IBM Support

Apache Log4j CVE-2021-44228 vulnerability in IBM SPSS Statistics



IBM is actively responding to the reported remote code execution vulnerability in the Apache Log4j 2 Java library dubbed Log4Shell (or LogJam).

The IBM SPSS Statistics Development team produced interim fixes for our currently supported versions, updating the Log4j .jar files to version 2.17.1. This version resolves CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832 vulnerabilities.

- On 8 February 2022, IBM SPSS Statistics was released incorporating the Log4j fixes found here. Update to SPSS Statistics Windows or macOS or the latest SPSS Statistics Subscription Windows or macOS.
- The fixes on this page are for supported versions before
- These fixes are updated to include Log4j version 2.17.1.
- If you have downloaded fixes from this note before 18 January 2022 AND have deployed a version of IBM SPSS Statistics before release, download and apply these fixes.


For more details about this specific vulnerability in IBM SPSS Statistics:
For information about  IBM SPSS Modeler
IBM SPSS Amos, IBM SPSS Data Access Pack, and the IBM SPSS Concurrent License Manager and Tools products are not affected by this issue.
An interim fix now exists for each of the currently supported releases of IBM SPSS Statistics. Supported versions are release 25.0 and later. If you have deployed IBM SPSS Statistics 24.0 or earlier, these versions are end of service and are no longer supported. Upgrade to a supported release.
Update your version of IBM SPSS Statistics to the latest Fixpack (or Modified Release).
  • For example, if you have SPSS Statistics 27.0 deployed, update it to Statistics 27.0.1 before applying the associated interim fix.
  • IBM SPSS Statistics Modified Release 1 Fixpack 1 (version has been released and incorporates the fixes on this page. Download and apply IBM SPSS Statistics
  • IBM SPSS Statistics Subscription updates via the "Help -> Check for updates" menu item and has recently been updated to incorporate the fixes found on this page. The interim fix found here applies to IBM SPSS Statistics Subscription release  The current release is on Windows and on macOS. Use the "Help -> Check for updates"  menu and bring your IBM SPSS Statistics Subscription release to Windows or macOS.

If you do not know your current release and Fixpack level,
See: how-do-i-identify-my-spss-product-releasebuild

Fixpacks and Modified Releases:
IBM SPSS Statistics 28.0 Modified Release 1 Fixpack 1: This release is not vulnerable - Statistics
IBM SPSS Statistics 28.0 Modified Release 1: Statistics
IBM SPSS Statistics 27.0 Modified Release 1: Statistics
IBM SPSS Statistics 26.0 Fixpack 1: Statistics (Windows) or (macOS)
IBM SPSS Statistics 25.0 Fixpack 2: Statistics
Interim Fixes
Download the interim fix, extract it and find the "Readme" file for installation instructions.
IBM SPSS Statistics, IF 009:  IF
IBM SPSS Statistics Subscription:  IF for Subscription
IBM SPSS Statistics, IF 023:  IF
IBM SPSS Statistics (Windows) or (macOS), IF 017:  IF 26.0.1-017
IBM SPSS Statistics, IF 017:  IF

[{"Type":"MASTER","Line of Business":{"code":"LOB10","label":"Data and AI"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSLVMB","label":"IBM SPSS Statistics"},"ARM Category":[{"code":"a8m0z000000GmtjAAC","label":"Statistics"}],"Platform":[{"code":"PF017","label":"Mac OS"},{"code":"PF033","label":"Windows"}],"Version":"25.0.0;26.0.0;27.0.0;28.0.0"}]

Document Information

Modified date:
03 March 2022