IBM is notifying administrators that an upgrade issue might affect a small number of Consoles in QRadar 7.4.3 and QRadar 7.4.3 Fix Pack 1 where domains are enabled as described in the Security Bulletin for CVE-2021-29880. If you upgraded to QRadar 7.4.3 or 7.4.3 Fix Pack 1 with domains configured, you must open a case for support to review your Console.
Technical note updates
- 13 August 2021 11:30 AM EDT: Added the section, "Can I use the QRadar 7.4.3 GA ISO file?" to address questions from users.
- 13 August 2021 10:00 AM EDT: Updated article to correct an image issue and add a link to 7.4.3 Fix Pack 2.
- 12 August 2021 3:00 PM EDT: Updated content to include information about the reported CVE-2021-29880. This update adds more information for affected users and content related to the release of QRadar 7.4.3 Fix Pack 2.
- 12 August 2021 7:00 PM EDT: Initial release of the flash notice to users.
Important: A small number of users reported an upgrade issue in QRadar 7.4.3 and QRadar 7.4.3 Fix Pack 1 as described in the Security Bulletin for CVE-2021-29880. If you installed an affected software version, QRadar Support is requesting administrators confirm if domains are enabled on the Console. If you use an affected software version and domains are configured, you must open a case so the support team can review your Console.
- QRadar 7.4.3 GA (7.4.3-QRADAR-QRSIEM-20210517144015.sfs) with domains enabled.
- QRadar 7.4.3 Fix Pack 1 (7.4.3-QRADAR-QRSIEM-20210708143944.sfs) with domains enabled.
Note: QRadar on Cloud administrators are not required to open a case with support as the DevOps team completed reviews of all affected QRadar on Cloud appliances.
Administrators with domains enabled who upgraded to QRadar 7.4.3 or 7.4.3 Fix Pack 1 must open a case with QRadar Support.
- Log in to the QRadar Console as an administrator.
- Select >About in the user interface to confirm the software version is QRadar 7.4.3 or 7.4.3 Fix Pack 1.
- Click the Admin tab.
- Click Domain Management.
- Review the window to determine whether any domain configurations are displayed.
If domains are configured, you might be affected by CVE-2021-29880. The administrator must open a case with QRadar Support.
Figure 1: An example screen capture of a Console with domains enabled.
If no domains are displayed, you are not affected by CVE-2021-29880 and no further steps are required. You do not need to install QRadar 7.4.3 Fix Pack 2 now as you do not use domains.
Figure 2: This Console is not affected as no domains are configured.
Affected administrators must open a support case and include the following information so we can quickly identify and respond to your issue. The support representative can review your Console and advise on any steps or log files that are required.
- Title: 7.4.3 Upgrade QR29880
- Severity: 2
- Requested files:
  1. A configuration backup or logs from your QRadar Console before your 7.4.3 upgrade.
  2. A recent 7.4.3 configuration backup or logs from your Console.
Note: Configuration backups can be downloaded from the user interface or retrieved from the /store/backup/ directory on the QRadar Console. Older log files are available in the /var/log/qradar.old directory on the Console.
Can I install QRadar 7.4.3 Fix Pack 1?
QRadar Support recommends that users who plan to upgrade from 7.3.2, 7.3.3, 7.4.0, 7.4.1, or 7.4.2 install QRadar 7.4.3 Fix Pack 2 to ensure they avoid the issue described in CVE-2021-29880.
A notice is posted to QRadar 7.4.3 GA and 7.4.3 Fix Pack 1 software versions on IBM Fix Central to direct users to QRadar 7.4.3 Fix Pack 2. If you have domains enabled, do NOT upgrade to QRadar 7.4.3 GA or QRadar 7.4.3 Fix Pack 1. The release of QRadar 7.4.3 Fix Pack 2 includes a single fix for the CVE-2021-29880 issue, but upgrading to V7.4.3 Fix Pack 2 ensures administrators do not experience this issue in the future. If you have upgrade questions or concerns, contact QRadar Support before you install a software update.
Figure 3: Notice text on IBM Fix Central to inform users of 7.4.3 versions that might be affected by CVE-2021-29880.
Do I need to delay my planned upgrade?
No, administrators with scheduled upgrades can upgrade directly to QRadar 7.4.3 Fix Pack 2 as the software is available on IBM Fix Central. The 743_QRadar_FixPack2_2020.11.2.20210708143944 SFS file can upgrade the following QRadar versions to QRadar 7.4.3 Fix Pack 2:
- QRadar 7.3.2 (Fix Pack 3 - Fix Pack 7)
- QRadar 7.3.3 (GA - Fix Pack 9)
- QRadar 7.4.0 (GA - Fix Pack 4)
- QRadar 7.4.1 (GA - Fix Pack 2)
- QRadar 7.4.2 (GA - Fix Pack 3)
- QRadar 7.4.3 (GA - Fix Pack 1)
Can I use the QRadar 7.4.3 GA ISO file?
Yes, the ISO for QRadar 7.4.3 is available on IBM Fix Central as new installs are not impacted by this upgrade issue. ISO files are used for new software or appliance installations and no domains are configured by default. The issue reported in CVE-2021-29880 does not impact users who install QRadar 7.4.3 GA with the ISO file. QRadar Support recommends that any administrator who installs QRadar 7.4.3 GA with the ISO file also download and upgrade the deployment to QRadar 7.4.3 Fix Pack 2 after the ISO install completes.
We apologize for any inconvenience due to this issue. If you have questions about the contents of this technical note, contact QRadar Support.
- QRadar Support
13 August 2021