IBM Support

Release of the QRadar 7.3.0 Patch 3 SFS (7.3.0.20170727172058)

Release Notes


Abstract

A list of the installation instructions, new features, and resolved issues for the release of IBM Security QRadar 7.3.0 Patch 3 (20170727172058). This article guides administrators through updating from QRadar 7.3.0 (any patch) to the latest QRadar 7.3.0 Patch 3.

Content

Administrator note
This SFS update is intended for administrators who have not already installed 7.3.0 Patch 2 Interim Fix 01 from IBM Fix Central. QRadar 7.3.0 Patch 3 is an upgrade release that allows users at QRadar 7.3.0 or 7.3.0 Patch 1 to install a single update file. The issues resolved in QRadar 7.3.0 Patch 2 Interim Fix 01 are the same as those resolved in this update, QRadar 7.3.0 Patch 3.

If you have already installed QRadar 7.3.0 Patch 2 Interim Fix 01 (7.3.020170726005946), you do not need to install this update.


Upgrade information
QRadar 7.3.0 Patch 3 resolves 2 field issues reported by users and administrators. Fix packs are cumulative software updates that fix known software issues in your QRadar deployment. QRadar fix packs are installed by using an SFS file. The fix pack can update all appliances attached to the QRadar Console. If your deployment is installed with any of the following QRadar versions, you can install fix pack 7.3.0-QRADAR-QRSIEM-20170727172058 to upgrade to QRadar 7.3.0 Patch 3:

Current QRadar Version | Upgrades to QRadar 7.3.0 Patch 3?
QRadar 7.2.8 Patch 1 or later | Yes, requires the QRadar 7.3.0 Patch 3 ISO.
QRadar 7.3.0 | Yes, see the SFS instructions below.


The 7.3.0-QRADAR-QRSIEM-20170727172058 SFS file can upgrade QRadar 7.3.0 to QRadar 7.3.0 Patch 3. However, this document does not cover all of the installation messages and requirements, such as changes to appliance memory requirements or browser requirements for QRadar. To review any additional requirements, see the QRadar Upgrade Guide.


Before you begin
Ensure that you take the following precautions:

  • Back up your data before you begin any software upgrade. For more information about backup and recovery, see the IBM Security QRadar Administration Guide.
  • To avoid access errors in your log file, close all open QRadar sessions.
  • The fix pack for QRadar cannot be installed on a managed host that is at a different software version from the Console. All appliances in the deployment must be at the same software revision to patch the entire deployment.
  • Verify that all changes are deployed on your appliances. The patch cannot install on appliances that have changes that are not deployed.
  • If this is a new installation, administrators must review the instructions in the QRadar Installation Guide.


Installing the QRadar 7.3.0 Patch 3 Fix Pack
The instructions guide administrators through the process of upgrading an existing QRadar version at 7.3.0 to QRadar 7.3.0 Patch 3. If the administrator is interested in updating appliances in parallel, see: QRadar: How to Update Appliances in Parallel.


Procedure

  1. Download the fix pack to install QRadar 7.3.0 Patch 3 from the IBM Fix Central website: https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.3.0&platform=Linux&function=fixId&fixids=7.3.0-QRADAR-QRSIEM-20170727172058&includeRequisites=1&includeSupersedes=0&downloadMethod=http
  2. Using SSH, log in to your system as the root user.
  3. Copy the fix pack to the /storetmp directory on the QRadar Console.

    Note:
    In QRadar 7.3.0 and later, an update to the directory structure for STIG-compliant directories reduces the size of several partitions. QRadar support recommends that you copy the fix pack to /storetmp or use the df -Th command to locate a partition with sufficient space. The use of the /tmp directory for patch updates is limited and might cause unpacking or installation issues.

  4. To create the /media/updates directory, type the following command: mkdir -p /media/updates
  5. Change to the directory where you copied the patch file. For example, cd /storetmp
  6. To mount the patch file to the /media/updates directory, type the following command:
    mount -o loop -t squashfs 730_QRadar_patchupdate-7.3.0.20170727172058.sfs /media/updates
  7. To run the patch installer, type the following command: /media/updates/installer
    Note: The first time that you run the fix pack, there might be a delay before the fix pack installation menu is displayed.
  8. Using the patch installer, select all.

    • The all option updates the software on all appliances in the following order:
        1. Console
        2. No order required for remaining appliances. All remaining appliances can be updated in any order the administrator requires.
    • If you do not select the all option, you must select your Console appliance.

    In QRadar 7.2.6 Patch 4 and later, administrators are only given the option to update all appliances or to update the Console appliance. Managed hosts are not displayed in the installation menu, which ensures that the Console is patched first. After the Console is patched, the installation menu displays a list of managed hosts that can be updated. This change was made starting with QRadar 7.2.6 Patch 4 so that the Console appliance is always updated before managed hosts, which prevents upgrade issues.

    If administrators want to patch systems in series, they can update the Console first, then copy the patch to all other appliances and run the patch installer individually on each managed host. The Console must be patched before you can run the installer on managed hosts. When updating in parallel, there is no order required in how you update appliances after the Console is updated.

    If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the patch installation resumes.
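
Added example (not part of IBM's release notes): a pre-mount check for steps 3 to 6 that confirms the fix pack is not staged under /tmp, that its partition has free space, and that its SHA-256 matches a value you obtained from a trusted source. The HEADROOM factor, the expected-digest argument, and the script name preflight.sh are assumptions.

```shell
#!/bin/sh
# Added example: pre-mount checks for a QRadar fix pack (.sfs) file.
# HEADROOM and the expected SHA-256 argument are assumptions, not from the release notes.
HEADROOM=2   # assumed margin: require free space of 2x the file size

# in_tmp PATH: true when an absolute PATH is under /tmp (discouraged by the note in step 3)
in_tmp() {
    case "$1" in /tmp/*) return 0 ;; *) return 1 ;; esac
}

# free_kb DIR: KiB available on the filesystem that holds DIR
free_kb() {
    df -Pk "$1" | awk 'NR==2 {print $4}'
}

# has_room FILE DIR: true when DIR has at least HEADROOM x size(FILE) free
has_room() {
    need_kb=$(( $(wc -c < "$1") / 1024 * HEADROOM + 1 ))
    [ "$(free_kb "$2")" -ge "$need_kb" ]
}

# sha256_matches FILE EXPECTED: true when the file digest equals EXPECTED
sha256_matches() {
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# preflight FILE EXPECTED: run every check, naming the first one that fails
preflight() {
    if [ ! -f "$1" ]; then echo "not found: $1" >&2; return 1; fi
    if in_tmp "$1"; then echo "copy the file out of /tmp first" >&2; return 1; fi
    if ! has_room "$1" "$(dirname "$1")"; then echo "low space; see df -Th" >&2; return 1; fi
    if ! sha256_matches "$1" "$2"; then echo "SHA-256 mismatch" >&2; return 1; fi
}

# Mount only when called as: sh preflight.sh /storetmp/<fix pack>.sfs <expected sha256>
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2" || exit 1
    mkdir -p /media/updates
    if mountpoint -q /media/updates; then
        echo "/media/updates is already a mount point" >&2; exit 1
    fi
    mount -o loop -t squashfs "$1" /media/updates
fi
```

Run it as root on the Console with the full path to the fix pack; with no arguments it only defines the functions and mounts nothing.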



After the update completes

  1. After the patch completes and you have exited the installer, type the following command: umount /media/updates
  2. Administrators and users should clear their browser cache before logging in to the Console.

Results
A summary of the fix pack installation advises you of any managed hosts that were not updated. If the fix pack fails to update a managed host, you can copy the fix pack to the host and run the installation locally.

After all hosts are updated, administrators can send an email to their team to inform them that they will need to clear their browser cache before logging in to the QRadar SIEM interface.


Resolved issues
Note: Some APAR links in the table below might take 24 hours to display properly after a software release. A full APAR link for all QRadar versions is available.

Issues resolved in QRadar 7.3.0 Patch 3
Product | Component | Number | Description
QRADAR | USER INTERFACE | IV98386 | LOG SOURCE USER INTERFACE DOES NOT SAVE ENABLED, COALESCING EVENTS, STORE EVENT PAYLOAD, AND GROUP ASSIGNMENT CHECK BOX ACTIONS
QRADAR | USER INTERFACE | IV98410 | AN ERROR OCCURRED WHEN PARSING THIS EVENT'S PAYLOAD. YOU'LL NOT BE ABLE TO EDIT ITS MAPPING' WHEN MAPPING EVENTS

Issues resolved in QRadar 7.3.0 Patch 2
Product | Component | Number | Description
QRADAR | SEARCH | IV89196 | REALTIME STREAMING CAN FAIL TO DISPLAY EVENTS WHEN FILTERING ON EVENTPROCESSOR
QRADAR | INTERFACE | IV89672 | LDAP HOVER TEXT TOOLTIP DISPLAYS DUPLICATE VALUES
QRADAR | SEARCH | IV91674 | SEARCHES USING A GEOGRAPHIC LOCATION FILTER CAN RETURN UNEXPECTED RESULTS (RESOLVED IN 7.2.8 PATCH 6 AND IN 7.3.0 PATCH 2)
VULNERABILITY MANAGER | INTERFACE | IV92973 | A SCHEDULED SCAN IN QRADAR VULNERABILITY MANAGER CAN BE STARTED MULTIPLE TIMES ONE MINUTE APART
QRADAR | DATA NODE | IV93697 | DATA NODES MAY NOT REBALANCE CORRECTLY IF THERE ARE MULTIPLE DESTINATIONS
QRADAR | CLI | IV93847 | RUNNING THE ARIEL_QUERY.PY SCRIPT FROM A CONSOLE COMMAND LINE CAN RETURN EXTRA SPACES IN THE RESULTS
QRADAR | LICENSE | IV94195 | EVENT COLLECTOR APPLIANCES (15XX) ARE ASSIGNED A EPS VALUE OF 450 INSTEAD OF THEIR PROCESSOR'S VALUE
FORENSICS | DEPLOY | IV94790 | FORENSICS RECOVERY JOBS CAN BECOME ORPHANED IF INTERRUPTED BY A 'DEPLOY FULL CONFIGURATION'
QRADAR | SERVICES | IV95251 | HOSTCONTEXT CAN SOMETIMES NOT START AFTER UPGRADING QRADAR WITH 'FAILED TO ACQUIRE JMS CONNECTION' IN QRADAR.ERROR G
QRADAR | UPGRADE | IV97144 | PREVIOUS CORRUPTION IN NVA.CONF CAN CAUSE SOME UPGRADES TO QRADAR 7.3.0.X TO FAIL

Issues resolved in QRadar 7.3.0 Patch 1
Number | Description
SECURITY BULLETIN | IBM JAVA AS USED IN IBM QRADAR SIEM IS VULNERABLE TO MULTIPLE CVES
IV95246 | THERE ARE NOT ENOUGH UNALLOCATED EPS IN THE POOL TO MAINTAIN THE EVENT RATE LIMITS THAT ARE ASSIGNED TO THE MANAGED HOSTS
IV94784 | QRADAR USER INTERFACE OUTAGES WITH LOGS DISPLAYING HOSTCONTEXT '...TOO MANY OPEN FILES' MESSAGES
IV94700 | FORENSICS APPLIANCE UPGRADE TO QRADAR 7.3 CAN SOMETIMES FAIL
IV93961 | 'DELETE LISTED' OPTION WHILE FILTERED ON A REFERENCE SET DATA LIST CAN DELETE ALL REFERENCE SET DATA
IV93459 | SYSTEM AND LICENSE MANAGEMENT CAN TAKE A LONGER THAN EXPECTED TIME TO LOAD IN LARGE QRADAR DEPLOYMENTS
IV92977 | VULNERABILITY SEARCH DASHBOARD ITEMS CHANGES DO NOT PERSIST AFTER LOG OUT OF THE QRADAR USER INTERFACE
IV92852 | REPORTS RUNNING ON 'ACCUMULATED DATA' CAN SOMETIMES FAIL DUE TO THE GLOBAL VIEW DAILY ROLLUPS FAILING
IV92466 | QRADAR SEARCHES CAN FAIL TO COMPLETE AND/OR DASHBOARD DATA CAN FAIL TO LOAD DUE TO AN ARIEL CONNECTION LEAK
IV91679 | I/O ERROR FOR MANAGED HOST(S) DISPLAYED IN THE SEARCH WINDOW WHILE RUNNING LOG AND/OR NETWORK ACTIVITY SEARCHES
IV91675 | AN 'APPLICATION ERROR' CAN BE DISPLAYED FOR NEW USERS LOGGING INTO THE QRADAR USER INTERFACE INSTEAD OF A DEFAULT DASHBOARD
IV91634 | ARIEL SEARCHES THAT ARE RUN USING API VERSION 7.0+ DO NOT RETURN PAYLOAD PROPERLY FOR PARSING
IV91615 | 'ERROR: COULD NOT FIND OR LOAD MAIN CLASS COM.Q1LABS.CORE.UTIL . PASSWORDENCRYPT' WHEN CONFIGURING LDAP HOVER FEATURE
IV91607 | 'UNEXPECTED ERROR WHILE RETRIEVING GET_LOGS STATUS' WHEN A NON-ADMIN USER ACCESSES SYSTEM AND LICENCE MANAGEMENT
IV90795 | DRILLING INTO A SEARCH THAT WAS GROUPED BY A CUSTOM EVENT PROPERTY WITH PARENTHESIS DOES NOT WORK AS EXPECTED
IV90792 | USERS WITH DEFAULT DOMAIN PERMISSIONS CANNOT VIEW LOG SOURCE AND LOG SOURCE GROUP EVENT FILTERS
IV90791 | 'APPLICATION ERROR' WHEN OPENING SOME OFFENSES
IV89591 | LARGE CSV EXPORTS FROM QVM 'SCAN RESULTS' CAN TAKE AN UNEXPECTEDLY LONG TIME TO COMPLETE
IV89558 | FILTERING BY PHRASE OR VENDOR IN A SCAN POLICY VULNERABILITY SEARCH RETURNS INCOMPLETE RESULTS
IV77665 | SOME QRADAR ADVANCED SEARCHES DO NOT COMPLETE, DISPLAYING 'IN PROGRESS 0% COMPLETE'
IV75242 | NETFLOW FORWARDING CAN BE INCONSISTENT FROM A HIGH AVAILABILITY PAIR

Issues resolved in QRadar 7.3.0
Number | Description
IV94244 | QRADAR PATCHING TO 7.3.0 CAN FAIL AT 'ERROR: THE UPGRADE PHASE SCRIPT 40-PRESERVE_PROTECTED_SEARCH_RESULTS.SH FAILED...'
IV91030 | QRADAR APPS THAT REQUIRE SPECIFIC USER ROLE PERMISSIONS CAN STOP WORKING AFTER PATCHING TO QRADAR 7.2.8 PATCH 1
IV88705 | ASSET UI SCREEN APPLICATION ERROR DISPLAYED DUE TO DELETED ASSET SEARCH
IV89204 | QRADAR ASSET PROFILER TREATS HOSTNAMES WITH DIFFERENT CASE CHARACTERS AS SEPARATE ASSETS
IV84736 | TOMCAT OUT OF MEMORY CAN OCCUR CAUSING THE USER INTERFACE TO BECOME INACCESSIBLE
IV91288 | OFFENSES CAN SOMETIMES STOP GENERATING WHEN OFFENSES ARE INDEXED ON CUSTOM PROPERTIES
IV88270 | USING COMPLEX FILTERS ON LOG AND/OR NETWORK ACTIVITY PAGE SEARCHES CAN CAUSE PIPELINE PERFORMANCE ISSUES/NOTIFICATION
IV90364 | SETTING A CUSTOMIZED 'RULE RESPONSE' NAME/DESCRIPTION FOR THE 'LACK OF DEVICE' RULE TEST DOES NOT WORK AS EXPECTED
IV78366 | THE ECS-EC PROCESS CAN SOMETIMES RUN OUT OF MEMORY WHEN A LARGE NUMBER OF EVENTS WITH CUSTOM PROPERTIES ARE RECEIVED
IV89556 | ECS-EP PROCESS RUNNING, BUT EVENT/FLOW PROCESSING NOT OCCURING ON A QRADAR APPLIANCE
IV90906 | TIMES SERIES NOT WORKING FOR SOME NON-ADMIN QRADAR USERS
IV91098 | INVAILD SUPER INDEXES CAN CAUSE 'GENERAL FAILURE. PLEASE TRY AGAIN' MESSAGES WHEN USED IN A FILTER IN SEARCHES
IV89015 | APPLICATION ERROR WHEN DOUBLE CLICKING THE RESULTS OF AN 'ADVANCED SEARCH' (AQL)
IV90007 | TIMESERIES ACCUMULATION AND/OR REPORTS CAN FAIL TO GENERATE IN SOME INSTANCES AFTER PATCHING TO QRADAR 7.2.7.X
IV89209 | REPEATED ARIEL PROCESS OUT OF MEMORY OCCURANCES WITH LARGE VOLUMES OF DATA IN /STORE/TRANSIENT
IV89207 | OPENING AN EVENT FROM AN ADVANCED SEARCH (AQL) RESULTS LIST CAN OPEN THE INCORRECT EVENT IF A COLUMN SORT HAS BEEN PERFORMED
IV90601 | FLOW RETENTION WINDOW DOES NOT ACCURATELY DISPLAY DISTRIBUTION USAGE PERCENTAGES
IV73227 | INTERMITTENT AND/OR FREQUENT QRADAR SYSTEM NOTIFICATIONS: 'ACCUMULATOR FALLING BEHIND'
IV87313 | 'SOURCE' AND 'DESTINATION' NETWORK GROUP SHOW FULL NETWORK HIERARCHY NAME WHEN ADDED AS A COLUMN TO DISPLAY
IV90633 | QRADAR DATABASE REPLICATION PROCESS CAN TAKE A LONGER THAN EXPECTED AMOUNT OF TIME
IV89022 | CUSTOM PROPERTIES SAVED TO ADVANCED SEARCHES (AQL) WITH INVALID SYNTAX ARE UNABLE TO BE DELETED
IV91638 | IMPORTING VULNERABILITY SCAN DATA FROM XML INTO QRADAR CAN SOMETIMES FAIL WITH AN EXCEPTION IN THE LOGS
IV85834 | EMAIL ADDRESS VALIDATION IN QRADAR ONLY ALLOWS FOUR CHARACTERS IN THE LAST SECTION OF THE DOMAIN
IV89662 | UNABLE TO EDIT BULK ADDED LOG SOURCES AFTER A QRADAR CONFIGURATION RESTORE IS PERFORMED
IV90376 | SECURITY APP EXCHANGE APPLICATIONS CAN FAIL TO COMMUNICATE IN SOME HIGH AVAILABILITY QRADAR CONFIGURATIONS
IV91071 | QRADAR XX48 APPLIANCE ISO BUILDS CAN FAIL WITH 'INVALID ACTIVATION KEY' MESSAGE
IV90089 | HOSTCONTEXT PROCESS NAME IS NOT CONSISTENT IN ALL AREAS OF QRADAR
IV86682 | SYSTEM NOTIFICATIONS STATING 'THE PRIMARY HIGH AVAILABILITY SYSTEM FAILED' WHEN NO FAILOVER HAS OCCURRED
IV85384 | HIGH AVAILABILITY STANDBY APPLIANCE USING CROSSOVER CABLE CAN HAVE ROUTING INCORRECTLY UPDATED
IV85366 | QRADAR CONSOLE CONTINUES TO PING THE IP OF A MANAGED HOST CLUSTER AFTER IT IS REMOVED FROM THE DEPLOYMENT
IV87497 | IO ERRORS WHEN PERFORMING SEARCHES AFTER A DEPLOY FUNCTION WHERE AN ENCRYPTED MANAGED HOST EXISTS IN THE DEPLOYMENT
IV74231 | QRADAR ADMIN TAB DISPLAYS MESSAGE 'THERE ARE UNDEPLOYED CHANGES...' WHEN NO CHANGES HAVE BEEN MADE
IV87856 | QRADAR PATCHES THAT INCLUDE A JAVA VERSION UPDATE DO NOT MOVE THE US EXPORT JAR FILES INTO THE APPROPRIATE DIRECTORY
IV89587 | KEYBOARD CURSOR/ARROW KEYS AND CTRL-A FUNCTIONS ARE INCONSISTENT ACROSS THE QRADAR USER INTERFACE
IV76165 | FLOW SOURCE ALIASES DO NOT APPEAR IN THE ADD FILTER, FLOW INTERFACE, 'VALUE:' DROP DOWN FOR NETWORK ACTIVITY SEARCHES
IV90069 | LIST OF OPERATING SYSTEMS AVAILABLE TO SELECT FOR ASSETS IS MISSING SOME OS VERSION ENTRIES
IV90066 | 'GENERAL FAILURE. PLEASE TRY AGAIN' WHEN PERFORMING A 'GROUP BY' SEARCH OF A PROPERTY, FILTERED AGAINST A REFERENCE SET
IV93147 | NETWORK HIERARCHY SEARCH ATTEMPT RESULTS IN POP UP MESSAGE 'AN ERROR OCCURRED, ARGUEMENT TYPE MISMATCH'
IV89519 | RULES THAT TEST AGAINST REFERENCE MAP OF DATA SETS CAN SOMETIMES FIRE UNEXPECTEDLY
IV89341 | SINGLE RUN HOURLY REPORT CAN SOMETIMES RUN TWICE
IV88805 | DOMAINS BASED ON CEP VALUE BROKEN STARTING IN QRADAR 7.2.7
IV89363 | MULTIPLE SIMULTANEOUS REFERENCE DATA ADDITIONS AND/OR DELETIONS USING THE API CAN CAUSE THE QRADAR UI TO BECOME UNRESPONSIVE
IV87507 | SOME DASBOARD ITEMS NO LONGER DISPLAY IN THE QRADAR USER INTERFACE







Document Information

Modified date:
10 May 2019

UID

swg27050137