IBM Support

Release of QRadar 7.1 MR2 Patch 12 (7.1.0.1104434)

Release Notes


Abstract

A list of the installation instructions and fixes for IBM Security QRadar 7.1 MR2 Patch 12 (7.1.0.1104434).

Content

If your deployment is installed with QRadar 7.1, you can install fix pack 7.1.0-QRADAR-QRSIEM-1104434.


Issues resolved in QRadar 7.1 MR2 Patch 12 (7.1.0.1098887)
Number Description
Security BulletinCookie missing HTTPOnly Flag
Security BulletinApache Commons Java object deserialization
Security BulletinSession Expiry not enforced by default
Security BulletinRemote Code Execution in QRadar Web User Interface
Security BulletinCross Site Scripting in QRadar Web User Interface
Security BulletinSSH Private Key Exposure
Security BulletinCross Site Scripting in QRadar Web User Interface

Note: It might take time for the resolved issues links to display on the Internet after being published.


Known Issues

In this version, administrators who attempt to add a Flow Source from a flowlog file without typing a directory path might receive an Application Error in the user interface. All flowlog configurations that reference a flowlog file must include a path to a file that references the location of the flowlog file on the QRadar appliance. To resolve this issue, the administrator can close the Flow Source Management window and add the Flow Sources a second time from the Admin tab. In the Add Flow Source configuration, the administrator must specify a valid path to either the flowlog file or a list of Flowlog Files before attempting to Save, such as @/store/flowlogs/flowloglist.


Before you begin

Ensure that you take the following precautions:

  • Important: HA crossover related tuning values (MTU and PING) in qradar_nettune.pl are not preserved during this patch. These values should be recorded prior to the patch so qradar_nettune.pl can be re-run again following the patch should those tuning parameters still be required.
  • Back up your data before you begin any software upgrade. For more information about backup and recovery, see the IBM Security QRadar Administration Guide.
  • To avoid access errors in your log file, close all open QRadar sessions.
  • The fix pack for QRadar cannot be installed on a managed host that is at a different software version from the Console. All appliances in the deployment must be at the same software revision to patch the entire deployment.
  • Verify that all changes are deployed on your appliances.
  • The patch cannot install on appliances that have changes that are not deployed.

About this task

Fix packs are cumulative software updates to fix known software issues in your QRadar deployment. QRadar fix packs are installed by using an SFS file. The fix pack can update any appliance that is attached to the QRadar Console that is at the same software version as the Console.


Procedure

  1. Download the fix pack 7.1.0-QRADAR-QRSIEM-1104434 from the IBM Fix Central website: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Security%2BSystems&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.1.0&platform=Linux&function=fixId&fixids=7.1.0-QRADAR-QRSIEM-1104434&includeRequisites=0&includeSupersedes=0&downloadMethod=http&source=fc
  2. Using SSH, log in to your system as the root user.
  3. Copy the fix pack to the /tmp directory on the QRadar Console.
    Note: If space in the /tmp directory is limited, copy the fix pack to another location that has sufficient space.
  4. To create the /media/updates directory, type the following command: mkdir -p /media/updates
  5. Change to the directory where you copied the patch file. For example, cd /tmp
  6. To mount the patch file to the /media/updates directory, type the following command: mount -o loop -t squashfs 710_QRadar_patchupdate-7.1.0.1104434.sfs /media/updates/
  7. To run the patch installer, type the following command: /media/updates/installer
    Note: The first time that you run the fix pack, there might be a delay before the installation menu is displayed.
  8. Using the patch installer, select all.

    The all option updates the software on all systems in your deployment. In HA deployments, primary HA appliances are patched and replicate the patch update to the secondary HA appliance.

    If you do not select the all option, you copy the fix to each appliance in your deployment and install the fix pack. If you manually install fix packs in your deployment, you must update your appliances in the following order:
    1. Console
    2. Event Processors
    3. Event Collectors
    4. Flow Processors
    5. Flow Collectors

  9. After the install completes, administrators and users should clear their browser cache before logging in to the Console.

NOTE: If your Secure Shell (SSH) session is disconnected while the installation is in progress, the installation continues. When you reopen your SSH session and rerun the installer, the current state of the installation is displayed.


Results

A summary of the fix pack installation advises you of any managed host that were not updated. If the fix pack fails to update a managed host, you can copy the fix pack to the host and run the installation locally.


-----
Where do you find more information?

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Documentation","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.1","Edition":"All Editions","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
10 May 2019

UID

swg27047379

Page Feedback