IBM Support

Release of QRadar 7.5.0 Update Package 15 SFS (2021.6.15.20260306120301)

Release Notes


Abstract

This technical note contains installation instructions, and a list of new features and resolved issues for the IBM Security QRadar 7.5.0 Update Package 15 (2021.6.15.20260306120301 SFS). These instructions are intended for administrators who are upgrading to QRadar 7.5.0 Update Package 15 by using an SFS file.

Content

What's New


For more information on new and changed features in QRadar 7.5.0, see What's new in 7.5.0.
 

Enhancements to Tiered Storage

Tiered Storage has been significantly enhanced to improve performance and reliability during data migrations and rebalancing. The update introduces faster re-indexing with concurrency, smarter error handling, and automatic recovery from interruptions. Administrators can now bulk edit policies through both the UI and API, receive real-time notifications for ongoing operations, and view detailed status banners for better visibility. Additional safeguards protect Hot Tier disk space, and per-cluster policies provide granular control over storage configurations. These improvements make managing large-scale storage environments more predictable and efficient, ensuring better control and resource optimization.

Multiple Log Source Identifiers

Users with the appropriate permissions to edit a log source can now configure multiple identifiers for that log source. This provides greater flexibility when device hostnames, IP addresses, or other identifiers change during activities such as migrations. By allowing additional identifiers to be manually associated with an existing log source, this enhancement helps prevent duplicate entries and improves log source management.

Important clarifications:

  • No automatic changes after UP15: Updating to UP15 will not automatically modify any existing log sources in QRadar.

  • No automatic merging: The feature does not automatically add or combine identifiers. All additional identifiers must be manually configured by users with the appropriate permissions.

  • No multi‑identifier auto discovery: Auto discovered log sources will not be assigned multiple identifiers automatically.

  • Planned migrations: To maintain continuous log collection during activities like hostname changes, users should manually add new identifiers ahead of time to the existing log source.

This capability provides more flexibility and control in complex deployments, reduces the risk of duplicate log sources, and supports uninterrupted log ingestion during planned transitions.

Backup Generation and Restore with Digital Signature

Backup Generation and Restore with Digital Signature adds a secure process for creating and restoring backups with cryptographic validation. Beginning with this release, all new backups are automatically signed using the host’s private key and verified during restoration with the corresponding trusted public key. This ensures each backup’s authenticity and integrity, reducing the risk of data corruption, tampering, or unauthorized changes. The feature scales across all QRadar deployments after upgrade, aligning fully with the existing backup and restore framework. It also improves disaster recovery by enabling verified, trusted transfers across paired sites, helping minimize downtime and protect critical data. These enhancements strengthen security, support compliance, and provide greater confidence in overall system integrity. With this update, organizations gain a scalable and trusted backup solution that meets both regulatory and operational needs.

Improved AQL Error Handling and Indexed Field Visibility in Ariel API

This release strengthens AQL query handling with improved error reporting and visibility into indexed fields. The Ariel API now includes the “is indexed” property accessible through the endpoint GET /ariel/databases/{database_name}, enabling users to identify indexed fields for optimized query performance. Enhanced syntax error detection pinpoints issues and their exact location, reducing troubleshooting time.

Custom Rule Engine (CRE) Versioning and History

The rule versioning enhancements improve QRadar’s rule management by adding advanced version tracking and comparison capabilities. Users can now compare any two rule versions, capture detailed commit messages, and maintain accurate version history for user and modified rules. UI refinements and permission-based controls ensure a smoother experience and restrict actions to authorized users. Dependency checks help prevent misconfigurations during rule reverts, reducing operational risk. These improvements simplify troubleshooting and rollback processes, making rule management more efficient and reliable.

JA4 Fingerprinting in QNI

QRadar Network Insights (QNI) now supports JA4 fingerprinting for TLS traffic, enabling advanced analysis of encrypted sessions without exposing sensitive handshake details. This feature uses hash-based fingerprints to identify anomalous clients and detect unusual patterns in TLS communications. By improving detection accuracy while maintaining privacy, JA4 fingerprinting strengthens threat analysis workflows and aligns with modern security practices for encrypted traffic monitoring.

Improve locking scalability in DomainizedStorage2 for up to 50x speedup in search when using reference data filters

Searches of events and flows that use Reference Data filters are now up to 50 times faster. The maximum benefit is achieved on systems where the storage system performance allows it, such as QRadar 1648 appliances.

Attention

Following changes in QRadar 7.5.0 UP15, high availability systems that host apps (either the Console or an Apphost) will now use the shared VIP IP address for any routing done by applications that communicate with the internet. This may cause issues with internet communication by QRadar apps in some environments.

If any 3rd party devices or software (VPN, firewall, etc.) are configured to use the HA host's physical IPs in order to allow internet communication from the QRadar host/apps, communication may break after upgrading to 7.5.0 UP15 if any such device is not expecting the VIP.

Because the change implemented in 7.5.0 UP15 is by design, adjustments should be made on the 3rd party device(s) to account for the VIP now being used for communication between QRadar apps and the internet. IBM QRadar Support cannot assist with or support 3rd party software.

Resolved Issues


The Known Issues listed below are resolved in QRadar 7.5.0 Update Package 15. For a complete list of Known Issues, see Known Issues. The Known Issues search page allows users to search for Known Issues by version or status.

Some Known Issues links might take 24 hours to display properly after a software release is posted to IBM Fix Central.

The following is a list of Known Issues fixed in QRadar 7.5.0 Update Package 15:

  • DT459103 - Hybrid DR setup flow - Remove stale references of deleted Managed Hosts and Managed Host HA prior to failover and failback

  • DT462724 - Rule Version History does not update Author properly

  • DT462261 - After UP14, QFlow continuously logs "ERSPAN is disabled" messages, flooding qradar.log and making it unusable for operational troubleshooting.

  • DT458513 - Unable to assign search to groups because the 'Assign Search to Group(s)' list doesn't load.

  • DT460873 - Hybrid Flow : Manage host_tokens.masterlist and host.token files during restoration

  • DT460865 - Hybrid Flow: After failover/failback system throwing time out in first attempt of deploy changes for paired MH on DR site

  • DT433277 - "Invalid License Key" Warning on QRadar UI

  • DT453179 - PROPERTY NAME IS NOT DISPLAYED AS EXPECTED FOR PROPERTIES USED IN AN AQL (ADVANCED SEARCH) UP7.5.x

  • DT119242 - IJ36282: PROPERTY NAME IS NOT DISPLAYED AS EXPECTED FOR PROPERTIES USED IN AN AQL (ADVANCED SEARCH)

  • DT214373 - IJ46429: QRADAR ASSET NAMES MIGHT NOT BE DISPLAYED ON THE ASSETS SCREEN OR NOT BE INCLUDED IN A VULNERABILITY REPORT AFTER BEING UPDATED

  • DT241221 - IJ48738: HA SECONDARY DISK SPACE ISSUES CAN OCCUR WHEN FILES FOR OLDER VERSIONS OF ECS ARE NOT REMOVED

  • DT252105 - IJ49396: DROPPED FLOW QRADAR SYSTEM NOTIFICATIONS ONLY DISPLAY FOR THE CONSOLE IP

  • DT391311 - Disabling FIPS mode using the qradar_fips_update.sh script fails to update grub properly

  • DT396265 - In high availability configurations, internet connections from QRadar apps use the active host's physical IP instead of the shared virtual IP

  • DT433440 - QRadar: Unable to uncheck "Enable for use in Rules, Forwarding Profiles and Search Indexing" due to the incorrect dependency API call

  • DT422542 - Autoupdate may fail due to long running transaction on Vulnerabilities database table

  • DT424465 - Issues with CRE Event Names After Restoring Partial Configuration Backup

  • DT434387 - When user select multiple CEP and try to deletes it directly deletes it without going for dependency check.

  • DT442472 - Asset Quick Search is not working

  • DT444459 - QNI fails to parse X.509 Common Names containing a comma followed by a space (', ')

  • DT444767 - Historical correlation won't start after patching from UP11, UP12 and UP13

  • DT450117 - QRM Policy Questions Failing to Return Results Due to Missing Index in vulninstance Table

  • DT454175 - Parallel Patching - "Check patching status" and "View live report" options show different results

  • DT450110 - QRM Policy question throwing error "Question submission failed due an unexpected problem"

  • DT454173 - LVM warning menu should not show up on MH that is not configured with LVM

  • DT451485 - QRM Policy question monitor 'by policy" not working as expected

  • DT450854 - QRadar: DSM Editor fails to map subsequent events after first mapping in Update Package (UP) 13

  • DT452406 - QRadar: Log Activity, Network Activity, and Offenses Tab table width have changed and are no longer visible in a single view after UP11 if the screen aspect ratio is set to something other than 16:9.

  • DT456524 - Persistent queues will not empty on Event Collectors disconnecting from port 32005 to event Processors

  • DT456361 - Qflow Spoofing forwarding fails with error 'Failed to retrieve MAC address for 192.xx.xx.xx.'

  • DT455159 - Risk Manager - "Rules of Device" Window, Event Button Greyed out.

  • DT455273 - QRadar Risk Manager - Attack Path is displayed but unreadable

  • DT455164 - Risk Manager - Search on Rules fails on multiple selections

  • DT458611 - QRadar 7.5.0.14+ : Backup restoration fails on destination site due to foreign key constraint violation: fk_flowsource_lookup

  • DT096809 - IJ31090: INDEX MANAGEMENT CAN DISPLAY ZEROS (0) ACROSS ALL COLUMNS WHEN A LARGE TIME RANGE IS CHOSEN

  • DT251833 - IJ34636: RSS FEEDS WIDGET IS NO LONGER WORKING

  • DT461409 - Report generation fails when payload contains special characters

  • DT458064 - Postgres is running out of connections for Non Console appliances

  • DT464278 - QuickFilter not taking advantage of the Lucene index, causing slow searching

  • DT467986 - 7.5.0 UP15: Apps hosted on an HA Console or Apphost will route externally using the VIP instead of physical IPs

 

Known Issues

  • DT464215 - Risk Manager - Search on Rules fails on multiple selections

  • DT465347 - Backup and Restore | POST API | Backup API to take config backup fails with 500 Internal server error

  • DT465384 - Syslog Event Timeout Resets to Default After Saving “Never timeout” Selection

  • DT465400 - Quick Log Source Creation Triggers an Error When “Use Default Timeout (720)” Is Selected

 

Upgrade information


QRadar 7.5.0 Update Package 15 resolves reported issues from users and administrators from previous QRadar versions. This cumulative software update fixes known software issues in your QRadar deployment. QRadar software updates are installed by using an SFS file, and update all appliances attached to the QRadar Console.

The 750-QRADAR-QRSIEM-2021.6.15.20260306120301 SFS file can upgrade the following QRadar versions to QRadar 7.5.0 Update Package 15:

  • QRadar 7.5.0 Update Package 10
  • QRadar 7.5.0 Update Package 10 Interim Fix 01 to Interim Fix 02
  • QRadar 7.5.0 Update Package 11
  • QRadar 7.5.0 Update Package 11 Interim Fix 01 to Interim Fix 04
  • QRadar 7.5.0 Update Package 12
  • QRadar 7.5.0 Update Package 12 Interim Fix 01 to Interim Fix 03
  • QRadar 7.5.0 Update Package 13
  • QRadar 7.5.0 Update Package 13 Interim Fix 01 to Interim Fix 02
  • QRadar 7.5.0 Update Package 14
  • QRadar 7.5.0 Update Package 14 Interim Fix 01 to Interim Fix 05
 

This document does not cover all of the installation messages and requirements, such as changes to appliance memory requirements or browser requirements for QRadar. To review any additional requirements, see the QRadar Upgrade Guide.

See QRadar: Software update check list for administrators for a list of steps to review before you update your QRadar deployment.

Before you begin

Ensure that you take the following precautions:

  • Back up your data before you begin any software upgrade. For more information about backup and recovery, see the QRadar Administration Guide.
  • To avoid access errors in your log file, close all open QRadar sessions.
  • The QRadar software update cannot be installed on a managed host that is at a different software version from the Console. All appliances in the deployment must be at the same software revision to update the entire deployment.
  • Verify that all changes are deployed on your appliances. The update cannot install on appliances that have changes that are not deployed.
  • If this is a new installation, review the instructions in the QRadar Installation Guide.
 

Installing the QRadar 7.5.0 Update Package 15 Software Update


These instructions guide you through the process of upgrading an existing QRadar version to QRadar 7.5.0 Update Package 15. To update appliances in parallel, see QRadar: How to Update Appliances in Parallel.

Procedure

  1. Download the software update to install QRadar 7.5.0 Update Package 15 from the IBM Fix Central website: 7.5.0-QRADAR-QRSIEM-20260306120301

    Important: Please confirm that you are installing the correct SFS file by checking the sha256sum value as found on Fix Central.

    Note: To confirm QRadar 7.5.0 Update Package 15 is code signed by IBM, you must use the latest code signing utility 1.0.2. For more information, see https://ibm.biz/qradarcodesigning.
  2. Use SSH to log in to your Console as the root user.
  3. To verify you have enough space (10GB) in /store/tmp for the QRadar Console, type the following command:

      df -h /tmp /storetmp /store/transient | tee diskchecks.txt
    • Best directory option: /storetmp

      It is available on all appliance types at all versions. In QRadar 7.5.0 versions /store/tmp is a symlink to the /storetmp partition.

If the disk check command fails, retype the quotation marks from your terminal, then rerun the command. This command returns the details both to the command window and to a file on the Console named diskchecks.txt. Review this file to ensure that all appliances have at minimum 10GB of space available in a directory to copy the SFS before attempting to move the file to a managed host. If required, free up disk space on any host that has less than 10GB available.

Note: In QRadar 7.3.0 and later, an update to directory structure for STIG-compliant directories reduces the size of several partitions. This can impact moving large files to QRadar.

  4. To create the /media/updates directory, type the following command:

      mkdir -p /media/updates
  5. Use SCP to copy the files to the /storetmp directory on the QRadar Console, or to a location with 10GB of disk space.
  6. Change to the directory where you copied the patch file. For example:

      cd /storetmp
  7. To mount the patch file to the /media/updates directory, type the following command:

      mount -o loop /storetmp/750-QRADAR-QRSIEM-2021.6.15.20260306120301.sfs /media/updates

  8. To run the patch installer, type the following command:

      /media/updates/installer

    Note: The first time that you run the software update, there might be a delay before the software update installation menu is displayed.

  9. Using the patch installer, select all.
    • The all option updates the software on all appliances in the following order:
      1. Console
      2. No order required for remaining appliances. All remaining appliances can be updated in any order that you require.
    • If you do not select the all option, you must select your Console appliance.

      As of QRadar 7.2.6 Patch 4 and later, you are only provided the option to update all or update the Console appliance. Managed hosts are not displayed in the installation menu to ensure that the Console is patched first. After the Console is patched, a list of managed hosts that can be updated is displayed in the installation menu. This change was made starting with QRadar 7.2.6 Patch 4 to ensure that the Console appliance is always updated before managed hosts to prevent upgrade issues.

      If you want to patch systems in series, you can update the Console first, then copy the patch to all other appliances and run the patch installer individually on each managed host. The Console must be patched before you can run the installer on managed hosts. When updating in parallel, there is no order required in how you update appliances after the Console is updated.

      If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the patch installation resumes.
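
The checksum confirmation from step 1 and the 10GB free-space check from step 3, written as reusable shell functions that fail closed. This is an added example, not part of the IBM release notes or IBM tooling; the function names are hypothetical and the expected digest is a placeholder for the sha256sum value shown on Fix Central.

```sh
#!/bin/sh
# Added example: pre-flight checks for a QRadar SFS file before mounting it.
# Function names are hypothetical; nothing here is IBM-supplied tooling.

REQUIRED_KB=$((10 * 1024 * 1024))   # 10GB expressed in 1K blocks

# Print the lowercase SHA-256 hex digest of a file.
sfs_sha256() {
    sha256sum "$1" | awk '{print tolower($1)}'
}

# verify_sfs FILE EXPECTED_DIGEST
# Returns 0 on match, 1 on mismatch, 2 if the inputs are unusable.
verify_sfs() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    # Refuse anything that is not 64 hex characters, such as an unfilled
    # placeholder, so a copy/paste slip cannot pass as "verified".
    case $expected in
        ''|*[!0-9a-f]*) echo "expected digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected digest is not 64 characters" >&2; return 2; }
    actual=$(sfs_sha256 "$file") || return 2
    [ "$actual" = "$expected" ]
}

# Print the free space, in 1K blocks, of the filesystem that holds DIR.
# -P keeps each filesystem on one line so the column position is stable.
avail_kb() {
    df -Pk "$1" 2>/dev/null | awk 'NR==2 {print $4}'
}

# has_space DIR [MIN_KB]
# Returns 0 if DIR has at least MIN_KB free (default 10GB); 1 otherwise,
# including when DIR does not exist on this host.
has_space() {
    need=${2:-$REQUIRED_KB}
    have=$(avail_kb "$1")
    [ -n "$have" ] && [ "$have" -ge "$need" ]
}

# Typical use on the Console (digest value is a placeholder):
#   has_space /storetmp || echo "free up space in /storetmp before copying"
#   verify_sfs /storetmp/750-QRADAR-QRSIEM-2021.6.15.20260306120301.sfs \
#       "<sha256sum value from Fix Central>" && echo "digest matches"
```

Run has_space before copying the SFS to a host and verify_sfs after the copy completes, so a truncated or altered transfer is caught before the file is mounted.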

Installation wrap-up

  1. If the system reboot is not initiated after the patch completes and you have exited the installer, type the following command:

      umount /media/updates
  2. Clear your browser cache before you log in to the Console.
  3. Delete the SFS file from all appliances.
  4. For administrators with managed WinCollect 7 agents, upgrades to 7.5.0 Update Package 15 require WinCollect version 7.3.1 Patch 4. Depending on your upgrade path, you might be required to update your WinCollect agent version on the Console. For more information, see the WinCollect 7.3.1 Patch 4 release notes.
  5. To run AQL queries that use geographic data or the flags on the Log Activity tab, update to the latest database from MaxMind after you upgrade to QRadar 7.5.0 Update Package 15.
     

Results

A summary of the software update installation advises you of any managed hosts that were not updated. If the software update fails to update a managed host, you can copy the software update to the host and run the installation locally.

After all hosts are updated, send an email to your team to inform them that they will need to clear their browser cache before they log in to the QRadar SIEM interface.

 

Security Bulletins

 


Document Information

Modified date:
17 March 2026

UID

ibm17262402