Security Bulletin: IBM QRadar SIEM is vulnerable to missing authentication checks (CVE-2016-9729)

2018-06-16T21:50:45

Description

## Summary IBM QRadar SIEM does not perform an authentication check for a critical resource or functionality allowing anonymous users access to protected areas. ## Vulnerability Details **CVEID:** [CVE-2016-9729](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9729>)** DESCRIPTION:** IBM QRadar does not perform an authentication check for a critical resource or functionality allowing anonymous users access to protected areas. CVSS Base Score: 6.5 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/119758> for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) ## Affected Products and Versions • IBM QRadar SIEM 7.2.n ## Remediation/Fixes • [_IBM QRadar/QRM/QVM/QRIF 7.2.8 Patch 4_](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.2.0&platform=Linux&function=fixId&fixids=7.2.8-QRADAR-QRSIEM-20170224202650&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc>) ## Workarounds and Mitigations None ## Get Notified about Future Security Bulletins Subscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this. ### References [Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> "Link resides outside of ibm.com" ) [On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> "Link resides outside of ibm.com" ) [Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> "Link resides outside of ibm.com" ) [On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> "Link resides outside of ibm.com" ) Off ## Related Information [IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) [IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>) ## Acknowledgement IBM X-Force Ethical Hacking Team: Paul Ionescu, Warren Moynihan, Jonathan Fitz-Gerald, John Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza ## Change History 28 February 2017 *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. ## Disclaimer According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions. [{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Not Applicable","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.2","Edition":"All Editions","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Affected Software

CPE Name	Name	Version
	IBM Security QRadar SIEM	7.2

{"id": "809A3713563A53AEB37E1CCD25838C012ECD946B155E1275BEFED777A9ABB9F4", "vendorId": null, "type": "ibm", "bulletinFamily": "software", "title": "Security Bulletin: IBM QRadar SIEM is vulnerable to missing authentication checks (CVE-2016-9729)", "description": "## Summary\n\nIBM QRadar SIEM does not perform an authentication check for a critical resource or functionality allowing anonymous users access to protected areas.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-9729](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9729>)** \nDESCRIPTION:** IBM QRadar does not perform an authentication check for a critical resource or functionality allowing anonymous users access to protected areas. \nCVSS Base Score: 6.5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/119758> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\n\u2022 IBM QRadar SIEM 7.2.n\n\n## Remediation/Fixes\n\n\u2022 [_IBM QRadar/QRM/QVM/QRIF 7.2.8 Patch 4_](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.2.0&platform=Linux&function=fixId&fixids=7.2.8-QRADAR-QRSIEM-20170224202650&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc>)\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\nIBM X-Force Ethical Hacking Team: Paul Ionescu, Warren Moynihan, Jonathan Fitz-Gerald, John Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza\n\n## Change History\n\n28 February 2017\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSBQAC\",\"label\":\"IBM Security QRadar SIEM\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"7.2\",\"Edition\":\"All Editions\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "published": "2018-06-16T21:50:45", "modified": "2018-06-16T21:50:45", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 6.4}, "severity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.9, "impactScore": 2.5}, "href": "https://www.ibm.com/support/pages/node/293073", "reporter": "IBM", "references": [], "cvelist": ["CVE-2016-9729"], "immutableFields": [], "lastseen": "2022-06-28T22:15:44", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-9729"]}, {"type": "ibm", "idList": ["03B6C658330D9ED7D3D5C516018194DBD42F5AA0466A1BAFC87309A8A438D756"]}], "rev": 4}, "score": {"value": 0.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2016-9729"]}, {"type": "ibm", "idList": ["03B6C658330D9ED7D3D5C516018194DBD42F5AA0466A1BAFC87309A8A438D756"]}, {"type": "symantec", "idList": ["SMNTC-111284"]}]}, "exploitation": null, "affected_software": {"major_version": [{"name": "IBM Security QRadar SIEM", "version": 7}]}, "vulnersScore": 0.3}, "_state": {"dependencies": 1662397864, "score": 1662397857, "affected_software_major_version": 1666695388}, "_internal": {"score_hash": "5b2ba98a4f89d211cf0adb81e2b9bc17"}, "affectedSoftware": [{"name": "IBM Security QRadar SIEM", "version": "7.2", "operator": "eq"}]}

{"cve": [{"lastseen": "2022-03-23T16:39:30", "description": "IBM QRadar 7.2 does not perform an authentication check for a critical resource or functionality allowing anonymous users access to protected areas. IBM Reference #: 1999545.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2017-03-07T17:59:00", "type": "cve", "title": "CVE-2016-9729", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9729"], "modified": "2017-03-09T02:59:00", "cpe": ["cpe:/a:ibm:qradar_security_information_and_event_manager:7.2.0", "cpe:/a:ibm:qradar_security_information_and_event_manager:7.2.6", "cpe:/a:ibm:qradar_security_information_and_event_manager:7.2.2", "cpe:/a:ibm:qradar_security_information_and_event_manager:7.2.7", "cpe:/a:ibm:qradar_security_information_and_event_manager:7.2.8", "cpe:/a:ibm:qradar_security_information_and_event_manager:7.2.1", "cpe:/a:ibm:qradar_security_information_and_event_manager:7.2.5", "cpe:/a:ibm:qradar_security_information_and_event_manager:7.2.3", "cpe:/a:ibm:qradar_security_information_and_event_manager:7.2.4"], "id": "CVE-2016-9729", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9729", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:a:ibm:qradar_security_information_and_event_manager:7.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:qradar_security_information_and_event_manager:7.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:qradar_security_information_and_event_manager:7.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:qradar_security_information_and_event_manager:7.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:qradar_security_information_and_event_manager:7.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:qradar_security_information_and_event_manager:7.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:qradar_security_information_and_event_manager:7.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:qradar_security_information_and_event_manager:7.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:qradar_security_information_and_event_manager:7.2.8:*:*:*:*:*:*:*"]}], "ibm": [{"lastseen": "2021-12-30T21:50:33", "description": "## Abstract\n\nA list of the installation instructions, new features, and resolved issues list for the release of IBM Security QRadar 7.2.8 Patch 4 (7.2.8.20170224202650). \n \n\n\n## Content\n\n**Known issue identified** \n**IMPORTANT**: A known issue has been identified in QRadar 7.2.8 Patch 4 where QFlow Collector (12xx/13xx) appliances might experience an issue upgrading from older versions of QRadar, such as QRadar 7.2.6 or QRadar 7.2.7. Administrators should be aware of this issue and if you plan to upgrade older versions of QRadar (7.2.6 or 7.2.7), contact QRadar support before upgrading if you have QFlow appliances in your deployment. This issue does not impact QRadar 7.2.8 users who update to the latest version (7.2.8 Patch 4). \n\n\n**Known Issue in 7.2.8 Patch 4** \nNumber | Description \n---|--- \n[IV93936](<http://www.ibm.com/support/docview.wss?uid=swg1IV93936>)| QRADAR 7.2.8 PATCH 4 FLOW COLLECTOR (12XX/13XX) PATCH PROCESS FAILS AT TEST WHEN PATCHING FROM VERSION 7.2.6.X OR 7.2.7.X \n \n \n \n \n**Upgrade information** \nFix packs are cumulative software updates to fix known software issues in your QRadar deployment. There are five APARs associated with QRadar 7.2.8 Patch 4, which address a number of specific issues in QRadar 7.2.8. QRadar fix packs are installed by using an SFS file. The fix pack can update all appliances attached to the QRadar Console. If your deployment is installed with any of the following QRadar versions, you can install fix pack 7.2.8-QRADAR-QRSIEM-20170224202650 to upgrade to QRadar 7.2.8 Patch 4: \n \n**Current QRadar Version**| **Upgrades to QRadar 7.2.8 Patch 4?** \n---|--- \nQRadar 7.2.3 (any patch level) or earlier| No, a minimum of QRadar 7.2.4 is required. \nQRadar 7.2.4 (any patch level)| Yes \nQRadar 7.2.5 (any patch level)| Yes \nQRadar 7.2.6 (any patch level)| Yes \nQRadar 7.2.7 (any patch level)| Yes \n \nThe 7.2.8-QRADAR-QRSIEM-20170224202650 fix pack can upgrade QRadar 7.2.4 (7.2.4.983526) and later to the latest software version. However, this document does not cover all of the installation messages and requirements, such as changes to memory requirements or browser requirements for QRadar. To review any additional requirements, see the [QRadar Upgrade Guide](<http://public.dhe.ibm.com/software/security/products/qradar/documents/7.2.8/en/b_qradar_upgrade.pdf>). If you are on a version of QRadar earlier than QRadar 7.2.4, you must upgrade to QRadar 7.2.4 before proceeding to QRadar 7.2.8. For more information, see the [QRadar Software Upgrade Progression](<http://www.ibm.com/support/docview.wss?uid=swg21651118>) technical note. \n \n**Important**: A QRadar 7.2.8 ISO is available on IBM Fix Central for administrators to want to install a new appliance or virtual machine. Administrators who want to complete a new install need to review the [QRadar Installation Guide](<http://public.dhe.ibm.com/software/security/products/qradar/documents/7.2.8/en/b_siem_inst.pdf>). \n\n \n\n\n**Before you begin \n**Ensure that you take the following precautions:\n\n * Back up your data before you begin any software upgrade. For more information about backup and recovery, see the [IBM Security QRadar Administration Guide](<http://public.dhe.ibm.com/software/security/products/qradar/documents/7.2.8/en/b_qradar_admin_guide.pdf>).\n * To avoid access errors in your log file, close all open QRadar sessions.\n * The fix pack for QRadar cannot be installed on a managed host that is at a different software version from the Console. All appliances in the deployment must be at the same software revision to patch the entire deployment.\n * Verify that all changes are deployed on your appliances. The patch cannot install on appliances that have changes that are not deployed.\n * The .SFS file is only capable of upgrading existing QRadar installations. A QRadar 7.2.8 ISO is available for administrators to want to install a new appliance or virtual machine. Administrators who want to do a new install need to review the [QRadar Installation Guide](<http://public.dhe.ibm.com/software/security/products/qradar/documents/7.2.8/en/b_siem_inst.pdf>).\n \n \n\n\n**Installing the QRadar 7.2.8 Patch 4 Fix Pack \n**The instructions guide administrators through the process of upgrading an existing QRadar version at 7.2.4 or later to the newest software version.\n\n \n\n\n**Procedure**\n\n 1. Download the fix pack to install QRadar 7.2.8 Patch 4 from the IBM Fix Central website: [](<https://ibm.biz/BdEZdW>)[http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.2.0&platform=Linux&function=fixId&fixids=7.2.8-QRADAR-QRSIEM-20170224202650&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc ](<http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.2.0&platform=Linux&function=fixId&fixids=7.2.8-QRADAR-QRSIEM-20170224202650&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc>) \n\n 2. Using SSH, log in to your system as the root user.\n 3. Copy the fix pack to the **/tmp** directory on the QRadar Console. **Note:** If space in the **/tmp** directory is limited, copy the fix pack to another location that has sufficient space.\n 4. To create the /media/updates directory, type the following command: `**mkdir -p /media/updates**`\n 5. Change to the directory where you copied the patch file. For example, `**cd /tmp**`\n 6. To mount the patch file to the /media/updates directory, type the following command: \n`**mount -o loop -t squashfs 728_QRadar_patchupdate-7.2.8.20170224202650.sfs /media/updates**`\n 7. To run the patch installer, type the following command: `**/media/updates/installer \n**`**Note:** The first time that you run the fix pack, there might be a delay before the fix pack installation menu is displayed.\n 8. Using the patch installer, select **all**. \n * The **all** option updates the software on all appliances in the following order: \n \n1\\. Console \n2\\. Event Processors \n3\\. Event Collectors \n4\\. Flow Processors \n5\\. Flow Collectors\n * If you do not select the **all** option, you must select your Console appliance. \n \nAs of QRadar 7.2.6 Patch 4 and later, administrators are only provided the option to update **all** or update the Console appliance as the managed hosts are not displayed in the installation menu. After the Console is patched, a list of managed hosts that can be updated is displayed in the installation menu. This change was made starting with QRadar 7.2.6 Patch 4 to ensure that the Console appliance is always updated before managed hosts to prevent upgrade issues. \n \nIf administrators want to patch systems in series, they can update the Console first, then copy the patch to all other appliances and run the patch installer individually on each managed host. The Console must be patched before you can run the installer on managed hosts. When updating in parallel, there is no order required in how you update appliances after the Console is updated. \n \nIf your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the patch installation resumes. \n \n\n\n1\\. After the patch completes and you have exited the installer, type the following command: `**umount /media/updates**`\n\n2\\. Administrators and users should clear their browser cache before logging in to the Console. \n \n**Results \n**A summary of the fix pack installation advises you of any managed host that were not updated. If the fix pack fails to update a managed host, you can copy the fix pack to the host and run the installation locally. \n \nAfter all hosts are updated, administrators can send an email to their team to inform them that they will need to clear their browser cache before logging in to the QRadar SIEM interface. \n\n \n\n\n \n**Resolved issues \n** \n**Note: **Some APAR links in the table below might take 24 hours to display properly after a software release. A full APAR link for all QRadar versions is available \n \n\n\n**Issues resolved in 7.2.8 Patch 4** \nNumber | Description \n---|--- \n[SECURITY BULLETIN](<http://www.ibm.com/support/docview.wss?uid=swg21999556>)| IBM QRADAR SIEM IS VULNERABLE TO A DENIAL OF SERVICE (CVE-2016-9740) \n[SECURITY BULLETIN](<http://www.ibm.com/support/docview.wss?uid=swg21999549>)| IBM QRADAR SIEM AND QRADAR INCIDENT FORENSICS ARE VULNERABLE TO CROSS-SITE REQUEST FORGERY (CVE-2016-9730) \n[SECURITY BULLETIN](<http://www.ibm.com/support/docview.wss?uid=swg21999545>)| IBM QRADAR SIEM IS VULNERABLE TO MISSING AUTHENTICATION CHECKS (CVE-2016-9729) \n[SECURITY BULLETIN](<http://www.ibm.com/support/docview.wss?uid=swg21999542>)| IBM QRADAR SIEM AND QRADAR INCIDENT FORENSICS ARE VULNERABLE TO OS COMMAND INJECTION (CVE-2016-9726, CVE-2016-9727) \n[SECURITY BULLETIN](<http://www.ibm.com/support/docview.wss?uid=swg21999543>)| IBM QRADAR SIEM IS VULNERABLE TO SQL INJECTION (CVE-2016-9728) \n[SECURITY BULLETIN](<http://www.ibm.com/support/docview.wss?uid=swg21999539>)| IBM QRADAR INCIDENT FORENSICS IS VULNERABLE TO OVERLY PERMISSIVE CORS ACCESS POLICIES (CVE-2016-9725) \n[SECURITY BULLETIN](<http://www.ibm.com/support/docview.wss?uid=swg21999537>)| IBM QRADAR SIEM IS VULNERABLE TO XML ENTITY INJECTION (CVE-2016-9724) \n[SECURITY BULLETIN](<http://www.ibm.com/support/docview.wss?uid=swg21999534>)| IBM QRADAR SIEM AND QRADAR INCIDENT FORENSICS ARE VULNERABLE TO CROSS SITE SCRIPTING (CVE-2016-9723, CVE-2017-1133) \n[SECURITY BULLETIN](<http://www.ibm.com/support/docview.wss?uid=swg21999533>)| IBM QRADAR SIEM AND QRADAR INCIDENT FORENSICS ARE VULNERABLE TO INFORMATION EXPOSURE (CVE-2016-9720) \n[SECURITY BULLETIN](<http://www.ibm.com/support/docview.wss?uid=swg21999532>)| MOZILLA NSS AS USED IN IBM QRADAR SIEM IS VULNERABLE TO ARBITRARY CODE EXECUTION (CVE-2016-2834) \n[SECURITY BULLETIN](<http://www.ibm.com/support/docview.wss?uid=swg21999395>)| PIVOTAL SPRING FRAMEWORK AS USED IN IBM QRADAR SIEM IS VULNERABLE TO VARIOUS CVEs \n[SECURITY BULLETIN](<http://www.ibm.com/support/docview.wss?uid=swg21999474>)| APACHE SOLR AS USED IN IBM QRADAR SIEM AND INCIDENT FORENSICS IS VULNERABLE TO A DENIAL OF SERVICE \n[SECURITY BULLETIN](<http://www.ibm.com/support/docview.wss?uid=swg21997340>)| IBM QRADAR SIEM CONTAINS HARD-CODED CREDENTIALS \n[SECURITY BULLETIN](<http://www.ibm.com/support/docview.wss?uid=swg21997341>)| IBM QRADAR SIEM USES BROKEN OR RISKY CRYPTOGRAPHIC ALGORITHMS \n[SECURITY BULLETIN](<http://www.ibm.com/support/docview.wss?uid=swg21999488>)| APACHE TOMCAT PRIOR TO VERSION 6.0.48 IS SUSCEPTIBLE TO SEVERAL VULNERABILITIES \n[SECURITY BULLETIN](<http://www.ibm.com/support/docview.wss?uid=swg21999479>)| IBM QRADAR SIEM AND INCIDENT FORENSICS ARE VULNERABLE TO VARIOUS CVEs FOUND IN IBM JAVA. \n[SECURITY BULLETIN](<http://www.ibm.com/support/docview.wss?uid=swg21999478>)| OPENSSL AS USED IN IBM QRADAR SIEM IS VULNERABLE TO VARIOUS CVEs \n[IV86405](<http://www.ibm.com/support/docview.wss?uid=swg1IV86405>)| 'APPLICATION ERROR' WHEN USING A VALUE SPECIFIED IN 'AS' CLAUSE FOR LOGSOURCENAME IN AN ADVANCED SEARCH (AQL) \n[IV86407](<http://www.ibm.com/support/docview.wss?uid=swg1IV86407>)| THE /VAR/LOG PARTITION CAN FILL DUE TO THE QRADAR LOG FILES BEING QUICKLY FILLED WITH 'EXCEPTION IN TEST' MESSAGES \n[IV87313](<http://www.ibm.com/support/docview.wss?uid=swg1IV87313>)| 'SOURCE' AND 'DESTINATION' NETWORK GROUP SHOW FULL NETWORK HIERARCHY NAME WHEN ADDED AS A COLUMN TO DISPLAY \n[IV87507](<http://www.ibm.com/support/docview.wss?uid=swg1IV87507>)| SOME DASBOARD ITEMS NO LONGER DISPLAY IN THE QRADAR USER INTERFACE \n[IV87862](<http://www.ibm.com/support/docview.wss?uid=swg1IV87862>)| RULE 'EXPLOIT: DESTINATION VULNERABLE TO DETECTED EXPLOIT' CAN SOMETIMES NOT TRIGGER WHEN EXPECTED \n[IV89015](<http://www.ibm.com/support/docview.wss?uid=swg1IV89015>)| APPLICATION ERROR WHEN DOUBLE CLICKING THE RESULTS OF AN 'ADVANCED SEARCH' (AQL) \n[IV89556](<http://www.ibm.com/support/docview.wss?uid=swg1IV89556>)| ECS-EP PROCESS RUNNING, BUT EVENT/FLOW PROCESSING NOT OCCURING ON A QRADAR APPLIANCE \n[IV89820](<http://www.ibm.com/support/docview.wss?uid=swg1IV89820>)| SYSLOG EVENTS GENERATED FROM AN OFFENSE RULE DO NOT CONTAIN ANY CONFIGURED NAMING CONTIBUTIONS IN THE EVENT PAYLOAD \n[IV89893](<http://www.ibm.com/support/docview.wss?uid=swg1IV89893>)| 'ASSET MODEL HAS NOT YET BEEN UPDATED WITH SCAN RESULTS' MESSAGE WHEN NO ASSETS HAVE BEEN SCANNED \n[IV89904](<http://www.ibm.com/support/docview.wss?uid=swg1IV89904>)| QVM VULNERABILITY EXCEPTIONS FOR IP/CIDR/NETWORK ARE NOT RESPECTED WHEN A FILTER IS DEFINED TO EXCLUDE THEM \n[IV89929](<http://www.ibm.com/support/docview.wss?uid=swg1IV89929>)| 'MISSING PATCHES' REPORT CAN SOMETIMES BE EMPTY WHEN RUN ON SYSTEMS WITH A LARGE NUMBER OF VULNERABILITY INSTANCES \n[IV90002](<http://www.ibm.com/support/docview.wss?uid=swg1IV90002>)| QVM RED WARNING TRIANGLE DISPLAYED ON A SCAN RESULT WHEN THE ASSET MODEL WAS PROPERLY UPDATED \n[IV90004](<http://www.ibm.com/support/docview.wss?uid=swg1IV90004>)| ASSET MODEL 'NOT UPDATED' ICON DISPLAYS FOR A SCAN PROFILE RESULT WHEN SCAN POLICY HAS BEEN EDITED \n[IV90075](<http://www.ibm.com/support/docview.wss?uid=swg1IV90075>)| RED WARNING ICON ON QVM SCAN RESULTS PAGE WHEN RESULTS HAVE BEEN REPUBLISHED \n[IV90376](<http://www.ibm.com/support/docview.wss?uid=swg1IV90376>)| SECURITY APP EXCHANGE APPLICATIONS CAN FAIL TO COMMUNICATE IN SOME HIGH AVAILABILITY QRADAR CONFIGURATIONS \n[IV90421](<http://www.ibm.com/support/docview.wss?uid=swg1IV90421>)| RULE TESTS AGAINST A REFERENCE MAP DO NOT WORK WHEN DESTINATION PORT IS NULL \n[IV90793](<http://www.ibm.com/support/docview.wss?uid=swg1IV90793>)| PATCHING TO QRADAR 7.2.8 GA OVERWRITES CA CERTS THAT WERE LOCATED IN /ETC/PKI/TLS/CERTS/CA-CUNDLE.CRT \n[IV90795](<http://www.ibm.com/support/docview.wss?uid=swg1IV90795>)| DRILLING INTO A SEARCH THAT WAS GROUPED BY A CUSTOM EVENT PROPERTY WITH PARENTHESIS DOES NOT WORK AS EXPECTED \n[IV90887](<http://www.ibm.com/support/docview.wss?uid=swg1IV90887>)| 'ASSET MODEL HAS NOT YET BEEN UPDATED WITH SCAN RESULTS' MESSAGED DISPLAYED WHEN ASSET MODEL IS UPDATED CORRECTLY \n[IV90906](<http://www.ibm.com/support/docview.wss?uid=swg1IV90906>)| TIMES SERIES NOT WORKING FOR SOME NON-ADMIN QRADAR USERS \n[IV91300](<http://www.ibm.com/support/docview.wss?uid=swg1IV91300>)| CREATING A REPORT BASED ON AN AQL (ADVANCED SEARCH) QUERY CONTAINING 'ORDER BY' FAILS TO GENERATE PROPER OUTPUT \n[IV91322](<http://www.ibm.com/support/docview.wss?uid=swg1IV91322>)| ATTEMPTING TO ENABLE TIMESERIES COLLECTION FOR SHARED SAVED SEARCHES CAN SOMETIMES FAIL \n[IV91615](<http://www.ibm.com/support/docview.wss?uid=swg1IV91615>)| 'ERROR: COULD NOT FIND OR LOAD MAIN CLASS COM.Q1LABS.CORE.UTIL . PASSWORDENCRYPT' WHEN CONFIGURING LDAP HOVER FEATURE \n[IV91618](<http://www.ibm.com/support/docview.wss?uid=swg1IV91618>)| EDIT SEARCH PAGE CAN SOMETIMES FAIL TO LOAD ALL OF THE EXPECTED SEARCH PAGE OPTIONS \n[IV91634](<http://www.ibm.com/support/docview.wss?uid=swg1IV91634>)| ARIEL SEARCHES THAT ARE RUN USING API VERSION 7.0+ DO NOT RETURN PAYLOAD PROPERLY FOR PARSING \n[IV91635](<http://www.ibm.com/support/docview.wss?uid=swg1IV91635>)| QUICK SEARCHES CANNOT BE REMOVED FROM THE QUICK SEARCH LIST \n[IV91675](<http://www.ibm.com/support/docview.wss?uid=swg1IV91675>)| AN 'APPLICATION ERROR' CAN BE DISPLAYED FOR NEW USERS LOGGING INTO THE QRADAR USER INTERFACE INSTEAD OF A DEFAULT DASHBOARD \n[IV91816](<http://www.ibm.com/support/docview.wss?uid=swg1IV91816>)| PATCHING QRADAR HIGH AVAILABILITY (HA) PAIR APPLIANCES CONFIGURED USING CROSSOVER CAN SOMETIMES FAIL \n[IV92139](<http://www.ibm.com/support/docview.wss?uid=swg1IV92139>)| 'WRAP TEXT' FUNCTION FOR EVENT PAYLOAD INFORMATION DOES NOT WORK AFTER APPLYING QRADAR PATCH \n[IV92466](<http://www.ibm.com/support/docview.wss?uid=swg1IV92466>)| QRADAR SEARCHES CAN FAIL TO COMPLETE AND/OR DASHBOARD DATA CAN FAIL TO LOAD DUE TO AN ARIEL CONNECTION LEAK \n[IV92851](<http://www.ibm.com/support/docview.wss?uid=swg1IV92851>)| ARIEL CAN BECOME OVERLOADED CAUSING SLOWER THAN EXPECTED SEARCH RESULTS AND SLOW USER INTERFACE RESPONSE \n[IV92852](<http://www.ibm.com/support/docview.wss?uid=swg1IV92852>)| REPORTS RUNNING ON 'ACCUMULATED DATA' CAN SOMETIMES FAIL DUE TO THE GLOBAL VIEW DAILY ROLLUPS FAILING \n[IV93839](<https://www.ibm.com/support/entdocview.wss?uid=swg1IV93839>)| QRADAR FEATURES USING THE ARIEL PROCESS (SEARCHES, DASHBOARDS, REPORTS, ETC.) CAN INTERMITTENTLY FAIL TO LOAD/COMPLETE (NOTE: THIS APAR WAS RECENTLY ADDED AND MIGHT TAKE UP TO 12 HORUS TO DISPLAY) \n \n**Issues resolved in 7.2.8 Patch 3** \nNumber | Description \n---|--- \n[IV89519](<http://www.ibm.com/support/docview.wss?uid=swg1IV89519>)| RULES THAT TEST AGAINST REFERENCE MAP OF DATA SETS CAN SOMETIMES FIRE UNEXPECTEDLY \n[IV89901](<http://www.ibm.com/support/docview.wss?uid=swg1IV89901>)| QRADAR AUTO UPDATE FEATURE CONFIGURED TO USE A PROXY SERVER CAN FAIL AFTER PATCHING \n[IV91030 ](<http://www.ibm.com/support/docview.wss?uid=swg1IV91030>)| QRADAR APPS THAT REQUIRE SPECIFIC USER ROLE PERMISSIONS CAN STOP WORKING AFTER PATCHING TO QRADAR 7.2.8 PATCH 1 \n[IV91617 ](<http://www.ibm.com/support/docview.wss?uid=swg1IV91617>)| QFLOW APPLIANCES CAN STOP SENDING FLOWS TO FLOW PROCESSORS AFTER PATCHING TO QRADAR 7.2.8 \n[IV92220](<http://www.ibm.com/support/docview.wss?uid=swg1IV92220>)| TIME SERIES DATA ACCUMULATION DOES NOT WORK FOR NON-ADMIN DOMAIN USERS WITH MULTI-TENANCY DASHBOARD \n \n**Issues resolved in 7.2.8 Patch 2** \nNumber | Description \n---|--- \nNONE| QRADAR 7.2.8 PATCH 2 DOES NOT INCLUDE ANY RESOLVED ISSUES (APARs). THIS UPDATE INCORPORATES FRAMEWORK CHANGES IN ORDER TO SUPPORT THE NEW QRADAR NETWORK INSIGHTS APPLIANCE (19xx) IN A QRADAR DEPLOYMENT. THIS SOFTWARE VERSION WAS NOT PUBLISHED AS A GLOBAL SOFTWARE RELEASE. THIS DOWNLOAD IS ONLY AVAILABLE FROM QRADAR SUPPORT. \n \n**Issues resolved in 7.2.8 Patch 1** \nNumber | Description \n---|--- \n[SECURITY BULLETIN](<http://www.ibm.com/support/docview.wss?uid=swg21994719>)| APACHE POI AS USED IN IBM QRADAR SIEM IS VULNERABLE TO VARIOUS CVEs (CVE-2012-0213, CVE-2014-3529, CVE-2014-3574, CVE-2014-9527, CVE-2016-5000) \n[SECURITY BULLETIN](<http://www.ibm.com/support/docview.wss?uid=swg21994725>)| IBM QRADAR SIEM IS VULNERABLE TO VARIOUS CGI VULNERABILITIES (CVE-2016-5385, CVE-2016-5387, CVE-2016-5388) \n[IV77767](<http://www.ibm.com/support/docview.wss?uid=swg1IV77767>) | QRADAR USER INTERFACE OUTAGES CAN OCCUR WHEN TRYING TO LOAD THE MANAGED SEARCH RESULTS PAGE \n[IV83509](<http://www.ibm.com/support/docview.wss?uid=swg1IV83509>) | USING 'WHEN THE EVENT(S) HAVE NOT BEEN DETECTED...' RULE WITH A RESPONSE TO CREATE NEW EVENT, THAT EVENT HAS INCORRECT QID | [IV83701](<http://www.ibm.com/support/docview.wss?uid=swg1IV83701>) | ERRORS VISIBLE IN QRADAR LOGGING AFTER A CUSTOM EVENT PROPERTY HAS BEEN SUCCESSFULLY DELETED \n[IV84025](<http://www.ibm.com/support/docview.wss?uid=swg1IV84025>) | UNABLE TO DELETE RULES THAT ARE ADDED TO THE GROUP 'ANOMALY' | [IV84615](<http://www.ibm.com/support/docview.wss?uid=swg1IV84615>) | RULE OR BUILDING BLOCK DELETION CAN FAIL WHEN THERE ARE INVALID SEARCHES \n[IV86422](<http://www.ibm.com/support/docview.wss?uid=swg1IV86422>) | 'MORE OPTIONS' IS DISPLAYED TWICE WHEN PERFORMING A RIGHT CLICK OF A SOURCE AND/OR DESTINATION IP IN A NETWORK ACTIVITY SEARCH | [IV86683](<http://www.ibm.com/support/docview.wss?uid=swg1IV86683>) | THE EVENT PAYLOAD INFORMATION FIELD DOES NOT PROPERLY DISPLAY UTF DATA IF IT CONTAINS CONSECUTIVE SPACES OR A TAB CHARACTER \n[IV87248](<http://www.ibm.com/support/docview.wss?uid=swg1IV87248>) | HIGH AVAILABILITY CONSOLE WITH CROSSOVER CONNECTIONS CAN HANG AND/OR FAIL DURING QRADAR PATCHING | [IV87577](<http://www.ibm.com/support/docview.wss?uid=swg1IV87577>) | QUICK FILTER CONTAINING DOUBLE-BYTE CHARACTERS ON LOG AND/OR NETWORK ACTIVITY TAB DOES NOT WORK AS EXPECTED \n[IV87796](<http://www.ibm.com/support/docview.wss?uid=swg1IV87796>) | CUSTOM EVENT PROPERTIES DO NOT FORWARD THROUGH A CUSTOM RULE RESPONSE WHEN USING JSON FORMAT | [IV87859](<http://www.ibm.com/support/docview.wss?uid=swg1IV87859>) | SOME LOG SOURCES CAN FAIL TO BE IMPORTED DURING A CONTENT MANAGEMENT TOOL IMPORT \n[IV88275](<http://www.ibm.com/support/docview.wss?uid=swg1IV88275>) | NON-ADMIN QRADAR USERS ARE UNABLE TO FILTER ON 'EVENT PROCESSOR' | [IV88279](<http://www.ibm.com/support/docview.wss?uid=swg1IV88279>) | USER ROLE WITH ONLY 'MANAGE LOG SOURCES' UNDER 'DELEGATED ADMINISTRATION' CANNOT PERFORM A QRADAR DEPLOY FUNCTION \n[IV88324](<http://www.ibm.com/support/docview.wss?uid=swg1IV88324>) | THE SYSTEM HEATH (QRADAR HEALTH CONSOLE) FEATURE CAN HAVE VARIOUS PROBLEMS AFTER APPLYING A QRADAR PATCH | [IV88392](<http://www.ibm.com/support/docview.wss?uid=swg1IV88392>) | ORDERING OF ASSETS BY IP ADDRESS SOMETIMES DOES NOT WORK AS EXPECTED \n[IV88708](<http://www.ibm.com/support/docview.wss?uid=swg1IV88708>) | QRADAR VULNERABILITY MANAGER - ASSET DETAILS RISK POLICY SCREEN SHOWS INCORRECT TIMESTAMP IN LAST EVALUATED FIELD WHEN TIME ZONE IS SET FOR NEW ZEALAND | [IV89064](<http://www.ibm.com/support/docview.wss?uid=swg1IV89064>) | THE QRADAR ARIEL API CAN SOMETIMES RETURN NO RESULTS WHEN PROCESSING LARGE NUMBERS OF SEARCH RESULTS \n[IV89173](<http://www.ibm.com/support/docview.wss?uid=swg1IV89173>) | QRADAR VULNERABILITY MANAGER - CIDR DATA ENTRY VALIDATION FOR SCANNERS DOES NOT WORK AS EXPECTED | [IV89196](<http://www.ibm.com/support/docview.wss?uid=swg1IV89196>) | SEARCHING ON COMPRESSED DATA USING FILTER 'RETENTION BUCKET IS' RETURNS NO RESULTS \n[IV89308](<http://www.ibm.com/support/docview.wss?uid=swg1IV89308>) | THE QRADAR RULES PAGE FAILS TO LOAD OR TAKES A LONGER THAN EXPECTED TIME TO LOAD | [IV89309](<http://www.ibm.com/support/docview.wss?uid=swg1IV89309>) | SORT ON 'COUNT DESCENDING' ORDERING NOT WORKING AS EXPECTED IN REPORT OUTPUT \n[IV89345](<http://www.ibm.com/support/docview.wss?uid=swg1IV89345>) | QVM: CIS SCAN RESULT STATUS CAN SOMETIMES DISPLAY AS FAIL INSTEAD OF UNKNOWN IN THE USER INTERFACE | [IV89365](<http://www.ibm.com/support/docview.wss?uid=swg1IV89365>) | QVM VULNERABILITY FILTERING BY VENDOR AND DATE RANGE SOMETIMES DOES NOT RETURN THE COMPLETE LIST OF VULNERABILITIES \n[IV89367](<http://www.ibm.com/support/docview.wss?uid=swg1IV89367>) | QRADAR SYSTEM NOTIFICATION: 'TRANSACTION SENTRY: RESTORED SYSTEM HEALTH BY CANCELLING HUNG TRANSACTIONS OR DEADLOCKS | [IV89393](<http://www.ibm.com/support/docview.wss?uid=swg1IV89393>) | CONTENT MANAGEMENT TOOL (CMT) EXPORT OF CUSTOM RULES FAILS WITH A NULLPOINTER EXCEPTION \n[IV89408](<http://www.ibm.com/support/docview.wss?uid=swg1IV89408>) | QRADAR VULNERABILITY MANAGER SCANS UNEXPECTEDLY DISPLAY A ZERO VULNERABILITY COUNT AND NO ASSETS CREATED FROM THOSE SCANS \n[IV89516](<http://www.ibm.com/support/docview.wss?uid=swg1IV89516>) | SAVED SEARCHES ATTEMPTING TO USE CVE-ID NUMBER DATA IN REFERENCE SETS DO NOT WORK AS EXPECTED \n[IV89665](<http://www.ibm.com/support/docview.wss?uid=swg1IV89665>) | FILTERING ON 'USERNAME IS ANY OF' \" \" (A BLANK SPACE WITHIN QUOTES) DOES NOT DISPLAY AS A CURRENTLY APPLIED FILTER \n[IV89901](<http://www.ibm.com/support/docview.wss?uid=swg1IV89901>) | QRADAR AUTO UPDATE FEATURE CONFIGURED TO USE A PROXY SERVER CAN FAIL AFTER PATCHING \n[IV90087](<http://www.ibm.com/support/docview.wss?uid=swg1IV90087>) | SEARCHES CAN TAKE A LONGER THAT EXPECTED TIME TO COMPLETE IN QRADAR 7.2.8 GA \n[IV90323](<http://www.ibm.com/support/docview.wss?uid=swg1IV90323>) | UNABLE TO DELETE REFERENCE SET ELEMENTS USING THE QRADAR USER INTERFACE \n[IV90372](<http://www.ibm.com/support/docview.wss?uid=swg1IV90372>) | ATTEMPTING TO ADD AN ADVANCED SEARCH (AQL) TEST TO A RULE CAN CAUSE THE USER INTERFACE WINDOW TO BECOME UNRESPONSIVE \n[IV90419](<http://www.ibm.com/support/docview.wss?uid=swg1IV90419>) | EVENT DATA WRITTEN INTO QRADAR AT VERSION 7.2.3.X OR PRIOR CANNOT BE READ BY QRADAR VERSION 7.2.7.X AND 7.2.8 GA \n[IV90460](<http://www.ibm.com/support/docview.wss?uid=swg1IV90460>) | QRADAR DEPLOY FUNCTION CAN FAIL AFTER PATCHING TO QRADAR 7.2.8 GA \n[IV90646](<http://www.ibm.com/support/docview.wss?uid=swg1IV90646>) | QFLOW PROCESS CAN STOP WORKING AS EXPECTED ON FLOW APPLIANCES AFTER PATCHING TO QRADAR 7.2.8 GA \n[IV90649](<http://www.ibm.com/support/docview.wss?uid=swg1IV90649>) | PATCH PROCESS TO 7.2.8 GA FAILS DUE TO A USER AND AUTHORIZED SERVICE HAVING THE SAME NAME \n[IV90777](<http://www.ibm.com/support/docview.wss?uid=swg1IV90777>) | NO FLOWS OR EVENTS VISIBLE IN THE QRADAR USER INTERFACE AFTER RESTORING A CONFIGURATION BACKUP FROM 7.2.8 GA \n \n**Issues resolved in 7.2.8** \nNumber | Description \n---|--- \n[IV81172](<http://www.ibm.com/support/docview.wss?uid=swg1IV81172>) | SQL EXCEPTION WHEN RUNNING EVENTS/LOGS REPORTS BASED ON ADVANCED SEARCH FOR ASSETS \n[IV87841](<http://www.ibm.com/support/docview.wss?uid=swg1IV87841>) | RULE TEST WITH MULTIPLE REFERENCE SETS ONLY MATCHES FIRST REFERENCE SET IN TEST \n[IV82547](<http://www.ibm.com/support/docview.wss?uid=swg1IV82547>) | WEB APPLICATION XJAVASCRIPT FILTERING BROKEN \n[IV84386](<http://www.ibm.com/support/docview.wss?uid=swg1IV84386>) | CRITSIT: LOG ACTIVITY - UI EXCEPTION POPUP WHEN MOUSING OVER IP ADDRESSES \n[IV88370](<http://www.ibm.com/support/docview.wss?uid=swg1IV88370>) | REFERENCE DATA - BULK LOADING PERFORMANCE NEEDS WORK \n[IV84710](<http://www.ibm.com/support/docview.wss?uid=swg1IV84710>) | ASSET SCREEN IN UI IS SLOW WHEN THE NUMBER OF ASSETS IS MODERATE TO LARGE \n[IV85584](<http://www.ibm.com/support/docview.wss?uid=swg1IV85584>) | RULE WIZARD UI ISSUES \n[IV79236](<http://www.ibm.com/support/docview.wss?uid=swg1IV79236>) | CRITSIT: CANNOT ACCESS RULE WIZARD WHEN NAVIGATING TO AN EVENT THROUGH AN OFFENSE \n[IV85435](<http://www.ibm.com/support/docview.wss?uid=swg1IV85435>) | OFFENSE NAMING NOT WORKING CONSISTENTLY \n[IV87029](<http://www.ibm.com/support/docview.wss?uid=swg1IV87029>) | INDEX ROLLER BUG \n[IV70567](<http://www.ibm.com/support/docview.wss?uid=swg1IV70567>) | AUTOUPDATE HTTPS AND PROXY INTERCEPTION - CONNECT FAILURES BY UPDATECONFS.PL \n[IV84567](<http://www.ibm.com/support/docview.wss?uid=swg1IV84567>) | OFFENSES OVER TIME REPORTS CAN MISMATCH OFFENSE SCREEN \n[IV86839](<http://www.ibm.com/support/docview.wss?uid=swg1IV86839>) | FILTERING IN LOG SOURCES WHILE SORTED BY EPS CAUSES EXCEPTION \n[IV82557](<http://www.ibm.com/support/docview.wss?uid=swg1IV82557>) | NULLPOINTEREXCEPTION IN DATA DELETION CAUSES USER UNABLE TO DELETE RULE OR CUSTOM EVENT PROPERTY \n[IV89021](<http://www.ibm.com/support/docview.wss?uid=swg1IV89021>) | EVENTS CONTAINING ESCAPED CHARACTERS ARE DISPLAYED INCORRECTLY IN THE CUSTOM EVENT PROPERTY SCREEN \n \n \n \n \n \n \n \n**Where do I find more information? \n**\n\n* * *\n\n[![](/support/pages/system/files/support/swg/swgdocs.nsf/0/6e2439b64aefc3f2852580d0004c4270/Content/1.29C.png)](<http://ibm.biz/QRadar-KC>)[![](/support/pages/system/files/support/swg/swgdocs.nsf/0/6e2439b64aefc3f2852580d0004c4270/Content/1.FA2.png)](<https://ibm.biz/qradarforums>)[![](/support/pages/system/files/support/swg/swgdocs.nsf/0/6e2439b64aefc3f2852580d0004c4270/Content/1.1BAE.png)](<http://ibm.biz/qradarknowledge>)[![](/support/pages/system/files/support/swg/swgdocs.nsf/0/6e2439b64aefc3f2852580d0004c4270/Content/1.2836.png)](<http://ibm.biz/SecSuptUTube>)[![](/support/pages/system/files/support/swg/swgdocs.nsf/0/6e2439b64aefc3f2852580d0004c4270/Content/1.3472.png)](<http://ibm.biz/qradarsoftware>)[![](/support/pages/system/files/support/swg/swgdocs.nsf/0/6e2439b64aefc3f2852580d0004c4270/Content/1.4028.png)](<http://ibm.biz/MyNotification>)[![](/support/pages/system/files/support/swg/swgdocs.nsf/0/6e2439b64aefc3f2852580d0004c4270/Content/1.4D36.png)](<http://ibm.biz/qradarsupport>)\n\n[{\"Product\":{\"code\":\"SSBQAC\",\"label\":\"IBM Security QRadar SIEM\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Documentation\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"7.2\",\"Edition\":\"All Editions\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-05-10T14:29:11", "type": "ibm", "title": "Release of QRadar 7.2.8 Patch 4 (7.2.8.20170224202650) Updated w/Security Bulletins", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0213", "CVE-2014-3529", "CVE-2014-3574", "CVE-2014-9527", "CVE-2016-2834", "CVE-2016-5000", "CVE-2016-5385", "CVE-2016-5387", "CVE-2016-5388", "CVE-2016-9720", "CVE-2016-9723", "CVE-2016-9724", "CVE-2016-9725", "CVE-2016-9726", "CVE-2016-9727", "CVE-2016-9728", "CVE-2016-9729", "CVE-2016-9730", "CVE-2016-9740", "CVE-2017-1133"], "modified": "2019-05-10T14:29:11", "id": "03B6C658330D9ED7D3D5C516018194DBD42F5AA0466A1BAFC87309A8A438D756", "href": "https://www.ibm.com/support/pages/node/598271", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}