IBM Support

IV87193: QRADAR SYSTEM DEGRADATION AND/OR DROPPED EVENTS CAN BE CAUSED BY SOME VULNERABILITY CRE TESTS


APAR status

  • Closed as program error.

Error description

  • In some instances, when vulnerability CRE tests are run on
    systems with a large number of vulnerabilities/assets, the
    per-event vulnerability lookup query can hold a database
    transaction open long enough that the TxSentry watchdog flags
    the ECS process (ecs-ep). While the event pipeline is stalled
    in this state, events are dropped.
    
    Messages similar to the following might be visible in
    /var/log/qradar.log when this issue is occurring.
    [hostcontext.hostcontext]
    [a4bc9cbe-35c3-4910-a4e7-a87cb0b2322d/SequentialEventDispatcher]
    com.q1labs.hostcontext.tx.TxSentry: [WARN]
    [NOT:0000004000][127.0.0.1/- -] [-/- -]Found a process on host
    127.0.0.1: ecs-ep, pid=23134 children= immediately=false, TX
    age=635 secs
    [hostcontext.hostcontext]
    [a4bc9cbe-35c3-4910-a4e7-a87cb0b2322d/SequentialEventDispatcher]
    com.q1labs.hostcontext.tx.TxSentry: [WARN]
    [NOT:0000004000][127.0.0.1/- -] [-/- -]    TX on host
    127.0.0.1: pid=23134 age=635 IP=127.0.0.1 port=36239 locks=10
    query='select
    v.vulnid,v.osvdbid,v.osvdbtitle,v.osvdbcreatedate,v.lastmodified
    date,v.exploitpublishdate,v.disclosuredate,v.discoverydate,aggar
    ray(distinct q.qid::text) as qids from vuln v inner join
    asset.portvulnview pv on v.vulnid = pv.vulnid left outer join
    qidtovuln qv on v.vulnid = qv.vulnid left outer join qidmap q
    on qv.qidmapid = q.id where pv.vulnid in
    (95389,61076,3121,65601,71235,61527,61075,4217,74873,59288,13293
    5,125715,61449,69902,64519,73450,59287,96350,59166,24678,59819,5
    9165,61250,59195,101348,69054,60990,60545,132080,77084,62187,613
    74,95003,59284,71226,59164,63333,63810,61587,15608,68784,95288,6
    4020,91816,61835,66245,59529,126192,68326) group by
    v.vulnid,v.osvdbid,v.osvdbtitle,v.osvdbcreatedate,v.lastmodified
    date,v.exploitpublishdate,v.disclosuredate,v.discoverydate'
    [hostcontext.hostcontext]
    [a4bc9cbe-35c3-4910-a4e7-a87cb0b2322d/SequentialEventDispatcher]
    com.q1labs.hostcontext.tx.TxSentry: [INFO]
    [NOT:0000006000][127.0.0.1/- -] [-/- -]Following message
    suppressed 1 times in 300000 milliseconds
    [hostcontext.hostcontext]
    [a4bc9cbe-35c3-4910-a4e7-a87cb0b2322d/SequentialEventDispatcher]
    com.q1labs.hostcontext.tx.TxSentry: [WARN]
    [NOT:0000004000][127.0.0.1/- -] [-/- -]    Lock acquired on
    host 127.0.0.1: rel=portvulnxref age=635 granted=t
    mode=AccessShareLock query='select
    v.vulnid,v.osvdbid,v.osvdbtitle,v.osvdbcrea'
    ecs-ep[22007]: Thread=CRE Processor [12] (00007FA1E0A921B0)
    Status=Running
    ecs-ep[22007]:  at
    java/net/SocketInputStream.socketRead0(Ljava/io/FileDescriptor;[
    BIII)I (Native Method)
    ecs-ep[22007]:  at java/net/SocketInputStream.read([BIII)I
    (SocketInputStream.java:164) (Compiled Code)
    ecs-ep[22007]:  at java/net/SocketInputStream.read([BII)I
    (SocketInputStream.java:134) (Compiled Code)
    ecs-ep[22007]:  at
    org/postgresql/core/VisibleBufferedInputStream.readMore(I)Z
    (VisibleBufferedInputStream.java:143) (Compiled Code)
    ecs-ep[22007]:  at
    org/postgresql/core/VisibleBufferedInputStream.ensureBytes(I)Z
    (VisibleBufferedInputStream.java:112) (Compiled Code)
    ecs-ep[22007]:  at
    org/postgresql/core/VisibleBufferedInputStream.read()I
    (VisibleBufferedInputStream.java:71) (Compiled Code)
    ecs-ep[22007]:  at org/postgresql/core/PGStream.ReceiveChar()I
    (PGStream.java:269) (Compiled Code)
    ecs-ep[22007]:  at
    org/postgresql/core/v3/QueryExecutorImpl.processResults(Lorg/pos
    tgresql/core/ResultHandler;I)V (QueryExecutorImpl.java:1700)
    (Compiled Code)
    ecs-ep[22007]:  at
    org/postgresql/core/v3/QueryExecutorImpl.execute(Lorg/postgresql
    /core/Query;Lorg/postgresql/core/ParameterList;Lorg/postgresql/c
    ore/ResultHandler;III)V (QueryExecutorImpl.java:255) (Compiled
    Code)
    ecs-ep[22007]:  at
    org/postgresql/jdbc2/AbstractJdbc2Statement.execute(Lorg/postgre
    sql/core/Query;Lorg/postgresql/core/ParameterList;I)V
    (AbstractJdbc2Statement.java:555) (Compiled Code)
    ecs-ep[22007]:  at
    org/postgresql/jdbc2/AbstractJdbc2Statement.executeWithFlags(Lja
    va/lang/String;I)Z (AbstractJdbc2Statement.java:403) (Compiled
    Code)
    ecs-ep[22007]:  at
    org/postgresql/jdbc2/AbstractJdbc2Statement.executeQuery(Ljava/l
    ang/String;)Ljava/sql/ResultSet;
    (AbstractJdbc2Statement.java:283)
    ecs-ep[22007]:  at
    com/mchange/v2/c3p0/impl/NewProxyStatement.executeQuery(Ljava/la
    ng/String;)Ljava/sql/ResultSet; (NewProxyStatement.java:35)
    (Compiled Code)
    ecs-ep[22007]:  at
    org/apache/openjpa/lib/jdbc/DelegatingStatement.executeQuery(Lja
    va/lang/String;Z)Ljava/sql/ResultSet;
    (DelegatingStatement.java:109) (Compiled Code)
    ecs-ep[22007]:  at
    org/apache/openjpa/lib/jdbc/LoggingConnectionDecorator$LoggingCo
    nnection$LoggingStatement.executeQuery(Ljava/lang/String;Z)Ljava
    /sql/ResultSet; (LoggingConnectionDecorator.java:896)
    ecs-ep[22007]:  at
    org/apache/openjpa/lib/jdbc/DelegatingStatement.executeQuery(Lja
    va/lang/String;Z)Ljava/sql/ResultSet;
    (DelegatingStatement.java:107) (Compiled Code)
    ecs-ep[22007]:  at
    org/apache/openjpa/jdbc/kernel/JDBCStoreManager$CancelStatement.
    executeQuery(Ljava/lang/String;Z)Ljava/sql/ResultSet;
    (JDBCStoreManager.java:1680)
    ecs-ep[22007]:  at
    org/apache/openjpa/lib/jdbc/DelegatingStatement.executeQuery(Lja
    va/lang/String;Z)Ljava/sql/ResultSet;
    (DelegatingStatement.java:107) (Compiled Code)
    ecs-ep[22007]:  at
    org/apache/openjpa/lib/jdbc/DelegatingStatement.executeQuery(Lja
    va/lang/String;)Ljava/sql/ResultSet;
    (DelegatingStatement.java:96)
    ecs-ep[22007]:  at
    com/q1labs/core/dao/vis/correlation/light/Vuln.lookupVulnSet(Lco
    m/q1labs/frameworks/session/ISessionContext;Lcom/q1labs/core/dao
    /vis/correlation/light/VulnArray;)Ljava/util/HashSet;
    (Vuln.java:279)
    ecs-ep[22007]:  at
    com/q1labs/core/dao/vis/correlation/light/Vuln.findByHost(Lcom/q
    1labs/frameworks/session/ISessionContext;J)Ljava/util/HashSet;
    (Vuln.java:320)
    ecs-ep[22007]:  at
    com/q1labs/jstl/test/Jstl.hostVulnerableForExploit(ILcom/q1labs/
    core/dao/util/Host;I)I (Jstl.java:698)
    ecs-ep[22007]:  at
    com/q1labs/jstl/test/Jstl.attackerHostVulnerableForExploit(Lcom/
    q1labs/core/types/networkevent/NetworkEvent;)I (Jstl.java:675)
    ecs-ep[22007]:  at
    com/q1labs/jstl/gen/OptJstl.attackerHostVulnerableForExploit(Lco
    m/q1labs/core/types/networkevent/NetworkEvent;)I
    (OptJstl.java:609)
    ecs-ep[22007]:  at
    com/q1labs/semsources/cre/tests/gen/Vulnerbility_attacker_curren
    t_any.test(Lcom/q1labs/core/types/networkevent/NetworkEvent;Lcom
    /q1labs/semsources/cre/tests/ExternalEventTests;)Z
    (Vulnerbility_attacker_current_any.java)
    ecs-ep[22007]:  at
    com/q1labs/semsources/cre/tests/Vulnerability_Test.test(Lcom/q1l
    abs/core/types/networkevent/NetworkEvent;Ljava/util/BitSet;Lcom/
    q1labs/semsources/cre/tests/ExternalEventTests;)Lcom/q1labs/sems
    ources/cre/CREResult; (Vulnerability_Test.java:48)
    
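To spot this signature in /var/log/qradar.log before a large number of events is lost, the following added Python example (not IBM's code) parses TxSentry warnings for the long-running vulnerability lookup and confirms from an ecs-ep thread dump which CRE test issued it. The sample lines are constructed from the messages quoted above and shortened; the 300-second age threshold and the control query are assumptions.

```python
import re

# Constructed sample modelled on the messages quoted above (not a real capture);
# queries and stack frames are shortened.
SAMPLE_LOG = """\
[hostcontext.hostcontext] [a4bc9cbe-35c3-4910-a4e7-a87cb0b2322d/SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]Found a process on host 127.0.0.1: ecs-ep, pid=23134 children= immediately=false, TX age=635 secs
[hostcontext.hostcontext] [a4bc9cbe-35c3-4910-a4e7-a87cb0b2322d/SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]    TX on host 127.0.0.1: pid=23134 age=635 IP=127.0.0.1 port=36239 locks=10 query='select v.vulnid,v.osvdbid from vuln v inner join asset.portvulnview pv on v.vulnid = pv.vulnid where pv.vulnid in (95389,61076)'
[hostcontext.hostcontext] [a4bc9cbe-35c3-4910-a4e7-a87cb0b2322d/SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]    TX on host 127.0.0.1: pid=30001 age=40 IP=127.0.0.1 port=36240 locks=2 query='select 1'
ecs-ep[22007]: Thread=CRE Processor [12] (00007FA1E0A921B0) Status=Running
ecs-ep[22007]:  at com/q1labs/core/dao/vis/correlation/light/Vuln.findByHost(Lcom/q1labs/frameworks/session/ISessionContext;J)Ljava/util/HashSet; (Vuln.java:320)
ecs-ep[22007]:  at com/q1labs/semsources/cre/tests/Vulnerability_Test.test(Lcom/q1labs/core/types/networkevent/NetworkEvent;Ljava/util/BitSet;Lcom/q1labs/semsources/cre/tests/ExternalEventTests;)Lcom/q1labs/semsources/cre/CREResult; (Vulnerability_Test.java:48)
"""

# A TxSentry "TX on host" warning: pid, transaction age in seconds and the SQL it is stuck on.
TX_RE = re.compile(
    r"TxSentry: \[WARN\].*?TX on host (?P<host>\S+): pid=(?P<pid>\d+) age=(?P<age>\d+) "
    r".*?query='(?P<query>.*)'$"
)
# The vulnerability lookup issued by Vulnerability_Test (shape taken from the log above).
VULN_QUERY_RE = re.compile(r"\bfrom vuln v inner join asset\.portvulnview\b")
# An ecs-ep thread-dump frame; the descriptor after '(' is dropped.
STACK_RE = re.compile(r"ecs-ep\[\d+\]:\s+at (?P<frame>[^\s(]+)")


def find_stuck_vuln_tx(lines, age_threshold_secs=300):
    """Return TX records whose query is the vulnerability lookup and whose
    age is at least age_threshold_secs (assumed threshold, not a QRadar setting)."""
    hits = []
    for line in lines:
        m = TX_RE.search(line)
        if not m:
            continue
        rec = {"host": m["host"], "pid": int(m["pid"]), "age": int(m["age"]), "query": m["query"]}
        if VULN_QUERY_RE.search(rec["query"]) and rec["age"] >= age_threshold_secs:
            hits.append(rec)
    return hits


def cre_tests_on_stack(lines):
    """Return the CRE test frames in an ecs-ep thread dump, which identify the
    rule test (here Vulnerability_Test) that issued the stuck query."""
    frames = []
    for line in lines:
        m = STACK_RE.search(line)
        if m and "/cre/tests/" in m["frame"]:
            frames.append(m["frame"])
    return frames


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for rec in find_stuck_vuln_tx(lines):
        print(f"stuck vuln lookup: pid={rec['pid']} age={rec['age']}s on {rec['host']}")
    print("CRE tests on stack:", cre_tests_on_stack(lines))
```

Run it against a real /var/log/qradar.log with `find_stuck_vuln_tx(open(path))`; a hit together with a Vulnerability_Test frame is the condition the Local fix below addresses.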

Local fix

  • Disable exploit rules which run the test
    "com.q1labs.semsources.cre.tests.Vulnerability_Test" so that
    the problematic query is not executed by the rules.
    

Problem summary

  • This issue was fixed in QRadar QRM QVM release of 728 Patch 11
    and 731 patch 3.
    

Problem conclusion

  • This issue was fixed in QRadar QRM QVM release of 728 Patch 11
    and 731 patch 3.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV87193

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    726

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-07-22

  • Closed date

    2018-08-02

  • Last modified date

    2018-12-19

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels


Document Information

Modified date:
19 December 2018