IBM QRadar


Flash Notice: A critical issue has been identified in /opt/qradar/bin/qchange_netsetup

  • 1.  Flash Notice: A critical issue has been identified in /opt/qradar/bin/qchange_netsetup

    Posted Tue March 09, 2021 08:28 PM
    Edited by Jonathan Pechta Thu March 11, 2021 08:27 PM

    A flash notice was issued to all users on 9 March 2021 to AVOID using the qchange_netsetup utility. We are tracking an issue where running the qchange_netsetup utility can cause critical configuration issues on appliances.

    Update

    QRadar Support republished the flash notice with new instructions as there is a method to detect if you are going to experience the qchange_netsetup host configuration issue. Same URL as the initial flash notice and the change list reflects the updates today 3/11/2021.

    Link: Important: A critical issue has been identified in /opt/qradar/bin/qchange_netsetup

    At this time, QRadar Support is instructing users who are on 7.4.1 (any fix pack version) or earlier to always validate the qradar_netsetup.log file when you initially launch qchange. This is done by tailing the qradar_netsetup.log, then starting a qchange_netsetup from your console keyboard, IMM, or VM console to confirm the Run by field displays 'Run by -qchange_netsetup'. If any other value is listed, such as 'Run by -bash', you must Cancel the qchange_netsetup, and run it again, which should allow qchange to load properly so you can make network configuration updates or complete hardware migrations.

    We are still investigating how to replace qchange code on the affected versions. The updated flash notice posted on 3/11/2021 outlines how users can identify the issue from the qradar_netsetup.log and how to workaround invalid hostnames that can be flagged in certain patch versions, which require a hostname update to complete an upgrade.

    There will be more information pending on this issue, but I wanted to post an update here so users were aware of the new instructions in case you have business critical network changes. A change list is integrated into the article so users can see when we modify the instruction set or have improved workarounds or guidance for administrators.

    As always, if you are unsure of how to walk through these instructions, open a case with QRadar Support and we will assist.


    --- Original post ---

    What to know

    • Avoid using /opt/qradar/bin/qchange_netsetup utility to update your network config, such as changing IP addresses, changing hostnames, on any of your appliances until notified by QRadar Support. Administrators might want to alert their teams to ensure everyone is aware of this issue.
    • Avoid migrating appliances where the procedure requires you to run qchange_netsetup.
    • If you are migrating from QRadar SIEM (on premise) to QRadar on Cloud, you might need to postpone this data migration, as the procedure typically involved running qchange_netsetup when IBM Security Expert labs migrates data and sets up Data Gateways.

    This issue is still under investigation, but we are alerting users to avoid running qchange_netsetup. The only versions we've confirmed do NOT experience this issue are appliances on QRadar 7.4.2 GA or later, such as 7.4.2 GA, 7.4.2 Fix Pack 1, and 7.4.2 Fix Pack 2. If you are at any version of QRadar 7.4.2, you can ignore this notice. However, all other versions at 7.4.1 or earlier are affected and you should alert your team to avoid using qchange_netsetup.

    We will be updating and reissuing the flash notice when an APAR is available and there is a workaround, a utility or auto update fix, or method to identify the hostname or configuration issues on appliances.



    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------
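The validation step from the post above (tail qradar_netsetup.log, confirm the Run by field reads 'Run by -qchange_netsetup', otherwise cancel and relaunch) as an added example, not part of the IBM post or a QRadar utility. It assumes the 'Run by -...' text appears as shown in the post; the exact layout of the surrounding log line and the sample log lines are constructed here.

```shell
#!/bin/sh
# Added example (not IBM's code): inspect the most recent "Run by" entry in a
# qradar_netsetup.log. Per the flash notice, the field must read
# 'Run by -qchange_netsetup'; any other value (e.g. 'Run by -bash') means the
# run must be cancelled and qchange_netsetup started again.

# Prints the last "Run by" value found and returns:
#   0 = launched by qchange_netsetup (safe to continue)
#   1 = launched by something else (cancel and rerun)
#   2 = no "Run by" entry yet, or the log is unreadable (wait / check path)
check_runby() {
    logfile="$1"
    if [ ! -r "$logfile" ]; then
        echo "cannot read $logfile" >&2
        return 2
    fi
    # Only the most recent entry matters: a log may hold older runs.
    last=$(grep -o 'Run by -[A-Za-z0-9_./-]*' "$logfile" | tail -n 1)
    if [ -z "$last" ]; then
        echo "no Run by entry found yet"
        return 2
    fi
    echo "$last"
    case "$last" in
        'Run by -qchange_netsetup') return 0 ;;
        *)                          return 1 ;;
    esac
}

# Constructed sample logs (not real QRadar output) so the check runs offline.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
printf '%s\n' 'Mar 11 20:27:01 netsetup starting' 'Run by -bash' \
    > "$tmpdir/bad.log"
printf '%s\n' 'Mar 11 20:28:01 netsetup starting' 'Run by -qchange_netsetup' \
    > "$tmpdir/good.log"
: > "$tmpdir/empty.log"

check_runby "$tmpdir/good.log"  && echo "-> OK to proceed with the network change"
check_runby "$tmpdir/bad.log"   || echo "-> cancel and start qchange_netsetup again"
check_runby "$tmpdir/empty.log" || echo "-> utility has not written its Run by line yet"
```

In a real session you would point `check_runby` at the live qradar_netsetup.log after launching qchange_netsetup from the console, IMM or VM console as the post describes.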


  • 2.  RE: Flash Notice: A critical issue has been identified in /opt/qradar/bin/qchange_netsetup

    Posted Wed March 10, 2021 05:57 AM
    Jonathan,
    Thanks for your flash notice about not using qchange_netsetup. From our experience it's never been easy to use in migration scenarios, depending on the complexity of your distributed configuration. Our workaround has always been to run a fresh setup and supply network parameters manually. Configuration data can then easily be migrated using CMT export/import. "CMT being best known secret inside QRadar" according to Colin Hay - quote from 2018 London University. Successfully used in appliance based and ESXi based deployments for multiple migration scenarios. I would expect that this works in Cloud migration scenarios as well, however I have not tested it yet.
    BR
    Karl

    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------



  • 3.  RE: Flash Notice: A critical issue has been identified in /opt/qradar/bin/qchange_netsetup

    Posted Thu March 11, 2021 08:30 PM
    Further guidance is now available for users and I updated my original post. We (QRadar Support) reissued the flash notice to all QRadar SIEM users to inform everyone that a method is available to determine if qchange_netsetup can experience the critical host configuration issue. The new instructions allow administrators to validate the status of the qradar_netsetup.log to determine if a network change can be completed.

    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------