IBM Support

QRadar 7.3.1 Patch 6 updates can take an extended amount of time to complete

Flashes (Alerts)


Abstract

It has been identified that updating to QRadar 7.3.1 Patch 6 can appear to be stuck for an unexpectedly long period of time (many hours) when a large number of assets exist in the QRadar environment.

Content

Update / Notice to all users

This issue has been resolved and APAR IJ09572 is closed. The SFS for QRadar 7.3.1 Patch 6 has been replaced with an updated version on IBM Fix Central for all users. Administrators can upgrade to QRadar 7.3.1 Patch 6 without experiencing extended upgrade windows.

 

 

The information below from the original flash notice is no longer relevant as this issue has been resolved. All content below this separator is considered legacy, but is being kept for historical purposes and to keep the SHA256 sum values for the affected versus the corrected SFS file versions.


Urgency

This alert is intended for administrators planning to update to QRadar 7.3.1 Patch 6 who have downloaded, but not yet installed the software from IBM Fix Central in their deployment. Administrators should be aware that a revised version of QRadar 7.3.1 Patch 6 is being prepared for IBM Fix Central to reduce the time span required to complete the update for QRadar 7.3.1.20180912181210. If you have successfully completed the update to 7.3.1 Patch 6 (QRadar 7.3.1.20180912181210) without issue, you can ignore this flash notice.

 

 

Summary

On Thursday (September 20, 2018), QRadar Support began to receive cases where administrators reported that the QRadar 7.3.1 Patch 6 update seemed to be hung and the system was taking an extended amount of time to complete the installation. This issue appears to impact QRadar appliances with a large asset database, as the asset database migration takes an extended amount of time to complete. Administrators who have started the installation of QRadar 7.3.1 Patch 6 should let the update finish, which will take several hours longer than expected. If an administrator force exits the installer, the update fails and a support case is required. QRadar Support representatives have a workaround to assist users who force exited the update, so that the update to QRadar 7.3.1 Patch 6 can complete successfully.

APAR IJ09572 is being created to track this issue. The included link is being provided in this flash notice so users can subscribe to the issue; however, it might take time for the APAR to be visible to all users globally.

 

 

Affected Products and Versions

All QRadar appliances attempting to update using the original version of QRadar 7.3.1 Patch 6 can be impacted by this issue. The length of time required to complete the update is dependent on the size of the asset database.

Affected version SHA256 Sum: 2ab6c820ce1d27912f34df80197b34ca0c441455a96ffc9f7918495329c64267
File name: 731_QRadar_patchupdate-7.3.1.20180912181210.sfs

 

 

What to do

Do not cancel or stop the QRadar 7.3.1 Patch 6 installer if the update appears to be in a hung state as the asset database migration is in progress. Administrators who have not yet downloaded the update can get the revised version from IBM Fix Central with the following link:

SHA256 Sum for the corrected version: 7e6439a30b6fc29b036950c17d9140c4d5124cd77b9fca9b37d0668338a06bd4

NOTE: The IBM Fix Central download link for the corrected software version (731_QRadar_patchupdate-7.3.1.20180912181210.sfs) might take up to 24 hours to become available to all users globally. Because the file name is the same for both versions, it is recommended that all administrators verify the SHA256 sum to ensure they have the updated SFS file.
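The check recommended above can be scripted. The following is an added example, not IBM-provided tooling: it hashes a downloaded SFS file and reports whether it matches the affected or the corrected SHA256 sum published in this notice. The function names are hypothetical and `sha256sum` from GNU coreutils is assumed to be available.

```shell
#!/bin/sh
# Added example: classify a downloaded QRadar 7.3.1 Patch 6 SFS by SHA256.
# Both builds share one file name, so only the digest tells them apart.

# Digests as published in this flash notice.
AFFECTED_SHA256="2ab6c820ce1d27912f34df80197b34ca0c441455a96ffc9f7918495329c64267"
CORRECTED_SHA256="7e6439a30b6fc29b036950c17d9140c4d5124cd77b9fca9b37d0668338a06bd4"

# classify_sfs_digest <hex-digest>: prints affected | corrected | unknown
classify_sfs_digest() {
    # Normalise case so digests copied in upper case still match.
    _d=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$_d" in
        "$AFFECTED_SHA256")  echo "affected" ;;
        "$CORRECTED_SHA256") echo "corrected" ;;
        *)                   echo "unknown" ;;
    esac
}

# classify_sfs_file <path>: hashes the file and prints the verdict.
# Exit status: 0 = corrected build, 1 = affected or unknown, 2 = unreadable.
# Only status 0 should let an update script proceed.
classify_sfs_file() {
    if [ ! -r "$1" ]; then
        echo "missing"
        return 2
    fi
    _digest=$(sha256sum -- "$1" | awk '{print $1}')
    _verdict=$(classify_sfs_digest "$_digest")
    echo "$_verdict"
    [ "$_verdict" = "corrected" ]
}

# When a path is given on the command line, classify that file.
if [ "$#" -ge 1 ]; then
    classify_sfs_file "$1"
fi
```

An "unknown" verdict means the file matches neither published sum, for example a truncated or altered download, and should be treated the same as "affected": download the file again before installing.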

 

 

 

How to Diagnose this Issue

If you are experiencing this issue, the update on the appliance takes an extended amount of time to complete (several hours longer than expected). The following error output can be displayed to administrators:

Sep 20 12:17:09 2018:[DEBUG](-ni-patchmode) Applied [5/7] '/media/updates/opt/qradar/conf/templates/db_update_7315.defect_inspector.sql' for Test_qradar database..
Sep 20 12:17:09 2018:[DEBUG](-ni-patchmode) Running SQL: f=$(cat /media/updates/opt/qradar/conf/templates/db_update_7315.qvm.sql); echo "SET TRANSACTION READ WRITE; SET SESSION CHARACTERISTICS AS TRANSACTION READ WRITE ; $f" | /usr/pgsql-9.6/bin/psql -Uqradar -p5432 -d patch_test_qradar -v ON_ERROR_STOP=1 -L /var/log/setup-7.3.0.20170620100024/patches.log.sql
Sep 20 12:17:09 2018: [WARN](-ni-patchmode) WARNING:  SET TRANSACTION can only be used in transaction blocks
Sep 20 12:17:09 2018: [WARN](-ni-patchmode) NOTICE:  materialized view "vuln_map_asset_mv" does not exist, skipping

 

 

 

 

 

 

Where do you find more information?



Document Information

Modified date:
26 September 2022

UID

ibm10732395