IBM Support

Release of QRadar 7.2.2 Patch 1 (7.2.2.831399)

Release Notes


Abstract

A list of the installation instructions and fixes for IBM Security QRadar 7.2.2 Patch 1 (7.2.2.831399).

Content


IMPORTANT: The fix pack for QRadar 7.2.2 Patch 1 is no longer available. This release was removed from distribution due to several issues. The issues in QRadar 7.2.2 Patch 1 have been corrected and an update was re-released as QRadar 7.2.2 Patch 2.

For a list of resolved issues, see APARs IV58209, IV60207, IV60208, IV60209, IV60220. These APARs are outlined in the QRadar 7.2.2 Patch 2 release notes. To read the QRadar 7.2.2 Patch 2 release notes, see http://www.ibm.com/support/docview.wss?uid=swg27042009.







The original release notes for 7.2.2 Patch 1 follow. See the statement above for important information.



If your deployment is installed with QRadar 7.1 Maintenance Release 2 (7.1.2.519185) or above, you can install fix pack 7.2.2-QRADAR-QRSIEM-831399.

Note: QRadar 7.2.2 Patch 1 is required to update a QRadar deployment to 7.2.2. There will not be an SFS file released for QRadar 7.2.2, as we require customers to upgrade directly to 7.2.2 Patch 1. This update also simplifies version names for QRadar, changing from "QRadar 7.2 Maintenance Release 2" to the name "QRadar 7.2.2".



Before you begin

Ensure that you take the following precautions:

  • Back up your data before you begin any software upgrade. For more information about backup and recovery, see the IBM Security QRadar Administration Guide.
  • To avoid access errors in your log file, close all open QRadar sessions.
  • The fix pack for QRadar cannot be installed on a managed host that is at a different software version from the Console. All appliances in the deployment must be at the same software revision to patch the entire deployment.
  • Verify that all changes are deployed on your appliances.
  • The patch cannot install on appliances that have changes that are not deployed.

About this task

Fix packs are cumulative software updates to fix known software issues in your QRadar deployment. QRadar fix packs are installed by using an SFS file. The fix pack can update any appliance that is attached to the QRadar Console that is at the same software version as the Console.


Procedure

  1. Download the fix pack 7.2.2-QRADAR-QRSIEM-831399 from the IBM Fix Central website: https://ibm.biz/BdRJaU (IBM shortened link to download this fix pack)
  2. Using SSH, log in to your system as the root user.
  3. Copy the fix pack to the /tmp directory on the QRadar Console.
    Note: If space in the /tmp directory is limited, copy the fix pack to another location that has sufficient space.
  4. To create the /media/updates directory, type the following command: mkdir -p /media/updates
  5. Change to the directory where you copied the patch file. For example, cd /tmp
  6. To mount the patch file to the /media/updates directory, type the following command:
    mount -o loop -t squashfs 722_QRadar_patchupdate-7.2.2.831399.sfs /media/updates
  7. To run the patch installer, type the following command:
    /media/updates/installer
    The first time that you run the fix pack, there might be a delay before the fix pack installation menu is displayed.
  8. Using the patch installer, select all.

The all option updates the software on all systems in your deployment. In HA deployments, primary HA appliances are patched and replicate the patch update to the secondary HA appliance.

If you do not select the all option, you must copy the fix pack to each appliance in your deployment and install it there. If you manually install fix packs in your deployment, you must update your appliances in the following order:

  1. Console
  2. Event Processors
  3. Event Collectors
  4. Flow Processors
  5. Flow Collectors

If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the patch installation resumes.
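
As an added example (not an IBM script), the following shell functions wrap steps 3 to 6 with checks for free space in the staging directory, an existing mount on /media/updates, and root privileges. The function names and the --apply switch are hypothetical; the file name and mount point are the ones given in the procedure.

```shell
#!/bin/sh
# Added example: preflight checks and staging for steps 3-6 of the procedure.
# Function names and the --apply switch are hypothetical, not part of QRadar.

SFS_NAME="722_QRadar_patchupdate-7.2.2.831399.sfs"   # file name from step 6
MOUNT_POINT="/media/updates"                          # mount point from step 4

# Size of file $1 in KiB, rounded up.
file_kib() {
    bytes=$(wc -c < "$1") || return 1
    echo $(( (bytes + 1023) / 1024 ))
}

# Free space in KiB on the file system that holds directory $1.
free_kib() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# Step 3 note: succeed only if directory $2 has room for a copy of file $1.
has_room_for() {
    need=$(file_kib "$1") || return 1
    [ "$(free_kib "$2")" -gt "$need" ]
}

# Succeed if something is already mounted on $1 (avoids stacking loop mounts).
is_mounted() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }' /proc/mounts
}

# Steps 4-6: create the mount point and loop-mount the SFS file found in $1.
stage_fix_pack() {
    dir=$1
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    [ -f "$dir/$SFS_NAME" ] || { echo "missing $dir/$SFS_NAME" >&2; return 1; }
    is_mounted "$MOUNT_POINT" && { echo "$MOUNT_POINT already mounted" >&2; return 1; }
    mkdir -p "$MOUNT_POINT" &&
    mount -o loop -t squashfs "$dir/$SFS_NAME" "$MOUNT_POINT" &&
    [ -x "$MOUNT_POINT/installer" ]   # installer from step 7 must be present
}

# Does nothing unless called with --apply and the staging directory, e.g. /tmp.
if [ "${1:-}" = "--apply" ]; then
    stage_fix_pack "${2:-/tmp}" && echo "Ready: run $MOUNT_POINT/installer (step 7)"
fi
```

Call has_room_for with the downloaded file and the target directory before copying; if it fails for /tmp, choose another location as the note in step 3 describes.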


Results

A summary of the fix pack installation advises you of any managed hosts that were not updated. If the fix pack fails to update a managed host, you can copy the fix pack to the host and run the installation locally.


Resolved issues

Since QRadar 7.2.2 Patch 1 is a cumulative release that includes the fixes for QRadar 7.2.2 and also QRadar 7.2.2 Patch 1, both issue lists are provided below.

Issues resolved in QRadar 7.2.2

Number Description
IV46420 AN ERROR MESSAGE CAN APPEAR WHEN YOU SORT THE ANNOTATION PANE BY THE TIME PARAMETER.
IV46407 NON-ADMINISTRATOR USER ROLES THAT DO NOT INCLUDE THE MAINTAIN CUSTOM RULES PRIVILEGE DISPLAY A RULE DISABLED MESSAGE.
IV42445 HOSTCONTEXT AND TOMCAT MAY NOT FUNCTION PROPERLY DUE TO SPECIAL CHARACTERS IN THE GLOBAL CONFIGURATION PASSWORD.
IV46114 TOMCAT SERVICE THRESHOLD FOR MAXIMUM NUMBER OF CLIENTS MIGHT BE REACHED WHEN ADDING MANAGED HOSTS.
IV49707 ERROR OCCURS WHEN INVESTIGATING EVENTS ON THE OFFENSES TAB WHEN USING THE MICROSOFT INTERNET 8 WEB BROWSER.
IV54646 ERRORS MAY OCCUR WHEN PERFORMING A SEARCH GROUPED OR SORTED ON A CUSTOM PROPERTY.
IV43108 NOTES IN OFFENSES ARE NOT BEING EXPORTED TO CSV OR XML.
IV48752 EXCEPTION OCCURS WHEN YOU ADD A RULE FOR A CUSTOM PROPERTY THAT CONTAINS AN AMPERSAND.
IV54456 WINCOLLECT AGENTS, SCHEDULES, OR DESTINATIONS MIGHT DISPLAY INCORRECT COUNTS AND SORT INCORRECTLY IN THE USER INTERFACE.
IV46412 LOG SOURCES MIGHT DISPLAY DUPLICATE EVENTS WHEN A SINGLE LOG SOURCE FORWARDS EVENTS TO MULTIPLE EVENT PROCESSORS.
IV46384 EVENT RULES THAT MATCH EVENTS TO A FUNCTION COUNTER RULE TEST MIGHT NOT DISPATCH MULTIPLE OFFENSES AS EXPECTED.
IV56748 CISCO ASA DEVICES THAT SEND NETFLOW V9 INFORMATION MIGHT REPORT THE FIRST PACKET TIME CORRECTLY.
IV50566 QUICK SEARCH FAILS FIRST TIME AFTER A FILTER AND TIME RANGE WERE APPLIED.
IV48142 UNABLE TO PRINT OFFENSE DETAILS.
IV49659 THERE IS NO AUDIT ENTRY WHEN 'FLOW LOG HASHING' IS MODIFIED IN THE ADMIN TAB.
IV50576 THE DEPLOYMENT EDITOR WINDOW FAILS TO OPEN WHEN YOU USE JAVA 7 (1.7) AND THE MICROSOFT INTERNET EXPLORER 8 OR 9 WEB BROWSER.
IV50579 DATA BACKUPS OCCUR FOR THE CONSOLE EVEN WHEN EVENT DATA AND FLOW DATA ARE UNCHECKED.
IV50628 CUSTOM RULE TESTS THAT ARE BASED ON GEOGRAPHIC REGION NOT WORKING AS EXPECTED.
IV54075 SOURCE IF INDEX AND DESTINATION IF INDEX COLUMN VALUES FROM A FLOW MIGHT DISPLAY AN INCORRECT INTERFACE VALUE.
IV51799 QRADAR VULNERABILITY MANAGER AUTOMATIC UPDATES ARE NOT DELETED PROPERLY AFTER INSTALLATION.
IV50638 SORT ORDER OF IP ADDRESS COLUMN IN THE ASSETS TAB IS INCORRECT.
IV50729 SOURCE OR DESTINATION IP FILTER FAILS ON SEARCH RESULTS THAT ARE ALREADY FILTERED BY SOURCE OR DESTINATION IP.
IV50731 OFFENSE RULE TEST MIGHT NOT FUNCTION CORRECTLY.
IV54289 "ACCUMULATED DATA IS NOT AVAILABLE" ERROR IN GENERATED REPORT ONLY WHEN USING TABLE VIEW.
IV50733 QRADAR LOG MANAGER 7.2 CONTAINS TWO UNNECESSARY SYSTEM SETTINGS.
IV54627 THE DEPLOYMENT EDITOR WINDOW FAILS TO OPEN WHEN YOU USE JAVA 7 (1.7) AND THE GOOGLE CHROME WEB BROWSER.
IV51433 SERVER DISCOVERY DISPLAYS AN ERROR MESSAGE WHEN THE BUILDING BLOCK FOR THE HOST DEFINITION CONTAINS A CIDR ADDRESS.
IV54609 THE PAYLOAD INDEX RETENTION DOES NOT PROPERLY DISPLAY IN THE SYSTEM SETTINGS FOR QRADAR LOG MANAGER.
IV54651 SORTING CUSTOM PROPERTIES IN THE USER INTERFACE UNEXPECTEDLY RESORTS THE LIST EACH TIME THE PAGE NUMBER CHANGES.
IV54652 A USER-DEFINED APPLICATION SIGNATURE DOES NOT OVERRIDE THE APPLICATION ID OF A FLOW IN THE SIGNATURES.XML FILE.
IV54593 BACKUP AND RECOVERY CAN CAUSE SYSTEM ISSUES WHEN CONFIGURED TO USE /STORE AS THE BACKUP REPOSITORY PATH.
IV51790 ADDING A COLUMN TO SEARCH RESULTS THAT SPAN MULTIPLE DAYS CAN INITIATE A NEW SEARCH.
IV54653 SEARCH PARAMETERS WITH A LARGE NUMBER OF CURRENT FILTERS CAN INCONSISTENTLY SCROLL A WINDOW WHEN A VALUE IS SELECTED.
IV54193 THE TOOLTIP FOR USER-CENTRIC OFFENSES SHOWS LAST EVENT IN FUTURE.
IV54267 ASSET EXPORTS THAT TAKE LONGER THAN 20 MINUTES FAIL.
IV54259 MULTIPLE SIMULTANEOUS EXPORTS CAUSE UI OUTAGES DUE TO TOMCAT TX SENTRIES.
IV54268 OFFENSE SEARCHES BY CATEGORY CAN DISPLAY AN ERROR IN THE USER INTERFACE.
IV54479 AUTO UPDATE CHANGE SETTINGS CAN DISPLAY AN INCORRECT PORT VALUE ERROR MESSAGE.
IV54732 RULE TESTS THAT ALLOW A USER TO SELECT EVENT PROPERTIES FROM A REFERENCE TABLE MIGHT NOT SELECT VALUES CORRECTLY.
IV58928 THE DYNAMIC SYSTEM ANALYSIS (DSA) TOOL ON QRADAR APPLIANCES IS BEING INVESTIGATED FOR POTENTIAL IMPACT TO SYSTEM STABILITY.
IV58602 ARIEL QUERIES MIGHT BECOME STUCK IN QRADAR SIEM 7.2.1.
IV54639 WHEN A NEW AUTHORIZED SERVICE IS CREATED, THE SYSTEM CAN GENERATE AN INVALID OR EXPIRED TOKEN ERROR.

Issues resolved in QRadar 7.2.2 Patch 1

Number Description
IV49245 DEFAULT SEARCHES DO NOT SHOW UP IN QUICK SEARCHES OR DASHBOARDS FOR NEW NON-ADMIN USERS.
IV54071 DISK REPLICATION FALLING BEHIND NOTIFICATIONS ARE GENERATED REPEATEDLY DUE TO ASSET UPDATES.
IV54345 DROPPED EVENTS DUE TO ASSETPROFILER AND TUNNEL CONFIG USING DIFFERENT CONFIGURATION TO GET PORT INFORMATION
IV54649 DELETED REFERENCE SETS THAT ARE DEFINED AS PART OF A BUILDING BLOCK MIGHT DROP OR STORE EVENTS.
IV54734 RULE RESPONSES THAT SEND AN OFFENSE SUMMARY EMAIL NOTIFICATION MIGHT INCLUDE AN UNRESOLVABLE ADDRESS IN THE URL.
IV55608 NULLPOINTEREXCEPTION ERROR MAY CAUSE ALL OFFENSES TO BE CLOSED WHEN YOU DEPLOY CONFIGURATION CHANGES
IV56598 DISPATCHED EVENTS DO NOT CONTAIN MAC ADDRESS BUT THE RULE WIZARD ALLOWS TO INDEX OFFENSES BASED ON MAC
IV56757 UNABLE TO OPEN THE DEPLOYMENT EDITOR WITH JAVA UPDATE 51 OR LATER
IV56828 DATABASE TRANSACTIONS ARE TIMING OUT AFTER 20 MINUTES WHEN RUNNING REPORTS
IV57299 QFLOW SEGFAULTS ON IPV6 FLOWS
IV57327 ARRAY INDEX OUT OF RANGE ERROR IS DISPLAYED IN PLACE OF A REPORT CHART
IV57329 QFLOW CRASHING ON CORRUPT NETFLOWV9 TEMPLATE
IV58603 THE UI MAY BECOME UNAVAILABLE DURING PERIODS OF HIGH SYSTEM LOAD AND FREQUENT USER PERMISSION CHECKS
IV59329 SEARCH BASED ON REFERENCE SET - WITH IGNORE CASE NOT WORKING CORRECTLY
IV59730 QRADAR VULNERABILITY MANAGER MIGHT TAKE AN EXCESSIVE AMOUNT OF TIME TO UPGRADE TO SOFTWARE VERSION 7.2.2.

For specific questions or concerns about updating your system, contact IBM support or post a question in our QRadar developerWorks forum: https://ibm.biz/BdR2kC

Document Information

Modified date:
10 May 2019

UID

swg27041942