IBM Support

IBM SPSS Modeler Updates Netty Components to Address Published CVEs in Versions 18.4, 18.5, 18.6, and 19.0

General Page

IBM SPSS Modeler includes Netty components that are affected by CVE-2024-47535 and CVE-2025-25193. Updated product builds are available for IBM SPSS Modeler versions 18.4, 18.5, 18.6, and 19.0. This technote summarizes the issue, identifies affected versions and platforms, and provides verification details for the updated Netty runtime libraries.

Problem

A security review identified vulnerabilities affecting Netty libraries used by IBM SPSS Modeler. To address the reported CVEs, Netty components have been upgraded to version 4.1.119.Final across supported product releases.

The following CVEs are addressed:

  • CVE-2024-47535
  • CVE-2025-25193

Although the reported vulnerabilities primarily affect the netty-common library, IBM recommends updating the complete Netty component set to maintain compatibility and ensure a consistent runtime environment.

Affected Versions

  • IBM SPSS Modeler 18.4
  • IBM SPSS Modeler 18.5
  • IBM SPSS Modeler 18.6
  • IBM SPSS Modeler 19.0

Affected Platform

  • macOS

Prerequisites

  • IBM SPSS Modeler 18.4, 18.5, 18.6, or 19.0 must be installed on macOS.
  • Stop all running instances of IBM SPSS Modeler before applying the update.

Verification Details

IBM SPSS Modeler 19.0 on macOS

Installation Paths

  • <installation_path>/Contents/spark/jars
  • <installation_path>/Contents/spark/external-jars

The following Netty components should be updated from version 4.1.100.Final (and where applicable 4.1.87.Final) to 4.1.119.Final:

  • netty-all
  • netty-buffer
  • netty-codec
  • netty-common
  • netty-handler
  • netty-resolver
  • netty-transport
  • netty-transport-classes-epoll
  • netty-transport-classes-kqueue
  • netty-transport-native-unix-common

Update Procedure

  1. Back up the existing Netty JAR files.
  2. Download the corresponding version 4.1.119.Final JARs from Maven Central.
  3. Replace the existing JARs in both installation locations.
  4. Verify that the updated JARs are present after the update.

IBM SPSS Modeler 18.6 on macOS

Installation Path

  • <installation_path>/spark/jars

The following Netty components should be updated from version 4.1.108.Final to 4.1.119.Final:

  • netty-all
  • netty-buffer
  • netty-codec
  • netty-codec-http
  • netty-codec-http2
  • netty-codec-socks
  • netty-common
  • netty-handler
  • netty-handler-proxy
  • netty-resolver
  • netty-transport
  • netty-transport-classes-epoll
  • netty-transport-classes-kqueue
  • netty-transport-native-epoll (Linux x86_64, aarch_64, riscv64)
  • netty-transport-native-kqueue (macOS x86_64 and aarch_64)
  • netty-transport-native-unix-common

Unchanged Components

The following libraries remain at version 2.0.61.Final and do not require updating:

  • netty-tcnative-boringssl-static*
  • netty-tcnative-classes

Update Procedure

  1. Back up the existing Netty JAR files.
  2. Download the corresponding version 4.1.119.Final JARs from Maven Central.
  3. Replace the existing JARs in the installation directory.
  4. Verify that the updated JARs are present after the update.

IBM SPSS Modeler 18.5 on macOS

Installation Path

  • <installation_path>/spark/jars

The following Netty components should be updated from version 4.1.100.Final (and where applicable 4.1.87.Final) to 4.1.119.Final:

  • netty-all
  • netty-buffer
  • netty-codec
  • netty-codec-http
  • netty-codec-http2
  • netty-codec-socks
  • netty-common
  • netty-handler
  • netty-handler-proxy
  • netty-resolver
  • netty-transport
  • netty-transport-classes-epoll
  • netty-transport-classes-kqueue
  • netty-transport-native-epoll (Linux x86_64 and aarch_64)
  • netty-transport-native-kqueue (macOS x86_64 and aarch_64)
  • netty-transport-native-unix-common

Unchanged Components

The following libraries remain at version 2.0.61.Final and are not affected by the reported CVEs:

  • netty-tcnative-boringssl-static*
  • netty-tcnative-classes

Update Procedure

  1. Back up the existing Netty JAR files.
  2. Download the corresponding version 4.1.119.Final JARs from Maven Central.
  3. Replace the existing JARs in the installation directory.
  4. Verify that the updated JARs are present after the update.

IBM SPSS Modeler 18.4 on macOS

Installation Path

  • <installation_path>/spark/jar

The following Netty components should be updated from version 4.1.77.Final to 4.1.119.Final:

  • netty-all
  • netty-buffer
  • netty-codec
  • netty-codec-dns
  • netty-codec-haproxy
  • netty-codec-http
  • netty-codec-http2
  • netty-codec-memcache
  • netty-codec-mqtt
  • netty-codec-redis
  • netty-codec-smtp
  • netty-codec-socks
  • netty-codec-stomp
  • netty-codec-xml
  • netty-common
  • netty-handler
  • netty-handler-proxy
  • netty-resolver
  • netty-resolver-dns
  • netty-resolver-dns-classes-macos
  • netty-resolver-dns-native-macos
  • netty-transport
  • netty-transport-classes-epoll
  • netty-transport-classes-kqueue
  • netty-transport-native-epoll
  • netty-transport-native-kqueue
  • netty-transport-native-unix-common
  • netty-transport-rxtx
  • netty-transport-sctp
  • netty-transport-udt

Unchanged Components

The following library remains unchanged and is not affected by the reported CVEs:

  • netty-tcnative-classes (2.0.46.Final)

Update Procedure

  1. Back up the existing Netty JAR files.
  2. Download the corresponding version 4.1.119.Final JARs from Maven Central.
  3. Replace the existing JARs in the installation directory.
  4. Verify that the updated JARs are present after the update.
  5. Restart the application.

[{"Type":"MASTER","Line of Business":{"code":"LOB76","label":"Data Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SS3RA7","label":"IBM SPSS Modeler"},"ARM Category":[{"code":"a8m3p0000006xr6AAA","label":"SPSS Modeler"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"18.4.0;18.5.0;18.6.0;19.0.0"}]

Document Information

Modified date:
15 June 2026

UID

ibm17276355

Page Feedback