News
Abstract
QRadar® 7.3.x administrators who received the QRadar Weekly Auto Update on 21 October 2020 can experience a hostcontext issue where services do not start as expected after they upgrade to QRadar 7.4.x.
Content
Important: The issue described in this technical note is resolved with the release of [WAU Version] 1603523627 on 26 October 2020. Administrators who plan to upgrade to QRadar 7.4.x can ensure that they check for the latest QRadar auto update before they begin a software upgrade on their Console appliance. If you manually download and install updates, the auto update package posted on IBM Fix Central for 26 October 2020 (autoupdate-1603523627.tgz) contains the resolution for APAR IJ28895.
Urgency
Critical for QRadar® 7.3.x users who installed the 21 October 2020 auto update [build 1602876962], then upgrade their QRadar deployment from 7.3.x to a 7.4.x software version.
You can ignore this notice if you:
An issue has been reported as APAR IJ28895 with the 21 October 2020 auto update where the hostcontext service does not start as expected after an upgrade to QRadar 7.4.x that affects appliance functionality. A conflict between an autoupdate-deploy utility bundled with the 21 October 2020 auto update can cause ClassNotFoundException errors or NoClassDefFoundErrors in /var/log/qradar.log. These errors indicate that JAR files are not in the correct location after the administrator completes an upgrade to QRadar 7.4.x.
When this issue occurs, ClassNotFoundException or NoClassDefFoundErrors error messages can display in /var/log/qradar.log:
You can ignore this notice if you:
- Installed QRadar 7.4.x before 21 October.
- Do not plan to upgrade to QRadar 7.4.x in the next seven days. A fix will be provided through QRadar auto update next week to resolve this issue.
- Complete a daily or weekly auto update after 26 October 2020 for auto update [build 1603523627].
Summary
An issue has been reported as APAR IJ28895 with the 21 October 2020 auto update where the hostcontext service does not start as expected after an upgrade to QRadar 7.4.x that affects appliance functionality. A conflict between an autoupdate-deploy utility bundled with the 21 October 2020 auto update can cause ClassNotFoundException errors or NoClassDefFoundErrors in /var/log/qradar.log. These errors indicate that JAR files are not in the correct location after the administrator completes an upgrade to QRadar 7.4.x.
When this issue occurs, ClassNotFoundException or NoClassDefFoundErrors error messages can display in /var/log/qradar.log:
[main] java.lang.NoClassDefFoundError: com.google.common.cache.CacheBuilder
[main] at com.q1labs.core.dao.qidmap.SensorProtocolConfigParameters.{init}(SensorProtocolConfigParameters.java:37)
[main] at sun.misc.Unsafe.ensureClassInitialized(Native Method)
[main] at sun.reflect.UnsafeFieldAccessorFactory.newFieldAccessor(UnsafeFieldAccessorFactory.java:55)
[main] at sun.reflect.ReflectionFactory.newFieldAccessor(ReflectionFactory.java:154)
[main] at java.lang.reflect.Field.acquireFieldAccessor(Field.java:1103)
[main] at java.lang.reflect.Field.getFieldAccessor(Field.java:1079)
[main] at java.lang.reflect.Field.set(Field.java:774)
[main] at com.q1labs.frameworks.naming.FrameworksNaming.checkNameConstant(FrameworksNaming.java:412)
[main] at com.q1labs.frameworks.naming.FrameworksNaming.loadClasses(FrameworksNaming.java:323)
[main] at com.q1labs.frameworks.naming.FrameworksNaming.loadNaming(FrameworksNaming.java:171)
[main] at com.q1labs.frameworks.naming.FrameworksNaming.loadClasses(FrameworksNaming.java:270)
[main] at com.q1labs.frameworks.naming.FrameworksNaming.loadNaming(FrameworksNaming.java:171)
[main] at com.q1labs.frameworks.naming.FrameworksNaming.loadNaming(FrameworksNaming.java:105)
[main] at com.q1labs.frameworks.naming.FrameworksNaming.{init}(FrameworksNaming.java:86)
[main] at com.q1labs.frameworks.core.FrameworksContext.initServices(FrameworksContext.java:620)
[main] at com.q1labs.frameworks.core.FrameworksContext.initFrameworks(FrameworksContext.java:257)
[main] at com.q1labs.qvm.workflow.FrameworksJsvcBootstrapper.init(FrameworksJsvcBootstrapper.java:135)
[main] at com.q1labs.qvm.workflow.FrameworksJsvcBootstrapper.main(FrameworksJsvcBootstrapper.java:243)
[main] Caused by:
[main] java.lang.ClassNotFoundException: com.google.common.cache.CacheBuilder
[main] at java.net.URLClassLoader.findClass(URLClassLoader.java:610)
[main] at java.lang.ClassLoader.loadClassHelper(ClassLoader.java:943)
[main] at java.lang.ClassLoader.loadClass(ClassLoader.java:888)
[main] at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:349)
[main] at java.lang.ClassLoader.loadClass(ClassLoader.java:871)
[main] ... 18 more
Workaround
Administrators with scheduled maintenance windows can prevent this upgrade issue by moving an autoupdate-deploy file on all appliances before you attempt to upgrade to QRadar 7.4.x. Optionally, administrators can postpone their QRadar 7.4.x upgrade until this issue is resolved in the next QRadar weekly auto update.
Note: Administrators who decide to postpone their QRadar 7.4.x upgrade can subscribe to APAR IJ28895 to receive an email notice when this issue is resolved.
Procedure
Note: Administrators who decide to postpone their QRadar 7.4.x upgrade can subscribe to APAR IJ28895 to receive an email notice when this issue is resolved.
Procedure
- Use SSH to log in to the QRadar 7.3.x Console as the root user.
- Copy the following command into the command line of the QRadar Console:
/opt/qradar/support/all_servers.sh -C "mkdir /store/IBM_Support; mv /opt/qradar/conf/autoupdate-deploy-9000000000-13 /store/IBM_Support; rm /store/configservices/staging/globalconfig/autoupdate-deploy-9000000000-13 /store/configservices/deployed/globalconfig/autoupdate-deploy-9000000000-13; ls -l /store/IBM_Support/autoupdate-deploy-9000000000-13" - Verify the command text and press Enter.
- Wait for the command to complete on all appliances.
- Administrators can mount and install the QRadar 7.4.x SFS file to upgrade their appliances per the QRadar release notes.
Results
If you experience issues during your QRadar 7.4.x software upgrade or if you have questions about this notice, administrators can open a case with QRadar Support. If you open a case, it is important that you include the APAR number in your case title. For example, APAR IJ28895 upgrade assistance.
[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtdAAA","label":"Upgrade"}],"Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.3.0;7.3.1;7.3.2;7.3.3"}]
Was this topic helpful?
Document Information
Modified date:
27 October 2020
UID
ibm16352997