IBM Support

IJ22566: QRADAR PATCHING CAN FAIL AND ROLLBACK ON BLANK TABLES IN A QVM FUSION DATABASE

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • The QRadar patching process can fail and rollback when there
    are unexpected blank tables within a QVM fusion database.
    Messages similar to the following might be visble during the
    patch process and also within the most recent
    /var/log/setup-7.3.3.xxxxxxxxx/patches.log
    Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG]
    ip=<host_ipaddress>
    Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] starting
    Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] Found 0 patch
    report files.
    Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG]
    Patch Report for 172.16.77.26, appliance type: 1202
    <hostname>: patch test succeeded.
    1 SQL script errors were detected; Error applying script [3/3]
    '/media/updates/opt/qvm/db/sql/functions/all_functions.sql' for
    Test_fusionvm database.; details:
    WARNING: SET TRANSACTION can only be used in transaction blocks
    ERROR: insert or update on table "toolsuitecomponents" violates
    foreign key constraint
    "fk_toolsuitecomponents_toolsuite_l7protocolcodes"
    DETAIL: Key (l7protocolcode)=(18) is not present in table
    "toolsuite_l7protocolcodes".
    CONTEXT: SQL statement "INSERT INTO ToolSuiteComponents VALUES
    (10001,5,'netbios -
    ports','/bin/netbios/netbios_ports.pl','1.0',TRUE,TRUE,18,'','',
    1,5,10000,2,10,2)"
    PL/pgSQL function enable_netbios_ports() line 4 at SQL statement
    <hostname> : patch rolled back.
    Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] pr=
    Patch Report for <host_ipaddress>, appliance type: 1202
    <hostname> : patch test succeeded.
    1 SQL script errors were detected; Error applying script [3/3]
    '/media/updates/opt/qvm/db/sql/functions/all_functions.sql' for
    Test_fusionvm database.; details:
    WARNING: SET TRANSACTION can only be used in transaction blocks
    ERROR: insert or update on table "toolsuitecomponents" violates
    foreign key constraint
    "fk_toolsuitecomponents_toolsuite_l7protocolcodes"
    DETAIL: Key (l7protocolcode)=(18) is not present in table
    "toolsuite_l7protocolcodes".
    CONTEXT: SQL statement "INSERT INTO ToolSuiteComponents VALUES
    (10001,5,'netbios -
    ports','/bin/netbios/netbios_ports.pl','1.0',TRUE,TRUE,18,'','',
    1,5,10000,2,10,2)"
    PL/pgSQL function enable_netbios_ports() line 4 at SQL statement
    <hostname> : patch rolled back.
    Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] non console;
    interactive end.
    Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] complete
    Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] finishing up
    and restarting services.
    Mon Dec 2 11:57:21 AST 2019: ./patchInstaller.pl -patchfile
    /storetmp/2019140_QRadar_patchupdate-2019.14.0.20191031163225.sf
    s -p ./superpatches.manifest.xml completed with result 1
    

Local fix

  • Contact Support for a possible workaround that might address
    this issue in some instances.
    

Problem summary

  • This issue was fixed in QRadar QRM QVM release of 7.3.3 FixPack
    5 and 7.4.1 FixPack 1.
    

Problem conclusion

  • This issue was fixed in QRadar QRM QVM release of 7.3.3 FixPack
    5 and 7.4.1 FixPack 1.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ22566

  • Reported component name

    QR VULNERABILIT

  • Reported component ID

    5725QVMSW

  • Reported release

    732

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-02-05

  • Closed date

    2020-10-08

  • Last modified date

    2020-10-08

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QR VULNERABILIT

  • Fixed component ID

    5725QVMSW

Applicable component levels

[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSHLPS","label":"IBM Security QRadar Vulnerability Manager"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"732"}]

Document Information

Modified date:
09 October 2020