IBM Support

Release of QRadar Packet Capture 7.3.1 SFS (7.3.1 Build 1418)

Release Notes


Abstract

The installation instructions and the resolved issues list for the release of IBM Security QRadar Packet Capture 7.3.1 (7.3.1 Build 1418). This update applies to QRadar Packet Capture appliances and Packet Capture Data Nodes.

Content

Important advisories in this update
This QRadar Packet Capture software update includes an operating system mitigation for the side-channel analysis vulnerabilities known as Spectre (Variant 1) and Meltdown (Variant 3). Because the Meltdown (Variant 3) mitigation can change search performance, a new installation prompt is displayed to administrators so that you can decide how to apply the mitigation. Installation of this update is not intended to, nor will it, provide mitigation measures against Spectre Variant 2 (CVE-2017-5715). The mitigation for Variant 2/Spectre requires an OEM microcode/BIOS update on appliances. For information about other variants of Spectre and Meltdown, see the following IBM Flash Notice: http://www.ibm.com/support/docview.wss?uid=swg22012320.

This update contains a mitigation for CVE-2017-5754 Variant 3/Meltdown provided by Red Hat that can impact search performance. Administrators must read the release notes before they install this update.

Choices:
1) Enable: Turn ON the mitigation for Variant 3/Meltdown on all appliances.
2) Disable: Turn OFF the mitigation for Variant 3/Meltdown on all appliances. IF YOU CHOOSE NOT TO ENABLE THIS UPDATE TO ADDRESS CVE-2017-5754, YOU WILL NOT HAVE ANY PROTECTION AGAINST VARIANT 3/MELTDOWN.
3) Abort patch.


CVEID: CVE-2017-5753 (Variant 1/Spectre)
MITIGATION: Enabled by default during the installation of QRadar 7.3.1 Patch 4 and cannot be disabled.
DESCRIPTION: Intel Haswell Xeon, AMD PRO and ARM Cortex A57 CPUs could allow a local authenticated attacker to obtain sensitive information, caused by a bounds check bypass in the CPU speculative branch instruction execution feature. By conducting targeted cache side-channel attacks, an attacker could exploit this vulnerability to cross the syscall boundary and read data from the CPU virtual memory.
IMPACT: No performance impact.

CVEID: CVE-2017-5754 (Variant 3/Meltdown)
MITIGATION: An installation prompt is provided to enable or disable this mitigation on appliances. A utility is also provided to allow administrators to enable or disable the mitigation for CVE-2017-5754 (Variant 3/Meltdown) post-installation, see Installation wrap-up for further details. IBM cannot be held responsible for risks incurred by administrators who do not enable the mitigation of CVE-2017-5754 (Variant 3/Meltdown).
IF YOU CHOOSE NOT TO ENABLE THIS UPDATE TO ADDRESS CVE-2017-5754, YOU WILL NOT HAVE ANY PROTECTION AGAINST VARIANT 3/MELTDOWN.
DESCRIPTION: Intel Haswell Xeon, AMD PRO and ARM Cortex A57 CPUs could allow a local authenticated attacker to obtain sensitive information, caused by a rogue data cache load in the CPU speculative branch instruction execution feature. By conducting targeted cache side-channel attacks, an attacker could exploit this vulnerability to cause the CPU to read kernel memory from userspace before the permission check for accessing an address is performed.
IMPACT: Search performance degradation has been observed on appliances when the mitigation for Variant 3/Meltdown is enabled. Administrators who want to evaluate search duration on appliances before they apply the mitigation can review the following technical note: Search performance evaluation for CVE-2017-5754 (Variant 3/Meltdown).


Firmware notice
The mitigation for Variant 2/Spectre requires an OEM microcode/BIOS update on appliances. For more information on firmware releases, see: https://ibm.biz/qradarfirmware.


Performance assessment summary
You can expect performance degradation after you enable the mitigation for the vulnerability.

  • A 3% to 6% increase in CPU utilization has been observed across all workloads on appliances after the mitigation is applied.
  • Search performance for most common search types has been observed to degrade by 0% to 10%, with the following exceptions:
      • Searches that use indexed criteria and match a moderate number of results (less than 10% of the total searched dataset) are expected to be degraded by 3% to 20%.
      • Open-ended searches that have no limit applied to the query and return a very large number of results (30% of the total searched dataset or more) are expected to be degraded by up to 2x.
  • The impact on data processing is estimated to be in the 0% to 20% range.
  • High availability on a 1 Gbit network is not affected. The initial high availability setup speed and the catch-up replication speed after fail-over will be lower on a 10 Gbit network. However, the replication rate is still in the multiple hundreds of MB/s, which is sufficient for real-time replication.


Upgrade Information
For information on the requirements for upgrading to the latest version of QRadar Packet Capture, see IBM QRadar Packet Capture upgrade path (Updated).

Important: If you have a QRadar Packet Capture Software Install on your own hardware, see these release notes for instructions: http://www.ibm.com/support/docview.wss?uid=swg27051177.

Requirements
Administrators should read the following information before they attempt to complete an update:

  • This update should be completed during a scheduled maintenance window. While the system is updating, Packet Captures are not recorded as services are not started. Administrators with multiple capture appliances can capture on one appliance while they complete updates on another appliance. The update typically completes in about 10-15 minutes.
  • To avoid access errors in your log file, close all open QRadar Packet Capture sessions.
  • Google Chrome and Mozilla Firefox ESR 388 and later browsers are supported. Microsoft Internet Explorer 11 is not supported for QRadar Packet Capture appliances.
  • Any search output directories in /extraction that are older than 6 hours will be removed.
  • If Search store is full, any search output directories that are older than 3 hours will be removed.
  • Verify that all changes are deployed on your appliances. The patch cannot install on appliances that have changes that are not deployed.
  • The .SFS file is only capable of upgrading existing QRadar Packet Capture appliances. A QRadar 7.2.8 ISO is available for administrators who want to complete a new install or reinstall their Packet Capture appliance. Administrators who want to do a new install or reinstall need to review the QRadar Packet Capture Installation Guide.

Installing the QRadar Packet Capture 7.3.1 (7.3.1 Build 1418) Software Update
These instructions guide you through the process of upgrading an existing QRadar Packet Capture appliance or QRadar Packet Capture Data Node at version 7.2.7.256 or later to the newest software version.

Procedure

  1. Download the software update to install QRadar Packet Capture 7.3.1 (7.3.1 Build 1418) from the IBM Fix Central website: http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+QRadar+Network+Packet+Capture+Software&fixids=7.3.1-QRADAR-NETPCAPFULL-1418
  2. Use SSH to log in to your system as the root user.
  3. Copy the software update to the /tmp directory on the QRadar Packet Capture appliance. If space in the /tmp directory is limited, copy the fix pack to another location that has sufficient space.
  4. To create the /media/updates directory, type the following command: mkdir -p /media/updates
  5. Change to the directory where you copied the patch file. For example, cd /tmp

    Note: Using the patch installer, you can update your Packet Capture or Packet Capture Data Nodes in any order. This update will cause downtime while the installation completes. The Packet Capture appliance must be rebooted after the installation completes.

  6. To mount the patch file to the /media/updates directory, type the following command:
    mount -o loop -t squashfs 7.3.1-QRadar-PCAP-build-1418.sfs /media/updates
  7. Navigate to the /media/updates directory. For example, cd /media/updates
  8. Type the following command to begin the update: sh installer.sh

    Note: The first time that you run the software update, there might be a delay before the software update installation begins.


After the update completes

  • After the patch completes and you have exited the installer, type the following command: umount /media/updates
  • To restart the appliance from the command line, type: reboot
  • Clear your browser cache before you log in to the appliance.

Results
A summary of the software update installation advises you of any issues. After the update is complete, send an email to your team to inform them that they must clear their browser cache before they log in to QRadar Packet Capture.

Troubleshooting
After the system is rebooted, run the nc_bootcheck.sh command on the Packet Capture appliance or on the Data Node appliance to verify whether the capture server is ready or whether the system must be rebooted to complete the installation.
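Because the installer lets you enable or disable the Variant 3/Meltdown mitigation, it is worth confirming after the reboot which mitigations the kernel actually reports as active. The following script is an added example, not part of the IBM release notes or the nc_bootcheck.sh utility; it assumes a Red Hat Enterprise Linux 7 kernel that exposes the standard /sys/devices/system/cpu/vulnerabilities files, and the directory path is overridable so the functions can be exercised against constructed files.

```shell
#!/bin/sh
# Added example: report the kernel's view of the Spectre/Meltdown mitigation
# state after the QRadar Packet Capture update and reboot.
# Assumption: the kernel exposes /sys/devices/system/cpu/vulnerabilities/
# (present in Red Hat 7 kernels that carry the Meltdown/Spectre fixes).

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# mitigation_state <dir> <name>
# Prints one of: mitigated, vulnerable, unknown.
# "Not affected" is reported as mitigated because no action is required.
mitigation_state() {
    f="$1/$2"
    [ -r "$f" ] || { echo unknown; return 0; }
    case "$(cat "$f")" in
        Mitigation:*)   echo mitigated ;;
        "Not affected") echo mitigated ;;
        Vulnerable*)    echo vulnerable ;;
        *)              echo unknown ;;
    esac
}

# meltdown_check <dir>
# Succeeds (exit 0) only when the Variant 3/Meltdown mitigation that the
# installer prompt enables or disables is active; fails otherwise.
meltdown_check() {
    [ "$(mitigation_state "$1" meltdown)" = mitigated ]
}

# report <dir>: one line per vulnerability the release notes discuss.
# spectre_v2 is expected to read "vulnerable" until the OEM microcode/BIOS
# update mentioned in the Firmware notice has been applied.
report() {
    for v in spectre_v1 spectre_v2 meltdown; do
        printf '%-10s %s\n' "$v" "$(mitigation_state "$1" "$v")"
    done
}

report "$VULN_DIR"
if meltdown_check "$VULN_DIR"; then
    echo "Variant 3/Meltdown mitigation (CVE-2017-5754) is ENABLED."
else
    echo "Variant 3/Meltdown mitigation (CVE-2017-5754) is NOT active."
fi
```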

Document Information

Modified date:
28 October 2020

UID

swg27051176