IBM Support

IJ26863: THE USE OF MSRPC AND IIS SIMULTANEOUSLY MIGHT CAUSE POTENTIAL DEADLOCK THREADS


APAR status

  • Closed as program error.

Error description

  • It has been observed that MSRPC and IIS Log Sources cannot be
    used simultaneously due to a potential thread deadlock.
    
    Administrators might be required to disable a protocol until a
    Microsoft Windows Security Event Log over MSRPC protocol update
    can be delivered.
    This might be the result of a jar file.
    Messages similar to the following might be visible in
    /var/log/qradar.log when this issue is
    occurring:
    
    "RPCEventLogHandler thread" Id=3378 in BLOCKED on lock=com.example.common.NamedRepository@abc
     owned by RPCEventLogHandler thread Id=7388
     at com.example.client.Server.dispose(Server.java:350)
     at com.example.client.Server.disconnect(Server.java:750)
     at com.example.client.Server.disconnect(Server.java:702)
     at com.example.client.Mount.doMount(Mount.java:521)
     at com.example.client.Mount.doMount(Mount.java:483)
     at com.example.client.Mount.doMount(Mount.java:479)
     at com.example.client.Mount.<init>(Mount.java:280)
     at com.example.client.rpc.SmbTransport.<init>(SmbTransport.java:29)
     at com.example.client.rpc.Dcerpc.connect(Dcerpc.java:818)
     at com.example.client.rpc.Dcerpc.<init>(Dcerpc.java:445)
     at com.example.client.rpc.Winreg.<init>(Winreg.java:130)
     at com.q1labs.semsources.sources.windowseventrpc.eventsource.common.EventLogWinRegistry.connectRemoteRegistry(EventLogWinRegistry.java:58)
     at com.q1labs.semsources.sources.windowseventrpc.eventsource.RPCSession.queryRemoteHostInfo(RPCSession.java:80)
     at com.q1labs.semsources.sources.windowseventrpc.eventsource.RPCSession.<init>(RPCSession.java:53)
     at com.q1labs.semsources.sources.windowseventrpc.eventsource.RPCEventLogHandler.connect(RPCEventLogHandler.java:129)
     at com.q1labs.semsources.sources.windowseventrpc.eventsource.RPCEventLogHandler.run(RPCEventLogHandler.java:372)
     at java.lang.Thread.run(Thread.java:818)

    "RPCEventLogHandler thread" Id=7388 in TIMED_WAITING on lock=java.util.concurrent.locks.ReentrantLock$NonfairSync@bxyz (running in native)
     owned by RPCEventLogHandler thread Id=3378
     at sun.misc.Unsafe.park(Native Method)
     at java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java:226)
     at java.util.concurrent.locks.AbstractQueuedSynchronizer.doAcquireNanos(AbstractQueuedSynchronizer.java:945)
     at java.util.concurrent.locks.AbstractQueuedSynchronizer.tryAcquireNanos(AbstractQueuedSynchronizer.java:1258)
     at java.util.concurrent.locks.ReentrantLock.tryLock(ReentrantLock.java:453)
     at com.example.client.Server.tryLock(Server.java:1528)
     at com.example.client.Server.waitTryLock(Server.java:1542)
     at com.example.client.Server.disconnect(Server.java:739)
     at com.example.client.Server.disconnect(Server.java:714)
     at com.example.client.Server.checkTimeouts(Server.java:665)
     at com.example.client.Server.findOrCreate(Server.java:965)
     - locked com.example.common.NamedRepository@a2d539c5
     at com.example.client.Mount.doMount(Mount.java:498)
     at com.example.client.Mount.doMount(Mount.java:483)
     at com.example.client.Mount.doMount(Mount.java:479)
     at com.example.client.Mount.<init>(Mount.java:280)
     at com.example.client.rpc.SmbTransport.<init>(SmbTransport.java:29)
     at com.example.client.rpc.Dcerpc.connect(Dcerpc.java:818)
     at com.example.client.rpc.Dcerpc.<init>(Dcerpc.java:445)
     at com.example.client.rpc.Lsar.<init>(Lsar.java:118)
     at com.q1labs.semsources.sources.windowseventrpc.util.SIDCache.<init>(SIDCache.java:40)
     at com.q1labs.semsources.sources.windowseventrpc.eventsource.RPCEventLogHandler.connect(RPCEventLogHandler.java:127)
     at com.q1labs.semsources.sources.windowseventrpc.eventsource.RPCEventLogHandler.run(RPCEventLogHandler.java:372)
     at java.lang.Thread.run(Thread.java:818)
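
One way to check a log excerpt for the mutual-wait pattern shown above is to read each thread header's "on lock= ... owned by ... Id=" clause as an edge and look for a cycle. This is an added example, not IBM or QRadar code; the function names and the third thread (Id=4100) in the sample are constructed for illustration.

```python
import re

# Thread header and owner clause as they appear in the APAR's qradar.log excerpt.
# \s+ tolerates the line wrapping seen on the page.
HEADER = re.compile(r'"([^"\n]+)"\s+Id=(\d+)\s+in\s+(\w+)\s+on\s+lock=(\S+)')
OWNER = re.compile(r'owned\s+by\s.*?Id=(\d+)', re.S)

def parse_waits(text):
    """Map waiting thread id -> (state, lock, owner thread id)."""
    heads = list(HEADER.finditer(text))
    waits = {}
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        o = OWNER.search(text, h.end(), end)  # owner must precede the next header
        if o:
            waits[int(h.group(2))] = (h.group(3), h.group(4), int(o.group(1)))
    return waits

def find_cycles(waits):
    """Follow thread -> lock-owner edges; return each wait cycle once."""
    cycles, seen = [], set()
    for start in waits:
        path, tid = [], start
        while tid in waits and tid not in seen:
            seen.add(tid)
            path.append(tid)
            tid = waits[tid][2]
        if tid in path:  # walked back into the current path: a cycle
            cycles.append(path[path.index(tid):])
    return cycles

# Constructed sample: headers abbreviated from the excerpt above, plus a made-up
# thread Id=4100 that waits on the cycle without being part of it.
SAMPLE = '''\
"RPCEventLogHandler thread" Id=3378 in BLOCKED on
lock=com.example.common.NamedRepository@abc
 owned by
RPCEventLogHandler thread Id=7388
 at com.example.client.Server.dispose(Server.java:350)
"RPCEventLogHandler thread" Id=7388 in TIMED_WAITING on lock=java.util.concurrent.locks.ReentrantLock$NonfairSync@bxyz (running in native)
 owned by RPCEventLogHandler thread Id=3378
 at sun.misc.Unsafe.park(Native Method)
"RPCEventLogHandler thread" Id=4100 in BLOCKED on lock=com.example.common.NamedRepository@abc
 owned by RPCEventLogHandler thread Id=7388
 at com.example.client.Server.findOrCreate(Server.java:965)
'''

if __name__ == "__main__":
    waits = parse_waits(SAMPLE)
    for cycle in find_cycles(waits):
        for tid in cycle:
            print("Id=%d %s on %s owned by Id=%d" % ((tid,) + waits[tid]))
```

The TIMED_WAITING thread in the page's trace is parked in a timed tryLock, so timed waits are treated as edges as well as BLOCKED ones.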
    

Local fix

  • Contact support for a possible workaround.
    

Problem summary

  • It has been observed that MSRPC and IIS Log Sources cannot be
    used simultaneously due to a potential thread deadlock. This
    might be the result of a jar file.
    The fix for this issue is available in the weekly auto update
    for 1 December 2020 (Build 1606478030) and in the following RPMs
    on IBM Fix Central:
    PROTOCOL-WindowsEventRPC-7.3-20201028123850.noarch.rpm
    PROTOCOL-WindowsEventRPC-7.4-20201028123859.noarch.rpm
    

Problem conclusion

  • Fixed with the release of:
    PROTOCOL-WindowsEventRPC-7.3-20201028123850.noarch.rpm or later
    PROTOCOL-WindowsEventRPC-7.4-20201028123859.noarch.rpm or later
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ26863

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    733

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-08-06

  • Closed date

    2020-12-11

  • Last modified date

    2020-12-11

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels

  • Line of Business: Data and AI
  • Business Unit: Software
  • Product: IBM QRadar SIEM
  • Platform: Platform Independent
  • Version: 733

Document Information

Modified date:
14 December 2020