IBM Support

Apache Log4j CVE-2021-44228 vulnerability in IBM SPSS Statistics

News


Abstract

IBM is actively responding to the reported remote code execution vulnerability in the Apache Log4j 2 Java library dubbed Log4Shell (or LogJam).

The IBM SPSS Statistics Development team produced interim fixes for our currently supported versions, updating the Log4j .jar files to version 2.17.1. This version resolves CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832 vulnerabilities.


NOTE:
- On 8 February 2022, IBM SPSS Statistics 28.0.1.1 was released incorporating the Log4j fixes found here. Update to SPSS Statistics 28.0.1.1(15) Windows or 28.0.1.1(14) macOS or the latest SPSS Statistics Subscription 28.0.1.1(15) Windows or 28.0.1.1(14) macOS.
- The fixes on this page are for supported versions before 28.0.1.1(14).
- These fixes are updated to include Log4j version 2.17.1.
- If you have downloaded fixes from this note before 18 January 2022 AND have deployed a version of IBM SPSS Statistics before release 28.0.0.0(192), download and apply these fixes.

Content

For more details about this specific vulnerability in IBM SPSS Statistics:
For information about IBM SPSS Modeler
IBM SPSS Amos, IBM SPSS Data Access Pack, and the IBM SPSS Concurrent License Manager and Tools products are not affected by this issue.
An interim fix now exists for each of the currently supported releases of IBM SPSS Statistics. Supported versions are release 25.0 and later. If you have deployed IBM SPSS Statistics 24.0 or earlier, these versions are end of service and are no longer supported. Upgrade to a supported release.
Update your version of IBM SPSS Statistics to the latest Fixpack (or Modified Release).
  • For example, if you have SPSS Statistics 27.0 deployed, update it to Statistics 27.0.1 before applying the associated interim fix.
  • IBM SPSS Statistics 28.0.1.0 Modified Release 1 Fixpack 1 (version 28.0.1.1) has been released and incorporates the fixes on this page. Download and apply IBM SPSS Statistics 28.0.1.1.
  • IBM SPSS Statistics Subscription is updated through the "Help -> Check for updates" menu item, and it has recently been updated to incorporate the fixes found on this page. The interim fix found here applies to IBM SPSS Statistics Subscription release 28.0.1.0(142). The current release is 28.0.1.1(15) on Windows and 28.0.1.1(14) on macOS. Use the "Help -> Check for updates" menu to bring your IBM SPSS Statistics Subscription release to 28.0.1.1(15) Windows or 28.0.1.1(14) macOS.

If you do not know your current release and Fixpack level, see: how-do-i-identify-my-spss-product-releasebuild

Fixpacks and Modified Releases:
  • IBM SPSS Statistics 28.0 Modified Release 1 Fixpack 1: This release is not vulnerable - Statistics 28.0.1.1
  • IBM SPSS Statistics 28.0 Modified Release 1: Statistics 28.0.1.0
  • IBM SPSS Statistics 27.0 Modified Release 1: Statistics 27.0.1.0
  • IBM SPSS Statistics 26.0 Fixpack 1: Statistics 26.0.0.1 (Windows) or 26.0.0.2 (macOS)
  • IBM SPSS Statistics 25.0 Fixpack 2: Statistics 25.0.0.2

Interim Fixes:
Download the interim fix, extract it and find the "Readme" file for installation instructions.
  • IBM SPSS Statistics 28.0.1.0, IF 009: IF 28.0.1.0-9
  • IBM SPSS Statistics Subscription: IF for Subscription
  • IBM SPSS Statistics 27.0.1.0, IF 023: IF 27.0.1.0-23
  • IBM SPSS Statistics 26.0.0.1 (Windows) or 26.0.0.2 (macOS), IF 017: IF 26.0.1-017
  • IBM SPSS Statistics 25.0.0.2, IF 017: IF 25.0.0.2-17
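
One way to confirm the result after applying an interim fix, added here as an example (it is not IBM's code and not part of any interim fix): the script walks an installation directory, reads the version of each log4j-core and log4j-api jar from its manifest, falls back to the file name, and flags anything below the 2.17.1 stated on this page. The directory argument and all function names are assumptions; this page does not give installation paths.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

FIXED = (2, 17, 1)  # Log4j version this page says the interim fixes install
NAME_RE = re.compile(r"log4j-(?:core|api)-(\d+)\.(\d+)(?:\.(\d+))?.*\.jar$", re.I)
MANIFEST_RE = re.compile(
    r"^(?:Implementation|Bundle)-Version:\s*(\d+)\.(\d+)(?:\.(\d+))?", re.M)


def jar_version(name, data=None):
    """Return (major, minor, patch) from the jar manifest, else from the file name."""
    if data is not None:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = MANIFEST_RE.search(manifest)
            if m:
                return tuple(int(g or 0) for g in m.groups())
        except (zipfile.BadZipFile, KeyError):
            pass  # unreadable archive or no manifest: use the file name instead
    m = NAME_RE.search(name)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def scan(root):
    """Yield (path, version, ok) for each log4j-core / log4j-api jar under root."""
    for path in sorted(Path(root).rglob("*.jar")):
        if not re.match(r"log4j-(core|api)", path.name, re.I):
            continue
        version = jar_version(path.name, path.read_bytes())
        # ok means "at or above 2.17.1"; an unknown version is reported as not ok
        yield str(path), version, version is not None and version >= FIXED


if __name__ == "__main__":
    # Assumption: the SPSS Statistics installation directory is passed as argv[1].
    results = list(scan(sys.argv[1] if len(sys.argv) > 1 else "."))
    for path, version, ok in results:
        label = ".".join(map(str, version)) if version else "unknown"
        print(f"{'OK ' if ok else 'OLD'} {label:8} {path}")
    sys.exit(0 if all(ok for _, _, ok in results) else 1)
```

The script only inspects jars that sit directly on disk; Log4j classes repackaged inside another archive are not detected.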


Document Information

Modified date: 03 March 2022

UID: ibm16525830