APAR status
Closed as program error.
Error description
After applying QRadar 7.3.2 Patch 2, WinCollect is unable to register new agents, and existing agents report "invalid token role" errors in QRadar logging, if an authentication token with the "Admin" or "All" user role is used. Messages similar to the following might be visible in /var/log/qradar.error when this issue is occurring:

[tomcat.tomcat] [Token: WinCollectAgent@127.0.0.1 (7331) /console/wincollect] com.q1labs.core.ui.servlet.WinCollect: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]Session:DFC95AEF26CC2DA38F5BB0C611D52CA5 - possible CSRF attack detected, invalid token role 'All'

[tomcat.tomcat] [Token: WinCollectAgent@127.0.0.1 (7481) /console/wincollect] com.q1labs.core.ui.servlet.WinCollect: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]Session:02CC745E11B1A731ADB0021C525A0A6A - possible CSRF attack detected, invalid token role 'All'

[tomcat.tomcat] [Token: WinCollectAgent@127.0.0.1 (7600) /console/wincollect] com.q1labs.core.ui.servlet.WinCollect: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]Session:D9E0340E0A9BC084E6B73484FC33C1A9 - possible CSRF attack detected, invalid token role 'All'
Local fix
Contact Support for a possible workaround that might address this issue in some instances.
Problem summary
After applying QRadar 7.3.2 Patch 2, WinCollect is unable to register new agents, and existing agents report "invalid token role" errors in QRadar logging, if an authentication token with the "Admin" or "All" user role is used. Messages similar to the following might be visible in /var/log/qradar.error when this issue is occurring:

[tomcat.tomcat] [Token: WinCollectAgent@127.0.0.1 (7331) /console/wincollect] com.q1labs.core.ui.servlet.WinCollect: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]Session:DFC95AEF26CC2DA38F5BB0C611D52CA5 - possible CSRF attack detected, invalid token role 'All'

[tomcat.tomcat] [Token: WinCollectAgent@127.0.0.1 (7481) /console/wincollect] com.q1labs.core.ui.servlet.WinCollect: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]Session:02CC745E11B1A731ADB0021C525A0A6A - possible CSRF attack detected, invalid token role 'All'

[tomcat.tomcat] [Token: WinCollectAgent@127.0.0.1 (7600) /console/wincollect] com.q1labs.core.ui.servlet.WinCollect: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]Session:D9E0340E0A9BC084E6B73484FC33C1A9 - possible CSRF attack detected, invalid token role 'All'
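A triage sketch for the messages quoted in the error description and problem summary, as an added example that is not IBM's code: it parses these warnings and separates entries matching this APAR's signature (WinCollect servlet path, token role 'Admin' or 'All') from other "possible CSRF attack detected" entries that still need review. The sample lines other than the first, the role name CustomRole, the token name OtherToken and the field names are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the format quoted from /var/log/qradar.error. Line 1 is
# from the page; the 'Admin' and 'CustomRole' lines and the INFO line are constructed.
SAMPLE = """\
[tomcat.tomcat] [Token: WinCollectAgent@127.0.0.1 (7331) /console/wincollect] com.q1labs.core.ui.servlet.WinCollect: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]Session:DFC95AEF26CC2DA38F5BB0C611D52CA5 - possible CSRF attack detected, invalid token role 'All'
[tomcat.tomcat] [Token: WinCollectAgent@127.0.0.1 (7481) /console/wincollect] com.q1labs.core.ui.servlet.WinCollect: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]Session:00000000000000000000000000000001 - possible CSRF attack detected, invalid token role 'Admin'
[tomcat.tomcat] [Token: OtherToken@192.0.2.10 (7600) /console/wincollect] com.q1labs.core.ui.servlet.WinCollect: [WARN] [NOT:0000004000][192.0.2.10/- -] [-/- -]Session:00000000000000000000000000000002 - possible CSRF attack detected, invalid token role 'CustomRole'
[tomcat.tomcat] [constructed] com.example.Unrelated: [INFO] nothing to see
"""

# Roles the APAR text names as triggering the defect.
APAR_ROLES = {"Admin", "All"}

# 'num' is the parenthesised number after the token; the page does not say
# what it means, so it is captured but not interpreted.
LINE_RE = re.compile(
    r"\[Token: (?P<token>[^@\]]+)@(?P<host>\S+) \((?P<num>\d+)\) (?P<path>\S+)\]"
    r".*?Session:(?P<session>[0-9A-F]+) - possible CSRF attack detected, "
    r"invalid token role '(?P<role>[^']*)'"
)

def parse(text):
    """Return one dict per 'invalid token role' warning found in text."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        # Signature described in this APAR: WinCollect servlet + Admin/All role.
        d["matches_apar"] = (d["path"] == "/console/wincollect"
                             and d["role"] in APAR_ROLES)
        hits.append(d)
    return hits

def summarize(hits):
    """Count warnings per (token name, role, matches-APAR-signature)."""
    return Counter((h["token"], h["role"], h["matches_apar"]) for h in hits)

if __name__ == "__main__":
    for (token, role, known), n in summarize(parse(SAMPLE)).items():
        label = "matches APAR signature" if known else "review separately"
        print(f"{n:3d}  token={token}  role={role}  -> {label}")
```
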
Problem conclusion
The issue was resolved in QRadar version 7.3.2 Patch 2 Interim Fix 2 and 7.3.2 Patch 3.
Temporary fix
Comments
APAR Information
APAR number
IJ17394
Reported component name
QRADAR SOFTWARE
Reported component ID
5725QRDSW
Reported release
732
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-07-03
Closed date
2019-07-12
Last modified date
2019-07-24
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
QRADAR SOFTWARE
Fixed component ID
5725QRDSW
Applicable component levels
Document Information
Modified date:
24 July 2019