Académique Documents
Professionnel Documents
Culture Documents
ArcSight ESM
Version 6.5c SP1 Patch 2
October 2, 2015
http://softwaresupport.hp.com
https://protect724.hp.com
Revision History
Date
Product Version
Description
10/02/2015
Contents
ArcSight ESM v6.5c SP1 Patch 2 ............................................................................................................. 5
ESM 6.5c SP1 Patch 2 ...................................................................................................... 5
Purpose of this Patch ....................................................................................................... 5
Usage Note for this Patch ................................................................................................. 5
ArcSight Web Configuration for PKCS#11/CAC .............................................................. 5
Section 508 Compliance ................................................................................................... 6
Geographical Information Update ...................................................................................... 6
Vulnerability Updates ....................................................................................................... 6
Installing ESM Version 6.5c SP1 Patch 2 ............................................................................. 7
Verify ESM 6.5c SP1 Patch 2 Files ................................................................................ 7
ArcSight ESM Main Component Suite ........................................................................... 8
ArcSight Console ..................................................................................................... 10
Issues Fixed in this Patch ............................................................................................... 13
Analytics ................................................................................................................ 13
ArcSight Console ..................................................................................................... 13
ArcSight Database ................................................................................................... 14
ArcSight Manager .................................................................................................... 14
CORR-Engine .......................................................................................................... 15
Command Center .................................................................................................... 15
Open Issues in this Patch ............................................................................................... 16
Installation and Upgrade .......................................................................................... 16
Issues Fixed in ESM 6.5c SP1 Patch 1 .............................................................................. 16
Analytics ................................................................................................................ 16
ArcSight Console ..................................................................................................... 17
CORR-Engine .......................................................................................................... 17
Installation and Upgrade .......................................................................................... 17
Open Issues in ESM 6.5c SP1 Patch 1 .............................................................................. 18
Open and Closed Issues in ESM 6.5c SP1 .......................................................................... 18
Confidential
Contents
Confidential
Adds support to migrate resources from ESM 5.5 and ESM 5.6 to ESM 6.5c SP1 Patch
2.
To configure:
1
Confidential
Vulnerability Updates
This release includes recent vulnerability mappings from the September 2015 Context
Update.
Device
Vulnerability Updates
CVE
Bugtraq, CVE
CVE, X-Force
CVE
Confidential
For all components and platforms: Make sure that you have enough
space available before you install the patch. The installer checks for 1 GB
of space and generates an error if it is not available. If you run into disk
space issues during installation, create enough space, restore the
component base build from the backup, then resume patch installation.
Backup, patch install, and uninstall procedures require permissions for the
relevant components. To install a patch, make sure that the user who
owns the base build installation folder has full privileges on the PATH
where the base build is installed.
To uninstall the software you must be at the same user level as the
original installer.
For backup, patch install, and uninstall, we recommend that you log in to
the target machine with a specific account name via telnet or SSH. If you
switch accounts after logging in, then specify the flag "-" for the su
command (su - <UserName>).
Confidential
Before you install the patch, verify that <ARCSIGHT_HOME> and any of its
subdirectories are not being accessed by open shells on your system.
If for any reason you need to re-install the patch, run the patch
uninstaller before installing the patch again.
From the directory where you extracted the tar file, as user root, run stop_services
with this command:
./stop_services.sh
Back up the ArcSight directory, /opt/arcsight, by making a copy. Place the copy in
a readily accessible location. This is just a precautionary measure so you can restore
the original state, if necessary.
HP recommends that you do not simply rename files and leave them in
the same directory. Java reads all the files present, regardless of
renaming, and can pick up old code inadvertently, causing undesirable
results.
Read through the license agreement and accept it at the end. In GUI mode, the
acceptance radio button is disabled until you scroll to the bottom of the agreement. In
the console mode, press Enter until you have paged through to the end of the license
agreement.
Select a location for the uninstaller link, if you want to have a shortcut to the
uninstaller in some other location. You must have write permission to the specified
folder.
Confidential
Check the pre-installation summary to verify that all the locations listed are correct and
that you have enough disk space to install this patch.
Click Install.
10 Click Next on the File Delivery Complete screen to install the CORR-Engine, Manager,
and ArcSight Web components.
11 Click Done on the Install Complete screen.
12 As root, run the runAsRoot script with this command:
sh /opt/arcsight/suite/bin/runAsRoot.sh
Messages will result from running this script; ignore the errors No such file or
directory. Eventually, you will see the message: DONE: Set up ArcSight
services. Services begin initializing after runAsRoot completes, but all services
may take a short time to become fully available.
13 Check the ArcSight services as user arcsight:
/etc/init.d/arcsight_services status all
As user arcsight, run the uninstaller program from either the directory where you
created the link while installing the product or, if you had opted not to create a link,
then run this from the
/opt/arcsight/suitepatch/UninstallerData_6.5.1.2 directory:
./Uninstall_ArcSight_ESM_Suite_Patch
Alternatively, you can run the following command from the /home/arcsight (or
wherever you installed the shortcut link) directory:
./Uninstall_ArcSight_ESM_Suite_Patch_6.5.1.2
Or, to uninstall using Console mode, run:
./Uninstall_ArcSight_ESM_Suite_Patch_6.5.1.2 -i console
Run the uninstaller in the same mode in which you ran the installer (GUI or Console
mode).
Confidential
ArcSight Console
This section describes how to install or uninstall the ESM 6.5c SP1 Patch 2 for ArcSight
Console on Windows, Mac, and Linux platforms.
The ArcSight ESM Console is not supported on AIX or Solaris. The following
steps do not include information for installing a Console patch on those
platforms.
Before you install the patch, verify that the Consoles <ARCSIGHT_HOME>
directory and any of its subdirectories are not being accessed by any open
shells on your system.
If you need to re-install the patch, run the patch uninstaller before
installing the patch again.
Download the executable file specific to your platform from the HP Software Support
Online site (http://softwaresupport.hp.com). YYYY.Y represents the Console build
number.
Patch-6.5.1.YYYY.Y-Console-Win.exe
Patch-6.5.1.YYYY.Y-Console-Linux.bin
Patch-6.5.1.YYYY.Y-Console-MacOSX.zip
Be sure to verify the patch file; see Verify ESM 6.5c SP1 Patch 2 Files on page 7.
For the Mac, see To Install the Patch on a Mac, below.
4
On Windows:
Double-click Patch-6.5.1.YYYY.Y-Console-Win.exe
On Linux:
Verify that you are logged in as user arcsight:, and then run the following
command:
./Patch-6.5.1.YYYY.Y-Console-Linux.bin
10
Confidential
To install in Console mode, run the following command from the shell prompt and
then follow the instructions in the window:
./Patch-6.5.1.YYYY.Y-Console-Linux.bin -i console
The installer launches the Introduction window.
5
Accept the terms of the license agreement and click Next. The acceptance radio
button is disabled until you scroll to the bottom of the agreement.
Enter the location of your existing <ARCSIGHT_HOME> directory for your Console
installation in the text box provided or navigate to the location by clicking Choose
If you want to restore the installer-provided default location, click Restore Default
Folder.
Click Next.
Choose a Link Location (on Linux) or Shortcut location (on Windows) by clicking the
appropriate radio button and click Next.
10 Check the pre-installation summary to verify that all the locations listed are correct and
that you have enough disk space to install this patch.
11 Click Install.
12 Click Done on the Install Complete screen.
Be sure to verify the patch file; see Verify ESM 6.5c SP1 Patch 2 Files on page 7.
4
Follow the steps on the patch install wizard, providing the information as prompted:
Confidential
Accept the terms of the license agreement and click Next. The acceptance radio
button is disabled until you scroll to the bottom of the agreement.
Choose the location where you want to install the patch. Browse to
<ARCSIGHT_HOME>, where your previous Console was installed.
Choose an alias location for the Console application (or opt to not use aliases).
This is the same as a link location on UNIX systems or shortcut location on
Windows systems.
Click Next.
Double-click the icon you created for the uninstaller when installing the Console.
For example, if you created an uninstaller icon on your desktop, double-click that
icon.
On Linux:
From the directory where you created the link when installing the Console (your
home directory or some other location), run:
./Uninstall_ArcSight_ESM_Console_Patch_6.5.1.2
If you did not create a link, execute the command from the Consoles
<ARCSIGHT_HOME>/current/UninstallerData_6.5.1.2 directory:
./Uninstall_ArcSight_ESM_Console_Patch
On a Mac:
From the directory where you created the link when installing the Console, run:
Uninstall_ArcSight_ESM_Console_Patch_6.5.1.2
Confidential
Analytics
Issue
Description
NGS-14167
SQL Query generation would fail when aggregators SUM or AVG were used in the
Query->Group Conditions.
This issue is now fixed.
NGS-13099
NGS-11937
In some circumstances, the action of changing the operator from '=' to StartsWith
or Contains, and back again to '=', can erroneously apply an additional level of
character-escaping to the string operand. This can then result in comparison
against an operand string which is not the intended one, which was interpreted as
a failure of StartsWith or Contains. Failure to remove additional
character-escaping has been prevented.
This issue is now fixed.
NGS-10374
When exporting events from the Case Details channel, archived events are not
exported.
This issue is now fixed.
ArcSight Console
Issue
Description
NGS-14427
When using dual monitors and editing a filter in the secondary monitor, pop-ups
could show up in the primary monitor.
This issue is now fixed.
NGS-13252
When multiple recipients were provided in a scheduled report's Jobs tab, for
example: one user in "Email To" and one email address in "Email Addresses"; or
two comma-separated email addresses in "Email Addresses", only the first email
address in "Email Addresses" would receive the message.
This issue is now fixed.
Confidential
Issue
Description
NGS-12571
Added support for a Static Banner at the top of every Console user interface
connecting to a given Manager.
To use it, set the server.staticbanner.backgroundcolor and server.staticbanner.text
properties in server.properties and restart the Manager. The background color
property only supports the following color strings: red, blue, green, yellow, black,
orange, pink, gray, magenta, or cyan.
If the server.staticbanner.text is not set or empty then banner panel will not
display. If the server.staticbanner.backgroundcolor is invalid or is not set then
default color green will be used.
NGS-11732
NGS-11727
NGS-11686
When active channel searches were performed with Case Insensitivity on, no
results would be returned.
This issue is now fixed.
NGS-10255
When case management was moved from ArcSight Web to ACC, the URL sent in
email notifications was not updated correctly and still pointed to Web.
This issue is now fixed.
NGS-9269
Entries in active lists were considered identical with and without trailing spaces,
and deletion of either would result in deletion of both entries.
This issue is now fixed.
ArcSight Database
Issue
Description
NGS-12779
ArcSight Manager
Issue
Description
NGS-14193
The value size calculations for integer/long/double values was incorrect, which
could result in errors saying "Event ... is too long for DB column size '19'." in
server.log.
This issue is now fixed.
NGS-13235
14
Confidential
Issue
Description
NGS-13113
NGS-13068
NGS-10899
When a rule tried to create a case using a filename as part of the case URI or case
name, and that filename contained one or more embedded slashes ('/' as in
/etc/password), the embedded slashes were conflicting with internal
representation causing the filename to be parsed into components. To prevent
this misinterpretation, embedded slashes are now replaced with backslashes.
This issue is now fixed.
CORR-Engine
Issue
Description
NGS-11805
Filters using Target and Attacker User Name fields were not working as expected
in active channels or reports when used with ignore case.
This issue is now fixed.
NGS-8033
Command Center
Issue
Description
NGS-13211
The ArcSight Command Center search module did not honor ESM event access
rights. When you searched in the Command Center using an "OR" condition in the
filter request, logs or events belonging to other customers were visible.
This issue is now fixed.
NGS-10507
Confidential
Description
NGS-14660
Analytics
Issue
Description
NGS-11041
(NGS-8840)
In channel when a filter with field "Request URL Port" along with operator "!=",
not equal to, was used, it was returning incorrect results.
This issue is now fixed.
NGS-10969
(NGS-8578)
The issue observed in thread dumps from a customer production system, where
multiple correlation threads were blocked trying to enter a synchronized code
section. The fix uses "double checked locking", which eliminates locking in the
steady-state case where the relevant object needs only to be read but not
updated.
While the fix is not guaranteed to address the root cause of the performance drop,
it eliminates the observed thread contention while maintaining the correctness of
the code.
NGS-10946
(NGS-8682)
In some instances, when an active list was modified at a high rate, the active list
cache would become inconsistent with the underlying database table, with the
table row count exceeding the configured list capacity. As a result of this
inconsistency, updates to entries not found in the cache were sent to the DB as
INSERT operations, resulting in a CONSTRAINT VIOLATION exception due to the
entry being present in the DB table. In addition, multiple ActiveList tables were
updated in the same DB transaction, causing the exception in one active list to roll
back updates that had previously been made in other active lists.
This issue is now fixed.
Confidential
ArcSight Console
Issue
Description
NGS-10952
If two users were logged in to different consoles, examining the same case, and
one made a change to the "Affected Elements" field of the Description tab, the
change would not be visible on the second console
This issue is now fixed.
NGS-11474
CORR-Engine
Issue
Description
NGS-11780
In some instances under certain loads when multiple active lists are created, the
table_definition_cache fills up, which triggers a rollback of the changes to the
arc_active_list table pointing to the newly created tables. This orphans the tables.
This issue is now fixed.
NGS-11261
Under certain loads, an unstable condition can on occasion arise that leads to a
Signal 11 occurrence.
Now, the likelihood of a Signal 11 condition has been reduced.
Description
NGS-10945
(NGS-9592)
In some installations of ESM 6.0c and later versions, annotation creation can
occur slowly, on the order of 1-3 events annotated per second after pressing OK in
the annotation dialog in the ArcSight ESM Console. This issue is more likely to
occur if there are several active channels open simultaneously, as these other
channels will push the events to be annotated out of the event cache in the
Manager service.
Without this fix, if the events to be annotated are not present in the event cache,
they are fetched one-at-a-time from the logger backend.
With this fix, the events are fetched in larger batches to improve efficiency and
reduce the time taken to annotate the events.
NGS-10926
Confidential
Confidential