Juniper Secure Analytics Patch Release Notes

Transcription

1 Juniper Secure Analytics Patch Release Notes December patch resolves several known issues in Juniper Secure Analytics (JSA). Contents Installing Patch Clearing the Cache Known Issues and Limitations Resolved Issues Documentation Feedback Requesting Technical Support Self-Help Online Tools and Resources Opening a Case with JTAC Revision History

2 JSA Patch Release Notes Installing Patch 6 Administrator Notes This update includes a change to how login authentication works for fallback LDAP, Radius, or Active Directory on administrator accounts. If the external authentication server is unavailable, not all administrators will be able to fall back to their local administrator passwords without a configuration change. This change was implemented in JSA or later and this note is being included in Patch 6 to raise awareness for this change. JSA Patch 6 is released and resolves various field issues reported from users and administrators. Patches are software updates that address known software issues in your JSA deployment. JSA patches are installed by using an SFS file. If your deployment is installed with (any patch level till Patch 5), you can install the patch. NOTE: Administrators on JSA software versions must use the ISO file (JSA7.3.0.iso) to update their deployment to Ensure that you take the following precautions: Back up your data before you begin any software upgrade. For more information about backup and recovery, see the Juniper Secure Analytics Administration Guide. To avoid access errors in your log file, close all open JSA webui sessions. All appliances in the deployment must be on the same version. The patch for JSA cannot be installed on a managed host that is at a different software version from the console. Verify that all changes are deployed on your appliances. The patch cannot install on appliances that have changes that are not deployed. If this is a new installation, administrators must review the instructions in the Juniper Secure Analytics Upgrading JSA to Guide. To install thejsa Patch 6: 1. Download the patch from the Juniper Customer Support website Using SSH, log into your system as the root user. 3. To verify you have enough space (3GB) in /store/tmp for the JSA Console, type: df -h /tmp /storetmp /store/transient tee diskchecks.txt 2

3 Installing Patch 6 Best directory option: /storetmp It is available on all appliance types, is not cleaned up if you need to postpone your update, and is available on all appliance types at all versions. In JSA versions /store/tmp is a symlink to the /storetmp partition. 2nd best directory option: /tmp This directory is available on all appliances, but in versions is significantly smaller and moving a file here can cause services to stop. If you leave a file in /tmp for 10 days without completing the SFS update, it might get cleaned up by Red Hat's tmpwatch cron job. 3rd best option: /store/transient The store/transient directory was introduced in JSA and is allocated 10% of the overall /store directory. However, this directory does not exist on all appliances and might not be an actual partition on all appliances. If the disk check command fails, retype the quotation marks from your terminal, then re-run the command. This command returns the details to both the command window and to a file on the Console named diskchecks.txt. Review this file to ensure that all appliances have at minimum 3GB of space available in a directory to copy the SFS before attempting to move the file to a managed host. If required, free up disk space on any host that fails to have less that 3GB available. NOTE: In JSA and later, an update to directory structure for STIG compliant directories reduces the size of several partitions. This can impact moving large files to JSA. 4. To create the /media/updates directory, type the following command: mkdir -p /media/updates 5. Using SCP, copy the files to the JSA Console to the /storetmp directory or a location with 3GB of disk space. 6. Change to the directory where you copied the patch file. For example, cd /storetmp 7. Unzip the file in the /storetmp directory using the bunzip utility: bunzip sfs.bz2 8. To mount the patch file to the /media/updates directory, type the following command: mount -o loop -t squashfs sfs /media/updates/ 9. To run the patch installer, type the following command: 3

4 JSA Patch Release Notes /media/updates/installer NOTE: The first time that you run the patch, there might be a delay before the patch install menu is displayed. 10. Using the patch installer, select all. The all option updates the software on all appliances in the following order: Console No order required for remaining appliances. All remaining appliances can be updated in any order the administrator requires. If you do not select the all option, you must select your console appliance. As of the JSA r4 patch and later, administrators are only provided the option to update all or update the console appliance. Managed hosts are not displayed in the installation menu to ensure that the console is patched first. After the console is patched, a list of managed hosts that can be updated is displayed in the installation menu. This change was made starting with the JSA r4 patch to ensure that the console appliance is always updated before managed hosts to prevent upgrade issues. If administrators want to patch systems in series, they can update the console first, then copy the patch to all other appliances and run the patch installer individually on each managed host. The console must be patched before you can run the installer on managed hosts. When updating in parallel, there is no order required in how you update appliances after the console is updated. If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the patch installation resumes. 11. To exit the patch installer after the installation completes, type the following command: umount /media/updates 12. Administrators and users should clear their browser cache before logging in to the Console. Results A summary of the patch installation advises you of any managed host that were not updated. If the patch fails to update a managed host, you can copy the patch to the host and run the installation locally. What to do next You are now ready to clear the Java cache and the browser cache. 4

5 Clearing the Cache Related Documentation Clearing the Cache on page 5 Known Issues and Limitations on page 6 Resolved Issues on page 6 Clearing the Cache After you install the patch, you must clear your Java cache and your web browser cache before you log into the JSA appliance. Before you begin Ensure that you have only one instance of your browser open. If you have multiple versions of your browser open, the cache might fail to clear. Ensure that the Java Runtime Environment is installed on the desktop system that you use to view the user interface. You can download Java version 1.7 from the Java website: About this task If you use the Microsoft Windows 7 operating system, the Java icon is typically located under the Programs pane. To clear the cache: 1. Clear your Java cache: a. On your desktop, select Start > Control Panel. b. Double-click the Java icon. c. In the Temporary Internet Files pane, click View. d. On the Java Cache Viewer window, select all Deployment Editor entries. e. Click the Delete icon. f. Click Close. g. Click OK. 2. Open your web browser. 3. Clear the cache of your web browser. If you use the Mozilla Firefox web browser, you must clear the cache in the Microsoft Internet Explorer and Mozilla Firefox web browsers. 4. Log in to JSA. Related Documentation Installing Patch 6 on page 2 Known Issues and Limitations on page 6 5

6 JSA Patch Release Notes Resolved Issues on page 6 Known Issues and Limitations None. Related Documentation Installing Patch 6 on page 2 Resolved Issues on page 6 Clearing the Cache on page 5 Resolved Issues The following is the resolved issue addressed in the Patch 6: Managed host time synchronization can fail to work correctly due to an upgrade of OpenSSL. Event/Flow (EPS/FPS) in license pool allocation is displayed as N/A after patching JSA. Application installation window hangs when attempting to update JSA Apps. JSA Apps can fail to install after an upgrade. Gluster daemon is not stopping when updating Gluster RPMS during a JSA upgrade. JSA Applications can fail to install properly and rollback when a install health check connection Rest/Refuse occurs. The JSA user interface can become unresponsive when loading the Log Sources window due to a sensor device table lock. Factory reinstall can fail on a JSA appliance that has been upgraded from to Custom action response returns Null value for some defined parameters. Failed replications can leave residual files in the /TMP directory. Unable to delete reference set elements using the JSA user interface. Offense search exclusion filters containing a defined network hierarchy parameter does not respect the exclusion. Device stopped sending events rule sometimes does not display the associated log source when part of an offence. DSM Editor can display REGEX grabs inconsistently between workspace field and log activity preview. Events contributing to an offense cannot be displayed after a custom event property OFFENSEID is created in the DSM Editor. 6

7 Resolved Issues The message Template not found is displayed when attempting to view, run or edit a report. The selected event does not display in the DSM editor workspace. Searches can fail with Connecting to the Query Server errors and/or I/O error occurred when many security profiles exist. The store/transient partition does not perform the required cleanup when running low on free disk space. Reports run on some AQL searches can return inconsistent column names. The server encountered an error reading one or more files when performing a log activity search. Searches can fail/cancel when a maximum number of results is reached. Manage Search Results page fails to load with General failure. Please try again message. Non-Admin JSA users are unable to perform various right-click and API call functions. RHEL CIFS-UTILS package is not included on JSA appliances installed at, or upgraded to version Tunnel connections remain after a data node or event collector are removed from a JSA deployment. DNS lookups for internal IP network ranges are not working as intended. Auto update can cause an interruption in flow collection and a Performance degradation system notification in the user interface. In progress searches that run longer than the configured search results retention period are deleted prior to completion. Attempting to obfuscate a large volume of Username field based events can cause obfuscated events to be dropped. Adding a REGEX filter to an existing search can generate the error Fatal exception in validation exception: This is not a valid... Comma characters (,) in quick filter searches are treated as OR values and can cause varied search results. Edit host connection option is not enabled after event/flow processor is added to the deployment. API searches using a completed ariel search can sometimes return with an error 500. Unable to perform a bulk add of log sources. JSA user interface becomes unresponsive linked to LOGROTATE of HTTPD files. Ariel searches that do many string comparisons can run slower than expected in low memory scenarios. TOMCAT service can fail to load due to a deadlock, causing the JSA user interface to become inaccessible. 7

8 JSA Patch Release Notes Attempting to cancel a duplicate log activity search in progress can display the error...warn_query_collect_data_limit. The JSA upgrade process can sometimes fail at the pre-boot phase and / partition fills to 100%. A null pointer exception can be generated by JSA handling of DSM adaptive patterns leading to unparsed or stored events. JSA upgrade and/or patching within can fail on micro-services installer due to a vault certificate mismatch. A null pointer exception can be generated during import when using the content management tool containing custom log source type. Configuration restoration onto a console with a different IP address causes JSA Applications to no longer work. JSA Store and Forward Event Collector can have incorrect licence EPS value when attached managed host has encryption enabled. Application tabs can fail to load after upgrading to JSA No flow processor data received from flow collectors after an upgrade. Deploy process can timeout due to /OPT/QRADAR/CONF/ DIRECTORY permission changes after an upgrade. Missing files in /STORETMP/UPGRADE errors when running /ROOT/COMPLETE_UPGRADE.SH script after a failed upgrade. Using rule response Execute Custom Action can sometimes not work as expected. Console installation of JSA can fail when UTC timezone is selected. General failure. Please try again message is displayed when a log activity search with REF table filter User specified value is run. /VAR/LOG/ PARTITION can run out of space due to logs filling with messages The usersession object in sessioncontent... Lower than expected performance results when using historical correlation. Host context can run out of memory due to task management database table becoming corrupted. JSA docker logging reports An unexpected error occurred performing monitor [QAPP_MONITOR]. The asset details, asset summary window of an asset can sometimes be missing the operating system data. Results in report data can sometimes not match search results when an OR condition exists in search filters. Creating routing rules for events is not an available option for JSA EP/FP Combo appliances. The Assigned To link in an open offense summary window does not work. 8

9 Resolved Issues The Asset Name field for assets can sometimes be blank. A custom action script using the parameter CREEVENTLIST can fail and generate and generate an exception in JSA logging. Log source user interface does not save enabled, coalescing events, store event payload, and group assignment check box actions. An error occurred when parsing this even s payload. You ll not be able to edit this mapping when mapping events. Real-time streaming can fail to display events when filtering on even processor. LDAP hover text tooltip displays duplicate values. Searches using a geographic location filter can return unexpected results. Data nodes may not rebalance correctly if there are multiple destinations. Running the ARIEL_QUERY.PY script from a console command line can return extra spaces in the results. JSA Store and Forward Event Collector appliances are assigned an EPS value of 450 instead of their processor s value. HOSTCONTEXT can sometimes not start after upgrading JSA with Failed to acquire JMS connection error message. Previous corruption in NVA.CONF can cause some upgrades to JSA to fail. There are not enough unallocated EPS in the pool to maintain the event rate limits that are assigned to the managed hosts. JSA user interface outages with logs displaying HOSTCONTEXT... Too many open files messages. The Delete Listed option while filtered on a reference set data list can delete all reference set data. System and License management can take a longer than expected time to load in large JSA deployments. Reports running on Accumulated Data can sometimes fail due to the global view rollups failing. JSA searches can fail to complete and/or dashboard data can fail to load due to an ariel connection leak. I/O error for managed host(s) displayed in the search window while running log and/or network activity searches. An Application error can be displayed for new users logging into the JSA user interface instead of a default dashboard. Ariel searches that are run using API version 7.0+ do not return payload properly for parsing. Error: Could not find or load min class COM.Q1LABS.CORE.UTIL. PASSWORDENCRYPT when configuring LDAP hover feature. 9

10 JSA Patch Release Notes Unexpected error while retrieving GET_LOGS status when a non-admin user accesses system and license management. Drilling into a search that was grouped by a custom event property with parenthesis does not work as expected. Users with default domain permissions cannot view log source and log source group event filters. Application error when opening some offenses. Large CSV exports from JSA Vulnerability Manager Scan results can take an unexpectedly long time to complete. Filtering by phrase or vendor in a scan policy vulnerability search returns in incomplete results. Some JSA advanced searches do not complete, displaying In progress 0% complete. Netflow forwarding can be inconsistent from a high availability pair. JSA user interface sessions are becoming disconnected (session timeout) unexpectedly. JSA patching can fail at Error: The upgrade phase script 40-preserve_protected_search_results.sh failed... CVE : Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. MAILX rpm is not present/installed in new or upgraded installations of JSA version x. JSA Vulnerability Manager Vulnerability Managed is in the process of being deployed message on vulnerabilities tab after patching. JSA Vulnerability Manager scan results displays 100% progress and stops as scan duration time continues to increment. ed vulnerability scan reports can sometimes be blank. Scan result data can sometimes fail to be updated in the JSA asset model. Inconsistent asset counts when drilling down into some scan results. JSA Vulnerability Manager is on the process of being deployed message is displayed on the Vulnerabilities tab. JSA Vulnerability Manager scanning that uses the external scanner fails to start after the upgrade. Defined JSA Vulnerability Manager network exceptions are not honored. A scheduled scan in JSA Vulnerability Manager can be started multiple times one minute apart. 10

11 Documentation Feedback Vulnerability search dashboard items changes do not persist after log out of the JSA user interface. Incomplete vulnerability report can be generated when running against assets contained in the same CIDR. JSA Log Manager Additional rule tests cannot be added to current rules and new rules cannot be created when using JSA Log Manager. Related Documentation Installing Patch 6 on page 2 Clearing the Cache on page 5 Known Issues and Limitations on page 6 Documentation Feedback We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods: Online feedback rating system On any page of the Juniper Networks TechLibrary site at simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at Send your comments to techpubs-comments@juniper.net. Include the document or topic name, URL or page number, and software version (if applicable). Requesting Technical Support Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or Partner Support Service support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC. JTAC policies For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at Product warranties For product warranty information, visit JTAC hours of operation The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year. 11

12 JSA Patch Release Notes Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: Find CSC offerings: Find product documentation: Find solutions and answer questions using our Knowledge Base: Download the latest versions of software and review release notes: Search technical bulletins for relevant hardware and software notifications: Join and participate in the Juniper Networks Community Forum: Open a case online in the CSC Case Management tool: To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: Opening a Case with JTAC You can open a case with JTAC on the Web or by telephone. Use the Case Management tool in the CSC at Call JTAC ( toll-free in the USA, Canada, and Mexico). Revision History For international or direct-dial options in countries without toll-free numbers, see December 2017 for the JSA Release Patch 6 Copyright 2017 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. and/or its affiliates in the United States and other countries. All other trademarks may be property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. 12