News
Abstract
This technical note is an overview from the QRadar Support and Development teams regarding the removal of QRadar SIEM 7.4.3 Fix Pack 3 from IBM Fix Central. Users who downloaded this version must not install QRadar SIEM 7.4.3 Fix Pack 3. A new version is under development as QRadar SIEM 7.4.3 Fix Pack 4 to resolve two critical issues reported to the support team. This issue does not affect QRadar on Cloud users.
Content
Summary
QRadar Support is advising users to NOT upgrade to QRadar SIEM 7.4.3 Fix Pack 3 (743_QRadar_FixPack3_2020.11.3.20211021121337) because two critical issues were reported. Administrators reported network connections failing, which can cause updates to fail unexpectedly, and applications that do not display after an upgrade completes. On 27 October 2021, development removed QRadar SIEM 7.4.3 Fix Pack 3 from IBM Fix Central for all users globally while a new software delivery is prepared.
Affected QRadar versions
QRadar SIEM administrators who installed QRadar SIEM 7.4.3 Fix Pack 3 (743_QRadar_FixPack3_2020.11.3.20211021121337).
Important: QRadar on Cloud users are not affected by the issues in this technical note due to mitigations by QRadar DevOps teams.
Affected services
| Issue | Summary | Data loss | Symptoms |
|---|---|---|---|
| Network / Tunnel Manager | SSH connections can be closed unexpectedly by the tunnel manager service. | No. Data is collected properly and incoming events or flows might be queued. | |
| Application Framework | The application framework fails to display applications in the UI on tomcat startup when the HTTPd certificate does not contain the Console IP address in the SAN list. | No. Data is collected properly for incoming events and flows. | |
Investigation
The following information outlines the analysis completed by QRadar Development teams.
| Category | Action or description |
|---|---|
| File name | 743_QRadar_FixPack3_2020.11.3.20211021121337.sfs |
| Version | QRadar SIEM 7.4.3 Fix Pack 3 (743_QRadar_FixPack3_2020.11.3.20211021121337) |
| Severity | Critical |
| Issue type | Network and Application Framework |
| Root cause | Newly reported issue that affects network connectivity and applications in the user interface for QRadar 7.4.3 Fix Pack 3. |
| Services | |
| Immediate actions taken | Development teams removed QRadar 7.4.3 Fix Pack 3 from IBM Fix Central. |
| Analysis for Tunnel Manager | The tunnel manager is a service running in QRadar that simplifies the management of SSH tunnels and reduces the load on hostcontext. It consists of a service that creates and maintains tunnels, and a timer-based tunnel-monitor component. The tunnel manager service runs on a 1-minute interval on all QRadar appliances to monitor and close tunnels in a bad state. In QRadar 7.4.3 Fix Pack 3, the service can close valid SSH connections unexpectedly. A closed SSH connection between encrypted hosts can lead to failed upgrades, events or flows queued in the event pipeline (Event Collector to Event Processor handoff), or HA failovers. If QRadar 7.4.3 Fix Pack 3 was installed, you can disable the tunnel-monitor service and timer as a temporary workaround. Procedure: |
| Analysis for Application Framework service | An issue exists where applications do not display in the user interface after an upgrade to QRadar 7.4.3 Fix Pack 3. All applications report as running in the Application Framework, but the applications cannot be launched. This issue prevents applications from starting as expected when encryption is enabled in the QRadar deployment, or when you generated your own custom certificate without the Console IP address in the SAN list. During tomcat startup, the gui_application_startup thread attempts to run, but the SAN certificate for the HTTPd service is missing the IP address of the appliance. When this issue occurs, the following error is displayed in /var/log/qradar.log: Workaround: If you installed QRadar 7.4.3 Fix Pack 3, you can force stop, then force start the applications to temporarily resolve this issue. A software fix is required to permanently resolve this application framework issue. Options: There are multiple methods to stop, then start applications in QRadar SIEM. For more information, see Starting apps that are in an ERROR state or do not display in the user interface. (1) Administrators can use the REST API to stop, then start the applications, or (2) administrators can use the qappmanager utility in /opt/qradar/support and select App instance stop, then App instance start for all applications. Results: After all apps are stopped, then started, they display properly in the user interface. If you installed QRadar 7.4.3 Fix Pack 3 and need assistance with this procedure, you can contact QRadar Support. |
| Mitigation | Do not install QRadar SIEM 7.4.3 Fix Pack 3. A new release is being prepared for all users to resolve these issues. |
| Mitigation delivered | No, currently under development as QRadar SIEM 7.4.3 Fix Pack 4. |
| Preventive actions | |
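The Application Framework failure above hinges on one property of the HTTPd certificate: whether its SAN list carries the Console IP address. The check below is an added example written for this note, not IBM's code or a QRadar utility. It works on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, so it can be run on a constructed sample (the two certificates embedded here are made up) or on the certificate a live, verified TLS connection to the Console presents; the hostname, IP address and CA file names in `fetch_peer_cert` are assumptions.

```python
"""Check whether a certificate's SAN list includes the Console IP address.

Added example for this note; it is not IBM's code. The certificate is
handled in the dictionary shape that Python's ssl.SSLSocket.getpeercert()
returns, so the same check runs on a constructed sample (below) or on the
certificate a live, verified TLS connection presents.
"""
import ipaddress
import socket
import ssl


def san_entries(cert):
    """Return the (type, value) pairs of the subjectAltName extension."""
    return tuple(cert.get("subjectAltName", ()))


def san_contains_ip(cert, console_ip):
    """True when console_ip is present as an 'IP Address' SAN entry.

    Addresses are compared in parsed form so textual variants of the
    same IPv6 address still match.
    """
    wanted = ipaddress.ip_address(console_ip)
    for kind, value in san_entries(cert):
        if kind != "IP Address":
            continue
        try:
            if ipaddress.ip_address(value) == wanted:
                return True
        except ValueError:  # malformed SAN value; skip it
            continue
    return False


def san_report(cert, console_ip):
    """One-line summary of the SAN check, suitable for a ticket or log line."""
    entries = ", ".join(f"{k}:{v}" for k, v in san_entries(cert)) or "(none)"
    if san_contains_ip(cert, console_ip):
        return f"OK: SAN list contains {console_ip} [{entries}]"
    return f"MISSING: SAN list lacks {console_ip} [{entries}]"


def fetch_peer_cert(host, ca_file, port=443):
    """Fetch the parsed certificate from a live HTTPS listener.

    getpeercert() returns a populated dict only after the chain was
    verified, so the CA that signed the Console's HTTPd certificate must
    be supplied in ca_file (for a self-signed cert, the cert itself).
    Hostname checking is off because the goal is to inspect the SAN
    list, not to require that it already matches.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not taken from the page). The first has
# the Console IP in its SAN list; the second is a custom certificate issued
# with only a DNS name, the situation the note describes.
CERT_WITH_IP = {
    "subject": ((("commonName", "qradar-console.example.internal"),),),
    "subjectAltName": (("DNS", "qradar-console.example.internal"),
                       ("IP Address", "10.10.5.20")),
}
CERT_WITHOUT_IP = {
    "subject": ((("commonName", "qradar-console.example.internal"),),),
    "subjectAltName": (("DNS", "qradar-console.example.internal"),),
}

if __name__ == "__main__":
    for cert in (CERT_WITH_IP, CERT_WITHOUT_IP):
        print(san_report(cert, "10.10.5.20"))
```

Running the module prints one OK line and one MISSING line for the two samples; against a real Console, pass the result of `fetch_peer_cert(host, ca_file)` to `san_report` together with the Console IP before applying a custom certificate.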
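The workaround's first option, stopping then starting every app through the REST API, as an added example that is not IBM's code. The endpoint path `/gui_app_framework/applications`, the `SEC` token header and the `application_id` / `application_state.status` fields are written from my reading of the QRadar REST API and should be confirmed against the API documentation at `/api_doc` on your Console before use; the Console hostname, token and the two sample apps are constructed. The HTTP layer is injectable, so the stop/start logic runs offline against an in-memory fake of the Console.

```python
"""Force-stop, then force-start every QRadar app through the REST API.

Added example; not IBM's code. Endpoint path, SEC header and response
fields are assumptions taken from the QRadar REST API as documented at
/api_doc on the Console; confirm them for your version. The transport is
injectable so the logic can be exercised offline with fake_transport().
"""
import copy
import json
import ssl
import urllib.request
from urllib.parse import urlencode


def http_transport(console, token, verify_tls=True):
    """Return send(method, path, params) that talks to the Console over HTTPS."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab use only, e.g. a self-signed Console certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(method, path, params=None):
        url = f"https://{console}/api{path}"
        if params:
            url += "?" + urlencode(params)
        req = urllib.request.Request(
            url, method=method,
            headers={"SEC": token, "Accept": "application/json"})
        with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
            body = resp.read()
            return json.loads(body) if body else None
    return send


def list_apps(send):
    """GET the installed applications (assumed endpoint)."""
    return send("GET", "/gui_app_framework/applications")


def set_status(send, app_id, status):
    """POST the desired status, STOPPED or RUNNING, for one app (assumed endpoint)."""
    return send("POST", f"/gui_app_framework/applications/{app_id}",
                {"status": status})


def cycle_all_apps(send):
    """Stop, then start each app; return {application_id: final status}."""
    final_status = {}
    for app in list_apps(send):
        app_id = app["application_id"]
        set_status(send, app_id, "STOPPED")
        updated = set_status(send, app_id, "RUNNING")
        final_status[app_id] = updated["application_state"]["status"]
    return final_status


def fake_transport(apps):
    """In-memory stand-in for the Console, seeded with constructed app records.

    It records every request in send.calls so the order of operations
    (list, then stop/start per app) can be checked.
    """
    state = {a["application_id"]: copy.deepcopy(a) for a in apps}
    calls = []

    def send(method, path, params=None):
        calls.append((method, path, params))
        if method == "GET" and path == "/gui_app_framework/applications":
            return [copy.deepcopy(a) for a in state.values()]
        if method == "POST" and path.startswith("/gui_app_framework/applications/"):
            app_id = int(path.rsplit("/", 1)[1])
            state[app_id]["application_state"]["status"] = params["status"]
            return copy.deepcopy(state[app_id])
        raise ValueError(f"unexpected request {method} {path}")
    send.calls = calls
    return send


# Constructed sample records in the assumed response shape; one app is
# healthy, one is in the ERROR state the note's workaround targets.
SAMPLE_APPS = [
    {"application_id": 1051, "manifest": {"name": "Sample App A"},
     "application_state": {"status": "RUNNING"}},
    {"application_id": 1052, "manifest": {"name": "Sample App B"},
     "application_state": {"status": "ERROR"}},
]

if __name__ == "__main__":
    # Offline run against the fake; for a real Console use
    # http_transport("console.example.internal", "<authorized service token>").
    send = fake_transport(SAMPLE_APPS)
    print(cycle_all_apps(send))
```

Against a live Console, create an authorized service token with the Admin capability and pass it to `http_transport`; `cycle_all_apps` then issues one GET followed by a STOPPED and a RUNNING POST per app, which mirrors the App instance stop / App instance start sequence the note prescribes.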
Document Information
Modified date: 29 October 2021
UID: ibm16509562