql.SqlUtils.toSQLException(SqlUtils.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.mchange.v2.sql.SqlUtils.toSQLException(SqlUtils.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.setString(NewProxyPreparedStatement.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator$LoggingConnection$LoggingPreparedStatement.setString(LoggingConnectionDecorator.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.frameworks.session.PreparedStatementWrapper.setString(PreparedStatementWrapper.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.core.shared.group.FgroupTypeFactory.assignItemsToGroups(FgroupTypeFactory.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.reports.ui.util.ReportGroupFactory.assignItemsToGroups(ReportGroupFactory.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.reports.ui.action.ReportWizard.generateReport(ReportWizard.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.reports.ui.action.ReportWizard.fetchPageToDisplay(ReportWizard.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.reports.ui.action.ReportWizard.executeAction(ReportWizard.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.uiframeworks.actions.WizardAction.execute(WizardAction.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.uiframeworks.action.RequestProcessor.processActionPerform(RequestProcessor.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.struts.action.ActionServlet.process(ActionServlet.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.uiframeworks.action.ActionServlet.process(ActionServlet.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at javax.servlet.http.HttpServlet.service(HttpServlet.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at javax.servlet.http.HttpServlet.service(HttpServlet.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.uiframeworks.postauthredirect.PostLoginRedirectFilter.doFilter(PostLoginRedirectFilter.java:70)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.uiframeworks.valve.ErrorReportValve.invoke(ErrorReportValve.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at java.lang.Thread.run(Thread.java)
    [tomcat.tomcat] [ /console/do/reportwizard] Caused by:
    [tomcat.tomcat] [ /console/do/reportwizard] java.lang.NullPointerException
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.maybeDirtyTransaction(NewProxyPreparedStatement.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.setString(NewProxyPreparedStatement.java:961)
    [tomcat.tomcat] [ /console/do/reportwizard]    ... 74 more
    [tomcat.tomcat] [ /console/do/reportwizard] com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Root cause:
    [tomcat.tomcat] [ /console/do/reportwizard] java.lang.NullPointerException
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.maybeDirtyTransaction(NewProxyPreparedStatement.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.setString(NewProxyPreparedStatement.java:961)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator$LoggingConnection$LoggingPreparedStatement.setString(LoggingConnectionDecorator.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.frameworks.session.PreparedStatementWrapper.setString(PreparedStatementWrapper.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.core.shared.group.FgroupTypeFactory.assignItemsToGroups(FgroupTypeFactory.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.reports.ui.util.ReportGroupFactory.assignItemsToGroups(ReportGroupFactory.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.reports.ui.action.ReportWizard.generateReport(ReportWizard.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.reports.ui.action.ReportWizard.fetchPageToDisplay(ReportWizard.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.reports.ui.action.ReportWizard.executeAction(ReportWizard.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.uiframeworks.actions.WizardAction.execute(WizardAction.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.uiframeworks.action.RequestProcessor.processActionPerform(RequestProcessor.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.struts.action.ActionServlet.process(ActionServlet.java)
    06 December 2019
    RULES IJ21420 QRADAR DEPENDENCY CHECKER SOMETIMES DOES NOT FIND DEPENDENT RULES OR BUILDING BLOCKS OPEN: Reported in multiple QRadar versions Workaround: Create a new rule test that includes the building block not being picked up by the QRadar dependency checker.

    Issue:
    It has been identified that the QRadar dependency checker does not find rules or building blocks referenced in a system rule if a newly created building block is added to an existing rule test (instead of to a new rule test). For example:
    1. Create a building block.
    2. Have a system rule that uses a rule test that references other rules (e.g. Multiple Failed Logins to a Compliance Asset).
    3. Using that example rule, click on the rule test that references other building blocks and add the building block created in step 1. Save it.
    4. Go to the building block and try to delete it. View the rule dependents.

      Results
    • Actual: The dependency checker does not include the Multiple Failed Logins to a Compliance Asset rule.
    • Desired: The dependency checker also includes the Multiple Failed Logins to a Compliance Asset rule.
    16 December 2019
    RULES IJ21352 RULE NAMES IN 'LIST OF RULES CONTRIBUTING TO OFFENSE' CAN BE INCORRECT OPEN: Reported in multiple QRadar versions Workaround: Close the original offense after modifying the rule name. The next time the rule is triggered it creates a new offense that has the updated rule name in the list.

    Note: The offense name might be different based on what option for offense naming is chosen in the Rule Wizard.

    Issue:
    It has been identified that in some instances Rule Names in "List of Rules Contributing to Offense" are incorrect. For example:
    1. Have a rule that creates an offense.
    2. Trigger the rule for the first time to create an offense.
    3. Edit the rule name.
    4. When the rule is triggered again, the rule name in the "List of Rules Contributing to Offense" page displays the old rule name.
    13 December 2019
    ROUTING RULES IJ21347 ROUTING RULES CAN FAIL TO WORK AS EXPECTED WHEN A HUNG THREAD DOES NOT RESTART AS EXPECTED OPEN: Reported in QRadar 7.3.1 Patch 8 Workaround
    From SSH command line session, restart the ecs-ec service manually using the following command:
    systemctl restart ecs-ec


    Issue
    It has been identified that in some instances an RPC call from the event collection service can fail to restart as expected. When this issue is occurring, routing rules can fail to work as expected until the ecs-ec service is restarted successfully. Messages similar to the following might be visible in QRadar logging when this issue occurs:
    "87393acc-aa0a-4cd2-97da-6c6a8a65454f/SequentialEventDispatcher" Id=83 in BLOCKED on lock=java.util.HashMap@8607f58e
         owned by SelectiveForwardingStatisticsReportingTimer Id=89
        at com.q1labs.semsources.selectiveforwarding.SelectiveForwardingCommunicator.notifyStatisticsUpdated(SelectiveForwardingCommunicator.java:268)
        at com.q1labs.core.shared.selectiveforwardingset.SelectiveForwardingSetCache.notifyDestinationChangeListener(SelectiveForwardingSetCache.java:591)
        at com.q1labs.core.shared.selectiveforwardingset.SelectiveForwardingSetCache.messageReceived(SelectiveForwardingSetCache.java)
        at com.q1labs.frameworks.events.jms.JMSMessageEvent.dispatchEvent(JMSMessageEvent.java)
        at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchThread.run(SequentialEventDispatcher.java:129)
    "SelectiveForwardingStatisticsReportingTimer" Id=89 in RUNNABLE (running in native)
        at java.net.SocketInputStream.socketRead0(Native Method)
        at java.net.SocketInputStream.socketRead(SocketInputStream.java)
        at java.net.SocketInputStream.read(SocketInputStream.java)
        at java.net.SocketInputStream.read(SocketInputStream.java)
        at com.ibm.jsse2.b.a(b.java:262)
        at com.ibm.jsse2.b.a(b.java:33)
        at com.ibm.jsse2.av.a(av.java:579)
          - locked java.lang.Object@47749733
        at com.ibm.jsse2.av.i(av.java:574)
          - locked java.lang.Object@91bc8eee
        at com.ibm.jsse2.av.a(av.java:280)
        at com.ibm.jsse2.av.startHandshake(av.java:431)
        at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java)
        at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java)
        at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java)
          - locked com.ibm.net.ssl.www2.protocol.https.e@93c90c60
        at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java)
          - locked com.ibm.net.ssl.www2.protocol.https.e@93c90c60
        at com.ibm.net.ssl.www2.protocol.https.b.getOutputStream(b.java)
          - locked com.ibm.net.ssl.www2.protocol.https.b@2111733
        at com.q1labs.core.shared.jsonrpc.RPC.executeMethod(RPC.java)
        at com.q1labs.core.shared.jsonrpc.RPC.executeMethod(RPC.java)
        at com.q1labs.core.shared.jsonrpc.RPC.executeMethodWithTimeout(RPC.java)
        at com.q1labs.core.shared.jsonrpc.RPC.executeMethod(RPC.java)
        at com.q1labs.semsources.selectiveforwarding.SelectiveForwardingCommunicator.reportStats(SelectiveForwardingCommunicator.java)
          - locked java.util.HashMap@8607f58e
        at com.q1labs.semsources.selectiveforwarding.SelectiveForwardingCommunicator$1.run(SelectiveForwardingCommunicator.java)
        at java.util.TimerThread.mainLoop(Timer.java)
        at java.util.TimerThread.run(Timer.java)
    13 December 2019
    LOG SOURCE GROUPS IJ21333 UNABLE TO DELETE LOG SOURCE GROUP DUE TO FAILED DEPENDENCY CHECK OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: Contact Support for a possible workaround that might address this issue in some instances.

    Issue:
    It has been identified that in some instances Log Source groups cannot be deleted because the dependency check fails on a customviewparams entry (SELECTIVE_FORWARDING-events-xxx) that uses the arielsearchlite class. This customviewparams entry does not have a proper database name structure.

    Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
    [tomcat.tomcat] [pool-1-thread-5] com.q1labs.core.shared.datadeletion.LogSourceGroupDeletion: [ERROR] [NOT:0000003000][xxx.xxx.xxx.xxx/- -] [-/- -]Error while getting Saved Search dependents for this Log Source Group: 104460
    [tomcat.tomcat] [pool-1-thread-5] java.lang.RuntimeException: java.lang.RuntimeException: Could not locate the configuration for ariel database null
    [tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java:682)
    [tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java:369)
    [tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java:363)
    [tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java:358)
    [tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java:353)
    [tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.datadeletion.LogSourceGroupDeletion.getArielSavedSearchDependentsByGroupId(LogSourceGroupDeletion.java)
    [tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.datadeletion.LogSourceGroupDeletion.getUsage(LogSourceGroupDeletion.java:58)
    [tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.datadeletion.task.FindDependentsTask.getActualUsage(FindDependentsTask.java:291)
    [tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.datadeletion.task.FindDependentsTask.getChildUsage(FindDependentsTask.java:212)
    [tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.datadeletion.task.FindDependentsTask.getDefaultUsage(FindDependentsTask.java:169)
    [tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.datadeletion.task.FindDependentsTask.runTask(FindDependentsTask.java:122)
    [tomcat.tomcat] [pool-1-thread-5]    at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108)
    [tomcat.tomcat] [pool-1-thread-5]    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522)
    [tomcat.tomcat] [pool-1-thread-5]    at java.util.concurrent.FutureTask.run(FutureTask.java:277)
    [tomcat.tomcat] [pool-1-thread-5]    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
    [tomcat.tomcat] [pool-1-thread-5]    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    [tomcat.tomcat] [pool-1-thread-5]    at java.lang.Thread.run(Thread.java:812)
    [tomcat.tomcat] [pool-1-thread-5] Caused by:
    [tomcat.tomcat] [pool-1-thread-5] java.lang.RuntimeException: Could not locate the configuration for ariel database null
    [tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.ariel.ArielUtils.getProperties(ArielUtils.java:713)
    [tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.ariel.ArielSearchLite.loadProperties(ArielSearchLite.java:897)
    [tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java:385)
    [tomcat.tomcat] [pool-1-thread-5]    ... 16 more
    10 December 2019
    AQL IJ21332 AQL SEARCHES RETURNING INCORRECT RESULTS DUE TO CONVERT TO AQL NOT ADDING PERCENT ( % ) SYMBOL IN ILIKE STATEMENTS CLOSED Resolved in
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround
    No workaround available.

    Issue:
    It has been identified that Convert to AQL does not add the percent ( % ) symbol in ILIKE statements, causing searches to return incorrect or no results in an Advanced Search (AQL). The same searches performed in the QRadar user interface work as expected.
    03 May 2021
    DEPLOY CHANGES IJ21674 'DEPLOY' FUNCTION CAN FAIL AFTER A CONFIGURATION RESTORE IS PERFORMED CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
    QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

    Workaround
    If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue.

    Issue:
    QRadar "deploy" function can fail after a configuration restore has been performed.

    These instances of "deploy" failure occur due to missing bandwidth_egress_filter database table entries during the restore process.

    Messages similar to the following might be visible in QRadar logging when this issue occurs:
    com.q1labs.frameworks.exceptions.FrameworksException: Failed to get next filter ID for hostID=677 and wildcard device
      at com.q1labs.core.shared.bm.BandwidthConfigurationUtilities.updateBMForAQSDeployment(BandwidthConfigurationUtilities.java:155)
      at com.q1labs.configservices.config.globalset.ibm.BandwidthManagerTransformer.updateDeploymentAQSConfig(BandwidthManagerTransformer.java:110)
      ... 80 more
    Caused by:
    com.q1labs.frameworks.exceptions.FrameworksException: Failed to execute query for next valid class ID
      at com.q1labs.core.shared.bm.BandwidthConfigurationUtilities.getNextValidFilterID(BandwidthConfigurationUtilities.java:942)
      at com.q1labs.core.shared.bm.BandwidthConfigurationUtilities.updateBMForAQSDeployment(BandwidthConfigurationUtilities.java:151)
      ... 81 more
    Caused by:
    {openjpa-2.4.3-r422266:1833086 nonfatal user error} org.apache.openjpa.persistence.ArgumentException: Cannot load object with id "com.q1labs.core.dao.bm.BandwidthEgressFilter-com.q1labs.core.dao.bm.BandwidthEgressFilterCompKey@b055f". Instance "com.q1labs.core.dao.bm.BandwidthEgressFilter@31a91e2c" with the same id already exists in the L1 cache. This can occur when you assign an existing id to a new instance, and before flushing attempt to load the existing instance for that id.
    12 April 2021
    AQL IJ21676 QRADAR ERROR WHEN ATTEMPTING TO EXECUTE A LONG AQL QUERY OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: The problem can be avoided by reducing the length of the search criteria used (e.g. reduce the number of "or" clauses).

    Issue:
    A QRadar error can occur when executing a long AQL query: an 'Application Error' can be generated in the QRadar User Interface when the AQL is executed there, and an error can be returned when the same query is executed through the API.

    Messages similar to the following might be visible in /var/log/httpd/error.log when this issue occurs:
    [proxy_ajp:error] [pid 4251] ajp_msg_append_cvt_string(): BufferOverflowException 4 631
    22 January 2020
    RULES / APP CONTENT EXTENSIONS IJ21677 MODIFIED RULES FROM INSTALLED CONTENT PACK AND THEN UNINSTALLING CONTENT PACK CAUSES NULLPOINTEREXCEPTION OPEN: Reported in QRadar 7.3.2 Patch 3 and later Workaround: Contact Support for a possible workaround that might address this issue in some instances.

    Issue:
    Modifying rules that were installed by a content pack, and then uninstalling that content pack, can result in NullPointerExceptions. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ep.ecs-ep] [Thread-127] com.q1labs.core.dao.cre.CustomRule: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error while unmarshalling rule id 500 from DB table custom_rule
    [ecs-ep.ecs-ep] [Thread-127] java.lang.NullPointerException
    [ecs-ep.ecs-ep] [Thread-127]    at com.q1labs.core.dao.cre.CustomRule.getRule(CustomRule.java:299)
    [ecs-ep.ecs-ep] [Thread-127]    at com.q1labs.core.shared.cre.CREServices.getCustomRules(CREServices.java:1955)
    [ecs-ep.ecs-ep] [Thread-127]    at com.q1labs.core.shared.cre.CREServices.getCustomRules(CREServices.java:1974)
    [ecs-ep.ecs-ep] [Thread-127]    at com.q1labs.core.shared.cre.CREServices.getAllFlowAndEventRules(CREServices.java:1801)
    [ecs-ep.ecs-ep] [Thread-127]    at com.q1labs.semsources.cre.CustomRuleReader.readRules(CustomRuleReader.java:332)
    [ecs-ep.ecs-ep] [Thread-127]    at com.q1labs.semsources.cre.CustomRuleReader.run(CustomRuleReader.java:225)
    02 January 2020
    SEARCH IJ21678 ARIEL SEARCHES IN QRADAR CAN TAKE LONGER THAN EXPECTED TO COMPLETE WHEN USING A LOG SOURCE TYPE FILTER OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: Contact Support for assistance in identifying if this issue is the cause of slow searches when using Log Source type filters.

    Issue:
    Searches can take longer than expected to complete when a Log Source type filter is used in an Ariel search. This has been identified as being caused by the ariel process becoming single-threaded in some instances.
    02 January 2020
    UPGRADE / APP FRAMEWORK IJ21697 DOCKER CAN FAIL TO START DURING QRADAR PATCHING PROCESSES CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

    Issue:
    In some instances, Docker can fail to start during the QRadar upgrade processes. When this occurs, QRadar Apps cannot be used or installed until the issue with Docker is corrected.
    02 January 2020
    DECAPPER / SYSTEM IJ21698 QRADAR NETWORK INSIGHTS (QNI) DECAPPER CAN CRASH AND GENERATE A COREDUMP CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

    Workaround
    No workaround available.

    Issue
    The QRadar Network Insights (QNI) decapper can crash and generate a coredump. These particular decapper coredump instances are related to a DTLS error. Support can analyze the coredump that is generated to further determine if this is the issue affecting the QNI decapper. Messages similar to the following might be visible in /var/log/messages and /var/log/qradar.log when this issue occurs:

    Example from messages log file where multiple core dump messages appear:
    [578]: Process 5298 (decapper) of user 99 killed by SIGABRT - dumping core
    [691]: Process 8687 (decapper) of user 99 killed by SIGABRT - dumping core
    [351]: Process 5846 (decapper) of user 99 killed by SIGABRT - dumping core
    [466]: Process 4250 (decapper) of user 99 killed by SIGABRT - dumping core
    [830]: Process 4891 (decapper) of user 99 killed by SIGABRT - dumping core
    [649]: Process 4823 (decapper) of user 99 killed by SIGABRT - dumping core
    [868]: Process 6960 (decapper) of user 99 killed by SIGABRT - dumping core
    [450]: Process 7803 (decapper) of user 99 killed by SIGABRT - dumping core
    [995]: Process 9482 (decapper) of user 99 killed by SIGABRT - dumping core

    Example from qradar.log:
    decapper - INFO - rtf for rtf0 died - return code: -6
    decapper - INFO - Started rtf process for case rtf0
    decapper: [main] decapper.keybag: [INFO] Reading keybag configuration......
    decapper: [main] decapper.APPID: [INFO] Reading signature file....
    decapper: [main] decapper.yara: [INFO] YaraRules: Reading rule file......
    decapper: [main] decapper.yara: [WARN] YaraRules: Config file is empty.
    decapper: [main] decapper: [INFO] rtf0: Processing napatech
    [hostcontext.hostcontext] [Server Host Status Processor] com.q1labs.configservices.controller.ServerHostStatusUpdater: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Sent update status of host 127.0.0.1 to ACTIVE
    decapper: [] decapper.capture: [INFO] rtf1: [1] Packet Capture Stats 60 sec: (Read: Packets(1938480, 32297/sec), Octets(909349284, 15150791/sec)) (Dropped: Packets(0, 0/sec), Octets(0, 0/sec))
    decapper: [] decapper.capture: [INFO] rtf1: [1] Content Scan Stats 60 sec: Requests(8873, 147/sec) Throttled(0, 0/sec) Filtered(2, 0/sec)
    decapper: [] decapper.capture: [INFO] rtf1: [1] Flow Report Stats 60 sec: Std(33000, 549/sec, 10406 unique) Content(32041, 533/sec) Dropped(0, 0/sec)
    02 January 2020
    API IJ22370 TRAFFICANALYSIS API IN QRADAR CAN GENERATE ERROR 'CODE: 500 MESSAGE: UNEXPECTED INTERNAL SERVER ERROR' CLOSED Resolved in QRadar 7.4.0 (7.4.0.20200304205308)

    Workaround: No workaround available.

    Issue: The QRadar TrafficAnalysis API can fail with an error similar to {"http_response": {"code": 500, "message": "Unexpected internal server error"}, "code": 1020, "description": "An error occurred during the attempt to update the Autodetection Config Record.", "details": {}, "message": "An error occured while trying to update the Autodetection Config Record with id: 513"}

    Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
    [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43] Caused by:
    [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43] java.lang.IllegalArgumentException: Parameter position 1 is not declared in query "select MIN(a.taOrder) from TrafficAnalysisConfigRecord a where a.taOrder > 10000 and 0 = (select COUNT(b) from TrafficAnalysisConfigRecord b where b.taOrder = a.taOrder + 1)". Declared parameter keys are "[]".
    [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43]    at org.apache.openjpa.persistence.AbstractQuery.getParameter(AbstractQuery.java)
    [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43]    at org.apache.openjpa.persistence.AbstractQuery.setParameter(AbstractQuery.java)
    [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43]    at org.apache.openjpa.persistence.AbstractQuery.setParameter(AbstractQuery.java)
    [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43]    at com.q1labs.frameworks.session.JPASessionDelegate.namedQueryForSingleResult(JPASessionDelegate.java)
    [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43]    at com.q1labs.core.dao.qidmap.TrafficAnalysisConfigRecord.getTAConfigRecordForTAConfigRecordPrecedence(TrafficAnalysisConfigRecord.java)
    [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43]    at com.ibm.si.data_ingestion.api.impl.trafficanalysis.validation.TrafficAnalysisConfigRecordValidator.validatePrecedence(TrafficAnalysisConfigRecordValidator.java)
    [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43]    at com.ibm.si.data_ingestion.api.v10_0.trafficanalysis.impl.TrafficAnalysisAPIImpl.updatePrecedence(TrafficAnalysisAPIImpl.java)
    [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43]    at com.ibm.si.data_ingestion.api.v10_0.trafficanalysis.impl.TrafficAnalysisAPIImpl.updateTAConfigRecordWithoutNotificationMask(TrafficAnalysisAPIImpl.java)
    [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43]    at com.ibm.si.data_ingestion.api.v10_0.trafficanalysis.impl.TrafficAnalysisAPIImpl.updateTAConfigRecord(TrafficAnalysisAPIImpl.java)
    [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43]    ... 68 more
    05 February 2020
    RULES / PERFORMANCE IJ22342 QRADAR USER INTERFACE RULES PAGE CAN TAKE LONGER THAN EXPECTED TO LOAD OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: No workaround available.

    Issue: The QRadar User Interface "Rules" page can take over 20 seconds to populate due to multiple inefficiencies in how the data needed for the Rules page is gathered/loaded.
    28 January 2020
    SEARCH IJ22156 'RUNTIME EXCEPTION PROCESSING REQUEST GET QUERY STATUS - QUERYSTATUSWAIT' DURING ARIEL SEARCHES IN QRADAR LOGGING OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: No workaround available. Instances of these specific NullPointerException errors generated during Ariel searches have been investigated and found to be benign.

    Issue: A 'Runtime exception processing request Get query status - QueryStatusWait' error can be generated during the running of Ariel searches.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] com.q1labs.ariel.ConnectedClient: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Runtime exception processing request Get query status - QueryStatusWait [Id=e253ffee-2feb-4b96-89f5-825e4fa86ca3, waitMillis=0]: u=admin
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] java.lang.NullPointerException
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at com.ibm.si.ariel.aql.metadata.CatalogDatabase.userHasAccess(MetadataFactory.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at com.ibm.si.ariel.aql.metadata.MetadataFactory.getCatalogByName(MetadataFactory.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at com.ibm.si.ariel.aql.metadata.MetadataFactory.createUserCatalog(MetadataFactory.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at com.q1labs.ariel.ql.parser.Parser.getMetadata(Parser.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at com.q1labs.ariel.ql.parser.Parser.getMetadata(Parser.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at com.q1labs.ariel.protocol.ClientData.initColumns(ClientData.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at com.q1labs.ariel.protocol.SearchAlias.clientData(SearchAlias.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at com.q1labs.ariel.searches.tasks.Result.resultForAlias(Result.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at com.q1labs.ariel.protocol.SearchAlias.result(SearchAlias.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at com.q1labs.ariel.searches.AccessManager.updateResult(AccessManager.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at com.q1labs.ariel.searches.AccessManager.findQueryResult(AccessManager.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at com.q1labs.ariel.ConnectedClient.findQueryResult(ConnectedClient.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at com.q1labs.ariel.ConnectedClient.findQueryResult(ConnectedClient.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java:278)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at java.lang.Thread.run(Thread.java)
    17 January 2020
    MANAGED HOSTS / ADD HOST IJ22140 ADD HOST CAN FAIL WITH PASSWORD DECODING ERROR OPEN: Reported in QRadar 7.3.3 initial release (GA) and later Workaround: Contact Support for a possible workaround that might address this issue in some instances.

    Issue: The QRadar Add Host process can fail due to a password decoding error that occurs while the managed host is being added. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:

    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] java.lang.IllegalArgumentException: Last unit does not have enough valid bits
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at java.util.Base64$Decoder.decode0(Base64.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at java.util.Base64$Decoder.decode(Base64.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at java.util.Base64$Decoder.decode(Base64.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.ibm.si.mks.KeyStoreCrypto.decrypt(KeyStoreCrypto.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.ibm.si.mks.Crypto.decrypt(Crypto.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.frameworks.crypto.CryptoUtils.decrypt(CryptoUtils.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.frameworks.core.FrameworksContext.decrypt(FrameworksContext.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.capabilities.AddHost.getPresenceCommand(AddHost.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.capabilities.AddHost.executePresence(AddHost.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.capabilities.AddHost.add(AddHost.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.capabilities.AddHost.addManagedHost(AddHost.java:324)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.hostcontext.core.executor.AddHostExecutor.addManagedHost(AddHostExecutor.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.hostcontext.core.executor.AddHostExecutor.invoke(AddHostExecutor.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.hostcontext.core.requests.BaseHostRequest.invoke(BaseHostRequest.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.hostcontext.core.HostContextServices.messageReceived(HostContextServices.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.frameworks.events.jms.JMSMessageEvent.dispatchEvent(JMSMessageEvent.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchThread.run(SequentialEventDispatcher.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]Unable to add managed host. The ip of the host is: xxx.xxx.xxx.xxx
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] com.q1labs.configservices.hostcontext.core.HostContextServices: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]Error retrieving message
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] com.q1labs.configservices.hostcontext.exception.HostContextException: Could not get executor object com.q1labs.hostcontext.core.executor.AddHostExecutor
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.hostcontext.core.requests.BaseHostRequest.invoke(BaseHostRequest.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.hostcontext.core.HostContextServices.messageReceived(HostContextServices.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.frameworks.events.jms.JMSMessageEvent.dispatchEvent(JMSMessageEvent.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchThread.run(SequentialEventDispatcher.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] Caused by:
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] com.q1labs.configservices.hostcontext.exception.HostContextException: Command exited with non-zero value (4): add_host
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.hostcontext.core.executor.AddHostExecutor.addManagedHost(AddHostExecutor.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.hostcontext.core.executor.AddHostExecutor.invoke(AddHostExecutor.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.hostcontext.core.requests.BaseHostRequest.invoke(BaseHostRequest.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    ... 3 more
    17 January 2020
    PROTOCOL INSPECTOR / QRADAR NETWORK INSIGHTS (QNI) IJ22087 SOME SMTP AND FTP FLOWS RECEIVED BY QRADAR NETWORK INSIGHTS (QNI) MISCLASSIFIED AS IRC TRAFFIC CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue: Some SMTP and FTP flows received by QRadar Network Insights (QNI) are being misclassified as IRC traffic. The application "determination algorithm" for these flows displays as "QNI Inspectors".
    17 January 2020
    DEPLOY CHANGES IJ22083 'DEPLOY' BUTTON DOES NOT FUNCTION FROM THE 'ADMIN TAB > DATA SOURCES > EVENTS' WINDOW CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    Navigate to another User Interface window that prompts the Deploy changes to be performed.

    Issue
    When in the Admin > Data Sources > Events view, the Deploy changes button does not function.
    17 January 2020
    AQL IJ22082 'APPLICATION ERROR' WHEN RUNNING SOME LONG AQL QUERIES USING CHROME, FIREFOX, AND SAFARI WEB BROWSERS OPEN: Reported in QRadar 7.3.1 Patch 7 and later Workaround: Shorten the AQL query to see if it completes in Chrome, Firefox or Safari, or attempt the query using the Internet Explorer or Edge web browser.

    Issue: Some longer AQL queries that work using the web browsers Internet Explorer and Edge can fail when using the Chrome, Firefox, and Safari Web Browsers with an 'Application Error' in the QRadar User Interface.
    31 January 2020
    SEARCH IJ22001 SEARCHES CAN CAUSE A RUNTIME EXCEPTION WITH A NULLPOINTEREXCEPTION GENERATED IN QRADAR LOGGING OPEN: Reported in QRadar 7.3.2 Patch 3 Workaround: No workaround available.

    Issue: In some instances, searches performed within QRadar can generate a NullPointerException in QRadar logging similar to:
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464] com.q1labs.ariel.ConnectedClient: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Runtime exception processing request Get query status - QueryStatusWait [Id=7b08480a-770f-4a0d-942f-f214e5f88660, waitMillis=0]: u=admin
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464] java.lang.NullPointerException
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at com.ibm.si.ariel.aql.metadata.CatalogDatabase.userHasAccess(MetadataFactory.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at com.ibm.si.ariel.aql.metadata.MetadataFactory.createUserCatalog(MetadataFactory.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at com.ibm.si.ariel.aql.metadata.MetadataFactory.getCatalogByName(MetadataFactory.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at com.q1labs.ariel.ql.parser.Parser.getMetadata(Parser.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at com.q1labs.ariel.ql.parser.Parser.getMetadata(Parser.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at com.q1labs.ariel.protocol.ClientData.initColumns(ClientData.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at com.q1labs.ariel.protocol.SearchAlias.clientData(SearchAlias.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at com.q1labs.ariel.searches.tasks.Result.resultForAlias(Result.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at com.q1labs.ariel.protocol.SearchAlias.result(SearchAlias.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at com.q1labs.ariel.searches.AccessManager.updateResult(AccessManager.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at com.q1labs.ariel.searches.AccessManager.findQueryResult(AccessManager.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at com.q1labs.ariel.ConnectedClient.findQueryResult(ConnectedClient.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at com.q1labs.ariel.ConnectedClient.findQueryResult(ConnectedClient.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at java.lang.Thread.run(Thread.java)
    31 January 2020
    FLOWS IJ21982 FLOWS CAN CONTAIN INCORRECT VALUES FOR PACKET TIMES, IP ADDRESSES, PROTOCOLS, SIZE, SOURCE OR DESTINATION PORT CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)

    Workaround
    Restarting the qflow process on the affected QRadar Console, Flow Processor or Flow Collector can temporarily rectify this behavior, but the behavior can re-occur:
    systemctl restart qflow
    Note: Restarting the qflow service results in an interruption in flow collection.

    Issue: Flows can have an incorrect first packet time or unusual IP addresses, protocol values and byte counts. The source bytes or destination bytes display as either 4G in size or 0. The source and destination port display as 0.

    This behavior has predominantly been observed in flows received from QRadar Network Insights appliances.
    14 January 2020
    GEOGRAPHIC DATA IJ21884 GEODATA UPDATES NO LONGER OCCURRING WITH '401 UNAUTHORIZED AT /OPT/QRADAR/BIN/GEOIPUPDATE-PUREPERL.PL' IN QRADAR LOGGING OPEN: Reported in QRadar 7.3.2 Patch 3 Workaround: Sign up for a MaxMind account and configure the QRadar system settings. For more information, see: Configuring a MaxMind account for geographic data updates (APAR IJ21884)

    Issue: QRadar geographic updates for GeoLite2-City.mmdb can fail to be obtained and installed from maxmind.com due to a login failure with the default userid and license key used within QRadar.

    To verify if this issue occurs, on the QRadar Console command line, run the geodata update command:
    /opt/qradar/bin/geodata_update.sh

    Messages similar to the following are displayed:
    401 Unauthorized at /opt/qradar/bin/geoipupdate-pureperl.pl line 222, <$fh> line 37
    06 January 2020
    SEARCH IJ21739 'PAYLOAD CONTAINS' AQL FILTER FROM A BASIC SEARCH CAN GENERATE AN ILLEGAL ARGUMENT EXCEPTION AND INCORRECT RESULTS OPEN: Reported in QRadar 7.3.2 Patch 2 Workaround: Enable store payload in the Log Sources.

    Issue: Using the 'Payload Contains' AQL filter generated from a basic search produces an IllegalArgumentException and returns incorrect search results when compared with the results of the basic search. For example:
    1. Create a basic search
    2. Add the filter "Payload Contains" Admin
    3. Add the payload column
    4. Save the search and run it
    5. Notice the expected output of the payload column
    6. Convert the search to AQL from Log Activity > Edit Search > Show AQL
    7. Use the SHOW AQL and leverage the output in a new search:
      select "payload" as 'Payload', QIDNAME(qid) as 'Event Name', logsourcename(logSourceId) as 'Log Source',
        "eventCount" as 'Event Count', "startTime" as 'Start Time', categoryname(category) as 'Low Level Category',
        "sourceIP" as 'Source IP', "sourcePort" as 'Source Port', "destinationIP" as 'Destination IP',
        "destinationPort" as 'Destination Port', "userName" as 'Username', "magnitude" as 'Magnitude'
      from events
      where icu4jsearch('Admin', payload) != -1
      order by "startTime" desc
      LIMIT 1000
      last 5 minutes
    8. Run the AQL search.

      Results
      An illegal argument exception is generated and the payload is incorrect.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:

    com.q1labs.frameworks.nio.exceptions.ExtendedRuntimeException: Error calling function com.q1labs.ariel.ql.parser.ICU4jSearch([B@e6bc0507): java.lang.IllegalArgumentException
    at com.q1labs.frameworks.util.Utils.icu4jSearch(Utils.java)
    at com.q1labs.frameworks.util.Utils.icu4jSearch(Utils.java)
    at com.q1labs.ariel.ql.parser.ICU4jSearch.calculate(Functions.java)
    at com.q1labs.ariel.ql.parser.ICU4jSearch.calculate(Functions.java)
    31 December 2019
    OFFENSES IJ21725 QRADAR USER INTERFACE INTERRUPTION CAN OCCUR WHEN PERFORMING SEARCHES ON THE OFFENSE TAB BY 'DESTINATION IP' OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: Contact Support for a possible workaround that might address this issue in some instances.

    Issue: The QRadar User Interface can experience an interruption caused by a tomcat TxSentry occurrence after performing searches by 'Destination IP' on the Offense tab.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [hostcontext.hostcontext]
    [78695a45-e04b-4ee0-8189-4a2b7eeb1490/SequentialEventDispatcher]
    com.q1labs.hostcontext.tx.TxSentry: [WARN]
    [NOT:0000004000][xx.xx.xx.xx/- -] [-/- -]  TX on host
    xx,xx,xx,xx: pid=25311 age=928 IP=127.0.0.1 port=48623 locks=31
    query='SELECT op.id FROM offense_properties op JOIN
    offense_target_link otl ON otl.offense_id=op.id JOIN
    target_view t ON t.id=otl.target_id JOIN offense o ON
    op.id=o.id WHERE (INET(ip2address(network)) <<=
    INET('xx.xx.xx.xx/32')) OR (INET(ip2address(network)) <<=
    INET('x..x.xx.xx/27')) OR (INET(ip2address(network)) <<=
    INET('xx.xx.xx.xx/32')) OR (INET(ip2address(network)) <<=
    INET('xx.xx.xx.xx/32')) OR (INET(ip2address(network)) <<=
    INET('xx.xx.xx.xx/27')) OR (INET(ip2address(network)) <<=
    INET('xx.xx.xxxx/32')) OR (INET(ip2address(network)) <<=
    INET('xx.xx.xx.xx/32')) OR (INET(ip2address(network)) <<=
    INET('xx.xx.xx.xx/32')) OR (INET(ip2address(network)) <<=
    INET('xx.xx.xx.xx/32')) OR (INET(ip2address(network)) <<=
    INET('xx.xx.xx.xx/32')) OR (INET(ip2address(network)) <<=
    INET('xx.xx.xx.xx/27')) OR (INET(ip2address(network)) <<=
    INET('xx.xx.xx.xx/32')) OR (INET(ip2address(network)) <<=
    INET('xx.xx.xx.xx/32')) OR (INET(ip2address(network)) <<=
    INET('xx.xx.xx.xx/27')) OR (INET(ip2address'
    [hostcontext.hostcontext]
    [78695a45-e04b-4ee0-8189-4a2b7eeb1490/SequentialEventDispatcher]
    com.q1labs.hostcontext.tx.TxSentry: [WARN]
    [NOT:0000004000][xx.xx.xx.xx/- -] [-/- -]  Lock acquired on
    host xx.xx.xx.xx: rel=domains_pkey age=928 granted=t
    mode=AccessShareLock query='SELECT op.id FROM
    offense_properties op JOIN offen'
    [hostcontext.hostcontext]
    [78695a45-e04b-4ee0-8189-4a2b7eeb1490/SequentialEventDispatcher]
    com.q1labs.hostcontext.tx.TxSentry: [WARN]
    02 January 2020
    RULES IJ21724 'WHEN THE SOURCE IP IS PART OF ANY OF THE FOLLOWING REMOTE NETWORKS / SERVICES' CAN WORK INCORRECTLY WITH DOMAINS OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: No workaround available.

    Issue: The following issue manifests when an event originates from any domain other than the default domain.
    Rule condition (used in a Building Block):
    'When the source IP is part of any of the following remote networks / remote services' matches events that should be excluded.
    When this Building Block is used in a rule with other conditions:

    The IP in question is added to the remote network as a /32 CIDR, and the condition matches the event that should be excluded based on the source IP; but when the destination IP is the same address (source IP and destination IP are identical), the events are matched regardless.
    19 December 2019
    AQL CUSTOM PROPERTIES IJ21723 AQL PROPERTY WITH FUNCTION CONTAINING MULTIPLE ARGUMENTS CANNOT BE USED AS AN AGGREGATED PROPERTY IN THRESHOLD RULE CREATION OPEN: Reported in QRadar 7.3.2 Patch 2 Workaround: No workaround available.

    Issue: An AQL property that has a function with multiple arguments cannot be selected as an aggregated property in a Threshold Rule in the Rule Wizard page.

    For example, the following AQL is stored as a saved search and a threshold monitoring rule is created on it.
    SELECT sourceip, SUM(LONG("eventcount") + LONG("sourceport"))
    AS total FROM events GROUP BY sourceip LAST 5 MINUTES

    When the aggregation has two components that are summarized in one value (as above), the Rule Wizard is unable to select it and fails to save the rule configuration. The rule can be saved and works successfully when there is only a single aggregated parameter, such as SUM(LONG("eventcount")).
    02 January 2020
    LOG SOURCES IJ21722 AUTO DISCOVERED LOG SOURCES ARE NOT AUTO DISCOVERED AGAIN IF DELETED USING THE LOG SOURCE MANAGEMENT APP CLOSED Resolved in:
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Fix Pack 2 (7.3.3.20200208135728)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)

    Workaround
    1. Use the legacy Log Source User Interface (UI) to delete log source(s).
      OR
    2. If the auto discovered log source has already been deleted using Log Source Management App, a tomcat restart is required to clear cached data:
      Admin tab > select Advanced > Restart Web Server

    Note: The QRadar UI only becomes available again after all required processes are running as expected once the "Restart Web Server" has completed.

    Issue
    Using the Log Source Management App to delete a Log Source causes it to not be auto discovered again.
    19 December 2019
    SYSTEM NOTIFICATIONS IJ21721 REPEATED SYSTEM NOTIFICATION MESSAGES FROM MANAGED HOST(S) INDICATING SYNCHRONIZATION TO CONSOLE 'TLSDATE TIMED OUT' OPEN: Reported in multiple QRadar versions Workaround: Contact Support for a possible workaround that might address this issue in some instances.

    Repeated System Notifications can be generated from Managed Hosts regarding time synchronization to the QRadar console. time_sync.sh reports 'tlsdate timed out' when httpd does not respond within 5 seconds.

    This issue can generate a large number of events if communication to the QRadar console is unavailable for a period of time.

    Notification is similar to:
    [hostcontext.hostcontext]: [ERROR] [NOT:0150003100] Time
    Synchronization to Console has failed - tlsdate timed out
    19 December 2019
    APP HOST IJ21720 QRADAR APP HOST CANNOT BE REMOVED FROM THE DEPLOYMENT IF ALL APPS HAVE BEEN UNINSTALLED CLOSED Closed as permanent restriction. Administrators can install at least one app and migrate it to the console, so the App Host appliance can be removed. Workaround
    1. Install a QRadar App.
    2. Migrate the App to the Console.
    3. Perform App Host removal.
    4. Remove the QRadar App now installed on Console, if not needed.

    Issue
    A QRadar App Host cannot be removed from the Deployment if all Apps have been uninstalled. The option Admin > System and License Management > highlight app host > Deployment Actions > 'Remove Host' is grayed out.
    29 July 2020
    RULES / QRADAR ON CLOUD IJ21717 QRADAR ON CLOUD USERS ARE UNABLE TO DELETE ANOMALY DETECTION ENGINE RULES OPEN: Reported in QRadar 7.3.1 and later Workaround: Contact Support and request them to delete the appropriate ADE rule.

    QRadar on Cloud users with the appropriate rights assigned are not able to delete Anomaly Detection Engine (ADE) rules. Users are able to delete other rule types, but no pop-up window is displayed when attempting to delete an ADE rule.
    02 January 2020
    TOPOLOGY / QRADAR RISK MANAGER (QRM) IJ21704 SUBNETS CAN INTERMITTENTLY APPEAR AND DISAPPEAR ON THE QRADAR RISK MANAGER TOPOLOGY SCREEN CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)

    Workaround
    Contact Support for a possible workaround if you are unable to upgrade to a fix pack that resolves this issue.

    Issue
    Subnets can appear and disappear intermittently on the QRadar Risk Manager Topology screen.
    19 December 2019
    HIGH AVAILABILITY (HA) IJ21703 ADDED OR EDITED NTP SERVER SETTINGS ARE NOT IMPLEMENTED ON HIGH AVAILABILITY (HA) STANDBY APPLIANCE CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Restart the chrony service manually from the command line over an SSH connection on the affected HA standby appliances:
    systemctl restart chronyd


    Issue
    After adding or updating an NTP server in QRadar for a High Availability (HA) appliance (using the steps in System and License Management on the Active HA appliance), the chrony service on the High Availability Standby appliance needs to be restarted for the chrony config change to be implemented.
    26 November 2020
    DATA OBFUSCATION IJ21702 UNABLE TO ADD NEW DATA OBFUSCATION EXPRESSION TO AN EXISTING DATA OBFUSCATION PROFILE OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround:
    1. Open the Obfuscation Management Administration page.
    2. Unlock.
    3. Click Add.
    4. In the Firefox browser, press F12 and open the Inspector (or Elements in the Chrome browser).
    5. With the element selector, find the required field that is blank and fill in the proper value in the HTML (e.g., manually add -1 for {Any}).
    6. Click Send.

    Results
      The new obfuscation expression should be added.

    Issue:
    Users might be unable to add a new Data Obfuscation expression to an existing obfuscation profile in QRadar environments with a very large number of Log Sources. The error message generated in the QRadar User Interface is similar to: java.lang.NumberFormatException: empty String
    Example of steps that lead to this issue:
    1. Admin > Data Obfuscation
    2. Unlock the Data Obfuscation profile
    3. Click Add to add a new expression
    4. Select regex.
      Note that the Log Source type does not fully load and Log Source field is empty.
    5. Fill out all required settings, click Save.
    6. Error message is generated: java.lang.NumberFormatException: empty String
    02 January 2020
    LOG ACTIVITY / NETWORK ACTIVITY IJ21700 REGEX ' + ' (PLUS) SYMBOL TO MATCH ONE OR MORE OF ANYTHING IS HIDDEN AFTER FILTER IS APPLIED OPEN: Reported in QRadar 7.3.2 Workaround: No workaround available.

    Issue: The regex expression \w+ is being displayed in 'add filter' as \w and not \w+. For example:
    1. Click the Log Activity tab.
    2. Click Add filter.
    3. Use "Process File URL (custom)" Matches any of expressions \w+\.exe

      Result
      Displayed in the filter area of the user interface is \w \.exe rather than the expected \w+\.exe.

      NOTE: This only occurs on the QRadar Log/Network Activity User Interface windows. The filter is applied correctly otherwise. On the DSM Editor screen, the plus sign is displayed correctly.
    19 December 2019
    SECURITY BULLETIN CVE-2018-0734 OpenSSL as used in IBM QRadar SIEM is vulnerable to a timing side channel attack CLOSED Resolved in:
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).
    09 January 2020
    SECURITY BULLETIN CVE-2019-1559 OpenSSL as used by IBM QRadar SIEM is Missing a Required Cryptographic Step CLOSED Resolved in:
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).
    09 January 2020
    SECURITY BULLETIN CVE-2019-4508 IBM QRadar SIEM uses weak credential storage in some instances CLOSED Resolved in:
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    09 January 2020
    SECURITY BULLETIN CVE-2019-2816
    CVE-2019-2762
    CVE-2019-2769
    Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM QRadar SIEM CLOSED Resolved in:
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    09 January 2020
    SECURITY BULLETIN CVE-2019-4559 IBM QRadar SIEM is vulnerable to information disclosure CLOSED Resolved in:
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    09 January 2020
    SECURITY BULLETIN CVE-2018-15473 OpenSSH as used by IBM QRadar SIEM is vulnerable to information exposure CLOSED Resolved in:
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    09 January 2020
    USERS IJ20771 UNABLE TO REASSIGN CUSTOM EVENT PROPERTY TO ANOTHER USER WHEN DELETING A USER CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    No workaround available. If the user needs to be deleted, you have to delete the Custom Event Property rather than reassign it.

    Issue
    It has been identified that when trying to delete a non-admin or admin user who has a Custom Event Property, you cannot reassign that Custom Event Property to another user. The page hangs at the dependency reassign step and does not reassign the Custom Event Property successfully.
    16 November 2020
    SYSLOG REDIRECT IJ03249 AUTODISCOVERED LOG SOURCES CREATED BY SYSLOG REDIRECT CAN HAVE INCORRECT LOG SOURCE IDENTIFIERS Closed as program error. It has been identified that autodiscovered Log Sources created using the Syslog Redirect Protocol can have incorrect Log Source Identifiers listed due to a regex issue within the Protocol. The issue is resolved with the following version of the Syslog Redirect RPM: 13 November 2019
    UPGRADE IJ00366 APPLYING A QRADAR .SFS PATCH CAN FAIL WHEN WGET HAS A PROXY SERVER CONFIGURED OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: Via an SSH session to the QRadar console, temporarily disable the wget proxy settings in /etc/wgetrc.

    It has been identified that the check_undeployed script used within the QRadar patch framework can fail when there is a proxy server configured for wget to use. The check_undeployed script attempts to use that proxy to reach localhost and fails.

    Messages similar to the following might be visible in the /var/log/setup-7.x.x.../patches.log when this issue occurs:
    Verifying if there are any un-deployed changes...
    ERROR: Could not determine undeployed changes, response was invalid.
    --2018-03-28 12:11:34--
    https://127.0.0.1/console/services/configservices?method=hasUndeployedChanges
    Connecting to {proxyIP:port}... connected.
    Proxy tunneling failed: Service Unavailable
    Unable to establish SSL connection.
    An error was encountered attempting to process patches.
    Please contact customer support for further assistance.
    29 March 2018
    UPGRADE / SCANNER IJ10746 QRADAR UPGRADE CAN HANG IF IT'S UNABLE TO REACH A CONFIGURED SCANNER OVER THE INTERNET CLOSED Closed as Permanent restriction. Contact Support for a possible workaround that might address this issue in some instances.

    It has been identified that a QRadar upgrade can hang at message: 'System upgrade is in progress - DO NOT REBOOT or shutdown now!' if the QRadar upgrade process is unable to reach an internet configured scanner. QRadar attempts to retrieve a certificate during the upgrade and if internet connectivity is not allowed, the upgrade cannot reach the external scanner to complete the process.
    09 December 2019
    API / OFFENSES IJ05914 OFFENSE API DOES NOT RETURN EXPECTED OFFENSES WHEN USING "ID" AND "INACTIVE" FIELD IF OFFENSE ACTIVE_CODE IS 'DORMANT' CLOSED Resolved in:
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    Workaround
    1. Do not use the inactive attribute
    2. Use the status attribute to filter closed or non-closed offenses.
    Issue
    It has been identified that the Offense API does not return all expected offenses when using the "id" and "inactive" fields when the offense active_code is set as "dormant" in the database for the Offense. To further explain this reported issue, users can compare API results to the QRadar database:
    qradar=# select count(*) from offense;
    count
    -------
      1515
    (1 row)
    
    qradar=# select count(*) from offense where active_code=1;
    count
    -------
         0
    (1 row)
    
    qradar=# select count(*) from offense where active_code=2;
    count
    -------
       148
    (1 row)
    
    qradar=# select count(*) from offense where active_code=3;
    count
    -------
      1367
    (1 row)


    API results display:
    status = open returns 149
    status = closed returns 1366
    status="OPEN" and inactive=true returns 1
    status="OPEN" and inactive=false returns 0

    Using inactive = false gives incorrect results. The active code value in the User Interface can be:
    • 1 (active /status open)
    • 2 (dormant, status open but inactive)
    • 3 (inactive / status closed).
    In the API you have status = OPEN, CLOSED, HIDDEN, etc. and inactive = true / false.
    09 December 2019
    SYSTEM NOTIFICATIONS IJ20362 'SAR SENTINEL: THRESHOLD CROSSED FOR DRBD0' SYSTEM NOTIFICATIONS CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    It has been identified that QRadar can report "SAR Sentinel: Threshold crossed for drbd0" system notifications for managed hosts in a High Availability (HA) pair.

    Investigation has determined that these messages can be excessively and erroneously generated due to a change made within the fix for APAR IJ06526.
    09 December 2019
    SEARCH / SERVICES IJ21718 ARIEL SEARCHES FAIL AND EVENTS ARE NOT PROCESSED/WRITTEN TO DISK WHEN A CONCURRENT MODIFICATION EXCEPTION OCCURS CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 2 (7.3.3.20200208135728)
    QRadar 7.3.3 Patch 1 Interim Fix 01 (7.3.3.20191220154048)
    QRadar 7.3.2 Patch 5 Interim Fix 01 (7.3.2.20191220232616)

    Workaround
    A flash notice has been issued for APAR IJ21718. For more information, see: QRadar: Custom property concurrency can cause search and ariel data loss (APAR IJ21718). Administrators can complete a Deploy Full Configuration to ensure a service restart until an interim fix is available on IBM Fix Central.

    Issue
    An uncaught ConcurrentModificationException can occur within the QRadar Ariel Writer thread. When this occurs, events received into QRadar fail to be processed and written to disk, and failure exceptions occur during ariel/event searches within QRadar.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ep.ecs-ep] [Ariel Writer#events]
    com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception was uncaught
    in thread: Ariel Writer#events
    [ecs-ep.ecs-ep] [Ariel Writer#events]
    java.util.ConcurrentModificationException
    [ecs-ep.ecs-ep] [Ariel Writer#events] at
    gnu.trove.TPrimitiveIterator.nextIndex(TPrimitiveIterator.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at
    gnu.trove.TIterator.hasNext(TIterator.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at
    com.q1labs.core.types.networkevent.mapping.NetworkEventMappingUt
    ils.writeCustomProperties(NetworkEventMappingUtils.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at
    com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.put
    CustomProperties(NormalizedEventMappingV2.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at
    com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.put
    Event(NormalizedEventMappingV2.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at
    com.q1labs.core.types.event.mapping.NormalizedEventMappings$Exlu
    deCachedResults.putData(NormalizedEventMappings.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at
    com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.put
    (NormalizedEventMappingV2.jav)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at
    com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.put
    (NormalizedEventMappingV2.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at
    com.q1labs.ariel.io.NIOFileWriter.write(NIOFileWriter.java:110)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at
    com.q1labs.ariel.io.SimpleWriter.writeRecord(SimpleWriter.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at
    com.q1labs.ariel.io.BucketWriter.writeRecord(BucketWriter.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at
    com.q1labs.ariel.io.AbstractDatabaseWriter.put(AbstractDatabaseW
    riter.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at
    com.q1labs.ariel.DatabaseWriterAsync.processRecord(DatabaseWrite
    rAsync.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at
    com.q1labs.ariel.ScatteringDatabaseWriter.access$401(ScatteringD
    atabaseWriter.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at
    com.q1labs.ariel.ScatteringDatabaseWriter$Node.writeRecord(Scatt
    eringDatabaseWriter.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at
    com.q1labs.ariel.ScatteringDatabaseWriter$Node.processRecord(Sca
    tteringDatabaseWriter.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at
    com.q1labs.ariel.ScatteringDatabaseWriter$Node.access$1100(Scatt
    eringDatabaseWriter.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at
    com.q1labs.ariel.ScatteringDatabaseWriter$DataNodes.processRecor
    d(ScatteringDatabaseWriter.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at
    com.q1labs.ariel.ScatteringDatabaseWriter.processRecord(Scatteri
    ngDatabaseWriter.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at
    com.q1labs.ariel.DatabaseWriterAsync.run(DatabaseWriterAsync.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events]
    java.lang.Thread.run(Thread.java)
    19 December 2019
    APPLICATION SIGNATURES / QRADAR NETWORK INSIGHTS IJ20455 FALSE POSITIVE MATCHES FOR SIGNATURES CAN OCCUR AS QRADAR NETWORK INSIGHTS (QNI) CAN SKIP SRC/DST PORT SPECIFIERS IN SIGNATURE.XML CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    It has been identified that the QRadar Network Insights processing of signatures.xml skips srcPort / dstPort specifiers. This can cause false positive matches for some signatures.
    09 December 2019
    ASSETS / UPGRADE IJ20458 QRADAR PATCH AND OR REPLICATION PROCESS CAN FAIL WHEN MULTIPLE DUPLICATED ASSET.ASSETVIEW DATA EXISTS CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    It has been identified that a QRadar patch and/or replication process can fail when there is more than one duplicated asset.assetview database entry with the same (domain_id, network_addr and ipv6) values on the console.
    09 December 2019
    VULNERABILITY SCANS IJ21607 VULNERABILITY MANAGER (QVM) SCANS CAN STAY AT 100% AND NEVER COMPLETE CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    Vulnerability Manager scans can stay in the running state at 100% and never go to a Stopped state. Due to a timing issue, two threads try to determine if they are the last tool to run within a job and the jobtracking endtime never gets set, and the scan never finishes.
    When this occurs, the vulnerability data does not get sent to the asset DB, vulnerability counts remain at zero on screen, and the scan duration keeps increasing even though the scan has finished.
    19 December 2019
    WINCOLLECT IV99859 WINCOLLECT AGENTS ARE DOWNGRADED TO VERSION 7.2.3 AFTER A CONFIGURATION RESTORE ON THE QRADAR CONSOLE CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Fix Pack 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)

    Issue
    It has been identified that WinCollect agents that have been upgraded above version 7.2.3 are downgraded to version 7.2.3 after performing a Configuration Restore of QRadar 7.2.8.

    This is caused by the older WinCollect 7.2.3 agent core files being installed when the Config Restore is performed.
    09 December 2019
    SYSTEM NOTIFICATIONS / LICENSE IJ07448 'THE APPLIANCE EXCEEDED THE EPS OR FPM ALLOCATION WITHIN THE LAST HOUR' MESSAGES CAN BE CAUSED BY HEALTH METRICS EVENTS CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)

    Issue
    It has been identified that System Notifications similar to 'The appliance exceeded the EPS or FPM allocation within the last hour' can sometimes be caused by Health Metrics events generated/processed by QRadar. System Notifications generated by the increased number of Health Metric events in QRadar 7.3.1 are false positives. QRadar is not properly calculating the license giveback for Health Metric events in relation to EPS/FPM license warning System Notifications.
    09 December 2019
    BACKUP / RESTORE IJ14189 DATA BACKUPS CAN FAIL (TIME OUT) WHEN A BACKEND "PS" COMMAND HANGS CLOSED Resolved in QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)

    It has been identified that data backups can fail when a backend ps command hangs.

    QRadar system notifications similar to "Backup: last backup exceeded execution threshold error." and messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:

    [hostcontext.hostcontext] [Backup]
    com.q1labs.hostcontext.backup.core.BackupUtils: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]Cannot execute 'ps -e -o
    pid -o ppid -o cmd'
    [hostcontext.hostcontext] [Backup]
    java.lang.InterruptedException
    [hostcontext.hostcontext] [Backup] at
    java.lang.Object.wait(Native Method)
    [hostcontext.hostcontext] [Backup] at
    java.lang.Object.wait(Object.java)
    [hostcontext.hostcontext] [Backup] at
    java.lang.UNIXProcess.waitFor(UNIXProcess.java)
    [hostcontext.hostcontext] [Backup] at
    com.q1labs.hostcontext.backup.core.BackupUtils.getPsProcesses(Ba
    ckupUtils.java)
    [hostcontext.hostcontext] [Backup] at
    com.q1labs.hostcontext.backup.BackupRecoveryEngine.cleanup(Backu
    pRecoveryEngine.java)
    [hostcontext.hostcontext] [Backup] at
    com.q1labs.hostcontext.backup.BackupRecoveryEngine$BackupThread.
    run(BackupRecoveryEngine.java)
    [hostcontext.hostcontext] [Backup]
    com.q1labs.hostcontext.backup.BackupRecoveryEngine: [INFO]
    [NOT:0000006000][127.0.0.1/- -] [-/- -]Cancel process
    '/bin/bash /opt/qradar/bin/run_command.sh
    /opt/qradar/bin/determine_partition.sh
    /store/backup/store/tmp/backup/determine_partition' if exists
    09 December 2019
    BURST DATA / EVENT COLLECTORS IJ12229 EVENT COLLECTORS CAN EXPERIENCE PIPELINE PERFORMANCE ISSUES DUE TO NOT HAVING AN APPLIANCE CAPABILITY CONFIGURED CLOSED Resolved in QRadar 7.4.0 (7.4.0.20200304205308)

    Issue
    It has been identified that Event Collectors (EC) do not have an appliance level capability set. Because of this, QRadar pipeline processes are not protected from bursts in the incoming event rate (EPS).

    Event Collectors inherit their licensing limits from the connected Event Processor (EP), and frequently EPs have a much higher capability and license than an EC can handle. The lack of appliance capability limitations configured for ECs can expose them to pipeline performance issues.
    09 December 2019
    FORWARDED EVENTS / NETWORK IJ18585 SOME FORWARDED EVENTS CAN FAIL TO FORWARD SUCCESSFULLY WHEN A CONNECTION DROP OCCURS TO THE EVENT FORWARDING RECEIVER CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    It has been identified that a network device can sometimes break the long connection between QRadar and a configured event forward target. Some events are not forwarded prior to the connection being recovered.

    Warning messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ep.ecs-ep]
    com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicat
    orThread: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/-
    -]2019-07-15 15:50:20.0368 [:127.0.0.1:514] Exceeded
    maximum number of retries, dropping event[1].
    [ecs-ep.ecs-ep]
    com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicat
    orThread: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/-
    -]Following message suppressed 1 times in 300000 milliseconds
    [ecs-ep.ecs-ep]
    com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicat
    orThread: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/-
    -][:127.0.0.1:514] Exceeded Timeouts number[5], resetting
    connection.
    [ecs-ep.ecs-ep]
    com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicat
    orThread: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/-
    -][:127.0.0.1:514] Established connection
    [ecs-ep.ecs-ep]
    com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicat
    orThread: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/-
    -]2019-07-15 20:56:24.0403 [:127.0.0.1:514] Exceeded
    maximum number of retries, dropping event[1].
    [ecs-ep.ecs-ep]
    com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicat
    orThread: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/-
    -]Following message suppressed 1 times in 300000 milliseconds
    [ecs-ep.ecs-ep]
    com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicat
    orThread: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/-
    -][:127.0.0.1:514] Exceeded Timeouts number[5], resetting
    connection.
    [ecs-ep.ecs-ep]
    com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicat
    orThread: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/-
    -][:127.0.0.1:514] Established connection
    [ecs-ep.ecs-ep]
    com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicat
    orThread: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/-
    -]2019-07-16 00:21:29.0281 [:127.0.0.1:514] Exceeded
    maximum number of retries, dropping event[1].
    [ecs-ep.ecs-ep]
    com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicat
    orThread: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/-
    -]Following message suppressed 1 times in 300000 milliseconds
    [ecs-ep.ecs-ep]
    com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicat
    orThread: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/-
    -][:127.0.0.1:514] Exceeded Timeouts number[5], resetting
    connection.
    [ecs-ep.ecs-ep]
    com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicat
    orThread: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/-
    -][:127.0.0.1:514] Established connection
    09 December 2019
    DSM EDITOR IJ19112 DIFFERENCES IN HOW DSM EDITOR PARSES VERSUS HOW THE PIPELINE PARSES CAN PREVENT PROPER DSM EDITOR REGEX WRITING/TESTING CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    It has been identified that the DSM Editor parses payloads differently from the pipeline when a payload contains a trailing LF (line feed) or a space.

    These differences in parsing behavior can inhibit the proper writing and testing of regex when using the DSM Editor.
    09 December 2019
    AUTHENTICATION (LDAP) / ACCESS IJ13595 LDAP LOGINS CAN FAIL IF PAGINATION IS DISABLED FOR BIND USERS CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    Workaround
    Enable paging for the bind user, or change the bind user to one that has paging allowed.

    Issue
    It has been identified that QRadar LDAP logins can fail if pagination is disabled for the bind user. In the LDAP authentication setup, the test connection to the backend server succeeds. If group authentication is used, the group load fails.
    09 December 2019
    LOG SOURCES / LOG SOURCE MANAGEMENT APP IJ15429 TOMCAT OUT OF MEMORY CAN OCCUR WHEN PERFORMING AN ENABLE OR DISABLE OF A LOG SOURCE CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    It has been identified that enabling or disabling a Log Source using either the API (Log Source Management App) or the legacy Log Source management page can sometimes cause a Tomcat out-of-memory condition in QRadar environments with a very large number of Log Sources.
    09 December 2019
    OFFENSES IJ16002 THE OFFENSE PAGE IN THE QRADAR USER INTERFACE CAN BE SLOW TO OPEN AFTER PATCHING TO QRADAR 7.3.2 CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    Issue
    It has been identified that after patching to QRadar 7.3.2, opening the Offense page in the QRadar User Interface can take longer than expected.
    09 December 2019
    EVENT LOGS / TRAFFIC ANALYSIS IJ21155 EXCESSIVE LOGGING OF MESSAGE 'TRAFFIC ANALYSIS WILL CREATE NEW DEVICES WITH EVENT COALESCING TURNED ON' CLOSED Resolved in:
    QRadar 7.3.3 (7.3.3.20191031163225)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    Workaround: You can turn off logging for the TrafficAnalysisFilter class from the command line of the QRadar Console to prevent it from filling the logs.
    1. To edit the traffic analysis logger, type: /opt/qradar/support/mod_log4j.pl
    2. Type your name for audit purposes.
    3. Select option 3 - Advanced Menu.
    4. Select option 2 - Add a new Logger.
    5. Type the classpath com.ibm.si.ec.filters.trafficanalysis.TrafficAnalysisFilter
    6. Select option 4 - Off.
    7. Select * - All of the above.

    Issue: It has been identified that excessive logs similar to the following might be visible in /var/log/qradar.log:
    [ecs-ec.ecs-ec] [[type=com.eventgnosis.system.ThreadedEventProcessor][parent=l3rtc.canlab.ibm.com:ecs-ec/EC/TrafficAnalysis1/TrafficAnalysis]] com.ibm.si.ec.filters.trafficanalysis.TrafficAnalysisFilter: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Traffic analysis will create new devices with event payload storage turned on
    [ecs-ec.ecs-ec] [[type=com.eventgnosis.system.ThreadedEventProcessor][parent=l3rtc.canlab.ibm.com:ecs-ec/EC/TrafficAnalysis1/TrafficAnalysis]] com.ibm.si.ec.filters.trafficanalysis.TrafficAnalysisFilter: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Traffic analysis will create new devices with event coalescing turned on
    28 November 2019
    CUSTOM PROPERTIES / SYSTEM NOTIFICATIONS IJ15775 REGEXMONITOR FEATURE CAN SOMETIMES DISABLE CUSTOM PROPERTIES WITHOUT ANY SYSTEM NOTIFICATION CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    It has been identified that the RegexMonitor feature, which is designed to automatically disable expensive custom properties to prevent performance issues, can sometimes disable inexpensive custom properties without generating a System Notification.
    09 December 2019
    DASHBOARD / USER INTERFACE IJ18066 QRADAR USER INTERFACE CAN BECOME INACCESSIBLE DUE TO TOMCAT TXSENTRY WHEN USING 'TOP CATEGORY TYPES' DASHBOARD ITEM CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    It has been identified that in some instances the "Top Category Types" Dashboard item can lead to a TXSentry killing the tomcat process. When this occurs, the QRadar User Interface can become inaccessible.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    TX on host 1console_ip: pid=5919 age=616 IP=127.0.0.1 port=40362 locks=42 query='SELECT id, parent_id, category_name, chain_name, offense_count, attacker_count, target_count, event_count, start_time, end_time FROM category_type_summary_proc(323, true, '1,2') WHERE parent_id NOT IN(10000,11000,14000) AND id NOT IN(10000,11000,14000) AND MOD(id, 1000)<>0 ORDER BY offense_count desc LIMIT 5 '
    09 December 2019
    RULES / USER INTERFACE IJ17357 HTTP 504 ERROR IN QRADAR USER INTERFACE WHEN SELECTING CUSTOM RULES OR WHEN OPENING RULES IN THE RULE WIZARD CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)

    It has been identified that in some instances selecting or opening a custom rule from the Rule Wizard can fail with a 504 error being generated in the QRadar User Interface window. This can occur if you have a large number of reference data elements.
    09 December 2019
    APPLICATION FRAMEWORK IJ21495 QRADAR APPS CAN GO OUT OF MEMORY DUE TO A RHEL KERNEL BUG WITH DENTRY SLAB CACHE CLOSED Resolved in:
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)

    It has been identified that in some instances QRadar Apps can experience out-of-memory occurrences due to a Red Hat Enterprise Linux (RHEL) kernel bug with the dentry slab cache, where kernel memory is not freed as expected.

    For more information, see: https://access.redhat.com/solutions/55818
    09 December 2019
    ROUTING RULES / OFFLINE FORWARDER IJ18101 CUSTOM AQL EVENT/FLOW PROPERTIES WHILE USING OFFLINE FORWARDER WITH JSON FORWARDED DESTINATIONS CAN CAUSE PERFORMANCE ISSUES CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 2 (7.3.2.20190522204210)

    It has been identified that QRadar environments with custom AQL Event/Flow properties can experience system performance issues with the offline forwarder when using JSON forwarded destinations after upgrading to 7.3.2 Patch 2.
    09 December 2019
    UPGRADE / SNMP IJ17204 ECS-EP PROCESS FAILS TO START AFTER PATCHING TO QRADAR 7.3.2 (OR LATER) WHEN CUSTOM SNMP TRAP EVENTS WERE CONFIGURED CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    It has been identified that the ecs-ep service can fail to start after patching to QRadar 7.3.2 when custom SNMP trap events were configured.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ep.ecs-ep] [ECS Runtime Thread] Caused by: java.io.FileNotFoundException: /opt/ibm/si/services/ecs-ep/current/frameworks_conf/customCRE.snmp.xml (No such file or directory)
    [ecs-ep.ecs-ep] [ECS Runtime Thread] at java.io.FileInputStream.open(FileInputStream.java:212)
    [ecs-ep.ecs-ep] [ECS Runtime Thread] at java.io.FileInputStream.(FileInputStream.java:152)
    [ecs-ep.ecs-ep] [ECS Runtime Thread] at java.io.FileInputStream.(FileInputStream.java:104)
    [ecs-ep.ecs-ep] [ECS Runtime Thread] at sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:103)
    [ecs-ep.ecs-ep] [ECS Runtime Thread] at sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:201)
    [ecs-ep.ecs-ep] [ECS Runtime Thread] at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
    [ecs-ep.ecs-ep] [ECS Runtime Thread] at org.apache.xerces.impl.XMLVersionDetector.determineDocVersion(Unknown Source)
    [ecs-ep.ecs-ep] [ECS Runtime Thread] at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    [ecs-ep.ecs-ep] [ECS Runtime Thread] at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    [ecs-ep.ecs-ep] [ECS Runtime Thread] at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
    [ecs-ep.ecs-ep] [ECS Runtime Thread] at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
    [ecs-ep.ecs-ep] [ECS Runtime Thread] at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
    [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallerImpl.unmarshal0(UnmarshallerImpl.java:211)
    [ecs-ep.ecs-ep] [ECS Runtime Thread] ... 17 more
    09 December 2019
    OFFENSES IJ16819 OFFENSES CAN FAIL TO GENERATE AND OR UPDATE WHEN USERNAME OR HOSTNAME IN ASSET EXCEEDS 255 CHARACTERS CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)

    It has been identified that Offenses can fail to generate, or Offense data can fail to update, when a username or hostname in an asset exceeds 255 characters.
    When this issue occurs, the magistrate (MPC) continuously attempts to recover and repeatedly experiences a TX Sentry reported in /var/log/qradar.log with entries similar to:
    'Multiple (101) TX's found, attempting recovery'

    Messages similar to the following might be visible in qradar-sql.log when this issue occurs:
    postgres[49684]: [3-1] ERROR: value too long for type character varying(255)
    postgres[49684]: [3-2] CONTEXT:  SQL statement "INSERT into offense_target_link (offense_id, target_id, add_time, macaddress, hostname, username)
    postgres[49684]: [3-3] values (p_offense, v_target, extract (epoch from now())::int8, substring (v_identity.macaddress from 1 for 17), v_identity.hostname, v_identity.username)"
    postgres[49684]: [3-4] PL/pgSQL function link_offense_targets(bigint,character varying,integer) line 34 at SQL statement
    postgres[49684]: [3-5] STATEMENT:  select * from link_offense_targets($1,$2, $3, $4)  as result
    09 December 2019
    DEPLOY CHANGES / QFLOW IJ15630 DEPLOY FUNCTION TIMEOUT CAUSED BY INCORRECT DEPLOYMENT.XML COMPONENT DATA AFTER A QFLOW SOURCE IS REMOVED CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)

    It has been identified that QRadar 'Deploy' function can fail (timeout) after removing a QFlow source that has connections to QRadar Network Insights (QNI) in Deployment.xml. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [user@127.0.0.1 (9488) /console/JSON-RPC/QRadar.scheduleDeployment QRadar.scheduleDeployment] at java.lang.Thread.run(Thread.java:812)
    [tomcat.tomcat] [user@127.0.0.1 (9488) /console/JSON-RPC/QRadar.scheduleDeployment QRadar.scheduleDeployment] Caused by:
    [tomcat.tomcat] [user@127.0.0.1 (9488) /console/JSON-RPC/QRadar.scheduleDeployment QRadar.scheduleDeployment] java.lang.NullPointerException
    [tomcat.tomcat] [user@127.0.0.1 (9488) /console/JSON-RPC/QRadar.scheduleDeployment QRadar.scheduleDeployment] at com.q1labs.configservices.util.forensics.QniDtlsHelper.getQflowDtlsConnectionsList(QniDtlsHelper.java)
    [tomcat.tomcat] [user@127.0.0.1 (9488) /console/JSON-RPC/QRadar.scheduleDeployment QRadar.scheduleDeployment] at com.q1labs.configservices.config.globalset.forensics.QniDtlsConfigurationTransformer.configureDtlsConnections(QniDtlsConfigurationTransformer.java)
    09 December 2019
    LOG SOURCES / USER INTERFACE IJ16162 QRADAR USER INTERFACE BECOMES UNRESPONSIVE DURING BULK CHANGES MADE TO A LARGE NUMBER OF LOG SOURCES USING THE API CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)

    It has been identified that the QRadar User Interface can sometimes become unresponsive due to a session leak caused by a large number of bulk changes made to Log Sources using the QRadar Log Source Management App (API) in QRadar environments with hundreds of thousands of Log Sources. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] com.q1labs.rpcservices.LogSourceServices: [ERROR] [NOT:0000003000][IP ADDRESS/- -] [-/- -]Unable to get session context to update device last seen times
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] java.util.ConcurrentModificationException
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] at gnu.trove.impl.hash.THashIterator.nextIndex(THashIterator.java)
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] at gnu.trove.impl.hash.THashIterator.hasNext(THashIterator.java)
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] at java.lang.Iterable.forEach(Iterable.java:85)
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.rpcservices.LogSourceUpdate.closePreparedStatements(LogSourceUpdate.java)
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.rpcservices.LogSourceServices$PersistLogSourceUpdateTask.persistLogSourceUpdates(LogSourceServices.java)
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.rpcservices.LogSourceServices$PersistLogSourceUpdateTask.run(LogSourceServices.java)
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] at java.util.TimerThread.mainLoop(Timer.java:566)
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] at java.util.TimerThread.run(Timer.java)
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] com.q1labs.frameworks.session.SessionContext: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]28012 leak(s) detected in session context: 640axxxx-xxxx-xxxx-xxxx-e33fc1xxxx
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] com.q1labs.frameworks.session.SessionContext: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]java.sql.PreparedStatement leak detected. Object created in following code path
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] java.lang.Exception
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.frameworks.session.BaseWrapper.(BaseWrapper.java)
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.frameworks.session.PreparedStatementWrapper.(PreparedStatementWrapper.java)
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.frameworks.session.ConnectionWrapper.prepareStatement(ConnectionWrapper.java)
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.rpcservices.LogSourceUpdate.getPreparedStatement(LogSourceUpdate.java)
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.rpcservices.LogSourceServices$PersistLogSourceUpdateTask.persistLogSourceUpdates(LogSourceServices.java)
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.rpcservices.LogSourceServices$PersistLogSourceUpdateTask.run(LogSourceServices.java)
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] at java.util.TimerThread.mainLoop(Timer.java)
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] at java.util.TimerThread.run(Timer.java:516)
    09 December 2019
    FLOWS / USER INTERFACE IJ21572 NO FLOW SOURCE ALIAS ARE DISPLAYED IN THE QRADAR USER INTERFACE CLOSED Resolved in:
    QRadar 7.3.3 (7.3.3.20191031163225)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    After a fresh install of or patch to QRadar version 7.3.2, no Flow Source Aliases might be displayed on the Admin > Flow Source Alias page of the QRadar User Interface.
    19 December 2019
    ROUTING RULES IJ21049 ROUTING RULES FOR ASSET HOSTNAME FILTERING ON SPECIFIC EVENT COLLECTOR APPLIANCES DOES NOT WORK AS EXPECTED CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 (7