IBM Support

Interim Fix 03 - For QRadar 7.2.4 Patch 5 (7.2.4.1078277)

Release Notes


Abstract

Interim Fix 03 of IBM Security QRadar 7.2.4 Patch 5 (7.2.4.1078277)

Content

Interim fixes are intended to resolve specific APAR issues in the latest version of QRadar. If your deployment is installed with IBM Security QRadar 7.2.4 Patch 5 (7.2.4.1078277), then this interim fix can be applied to your system.



Issues resolved in Interim Fix 03 for QRadar 7.2.4 Patch 5
Number Description
IV72303DASHBOARD WIDGETS NOT DISPLAYING TIMES SERIES DATA FOR NON-ADMIN USERS WITH NON-ADMIN SECURITY PROFILE
IV72840QRADAR USER INTERFACE CAN BECOME UNRESPONSIVE IN DEPLOYMENTS WITH A LARGE NUMBER OF MANAGED HOSTS
IV730337.2.4.5 - SAVED SEARCHES THAT HAVE CUSTOM PROPERTIES WITH CAPITAL LETTERS IN THE FILTER ARE NOT WORKING PROPERLY
IV733517.2.4.5 - FILTERS CONTAINING CUSTOM PROPERTIES ARE NOT DISPLAYED IN ROUTING RULES OR EVENT/FLOW RETENTION WINDOWS
Issues resolved in Interim Fix 02 for QRadar 7.2.4 Patch 5
Number Description
IV70824QVM - AUTOMATIC POST SCAN REPORTS ARE NOT BEING GENERATED
IV72690QVM - VARIANCE BETWEEN THE NUMBER OF NEW VULNERABILITY TAB SCAN RESULT COMPARED TO NEW VULNERABILITIES IN ASSET DETAILS SCREEN
IV72692QVM - AN HOURLY CRON ASSOCIATED WITH QVM AND IBM ENDPOINT MANAGER INTEGRATIONS DOES NOT COMPLETE
IV72834QVM - VULNERABILTIY TREND REPORT VALUES DO NOT CHANGE
Issues resolved in Interim Fix 01 for QRadar 7.2.4 Patch 5
Number Description
IV722337.2.4.5 - CUSTOM EVENT PROPERTIES ARE NO LONGER DISPLAYED IN THE EDIT SEARCH SCREEN FOR SEARCHES CREATED PRIOR TO PATCHING
IV722607.2.4.5 - SOME 'MATCHING X CRITERIA' RULES CONTAINING CUSTOM EVENT PROPERTIES NO LONGER WORKING AFTER PATCHING
IV723167.2.4.5 - LARGE IP BASED REFERENCE SETS (10000+ ELEMENTS) ARE UNABLE TO BE UPDATED MANUALLY OR BY RULES
Security BulletinVULNERABILITY IN RC4 STREAM CIPHER AFFECTS IBM QRADAR SIEM (CVE-2015-2808)

Before you begin

Ensure that you take the following precautions:

  • Back up your data before you begin any software upgrade. For more information about backup and recovery, see the IBM Security QRadar Administration Guide.
  • To avoid access errors in your log file, close all open QRadar sessions.
  • The interim fix for QRadar cannot install on a managed host that is at a different software version from the Console. All appliances in the deployment must be at the same software revision to patch the entire deployment.
  • Verify that all changes are deployed on your appliances.
  • The patch cannot install on appliances that have changes that are not deployed.

About this task

Interim fixes are software updates intended to fix a small number of known software issues in your QRadar deployment. The interim fix restarts services, which halts event and flow collection in your deployment until the installation completes.


Procedure

  1. Download interim fix 7.2.4-QRADAR-QRSIEM-1100548INT from the IBM Fix Central website:
    http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Security%2BSystems&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.2.0&platform=Linux&function=fixId&fixids=7.2.4-QRADAR-QRSIEM-1100548INT&includeSupersedes=0&source=fc
  3. Using SSH, log in to your system as the root user.
  4. Copy the interim fix to the /tmp directory on the QRadar Console.
    Note: If space in the /tmp directory is limited, copy the interim fix to another location that has sufficient space.
  5. To create the /media/updates directory, type the following command: mkdir -p /media/updates
  6. Change to the directory where you copied the patch file. For example, cd /tmp
  7. To mount the patch file to the /media/updates directory, type the following command: mount -o loop -t squashfs 724_QRadar_interimfix-7.2.4.1078277-IF03-1100548.sfs /media/updates/
  8. To run the patch installer, type the following command:/media/updates/installer
    Note: The first time that you run the interim fix, there might be a delay before the installation menu is displayed.
  9. Using the patch installer, select all.

    The all option updates the software on all systems in your deployment. In HA deployments, primary HA appliances are patched and replicate the patch update to the secondary HA appliance.

  10. After the patch completes and you have exited the installer, type the following command: umount /media/updates
  11. Administrators and users should clear their browser cache before logging in to the Console.

    If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the patch installation resumes.

Results

A summary of the interim fix installation advises you of any managed host that were not updated. If the interim fix fails to update a managed host, you can copy the interim fix to the host, then mount and run the installation locally.

-----

Where do I find more information?
If you have additional questions or some of this content is not clear, you can see the QRadar forum or contact customer support:

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Documentation","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.2","Edition":"All Editions","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
10 May 2019

UID

swg27045838

Page Feedback