IJ18492: /VAR/LOG PARTITION CAN FILL WITH EXCEPTION THROWN WHEN USING 'CHAINED EXPLOIT FOLLOWED BY SUSPICIOUS EVENTS' RULE TEST


APAR status

  • Closed as program error.

Error description

  • It has been identified that an exception is thrown during the
    test of the Custom Rule Engine rule "Chained Exploit Followed
    by Suspicious Events". As events are tested against rules, the
    following exception is thrown on every evaluation of that rule
    and can quickly fill up the /var/log partition.
    Messages similar to the following might be visible in
    /var/log/qradar.log when this issue is occurring:
    [ecs-ep.ecs-ep] [CRE Processor [4]] com.q1labs.semsources.cre.CustomRule: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception in rule 100106 - Chained Exploit Followed by Suspicious Events: Entry.next=null, data[removeIndex]=<ipaddress>=package com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@a57ddb4a previous=<ipaddress>=package com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@a57ddb4a key=<ipaddress>value=package com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@af135446 size=25000 maxSize=25000 Please check that your keys are immutable, and that you have used synchronization properly. If so, then please report this to commons-dev@jakarta.apache.org as a bug.
    [ecs-ep.ecs-ep] [CRE Processor [4]] java.lang.IllegalStateException: Entry.next=null, data[removeIndex]=<ipaddress>=package com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@a57ddb4a previous=<ipaddress>=package com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@a57ddb4a key=<ipaddress> value=package com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@af135446 size=25000 maxSize=25000 Please check that your keys are immutable, and that you have used synchronization properly. If so, then please report this to commons-dev@jakarta.apache.org as a bug.
    [ecs-ep.ecs-ep] [CRE Processor [4]]    at org.apache.commons.collections.map.LRUMap.reuseMapping(LRUMap.java:301)
    [ecs-ep.ecs-ep] [CRE Processor [4]]    at com.q1labs.frameworks.cache.LFUMap.reuseMapping(LFUMap.java:263)
    [ecs-ep.ecs-ep] [CRE Processor [4]]    at org.apache.commons.collections.map.LRUMap.addMapping(LRUMap.java:267)
    [ecs-ep.ecs-ep] [CRE Processor [4]]    at org.apache.commons.collections.map.AbstractHashedMap.put(AbstractHashedMap.java:284)
    [ecs-ep.ecs-ep] [CRE Processor [4]]    at com.q1labs.frameworks.cache.LFUMap.put(LFUMap.java:226)
    [ecs-ep.ecs-ep] [CRE Processor [4]]    at com.q1labs.semsources.cre.tests.DoubleSequenceFunction_Test.test(DoubleSequenceFunction_Test.java:237)
    [ecs-ep.ecs-ep] [CRE Processor [4]]    at com.q1labs.semsources.cre.tests.CREStatefulEventTest.test(CREStatefulEventTest.java:81)
    [ecs-ep.ecs-ep] [CRE Processor [4]]    at com.q1labs.semsources.cre.gen.TestExecutor_1_0.test(TestExecutor_1_0.java)
    [ecs-ep.ecs-ep] [CRE Processor [4]]    at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:519)
    [ecs-ep.ecs-ep] [CRE Processor [4]]    at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:476)
    [ecs-ep.ecs-ep] [CRE Processor [4]]    at com.q1labs.semsources.cre.CustomRuleSetExecutor.testRule(CustomRuleSetExecutor.java:342)
    [ecs-ep.ecs-ep] [CRE Processor [4]]    at com.q1labs.semsources.cre.CustomRuleSetExecutor.test(CustomRuleSetExecutor.java:210)
    [ecs-ep.ecs-ep] [CRE Processor [4]]    at com.q1labs.semsources.cre.LocalRuleExecutor.processEventInPropertyMode(LocalRuleExecutor.java:229)
    [ecs-ep.ecs-ep] [CRE Processor [4]]    at com.q1labs.semsources.cre.LocalRuleExecutor.processEvent(LocalRuleExecutor.java:158)
    [ecs-ep.ecs-ep] [CRE Processor [4]]    at com.q1labs.semsources.cre.CREEventProcessor.processEvent(CustomRuleEngine.java:521)
    [ecs-ep.ecs-ep] [CRE Processor [4]]    at com.q1labs.semsources.cre.CREEventProcessor.run(CustomRuleEngine.java:464)
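A quick way to confirm this APAR's signature in a log and gauge how fast it is consuming /var/log, as an added example written for this page (not IBM or QRadar code). It assumes qradar.log lines of the shape quoted above; the sample lines, the [INFO] line and the shortened stack traces are constructed, and the function names are the example's own.

```python
import re
from collections import Counter

# Signature pieces taken from the APAR's quoted /var/log/qradar.log excerpt.
RULE_RE = re.compile(r"\[CRE Processor \[(\d+)\]\].*Exception in rule (\d+) - ([^:]+):")
PROC_RE = re.compile(r"\[CRE Processor \[(\d+)\]\]")
CONT_RE = re.compile(r"\]\s+(java\.lang\.IllegalStateException:|at )")
LRU_FRAME = "org.apache.commons.collections.map.LRUMap.reuseMapping("

# Constructed sample in the shape of the APAR's excerpt (not real log data; traces shortened).
SAMPLE_LOG = """\
[ecs-ep.ecs-ep] [CRE Processor [4]] com.q1labs.semsources.cre.CustomRule: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception in rule 100106 - Chained Exploit Followed by Suspicious Events: Entry.next=null, data[removeIndex]=<ipaddress>=package com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@a57ddb4a size=25000 maxSize=25000 Please check that your keys are immutable, and that you have used synchronization properly.
[ecs-ep.ecs-ep] [CRE Processor [4]] java.lang.IllegalStateException: Entry.next=null, data[removeIndex]=<ipaddress>=package com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@a57ddb4a size=25000 maxSize=25000
[ecs-ep.ecs-ep] [CRE Processor [4]]    at org.apache.commons.collections.map.LRUMap.reuseMapping(LRUMap.java:301)
[ecs-ep.ecs-ep] [CRE Processor [4]]    at com.q1labs.frameworks.cache.LFUMap.reuseMapping(LFUMap.java:263)
[ecs-ep.ecs-ep] [CRE Processor [1]] com.q1labs.semsources.cre.CustomRule: [INFO] constructed unrelated line
[ecs-ep.ecs-ep] [CRE Processor [4]] com.q1labs.semsources.cre.CustomRule: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception in rule 100106 - Chained Exploit Followed by Suspicious Events: Entry.next=null, size=25000 maxSize=25000
[ecs-ep.ecs-ep] [CRE Processor [4]] java.lang.IllegalStateException: Entry.next=null, size=25000 maxSize=25000
[ecs-ep.ecs-ep] [CRE Processor [4]]    at org.apache.commons.collections.map.LRUMap.reuseMapping(LRUMap.java:301)
"""


def scan(lines):
    """Tally 'Exception in rule' blocks per rule: the ERROR line plus the exception
    message and stack frames the same CRE processor logs right after it."""
    by_rule = Counter()   # (rule id, rule name) -> exception count
    lru_frames = 0        # frames through LRUMap.reuseMapping, where the defect surfaces
    burst_bytes = 0       # log bytes those blocks consume (newline included)
    open_blocks = set()   # processors currently inside an exception block
    for line in lines:
        m = RULE_RE.search(line)
        if m:
            by_rule[(int(m.group(2)), m.group(3).strip())] += 1
            open_blocks.add(m.group(1))
            burst_bytes += len(line) + 1
            continue
        pm = PROC_RE.search(line)
        if pm and pm.group(1) in open_blocks and CONT_RE.search(line):
            burst_bytes += len(line) + 1
            lru_frames += int(LRU_FRAME in line)
        elif pm:
            open_blocks.discard(pm.group(1))   # an ordinary line ends that block
    return {"by_rule": by_rule, "lru_frames": lru_frames, "burst_bytes": burst_bytes}


def is_ij18492(summary):
    """True when rule 100106 throws and the trace passes through LRUMap.reuseMapping."""
    hits = sum(n for (rid, _), n in summary["by_rule"].items() if rid == 100106)
    return hits > 0 and summary["lru_frames"] > 0
```

Run scan() over a tailed window of qradar.log and divide burst_bytes by the window's duration to estimate how quickly the partition will fill before the fix pack is applied.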

Local fix

  • No workaround available.

Problem summary

  • This issue was fixed in QRadar QRM QVM release of 7.3.3 FixPack
    9 and 7.4.3.

Problem conclusion

  • This issue was fixed in QRadar QRM QVM release of 7.3.3 FixPack
    9 and 7.4.3.

Temporary fix

Comments

APAR Information

  • APAR number

    IJ18492

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    732

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-08-21

  • Closed date

    2021-08-11

  • Last modified date

    2021-08-11

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Document Information

Modified date:
12 August 2021