IBM Support

Notice: CentOS6 applications and mitigation for CVEs

Troubleshooting


Problem

A security bulletin was issued for several QRadar versions identifying CVEs in the CentOS6 base image used by QRadar applications. The bulletin advises administrators to upgrade affected applications to mitigate the issue.

Cause

Applications built on a CentOS6 base image are considered a security issue: the base image is end of life and its packages no longer receive fixes. For CVE and CVSS score information, see Security Bulletin: IBM QRadar SIEM Application Framework v1 (CentOS6) is End of Life.

Environment

Affected versions:
  • IBM QRadar SIEM 7.3.0 to 7.3.3 FP 10
  • IBM QRadar SIEM 7.4.0 to 7.4.3 FP 4
  • IBM QRadar SIEM 7.5

Diagnosing The Problem

Administrators can identify CentOS6 and UBI apps from the QRadar command line. QRadar Support recommends that all administrators, on all versions, complete this diagnosis section to confirm that no CentOS6 applications are running in the deployment.

Command-line Interface (CLI) for on-prem configuration

Procedure
  1. Use SSH to log in to the QRadar Console as the root user.
    Note: Administrators with App Host appliances need to run the following command from the Console.
  2. To list each installed application with its base image, type:
    psql -U qradar -t -c "select id,name,image from installed_application;" 
  3. Review the output for the image column and note any entries labeled centos-base.
    [root@example.lab /]# psql -U qradar -t -c "select id,name,image from installed_application;" 
    1056 | pulse.full_name | centos-base:6.9.10 
    1057 | threatglobe.name | centos-base:6.9.10 
    1101 | QRadar Certificate Management | qradar-app-base:2.0.5 
    1058 | QRadar Assistant | centos-base:6.9.10 
    1059 | QRadar Use Case Manager | qradar-app-base:2.0.5 
    1151 | QRadar Log Source Management | qradar-app-base:2.0.5

    Result
    Sometimes, the image column can include blank entries. For example:
      id  |             name             |         image         |  status   
    ------+------------------------------+-----------------------+-----------
     1002 | pulse.full_name              | qradar-app-base:2.1.7 | COMPLETED
     1003 | Pulse - Threat Globe         |                       | COMPLETED
    If you encounter this issue, use the following command instead:
    docker ps | grep -i start
    Example output:
    CONTAINER ID             IMAGE                                            COMMAND               CREATED        STATUS        PORTS                   NAMES 
    3d223521aefb console.localdeployment:5000/qapp/2002:4.2.0-20220408120235 "sh /opt/app-root/bi…" 25 minutes ago Up 25 minutes 0.0.0.0:32778->5000/tcp qapp-1952-spCpOBd8 
    d9cdf6df0984 console.localdeployment:5000/qapp/1101:1.2.0-20210513135458 "sh /start_container…" 25 minutes ago Up 25 minutes 0.0.0.0:32777->5000/tcp qapp-1101-fBbA5Hre
    If the COMMAND column starts with "sh /start_container...", the container is running the CentOS base image.
     
Note: If no centos-base images are listed, administrators are not required to upgrade applications. However, to mitigate risk, administrators are advised to disable the installation of CentOS6 applications as described in this technical note.

User Interface (UI) for on-prem and Cloud configurations

Users can access the Interactive API for Developers section of the QRadar Console to obtain the relevant application information.

Steps
 
  1. Log in to the QRadar Console.
  2. On the navigation menu (the hamburger icon next to the "IBM QRadar" title), click Interactive API for Developers.
  3. When the API Home page is displayed, navigate to gui_app_framework > applications.
  4. Scroll down the newly displayed page and click Try It Out!
    The cURL command is run against the QRadar Console and the information for the installed applications is displayed in the section, Response Body.
  5. Highlight then copy all the text in the section Response Body.
    Open a text editor and paste the output.
    In the pasted text, search for the value "image".

    Details of Pulse - Threat Globe, a CentOS-based application (response excerpt, truncated):
    {
        "image": "centos-base:6.9.10",
        "installed_on": 1668003508011,
        "application_state": {
          "memory": 200,
          "application_id": "2702",
          "status": "RUNNING"
        },
        "manifest": {
          "description": "Pulse - Threat Globe",
          "console_ip": "x.x.x.x",
          "uuid": "2F3388D1-52D7-4240-99F6-9396A06B4BA2",
          "resource_bundles": [
    
  6. In the text editor, select the option to find the next reference of "image". Continue until all references have been viewed.
Note: If no centos-base images are listed, administrators are not required to upgrade applications. However, to mitigate risk, administrators are advised to disable the installation of CentOS6 applications as described in this technical note.

Results
Applications that list centos-base, or show a blank image value, are affected by the security bulletin from IBM and must be upgraded.
  • Affected: the Pulse Dashboard app (which includes the Threat Globe) and the QRadar Assistant App use CentOS as a base image. A blank image value means the image type cannot be determined from this output; treat the application as CentOS6-based, and confirm with the docker ps check described in the CLI procedure.
  • Not affected: QRadar Certificate Management, QRadar Use Case Manager, and QRadar Log Source Management list qradar-app-base and use the Red Hat Universal Base Image (UBI).
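The CLI and API checks above can be scripted. The following shell script is an added example, not IBM's code and not part of this technical note: it applies the rules this page states (centos-base is affected, a blank image must be confirmed with docker ps, qradar-app-base is UBI, and a COMMAND starting with "sh /start_container" is the CentOS base image) to the psql rows, the docker ps rows and the Interactive API Response Body. The sample outputs embedded in it are constructed from the rows shown on this page, and the verdict names and function names are this example's own.

```shell
#!/bin/sh
# Added example, not IBM code: script the diagnosis steps from this technical note.
# Verdict names (AFFECTED_CENTOS6, UNKNOWN_CHECK_DOCKER, OK_UBI, REVIEW) and the
# function names are this example's own; all sample data is constructed from the
# rows shown on this page.

# Constructed sample of:  psql -U qradar -t -c "select id,name,image from installed_application;"
PSQL_SAMPLE='1056 | pulse.full_name | centos-base:6.9.10
1057 | threatglobe.name | centos-base:6.9.10
1101 | QRadar Certificate Management | qradar-app-base:2.0.5
1003 | Pulse - Threat Globe |
1059 | QRadar Use Case Manager | qradar-app-base:2.0.5'

# Constructed sample of:  docker ps   (COMMAND is truncated with "…" exactly as docker prints it)
DOCKER_SAMPLE='CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3d223521aefb console.localdeployment:5000/qapp/2002:4.2.0-20220408120235 "sh /opt/app-root/bi…" 25 minutes ago Up 25 minutes 0.0.0.0:32778->5000/tcp qapp-1952-spCpOBd8
d9cdf6df0984 console.localdeployment:5000/qapp/1101:1.2.0-20210513135458 "sh /start_container…" 25 minutes ago Up 25 minutes 0.0.0.0:32777->5000/tcp qapp-1101-fBbA5Hre'

# Constructed, shortened sample of the Interactive API Response Body
# (gui_app_framework > applications): only the fields this check reads are kept,
# and the third entry with an empty image is added to exercise the blank case.
API_SAMPLE='[{"image": "centos-base:6.9.10", "manifest": {"description": "Pulse - Threat Globe"}},
 {"image": "qradar-app-base:2.1.7", "manifest": {"description": "QRadar Use Case Manager"}},
 {"image": "", "manifest": {"description": "constructed app with blank image"}}]'

# Strip leading and trailing whitespace from one string.
trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'; }

# One image string in, one verdict out, following the rules on this page.
classify_image() {
  case "$1" in
    centos-base:*)     echo AFFECTED_CENTOS6 ;;      # upgrade, uninstall or stop
    '')                echo UNKNOWN_CHECK_DOCKER ;;  # blank: confirm with docker ps
    qradar-app-base:*) echo OK_UBI ;;                # Red Hat UBI, not affected
    *)                 echo REVIEW ;;                # anything else: inspect by hand
  esac
}

# psql -t rows on stdin ("id | name | image [| status]") -> "id<TAB>name<TAB>verdict".
classify_psql() {
  while IFS='|' read -r id name image; do
    id=$(trim "$id"); name=$(trim "$name")
    image=$(trim "${image%%|*}")   # drop any extra columns (e.g. status) after image
    [ -n "$id" ] || continue
    printf '%s\t%s\t%s\n' "$id" "$name" "$(classify_image "$image")"
  done
}

# docker ps output on stdin -> NAMES of containers whose COMMAND starts with
# "sh /start_container", which this note identifies as the CentOS base image.
centos_containers() {
  grep '"sh /start_container' | awk '{ print $NF }'
}

# Response Body text on stdin -> one verdict per "image" value, in document order.
api_verdicts() {
  grep -o '"image": *"[^"]*"' | sed 's/^"image": *"//; s/"$//' |
    while read -r img; do classify_image "$img"; done
}

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$PSQL_SAMPLE"   | classify_psql
printf '%s\n' "$DOCKER_SAMPLE" | centos_containers
printf '%s\n' "$API_SAMPLE"    | api_verdicts
```

On a Console the same functions can be fed live output, for example `psql -U qradar -t -c "select id,name,image from installed_application;" | classify_psql`, and any UNKNOWN_CHECK_DOCKER row should then be cross-checked against `docker ps | centos_containers`.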

Resolving The Problem

Administrators are advised to upgrade all applications that use a CentOS6 base image due to security issues. CentOS-based applications are end of support and must be upgraded to applications based on Red Hat Universal Base Image (UBI). To review the end of life announcement issued in 2020, see QRadar: Applications, CentOS 6, and Python 2 End Of Support.

Overview for administrators
After identifying affected applications, review the following sections:
  1. Upgrade all applications to the latest available version.
  2. Mitigating risk for applications without a UBI version.
  3. Disable installations for CentOS6 applications.

Upgrading your applications

CentOS 6 applications are considered insecure and administrators must upgrade these applications. For more information, see Security Bulletin: IBM QRadar SIEM Application Framework v1 (CentOS6) is End of Life.

Resources
  1. Administrators can individually download and install applications from the IBM X-Force App Exchange. To locate UBI applications to manually install, use the filter QRadar 7.3.3 FP6+/7.4.1 FP2+.
    OR
  2. Use the QRadar Assistant App to manage and upgrade applications in QRadar:
    1. Configuring the QRadar Assistant app.
    2. Firewall requirements and URL access.
    3. Review the following video on how to upgrade applications in the QRadar Assistant app:

Mitigating risk for applications without a UBI version

The administrator can confirm whether an upgrade exists for your installed CentOS6 application. In some cases, third-party or early access applications might not have an upgrade available to mitigate the security issues. If an application does not have a UBI version available, administrators can choose one of the following options: 
  1. Uninstall the affected CentOS6 application.
    Note: If you no longer use a CentOS-based application, you must uninstall the application before you complete the procedure to disable CentOS6 application installations in this technical note.
  2. Stop the application from the QRadar API.
    Stopping an affected application is considered a temporary solution and not a mitigation for the security vulnerabilities. Applications with a status of STOPPED in the QRadar API cannot be upgraded. If you stop an application and need to upgrade it in the future when a UBI version of your app is available, you must change the status to RUNNING.

    Important: Administrators who continue to use CentOS6 applications expose themselves to the risks defined in the security bulletin. IBM cannot be held responsible for users who continue to operate CentOS6 applications. It is important for administrators to mitigate their risk and either upgrade, uninstall, or disable affected applications. Questions related to third-party app releases must be directed to the app development team defined in the Support field X-Force App Exchange page.

Disable installations for CentOS6 applications

Administrators can reduce the security risk further and ensure that CentOS-based applications cannot install on the QRadar Console. This procedure decreases risk by preventing administrators who are unaware of the security issues from installing older CentOS-based applications, but does not mitigate the vulnerabilities. You must upgrade, uninstall, or disable applications that use CentOS6 images.

Procedure
To prevent CentOS6 application installs, administrators must add or update nva.conf files on the QRadar Console. 
  1. Create a backup of the nva.conf file in a safe location, such as /store/IBMSupport. For example,
    cp -p /opt/qradar/conf/nva.conf /store/IBMSupport/
    Note: Always create a backup before you attempt to modify a core QRadar system file.
  2. Edit the following files:
    • /opt/qradar/conf/nva.conf
    • /store/configservices/staging/globalconfig/nva.conf
  3. Select one of the following options:
    1. If the DISABLE_DEPRECATED_APPS value is false, set the parameter to true. For example,
      DISABLE_DEPRECATED_APPS=true
      Tip: If you use the Vim text editor, type :/DISABLE_DEPRECATED_APPS in command mode to confirm if the parameter needs to be added.
    2. If the parameter is not present in the nva.conf file, add DISABLE_DEPRECATED_APPS=true. For example, for each of the two files listed in step 2:
      1. To edit the file, type:
        vim /opt/qradar/conf/nva.conf
      2. Type :$ to jump to the end of the file.
      3. Press i to enter insert mode.
      4. To add the required parameter, type:
        DISABLE_DEPRECATED_APPS=true
      5. Press Esc, then type :wq to save your changes.
  4. Log in to the QRadar user interface as an administrator.
  5. Click the Admin tab.
  6. Click Advanced > Deploy Full Configuration.

    Results
    After the deployment completes, CentOS6 applications cannot install on the QRadar Console. If you require assistance with the mitigation described in this technical note, contact QRadar Support.
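The backup, edit and verify steps of this procedure, scripted as an added example (not IBM's code and not part of this technical note). The function edits whichever path it is given, so it can be tried on a scratch copy before it touches the two real nva.conf files named above; the timestamped .bak name and the function name are this example's own conventions, and the Deploy Full Configuration step remains a UI action that the script does not perform.

```shell
#!/bin/sh
# Added example, not IBM code: make the nva.conf edit from this procedure
# idempotent and backed up. Takes the file path explicitly so it can be run
# against a scratch copy first.

# Usage: set_disable_deprecated_apps <nva.conf path> [backup dir]
# The default backup dir is the one this note suggests; the timestamped .bak
# file name is this example's own convention.
set_disable_deprecated_apps() {
  conf="$1"
  backup_dir="${2:-/store/IBMSupport}"
  [ -f "$conf" ] || { echo "not a file: $conf" >&2; return 1; }

  # Always back up before modifying a core QRadar system file.
  mkdir -p "$backup_dir"
  cp -p "$conf" "$backup_dir/$(basename "$conf").$(date +%Y%m%d%H%M%S).bak"

  if grep -q '^DISABLE_DEPRECATED_APPS=' "$conf"; then
    # Parameter present (true or false): rewrite it in place. Writing back with
    # cat > keeps the file's inode, owner and mode, which a mv would not.
    sed 's/^DISABLE_DEPRECATED_APPS=.*/DISABLE_DEPRECATED_APPS=true/' "$conf" > "$conf.tmp" &&
      cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
  else
    # Parameter absent: append it (the :$ / i / :wq steps above). If the file
    # has no trailing newline, add one first so the parameter lands on its own line.
    [ -z "$(tail -c1 "$conf")" ] || printf '\n' >> "$conf"
    printf 'DISABLE_DEPRECATED_APPS=true\n' >> "$conf"
  fi

  # Verify: exactly one DISABLE_DEPRECATED_APPS line, and it is set to true.
  [ "$(grep -c '^DISABLE_DEPRECATED_APPS=' "$conf")" = 1 ] &&
    grep -q '^DISABLE_DEPRECATED_APPS=true$' "$conf"
}

# Dry run on scratch copies: one file with the value set to false, one without it.
demo_dir=$(mktemp -d)
printf 'DISABLE_DEPRECATED_APPS=false\n' > "$demo_dir/with.conf"
printf 'OTHER_SETTING=1\n' > "$demo_dir/without.conf"
for f in "$demo_dir/with.conf" "$demo_dir/without.conf"; do
  set_disable_deprecated_apps "$f" "$demo_dir/backup" && echo "ok: $f"
done

# On the Console, run it against the two files this note names, then deploy:
#   for f in /opt/qradar/conf/nva.conf /store/configservices/staging/globalconfig/nva.conf; do
#     set_disable_deprecated_apps "$f"
#   done
#   Admin tab > Advanced > Deploy Full Configuration
```

The function returns non-zero if the file is missing or if, after editing, the parameter is not present exactly once with the value true, so a failed run is visible before you deploy the configuration.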

Document Location

Worldwide


Document Information

Modified date:
02 February 2023

UID

ibm16514023